Domain: cfquickstart.com
DNS Resolutions

Date          IP Address
2024-10-19    108.156.83.92
2026-02-12    3.169.173.123
Port 80
HTTP/1.1 200 OKContent-Type: text/htmlContent-Length: 64208Connection: keep-aliveDate: Thu, 12 Feb 2026 17:25:31 GMTLast-Modified: Tue, 23 Sep 2025 15:46:25 GMTETag: ac3f2d9b2919b3fd955c8b7945c8b659x-amz-server-side-encryption: AES256Accept-Ranges: bytesServer: AmazonS3X-Cache: Miss from cloudfrontVia: 1.1 5f7d374d92b73172fce43b7879076d1c.cloudfront.net (CloudFront)X-Amz-Cf-Pop: HIO52-P4X-Amz-Cf-Id: EuW9XcT0Lw0qhQs9gRP4oUlRPEABDpF5jhWhSuhTZBT0vSZ4R7CsXw !doctype html>html langen> head> title>Coalesce - AWS Fundamentals/title> meta charsetutf-8> meta nameviewport contentwidthdevice-width, initial-scale1, shrink-to-fitno> link hrefhttps://fonts.googleapis.com/css?familyPoppins:300,400,500,600,700,800,900 relstylesheet> link relstylesheet hrefhttps://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css> link relstylesheet hrefcss/style.css> /head> !-- Google tag (gtag.js) -->script async srchttps://www.googletagmanager.com/gtag/js?idG-TB46VWJWD9>/script>script> window.dataLayer window.dataLayer || ; function gtag(){dataLayer.push(arguments);} gtag(js, new Date()); gtag(config, G-TB46VWJWD9);/script> body> div classwrapper d-flex align-items-stretch> nav idsidebar> div classp-4 pt-5> a hrefhttps://coalescesolutions.com classimg logo mb-5 stylebackground-image: url(images/logo.png);>/a> ul classlist-unstyled components mb-5> li classactive> a hrefhttps://us-east-2.console.aws.amazon.com/cloudformation/home?regionus-east-2#/stacks/quickcreate?templateURLhttps%3A%2F%2Fcfquickstartexamples.s3.us-east-2.amazonaws.com%2Fworkshop_quickstart_s3.yml&stackNameCFDemo¶m_SourceBucketcfquickstartexamples¶m_MinSize1¶m_SourceKeycfdocs-foundeo.zip¶m_DesiredCapacity1¶m_InstanceTypet3.medium¶m_MaxSize3¶m_AppNameDemoApp target_blank> 2025 - CI/CD CloudFormation Quick Launch /a> /li> li classactive> a hrefhttps://cfquickstartexamples.s3.us-east-2.amazonaws.com/workshop_quickstart_s3.yml target_blank> 2025 - Direct Template Download /a> /li> li classactive> a 
href#homeSubmenu classhomeSubmenu navitem >Agenda/a> /li> li> a href#pageSubmenu classdropdown-toggle data-togglecollapse aria-expandedfalse>Getting Started/a> ul classcollapse list-unstyled show idpageSubmenu> li> a href# classgettingStarted navitem>Overview/a> /li> li> a href# classpriceestimator navitem>Identity and Access/a> /li> li> a href# classbudgets navitem>Budgets, Bills, and Regions/a> /li> li> a href# classworkshop navitem>Creating Workshop Static Website/a> /li> li> a href# classaws navitem>AWS Marketplace/a> /li> li> a href# classcloudtrail navitem>CloudTrail/a> /li> li>/li> a href# classssm navitem>Session Manager Overview/a> /li> /ul> /li> li> a href#pageSubmenu2 classdropdown-toggle data-togglecollapse aria-expandedfalse>Infrastructure as a Service/a> ul classcollapse list-unstyled show idpageSubmenu2> li> a href# classiaas navitem>VPC (Network)/a> /li> li> a href# classsecurity navitem>Security Groups/a> /li> li> a href# classiam navitem>IAM Instance Role/a> /li> li> a href# classkeypair navitem>Key Pair/a> /li> li> a href# classec2 navitem>EC2 - The Servers/a> /li> li> a href# classrds navitem>RDS - The Database/a> /li> li> a href# classloadbalancer navitem>Load Balancer/a> /li> li> a href# classdns navitem>DNS/a> /li> li> a href# classfinal navitem>Final Network Diagram/a> /li> /ul> /li> li> a href# classadministration navitem>Administration/a> /li> li> a href# classvpn navitem>VPN/a> /li> li> a href# classadvanced navitem>Advanced Topics/a> /li> li> a href# classglossary navitem>Glossary/a> /li> /ul> div classfooter> p> Copyright a hrefhttps://coalescesolutions.com>Coalesce Solutions, LLC/a> ©script>document.write(new Date().getFullYear());/script> All rights reserved/p> /div> /div> /nav> !-- Page Content --> div idcontent classp-4 p-md-5> nav classnavbar navbar-expand-lg navbar-light bg-light> div classcontainer-fluid> button typebutton idsidebarCollapse classbtn btn-primary> i classfa fa-bars>/i> span classsr-only>Toggle Menu/span> /button> 
button classbtn btn-dark d-inline-block d-lg-none ml-auto typebutton data-togglecollapse data-target#navbarSupportedContent aria-controlsnavbarSupportedContent aria-expandedfalse aria-labelToggle navigation> i classfa fa-bars>/i> /button> !-- div classcollapse navbar-collapse idnavbarSupportedContent> ul classnav navbar-nav ml-auto> li classnav-item active> a classnav-link href#>Home/a> /li> li classnav-item> a classnav-link href#>About/a> /li> li classnav-item> a classnav-link href#>Portfolio/a> /li> li classnav-item> a classnav-link href#>Contact/a> /li> /ul> /div> --> /div> /nav> !--h2 classmb-4>CFSummit West Workshop/h2>--> div idhome classpages> h3>Coalesce - AWS Fundamentals Workshop/h3> h4>Getting Started/h4> ol> li>AWS Console Navigation Overview/li> li>Intro to Root user vs IAM users/li> li>Secure Root user - add MFA/li> li>Intro to IAM Identity Center, Control Tower, and Organizations ol> li>See a classblue hrefhttps://jumpcloud.com/blog/aws-iam-vs-aws-sso>this blog entry/a> for overview/li> /ol> /li> li>Create IAM Administrator/li> li>Grant IAM access to billing details/li> li>Log in with IAM Administrator/li> li>Budget Alarms/li> li>Bills and Cost Explorer/li> li>Intro to Regions and Availability Zones/li> li>Choose your Region/li> li>Static Website Demonstration/li> ol> li>Register Domain/li> li>Transfer Domain/li> li>Create ACM Certificate/li> li>Create S3 Bucket and copy content/li> li>Create CloudFront/li> li>Update Route53 DNS Entries for CloudFront/li> li>Review Workshop Website content/li> /ol> li>Subscribe to Adobe ColdFusion 2023 on AWS Marketplace/li> li>Enable CloudTrail and send trail to CloudWatch Logs/li> li>Intro to AWS Systems Manager/li> /ol> h4>IaaS/h4> ol> li>Delete the default VPC/li> li>Create new VPC - assign CIDR/li> ol> li>Review CIDR concepts/li> /ol> li>Create Subnets ol> li>Discuss public vs private subnets/li> li>Review AZs/li> li>Create public/li> li>Create private/li> /ol> /li> li>Create Gateways ol> li>Internet Gateway/li> 
li>NAT Gateways/li> /ol> /li> li>Create and associate Routes/li> li>Security groups ol> li>Define your Security Group goals/li> li>Design Security Groups with as many references as possible/li> li>Create primary security groups ol> li>i. Load Balancer/li> li>VPN Client/li> li>CF Application Server/li> li>Database Server/li> /ol> /li> /ol> /li> li>Create IAM Instance Role/li> li>Create Key Pair/li> li>Launch EC2 Instance (CF Application Server)/li> li>Launch RDS Instance (Database Server)/li> li>Create Load Balancer Target Group/li> li>Create Application Load Balancer/li> li>Configure the DNS for ALB/li> li>Review Final Network Diagram/li> /ol> h4>Administration/h4> ol> li>Quotas/li> li>SSM Connection Demonstration/li> li>AWS Config/li> li>GuardDuty/li> li>Detective/li> li>CloudWatch/li> li>Security Hub/li> /ol> h4>Create VPN (prereq - IAM Identity Center)/h4> ol> li>Prep VPN Authentication in IAM Identity Center/li> li>Add IAM Identity Provider/li> li>Client VPN Endpoint/li> li>Associate VPN with the Network/li> li>Install AWS VPN Client and test/li> /ol> h4>Advanced topics:/h4> ol> li>Amazon Inspector - Scan your EC2 instances for vulnerabilities and compliance configurations/li> li>DHCP Option Sets - private DNS resolution/li> li>VPC Peering Connections - inter-account or inter-VPC network traffic/li> li>VPC Flow Logs - network packet logging/li> li>Database Parameters - Customize MySQL server settings, e.g. 
enabling lower-case table name/li> li>Transit Gateways - useful for cross-region and more complicated structure network traffic/li> li>VPC Endpoint Services (your services) - extend your services to other accounts/customers without traversing the internet/li> li>VPC Endpoints (AWS services) - access AWS services without traversing the internet/li> li>AMIs - Images of your EC2 instances/li> li>Autoscaling Group - Creating a cluster of servers of the same image/li> li>ElastiCache - Managed Redis service for caching and/or session storage/li> li>SES - Simple email service/li> li>Savings Plan and Reservations - save money and guarantee resource availability/li> li>Trusted Advisor - Advisements on configuration, budgeting, and right-sizing. Requires business support for most features./li> li>Well-Architected Tool - Review your workloads against AWS best practices/li> li>CloudFormation - Codify your IAAS/li> li>EventBridge - Scheduled jobs/li> li>IAM Identity Center - Central IAM access/li> li>Organizations - Multiple AWS Account configurations and consolidated billing/li> li>Control Tower - When using an Organization, using Control Tower on the management account lets you automate applying changes and policies for multiple accounts/li> li>CloudWatch Log Agent - Accumulating CF logs off of servers into AWS Console/li> li>AWS Support Tiers - AWS has multiple tiers of support available/li> /ol> /div> div idpage1 classpages styledisplay:none> h3>Getting Started/h3> Here is a quick view of the AWS services we will be covering today. At the end of this workshop, you will have some perspective of what these tools can do and will understand how easy it is to get started with each of them. 
br> img srcimages/image09.jpg>br>br> h3>Price Estimator/h3> p>Here is an estimator put together with some guesses at usage so you can understand the costs of deploying this guide.br> a classblue hrefhttps://calculator.aws/#/estimate?id90879c8c3537795dae500a0ad1177758e01ae1f1>https://calculator.aws/#/estimate?id90879c8c3537795dae500a0ad1177758e01ae1f1/a>br> Note, this does not include the AWS Marketplace fees for licensing ColdFusion. The ColdFusion license will equate to approximately $360 per server and you will only pay for it while the server is running. /p> /div> div idpage1a classpages styledisplay:none> h3>Identity and Access/h3> ol> li>b>Intro to Root user vs IAM Users/b> p> Root users log in with email addresses, IAM users log in with account number and usernames. br> Root accounts should only be used during initial setup, signup of support services, and emergency situations. /p> /li> li>b>Add MFA To Root/b>br> img srcimages/image01.jpg> p> On your root user My security credentials page, under Multi-factor authentication (MFA), choose Assign MFA device. br>br> On the MFA device name page, enter a Device name, choose Passkey or Security Key, and then choose Next. br>br> On Set up device, set up your passkey. Create a passkey with biometric data like your face or fingerprint, with a device pin, or by inserting the FIDO security key into your computers USB port and tapping it. br>br> Follow the instructions on your browser to choose a passkey provider or where you want to store your passkey to use across your devices. br>br> Choose Continue. /p> /li> li>b>Intro to IAM Identity Center, Control Tower, and Organizations/b> ol> li>See a classblue hrefhttps://jumpcloud.com/blog/aws-iam-vs-aws-sso>this blog entry/a> for overview/li> img srcimages/aws-iam-sso-4.webp>br>br> We are skipping creation of Identity Center since that requires an Organization to be set up. 
However, without setting up the IAM Identity Center, you will not be able to configure the VPN service as documented in this workshop. /ol> /li> li>b>Create IAM Administrator/b>br> img srcimages/image03.jpg>br>br> img srcimages/image04.jpg> p> Go to IAM -> Users and add a user. Be sure to click the box to enable the user access to the AWS management console. br> Attach IAM policy directly and select the AdministratorAccess policy. This will give full admin rights to this user. /p> /li> li>b>Enable IAM to Access Billing/b>br> p>Before logging out of the Root account, be sure to allow IAM users access to the billing section of AWS./p> img srcimages/image02.jpg> p>Click Edit by IAM user and role access to Billing information and enable the access./p> /li> li>b>Log in with IAM Administrator/b>br> img srcimages/image05.jpg> p>Within the IAM Dashboard, you will see a sign-in URL you can use to log in with your IAM user. Proceed to that URL and log in./p> /li> /ol> /div> div idbudgets classpages styledisplay:none> ol> li>b>Budget Alarms/b>br> Under Billing and Cost Management Budgets, click “Create budget”.br> Select “Monthly cost budget”, give it a name you would recognize if you receive this alarm, set an amount for the trigger, and enter in your email addresses to send the alarm.br> AWS will email you up to 3 times: if AWS determines you are trending higher than the defined amount, once you reach 85% of the alarm amount, and once you pass the alarm amount.br> img srcimages/image91.jpg>br> /li> li>b>Bills and Cost Explorer/b> p>Visit Billing and Cost Management and discuss viewing your Bills and Cost Explorer/p> /li> li>b>Introduction to Regions and Availability Zones/b> p>34 Regions, 108 Availability Zonesbr> AWS has the concept of a Region, which is a physical location around the world where they cluster data centers. Each group of logical data centers are called an Availability Zone. 
Each AWS Region consists of a minimum of three, isolated, and physically separate AZs within a geographic area. Unlike other cloud providers, who often define a region as a single data center, the multiple AZ design of every AWS Region offers advantages for customers. Each AZ has independent power, cooling, and physical security and is connected via redundant, ultra-low-latency networks. AWS customers focused on high availability can design their applications to run in multiple AZs to achieve even greater fault-tolerance. /p> img srcimages/regions.png>br>br> img srcimages/az.png> /li> li>b>Choose Region/b>br> p>The first major step when setting up your AWS account infrastructure, you need to select a region. Choose a region that works for your application./p> img srcimages/image06.jpg> /li> /ol> /div> div idpage2 classpages styledisplay:none> h3>Creating Workshop Static Website/h3> In this example, we are: ol> li>Registering a new domain called cfquickstart.com in Route 53/li> li>Creating a Certificate Manager (ACM) certificate to support HTTPS/li> li>Creating an S3 bucket to store the website files/li> li>Creating a CloudFront distribution for the website hosting and configuring it with the ACM certificate and S3 bucket./li> li>Updating Route 53 to point cfquickstart.com and www.cfquickstart.com to the new CloudFront distribution./li> /ol> br> ***Even though you may not have a static website to host, the Route 53 domain zone setup and Certificate Manager will be used later in the workshop.*** ol> li>b>Register Domain Name (Option 1)/b>br> img srcimages/image07.jpg>br>br> img srcimages/image08.jpg>br>br> Select the domain name and checkout. Fill out the contact information and requisite questions and submit. 
br>br> /li> li>b>Transfer Domain to AWS (Option 2)/b>br> Alternatively, if you already have a domain name and want to transfer it to Route 53, follow these steps.br> Create Hosted Zone in Route53.br> img srcimages/image10.jpg>br> After the Hosted Zone is created, take the Name servers given by AWS and update your registrars (Godaddy, Network Solutions, etc) name servers accordingly. Please make sure to add your DNS records accordingly before transferring to AWS Route 53. br> img srcimages/image11.jpg> br>br> /li> li>b>Create ACM Certificate/b>br> Within Certificate Manager, select Request certificate.br> img srcimages/image12.jpg>br> Select public certificate and click Next.br> img srcimages/image13.jpg>br> Enter your domain names (remember, *.cfquickstart.com will not work with the domain apex cfquickstart.com - so both will be needed to support apex and subdomains). Choose DNS Validation (what were using) or Email validation; whichever you can use to validate ownership of the domain. Click Request. 
br> img srcimages/image14.jpg>br> Once the Certificate is created, click the button “Create records in Route 53” and let it validate for you; or manually enter the provided CNAMEs in your DNS zone.br> img srcimages/image15.jpg>br> Hosting static website on S3 and CloudFront getting started documentation:br> a classblue hrefhttps://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.SimpleDistribution.html>https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.SimpleDistribution.html/a> br>br> /li> li>b>Create S3 Bucket/b>br> Under Amazon S3, click Create bucket and come up with a unique name for your bucket and leave all other options default while creatingbr> img srcimages/image16.jpg> br>br> /li> li>b>Create CloudFront Distribution/b>br> img srcimages/image17.jpg>br> During Creation: ol> li>Select your S3 bucket as the Origin domain/li> li>Select Origin Access Control/li> li>Create new OAC (accept defaults)/li> /ol> img srcimages/image18.jpg>br> In the S3 Bucket settings, Permissions tab, Click Edit to edit the Bucket Policy. Paste the copied policy from the CloudFront distribution and click Save changes.br> img srcimages/image19.jpg>br> Return to the CloudFront browser tab and continue setting up the distribution. 
br> Choose to not enable WAFbr> img srcimages/image20.jpg>br> Further down the form, add your domain name(s) in the Alternate domain name (CNAME) and select your ACM certificate.br> img srcimages/image21.jpg> br>br> /li> li>b>Update Route 53 DNS entries to point website to the new CloudFront distribution/b>br> In Route 53 for the hosted zone, click Create record.br> img srcimages/image22.jpg>br> Switch the entry to use an Alias and leave the Record type as an A record.br> img srcimages/image23.jpg>br> Click on Choose endpoint and select Alias to CloudFront distributionbr> img srcimages/image24.jpg>br> And select your CloudFront distribution.br> img srcimages/image25.jpg>br> Click “Add another record” and repeat the steps for a classblue hrefhttp://www.cfquickstart.com>www.cfquickstart.com/a> then click Create recordsbr> img srcimages/image26.jpg>br> Youre done! This has created a new static website on a new domain. br>br> /li> /ol> /div> div idpage3 classpages styledisplay:none> h3>AWS Marketplace/h3> Visit the Adobe ColdFusion 2023 Release listing - a classblue hrefhttps://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6>https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6/a>br>br> Click Continue to Subscribebr> img srcimages/image27.jpg>br> Then review the Terms and Conditions and click Accept Terms if it is acceptable to you.br>br> This enables you to pay as you go for ColdFusion licensing.br> img srcimages/image28.jpg>br> /div> div idpage4 classpages styledisplay:none> h3>CloudTrail/h3> CloudTrail provides an audit log of every access or change within AWS - whether or its in the AWS Console, CLI, or API call. 
Sending the CloudTrail logs to CloudWatch and S3 helps you maintain control of retaining this information.br>br> Visit AWS CloudTrail and click Create a trailbr>br> Give your trail a useful name and click Create trailbr> img srcimages/image29.jpg>br> Click into your new trail and click Edit on the CloudWatch Logs sectionbr> img srcimages/image30.jpg>br> Enable CloudWatch logs, create a new Log Group, and give the log group a useful name. Leave IAM role as New, give the role a useful name, and click Save changesbr> img srcimages/image31.jpg>br> /div> div idssm classpages styledisplay:none> h3>Session Manager Overview/h3> ul> li>Remote connect (Session Manager)/li> Quickly and securely access your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. li>Resource grouping (Resource Groups)/li> Make sense out of your AWS footprint by grouping your resources into applications. li>Running tasks on group resources (Automation)/li> Use built-in automations or build your own to accomplish complex operational tasks at scale. li>Remote execution (Run Command)/li> Safe and secure remote execution across instances at scale without SSH or PowerShell. li>Parameter store/li> Centralized hierarchical store for managing secrets or plain-text data. li>OS patch management (Patch Manager)/li> Simplify your operating system patching process for Windows and Linux. /ul> /div> div idpage5 classpages styledisplay:none> h3>VPC (Network) Setup/h3> ol> li>b>Delete the default VPC/b>br> Under VPC, select the default VPC and select the Delete action and proceed to delete the VPC and included resources. 
/li> li>b>Choose your CIDR address range for your network/b>br> Use tools like a classblue hrefhttps://www.subnet-calculator.com>www.subnet-calculator.com/a> for help with ranges.br> We will use 10.0.0.0/16 for the VPC network and will use 10.0.###.0/24 for each subnet.br> 10.0.0.0/16 is the range 10.0.0.0-10.0.255.255br> img srcimages/image32.jpg>br> 10.0.1.0/24 is the range 10.0.1.0-10.0.1.255br> img srcimages/image33.jpg>br> /li> li>b>Create the VPC/b>br> Here is the final goal for the VPC we will be creating; including the breakdown of AZs, subnets, and CIDRs.br> img srcimages/image34.jpg>br> Under VPC, click Create VPC.br> Select VPC only to be able to manually build every component. Optionally, you can use VPC and more to setup most of the network components in one step automatically.br> img srcimages/image35.jpg>br> Submit the Create VPC form after inputting the VPC Name and CIDRbr> img srcimages/image36.jpg>br> After VPC is created, edit the VPC settings and make sure the DNS resolution and DNS hostnames are enabled and click Save. 
Both of these are required for you to use RDS and other services.br> img srcimages/image37.jpg>br> /li> li>b>Create the Subnets/b>br> Under VPC -> Subnets, click Create subnetbr> Select your VPC, give the Subnet a useful name (like Public a for the availability of the subnet and the AZ the subnet will reside), select an Availability Zone, and enter the subnets CIDR block.br> img srcimages/image38.jpg>br> Repeat the settings for the rest of the Subnets:br> Public b, us-east-1b, 10.0.1.0/24br> Private App a, us-east-1a, 10.0.100.0/24br> Private App b, us-east-1b, 10.0.101.0/24br> Private DB a, us-east-1a, 10.0.200.0/24br> Private DB b, us-east-1b, 10.0.201.0/24br> In the end, it should look like this:br> img srcimages/image39.jpg>br> /li> li> b>Internet Gateway/b>br> Under VPC -> Internet gateways, click Create internet gatewaybr> Give it a name and click Create internet gatewaybr> img srcimages/image40.jpg>br> After the Internet Gateway is created, select the gateway and select Actions Attach to VPCbr> Select your VPC and click Attach internet gatewaybr> img srcimages/image41.jpg>br> /li> li> b>NAT Gateways/b>br> We will be routing traffic based on the following diagram.br> img srcimages/image42.jpg>br> Under VPC -> NAT gateways, click “Create NAT gateway”br> Give it a name (like “NAT a” with the “a” designating the AZ) and select your subnet in AZ a. Click on Allocate Elastic IP then click “Create NAT gateway”br> img srcimages/image43.jpg>br> Repeat for the AZ b public subnet.br> /li> li> b>Network Routes/b>br> Under VPC -> Route tables, rename on the provided route table “Public Route”br> img srcimages/image44.jpg>br> Edit the routes for the “Public Route”. 
Add a 0.0.0.0/0 destination route and target it to “Internet Gateway”br> img srcimages/image45-1.png>br> Select your Internet Gateway and click Save Changes img srcimages/image45-2.png>br> Create another Route Table called “Private NAT a”, Edit the routes, add a 0.0.0.0/0 destination route and target it to “NAT Gateway” and select your “NAT a” NAT Gateway and click Save.br> img srcimages/image46.jpg>br> Repeat for “Private NAT b” with “NAT b”.br> Create another Route Table for “Private Only” with no additional routes than the default local.br> Click into “Private NAT a” and open the “Subnet associations” tab. Click “Edit subnet associations”, select “Private App a” and click “Save associations”.br> img srcimages/image47.jpg>br> Repeat for “Private NAT b” with “Private App b”br> Repeat for “Private Only” with “Private DB a” and “Private DB b”br> /li> /ol> /div> div idpage6 classpages styledisplay:none> h3>Security Groups/h3> ol> li> b>Define your Security Group goals/b>br> Only allow network traffic that is required for your systems to operate.br> img srcimages/image48.jpg>br> /li> li> b>Design Security Groups with as many references as possible/b>br> Security group rules can refer to other security groups by reference. Use this feature where possible.br> /li> li> b>Create primary security groups/b>br> Under EC2 -> Security Groups, Click “Create security group”.br> Add name, description, select your VPC, and define your inbound rules and click “Create security group” for each security group.br> ol> li>Load Balancerbr>br> Inbound traffic from anywhere on HTTPS/port 443br> img srcimages/image49.jpg>br> /li> li>VPN Clientbr>br> img srcimages/image50.jpg>br> /li> li>CF Application Serverbr>br> Allow inbound traffic from the LoadBalancer security group on HTTP/port 80. 
Start typing the LoadBalancer name in the “Source” field and select the associated security group.br> img srcimages/image51.jpg>br> Add another inbound rule for TCP port 8500 from the VPN Clients security group. This will allow you to connect to the CF Admin while connected over VPN (assuming you permitted 10.255.*.* as a permitted connection within the CF Admin). Add any other ports you need to use while connected over VPN (RDP, SSH, HTTP, etc). /li> li>Database Serverbr>br> Add two inbound rules for MySQL/Aurora, one for CFApp and another VPN Client. This will allow the CF App Servers and VPN connections the ability to connect to the database.br> img srcimages/image52.jpg>br> /li> /ol> /li> /ol> /div> div idpage7 classpages styledisplay:none> h3>Create VPN/h3> ol> li>b>Prep VPN Authentication in IAM Identity Center/b>br> Create Application in IAM Identity Center, following these instructions:br> a classblue hrefhttps://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/>https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on//a>br> Complete the b>To create the VPN client SAML application/b> section and do not proceed past b>To create the VPN client self-service SAML application:/b>br />br /> Its buried in the instructions, but be sure to download the IAM Identity Center SAML metadata file during the Application creation process.br> img srcimages/image53.jpg>br> /li> li>b>Add IAM Identity Provider/b>br> In the AWS account that you are creating the Client VPN Endpoint, go to IAM -> Identity Providers and click “Add provider”br> Give the provider a name and choose the SAML metadata file you downloaded in the previous step.br> img srcimages/image54.jpg>br> /li> li>b>Client VPN Endpoint/b>br> Under VPC -> Client VPN endpoints, click “Create client VPN endpoint”br> Choose a Client IPv4 CIDR within the range of your VPC, but not used by one of your subnets. 
We are using 10.255.0.0/16br> Choose Federated authentication and select the AWSSSO option you created earlier in the IAM IDP.br> img srcimages/image55.jpg>br> Enable split-tunnel if you dont want all user traffic to route through the client VPN endpoint.br> img srcimages/image56.jpg>br> /li> li>b>Associate VPN Within the Network/b>br> In your new Client VPN Endpoint under the “Target network associations” tab, click “Associate target network”br> img srcimages/image58.jpg>br> /li> li>b>Setup Client/b>br> In your new Client VPN Endpoint, click on “Download client configuration”br> img srcimages/image59.jpg>br> /li> li>b>Install AWS VPN CLient/b>br> a classblue hrefhttps://aws.amazon.com/vpn/client-vpn-download/>https://aws.amazon.com/vpn/client-vpn-download//a>br> Open the AWS VPN Client application. Under File -> Manage Profiles, click “Add Profile”br> Click the profile the name “myVPN” and select the VPN Client Configuration File you just downloaded.br> img srcimages/image60.jpg>br> Test VPN Connectionbr> Select the VPN profile myVPN and click Connect. This will open your browser to the IAM Identity Center login page. If it does not open your browser and gets stuck in an endless Connect/Disconnect, then your Client VPN may be still associating with the network.br> img srcimages/image61.jpg>br> /li> /ol> /div> div idpage8 classpages styledisplay:none> h3>Create IAM Instance Role/h3> Your CF App Server needs AWS permissions to talk to AWS services for SSM connectivity, log reporting, etc. This permission is defined by the role you assign to the EC2 instance.br> Under IAM -> Roles, click “Create role”br> Select “AWS service” trusted entity type and “EC2 Role for AWS Systems Manager” Use case, click “Next”, and “Next”. 
Give a useful name to the role like “CFAppRole” and click “Create role”.br> img srcimages/image62.jpg>br> /div> div idpage9 classpages styledisplay:none> h3>Create Keypair/h3> Key Pairs are the security certificates that permit you to either access your servers or retrieve their passwords.br> Under EC2 -> Key Pairs, click “Create key pair” and give the key pair a name.br> For Windows servers:br> Select RSA as the type and choose .pem for the format.br> For Linux servers:br> Select RSA or ED25519 as the type (some newer Linux builds, such as Amazon Linux 2023, require ED25519 key pairs for SSH connectivity) and choose .pem or .ppk based on your needs (you can use tools to generate the other format).br> Click “Create key pair”.br> img srcimages/image63.jpg>br> This will immediately download the key pair file. Keep this file in a safe place as you will use it later. /div> div idpage10 classpages styledisplay:none> h3>EC2 - The Servers/h3> h4>Launch EC2 Instance/h4> Under AWS Marketplace -> Manage Subscriptions, click “Launch” on the Adobe ColdFusion (2023 Release) Windows.br> img srcimages/image64.jpg>br> Make sure the region is correct and click “Continue to launch through EC2”br> img srcimages/image65.jpg>br> On the Launch an instance page, set the following: ol> li> Give the instance a useful namebr> img srcimages/image66.jpg>br> /li> li> If you want to stay under the AWS Free Tier, keep the Instance Type t2.micro. For the server to be usable, change the Instance Type to t3a.large. 
For a thorough breakdown of instance types and their prices, please visit a classblue hrefhttps://instances.vantage.sh/>https://instances.vantage.sh//a> br> img srcimages/image67.jpg>br> /li> li> Choose the keypair you created earlier.br> img srcimages/image68.jpg>br> /li> li> Click Edit on the Network settings section.br> ul> li>Select Subnet “Private App a”/li> li>Select existing security group CFAppbr> img srcimages/image69.jpg>br> /li> /ul> /li> li> Under Advanced Details.br> ul> li>Change the IAM instance profile to the IAM role we created earlierbr> img srcimages/image70.jpg>br> /li> li>Change the Metadata version to “V1 and V2 (token optional)”br> img srcimages/image71.jpg>br> /li> /ul> li> Click “Launch instance”br> (Optional) Repeat for the second instance and place it in “Private App b”br> /li> /li> /ol> /div> div idpage11 classpages styledisplay:none> h3>RDS - The Database/h3> h4>Launch Database/h4> ol> li> Under RDS -> Subnet groups, click “Create DB subnet group”br> Give it a useful name, choose your VPC, AZs 1a and 1b, and select your private DB subnets (its easiest to identify by IP CIDR). Click “Create” br> img srcimages/image72.jpg>br> /li> li> Under RDS click “Create database”br> /li> li> Select the Aurora MySQL engine type.br> img srcimages/image73.jpg>br> /li> li> Name the DB Cluster, change the credentials to be “Self managed” and check the “Auto generate password”br> img srcimages/image74.jpg>br> /li> li> Choose burstable classes and select the t3.medium or t4g.medium type. Make sure an Aurora Replica will be created.br> img srcimages/image75.jpg>br> /li> li> Select the DB Subnet group we created previously. Select “Choose existing” security group and select the Database security group we created previously. 
7. Uncheck DevOps Guru and Enhanced Monitoring.
8. Click "Create database".
Once the database is created, you will be given a hostname each for the writer and reader instances. You will use this hostname to configure your datasource in ColdFusion.

Deleting the RDS Cluster

When you are ready to delete the RDS cluster, you need to modify the cluster, disable "Deletion protection" and apply it immediately. Once you do that, delete each individual instance. Once all instances are deleted, you can delete the cluster.

Load Balancer

Example components of the ALB

(diagram)

Create Target Group

Under EC2 -> Target Groups, click "Create target group".
Choose the "Instances" type.
Give the target group a useful name.
Protocol : Port should be HTTP 80 or HTTPS 443. This is the port on which your server is listening, regardless of how the end user will connect. If you pick HTTP 80, the hop from the load balancer to the instance is unencrypted inside the VPC, so make sure the CFApp security group accepts port 80 only from the LoadBalancer security group and not from 0.0.0.0/0.
Choose a health check protocol and path that make sense for your application. We'll leave them as HTTP and / respectively.
Click Next.
Check the instances you want to add to this target group and click "Include as pending below".
Click "Create target group".

Create ALB

Under EC2 -> Load Balancer, click "Create load balancer".
Create an "Application Load Balancer".
Give the load balancer a useful name.
Select your VPC and your AZs and choose your Public subnets in each.
Choose the LoadBalancer security group we created previously.
Make sure your listener is using HTTPS : 443 and select the Target Group we created previously.
Select "From ACM" for the server certificate and select your ACM certificate from earlier.
Check "Include WAF security protections behind the load balancer".
Click "Create load balancer".
Recommended: add a second listener on HTTP : 80 whose default action is a redirect to HTTPS : 443, so a user who types the bare hostname is never served in cleartext.

DNS

Configure the DNS for ALB

Under Route 53 -> Hosted Zones, click on your hosted zone and click "Create record".
Enter www (or whatever you want) into the subdomain, enable the Alias toggle, set "Route traffic to" to "Alias to Application and Classic Load Balancer", choose your Region, and select your ALB from the dropdown menu.
Click "Create records".
With a Route 53 alias, you can even point the domain apex (e.g. cfquickstart.com without any subdomain) to your load balancer. Normally this is not possible: the DNS standards do not allow a CNAME at the apex, because it would conflict with the zone's SOA and NS records, so the apex would need an A record with a fixed IP address, which a load balancer does not have. An alias record answers A queries with the load balancer's current addresses instead.

Final Network Diagram

(diagram)

Administration

1. Quotas
If you run into service limits as you start consuming more AWS services, you may be hitting a usage restriction that can be increased.
Visit "Service Quotas".
For example, drilling into the EC2 quotas and filtering for "demand", we can see how many vCPUs we are using and what the limit is. On this page, you can select and request an increase in your service limits if they are Adjustable.
2. SSM Connection Demonstration
Under EC2 -> Instances.
Click on your instance, then click "Connect" (or right click and click "Connect").
On the first tab ("Session Manager"), if you click Connect you will open a new browser window with access to PowerShell (Windows) or a shell (Linux). This works with no inbound port open in the security group: the SSM Agent on the instance makes an outbound connection to Systems Manager, authorised by the instance role (it needs the AmazonSSMManagedInstanceCore permissions), and every StartSession call is recorded in CloudTrail.
On the second tab shown ("RDP Client"), this is where you can retrieve the generated password for Windows.
You can click to download an RDP shortcut file that will assist you in opening an RDP connection to the server. If you click on "Get password", you will be able to upload the key pair .pem file that you downloaded earlier, and click "Decrypt password" to retrieve the password. Uploading the file hands your private key to the browser session; if you would rather keep it on your own machine, the same decryption can be done locally with aws ec2 get-password-data --instance-id <id> --priv-launch-key <path to .pem>.
Alternatively, you can click on the "Connect using Fleet Manager" option, then click "Fleet Manager Remote Desktop".
Then, you can select Authentication type "Key pair", upload your PEM file and click "Connect".
At this point, you connect to your server's desktop through your web browser.
3. AWS Config
Visit AWS Config and either manually "Set up AWS Config" or click "1-click setup". This will monitor your AWS resources and log how their configurations change over time.
4. GuardDuty
Visit GuardDuty and get started with all features to enable it. This applies threat intelligence and ML to your CloudTrail, VPC Flow Log and DNS log data to identify suspicious activity within your account and alert you accordingly.
5. Detective
Visit Detective and click "Get started" to enable it.
This collects log data from AWS resources and applies ML and other tools to help you investigate the root causes of security issues or suspicious activities.
6. CloudWatch
Visit CloudWatch to view your logs, see your AWS service metrics, and set alarms.
7. Security Hub
Visit Security Hub to configure automated security checks that identify and help remediate security issues.

Advanced Topics

Below is a sample of the advanced topics. The list of other topics can be found on the agenda.
1. Amazon Inspector
Vulnerability management by continually scanning your instances through agent-based or agentless methods.
2. DHCP Option Sets
Under VPC, you can create a custom DHCP Option Set to assign to your VPC. This lets you override various settings on resources running in your VPC, including the unqualified domain lookup value (e.g. a setting of company.local as the domain name means that if you ping "theServerName", it'll automatically look up the DNS entry for theservername.company.local), the NTP (time sync) servers, the DNS server, and more.
3. VPC Peering
VPC Peering allows you to connect a pair of VPCs either within the same AWS account or with an external AWS account. Peering itself is free; charges apply only to data transfer across AZs and Regions. CIDR blocks cannot overlap between peered VPCs, and traffic is not transitive (it cannot hop across more than one peering connection).
4. VPC Flow Logs
Each VPC has the option to enable flow logs. This records metadata about the IP traffic handled by the network interfaces in your VPC (addresses, ports, protocol, packet and byte counts, and whether the security group or network ACL accepted or rejected the flow); packet payloads are not captured.
VPC flow logs can generate a lot of log records, but they are a useful tool for understanding traffic flow, spotting traffic from a compromised server, and detecting data exfiltration.

Glossary

AWS Certificate Manager (ACM): AWS Certificate Manager is a web service for provisioning, managing, and deploying Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services.
Amazon Machine Image (AMI): An Amazon Machine Image is a machine image, stored as EBS snapshots or in Amazon S3 (and encryptable with KMS), that functions like a template of a computer's root drive. It contains the operating system and can also include software and layers of your application, such as database servers, middleware, and web servers.
Amazon Resource Name (ARN): An Amazon Resource Name is a standardized way to refer to an AWS resource (for example, arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob).
Aurora: Amazon Aurora is a fully managed MySQL-compatible relational database engine that combines the speed and availability of commercial databases with the simplicity and cost-effectiveness of open-source databases.
Auto Scaling: AWS Auto Scaling is a fully managed service that you can use to quickly discover the scalable AWS resources that are part of your application and to configure dynamic scaling.
Auto Scaling group (ASG): A representation of multiple EC2 instances that share similar characteristics, and that are treated as a logical grouping for the purposes of instance scaling and management.
Availability Zone (AZ): A distinct location within a Region that's insulated from failures in other Availability Zones, and provides inexpensive, low-latency network connectivity to other Availability Zones in the same Region.
Backup: AWS Backup is a managed backup service that you can use to
centralize and automate the backup of data across AWS services in the cloud and on premises.
Billing and Cost Management: AWS Billing and Cost Management is the AWS Cloud computing model where you pay for services on demand and use as much or as little as you need. While resources are active under your account, you pay for the cost of allocating those resources. You also pay for any incidental usage associated with those resources, such as data transfer or allocated storage.
CIDR block: Classless Inter-Domain Routing. An internet protocol address allocation and route aggregation methodology.
CloudFormation: AWS CloudFormation is a service for writing or changing templates that create and delete related AWS resources together as a unit.
CloudFront: Amazon CloudFront is an AWS content delivery service that helps you improve the performance, reliability, and availability of your websites and applications.
CloudTrail: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements that the AWS service returns.
CloudWatch: Amazon CloudWatch is a web service that you can use to monitor and manage various metrics, and configure alarm actions based on data from those metrics.
CloudWatch Logs: Amazon CloudWatch Logs is a web service for monitoring and troubleshooting your systems and applications from your existing system, application, and custom log files. You can send your existing log files to CloudWatch Logs and monitor these logs in near-real time.
Command Line Interface (CLI): The AWS Command Line Interface is a unified downloadable and configurable tool for managing AWS services. Control multiple AWS services from the command line and automate them through scripts.
Config: AWS Config is a fully managed service that provides an AWS resource inventory, configuration history, and configuration change notifications for better security and governance. You can create rules that automatically check the configuration of AWS resources that AWS Config records.
Control Tower: AWS Control Tower is a service used to set up and govern a secure, multi-account AWS environment.
DB parameter group: A container for database engine parameter values that apply to one or more DB instances.
Detective: Amazon Detective is a service that collects log data from your AWS resources to analyze and identify the root cause of security findings or suspicious activities. The Detective behavior graph provides visualizations to help you determine the nature and extent of possible security issues and conduct an efficient investigation.
Directory Service: AWS Directory Service is a managed service for connecting your AWS resources to an existing on-premises Microsoft Active Directory or for setting up and operating a new, standalone directory in the AWS Cloud.
Database Migration Service (DMS): AWS Database Migration Service is a web service that can help you migrate data to and from many widely used commercial and open-source databases.
Elastic Block Store (EBS): Amazon Elastic Block Store is a service that provides block-level storage volumes for use with EC2 instances.
Elastic Load Balancing (ELB): Elastic Load Balancing is a web service that improves an application's availability by distributing incoming traffic between two or more EC2 instances. There are four types of ELB services: Classic Load Balancer, Application Load Balancer (ALB), Network Load Balancer (NLB), and Gateway Load Balancer (GLB).
Elastic Compute Cloud (EC2): Amazon Elastic Compute Cloud is a web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers.
Elastic IP address (EIP): A fixed (static) IP address that you have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with your account, not a specific instance. They are elastic because you can easily allocate, attach, detach, and free them as your needs change. Unlike traditional static IP addresses, Elastic IP addresses allow you to mask instance or Availability Zone failures by rapidly remapping your public IP addresses to another instance.
Elastic Network Interface (ENI): An elastic network interface is a virtual network interface that can be attached to an instance. Elastic network interfaces include a primary private IP address, one or more secondary private IP addresses, an Elastic IP address (optional), a MAC address, membership in specified security groups, a description, and a source/destination check flag. You can create an elastic network interface, attach it to an instance, detach it from an instance, and attach it to another instance.
ElastiCache: Amazon ElastiCache is a web service that simplifies deploying, operating, and scaling an in-memory cache in the cloud (Redis, Memcached). The service improves the performance of web applications by providing information retrieval from fast, managed, in-memory caches, instead of relying entirely on slower disk-based databases.
EventBridge: Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources and route that data to targets such as AWS Lambda. You can set up routing rules to determine where to send your data to build application architectures that react in real time to all of your data sources.
GovCloud: AWS GovCloud (US) is an isolated AWS Region that hosts sensitive workloads in the cloud, ensuring that this work meets the US government's regulatory and compliance requirements. The AWS GovCloud (US) Region adheres to United States International Traffic in Arms Regulations (ITAR), Federal Risk and Authorization Management Program (FedRAMP) requirements, Department of Defense (DOD) Cloud Security Requirements Guide (SRG) Levels 2 and 4, and Criminal Justice Information Services (CJIS) Security Policy requirements.
GuardDuty: Amazon GuardDuty is a continuous security monitoring service. Amazon GuardDuty can help to identify unexpected and potentially unauthorized or malicious activity in your AWS environment.
Identity and Access Management (IAM): AWS Identity and Access Management is a web service that Amazon Web Services (AWS) customers can use to manage users and user permissions within AWS.
IAM Identity Center: AWS IAM Identity Center is a cloud-based service that brings together administration of users and their access to AWS accounts and cloud applications. You can control single sign-on access and user permissions across all your AWS accounts in AWS Organizations.
Instance Type: A specification that defines the memory, CPU, storage capacity, and usage cost for an instance. Some instance types are for standard applications, whereas others are for CPU-intensive or memory-intensive applications.
Internet Gateway: Connects a network to the internet. You can route traffic for IP addresses outside your Amazon VPC to the internet gateway.
Key Management Service (KMS): AWS Key Management Service is a managed service that simplifies the creation and control of encryption keys that are used to encrypt data.
Key Pair: A set of security credentials that you use to prove your identity electronically. A key pair consists of a private key and a public key.
AWS Management Console: The AWS Management Console is a graphical interface to manage compute, storage, and other cloud resources.
AWS Marketplace: AWS Marketplace is a web portal where qualified partners market and sell their software to AWS customers. AWS Marketplace is an online software store that helps customers find, buy, and immediately start using the software and services that run on AWS.
Multi-AZ deployment: A primary DB instance that has a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to the standby replica.
Multi-Factor Authentication (MFA): An optional AWS account security feature. After you enable AWS MFA, you must provide a six-digit, single-use code (or a touch on a FIDO security key) in addition to your sign-in credentials whenever you access secure AWS webpages or the AWS Management Console. You get this single-use code from an authentication device that you keep in your physical possession.
NAT gateway: A Network Address Translation (NAT) device, managed by AWS and placed in a public subnet, that lets instances in private subnets initiate outbound connections to the internet while preventing the internet from initiating connections to them. A NAT gateway uses both NAT and port address translation.
Network ACL: An optional layer of security that acts as a stateless firewall for controlling traffic in and out of a subnet. You can associate multiple subnets with a single network ACL, but a subnet can be associated with only one network ACL at a time.
Organizations: AWS Organizations is an account management service that you can use to consolidate multiple AWS accounts into an organization that you create and centrally manage.
Relational Database Service (RDS): Amazon Relational Database Service is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.
Redis: A fast, open-source, in-memory key-value data structure store. Redis comes with a set of versatile in-memory data structures with which you can easily create a variety of custom applications.
Region: A named set of AWS resources that's in the same geographical area. A Region is comprised of at least three Availability Zones. AWS Regions are divided into partitions. AWS commercial Regions are in the aws partition, China Regions are in the aws-cn partition, and AWS GovCloud (US) Regions are in the aws-us-gov partition.
Reserved Instance: A pricing option for EC2 instances that discounts the on-demand usage charge for instances that meet the specified parameters. Customers pay for the entire term of the instance, regardless of how they use it.
Route 53: Amazon Route 53 is a web service that you can use to create a new DNS service or to migrate your existing DNS service to the cloud.
Route Table: A set of routing rules that controls the traffic leaving any subnet that's associated with the route table. You can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time.
Simple Storage Service (S3): Amazon S3 is storage for the internet. You can use it to store and retrieve any amount of data at any time, from anywhere on the web.
Security Group: A named set of allowed inbound network connections for an instance. (Security groups in Amazon VPC also include support for outbound connections.) Each security group consists of a list of protocols, ports, and IP address ranges or references to other security groups. Security groups are stateful: the reply traffic of an allowed connection is permitted automatically. A security group can apply to multiple instances, and multiple groups can regulate a single instance.
Security Hub: AWS Security Hub is a service that provides a comprehensive view of the security state of your AWS resources. Security Hub collects security data from AWS accounts and services and helps you analyze your security trends to identify and prioritize the security issues across your AWS environment.
Service Quotas: A service for viewing and managing your quotas easily and at scale as your AWS workloads grow. Quotas, also referred to as limits, are the maximum number of resources that you can create in an AWS account.
Service Role: An IAM role that grants permissions to an AWS service so it can access AWS resources. The policies that you attach to the service role determine which AWS resources the service can access and what it can do with those resources.
Simple Email Service (SES): Amazon Simple Email Service is a simple and cost-effective email solution for applications.
Shield: AWS Shield is a service that helps to protect your resources, such as Amazon EC2 instances, Elastic Load Balancing load balancers, Amazon CloudFront distributions, and Route 53 hosted zones, against DDoS attacks. AWS Shield Standard is automatically included at no extra cost beyond what you already pay for AWS WAF and your other AWS services. For added protection against DDoS attacks, AWS offers AWS Shield Advanced.
Simple Notification Service (SNS): Amazon Simple Notification Service is a web service that applications, users, and devices can use to instantly send and receive notifications from the cloud.
Systems Manager (SSM): AWS Systems Manager is the operations hub for AWS and hybrid cloud environments that can help achieve secure operations at scale. It provides a unified user interface for users to view operations data from multiple AWS services and automate tasks across their AWS resources.
Trusted Advisor: AWS Trusted Advisor is a web service that inspects your AWS environment and makes recommendations for saving money, improving system availability and performance, and helping to close security gaps.
Virtual Private Cloud (VPC): Amazon Virtual Private Cloud is a web service for provisioning a logically isolated section of the AWS Cloud virtual network that you define. You control your virtual networking environment by selecting your own IP address range, creating subnets and configuring route tables and network gateways.
VPC endpoint: A feature that you can use to create a private connection between your Amazon VPC and another AWS service without requiring access over the internet, through a NAT instance, a VPN connection, or Direct Connect.
Virtual Private Network (VPN): AWS Virtual Private Network provides functionality that establishes encrypted connections between your network or device and AWS. AWS VPN is comprised of two services: AWS Client VPN and AWS Site-to-Site VPN.
Web Application Firewall (WAF): AWS WAF is a web application firewall service that controls access to content by allowing or blocking web requests based on criteria that you specify. For example, you can filter access based on the header values or the IP addresses that the requests originate from.
AWS WAF helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
WorkSpaces: Amazon WorkSpaces is a managed, secure desktop computing service for provisioning cloud-based desktops and providing users access to documents, applications, and resources from supported devices.
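For the "Metadata version" choice in the EC2 - The Servers section above, the following Python program is an added example and is not part of the original workshop page. It stands up a local stand-in for the EC2 instance metadata service (the real one answers only at http://169.254.169.254 from inside an instance) so the exchange can be run offline, then shows what a bare GET, which is all most SSRF bugs can make, gets back under each console setting, and walks through the proper IMDSv2 exchange (PUT for a session token, GET with the token header). The CFAppRole path reuses the role name from this workshop; the token and credential values are constructed, and the mock reproduces only token issuance and the 401 that IMDSv2 returns for token-less requests.

```python
"""IMDSv1 vs IMDSv2 ("token optional" vs "token required") demonstrated against a local mock."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
CRED_PATH = "/latest/meta-data/iam/security-credentials/CFAppRole"  # role name from the workshop
FAKE_TOKEN = "AQAAA-constructed-session-token"                       # constructed value
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "constructed",
              "Token": "constructed"}                                # constructed values
OPENER = build_opener(ProxyHandler({}))  # ignore any http_proxy env var for the loopback mock


class MockImds(BaseHTTPRequestHandler):
    """PUT /latest/api/token issues a session token; GET on the credential path serves it.
    With tokens_required=True (console: "V2 only (token required)") a GET without a valid
    token is refused with 401, as the real IMDSv2 does."""
    tokens_required = True

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        if self.path == "/latest/api/token" and self.headers.get(TTL_HEADER):
            self._reply(200, FAKE_TOKEN)
        else:
            self._reply(400, "bad request")

    def do_GET(self):
        if self.path != CRED_PATH:
            self._reply(404, "not found")
        elif self.tokens_required and self.headers.get(TOKEN_HEADER) != FAKE_TOKEN:
            self._reply(401, "unauthorized")       # IMDSv1-style request rejected
        else:
            self._reply(200, json.dumps(FAKE_CREDS))

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock(tokens_required):
    """Serve the mock on a free loopback port in a daemon thread; return its base URL."""
    handler = type("Handler", (MockImds,), {"tokens_required": tokens_required})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def fetch_v1(base):
    """A bare GET for the role credentials (what an SSRF can do). Returns the HTTP status."""
    try:
        with OPENER.open(Request(base + CRED_PATH), timeout=5) as r:
            return r.status
    except HTTPError as e:
        return e.code


def fetch_v2(base):
    """The IMDSv2 exchange: PUT for a token, then GET with the token header."""
    req = Request(base + "/latest/api/token", method="PUT", headers={TTL_HEADER: "21600"})
    with OPENER.open(req, timeout=5) as r:
        token = r.read().decode()
    with OPENER.open(Request(base + CRED_PATH, headers={TOKEN_HEADER: token}), timeout=5) as r:
        return r.status, json.loads(r.read())["AccessKeyId"]


def compare_settings():
    """Status of a token-less GET under each of the two console options."""
    return {
        "V1 and V2 (token optional)": fetch_v1(start_mock(tokens_required=False)),
        "V2 only (token required)": fetch_v1(start_mock(tokens_required=True)),
    }


if __name__ == "__main__":
    print(compare_settings())            # {'V1 and V2 (token optional)': 200, 'V2 only (token required)': 401}
    print(fetch_v2(start_mock(True)))    # (200, 'ASIAEXAMPLE'): the SDK path still works with tokens required
```

Run on an actual instance, fetch_v1("http://169.254.169.254") returning 200 is the quick check that IMDSv1 is still reachable and the metadata options should be tightened; the AWS SDKs already perform the fetch_v2 exchange themselves, so requiring tokens does not break them.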
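For the VPC Flow Logs item in the Advanced Topics section above, this added Python example (not from the original page) parses records in the default flow-log format and applies the two detections that item mentions: a server in the VPC sending an unusually large volume to one outside host (exfiltration), and an outside host whose connections the security group rejects on many different ports (scanning a compromised or exposed server). The records are constructed, not captured from a real account; the VPC CIDR 10.20.0.0/16 and both thresholds are assumptions to tune for a real environment.

```python
"""Exfiltration and port-scan signals from VPC Flow Log records (default format, version 2)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.20.0.0/16")  # assumed CIDR of the workshop VPC
EXFIL_BYTES = 50_000_000               # assumed threshold: 50 MB accepted egress to one external host
SCAN_PORTS = 10                        # assumed threshold: rejected hits on at least 10 distinct ports

# Field order of the default flow-log record format, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: two normal replies from the app server (10.20.1.15) to ALB nodes,
# the same server pushing a lot of data to an outside host on 443, one legitimate database
# connection, an outside host probing many ports and being rejected, and one NODATA interval.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.20.1.15 10.20.0.42 443 61432 6 20 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.1.15 10.20.0.43 443 61433 6 18 7200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.1.15 203.0.113.9 50001 443 6 40000 60000000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.1.15 203.0.113.9 50002 443 6 3000 4000000 1700000160 1700000220 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.1.15 10.20.2.30 49152 3306 6 500 250000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40001 22 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40002 23 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40003 80 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40004 135 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40005 445 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40006 1433 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40007 3306 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40008 3389 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40009 5900 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40010 8080 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.15 40011 8443 6 1 60 1700000200 1700000260 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000260 1700000320 - NODATA
"""


def parse(text):
    """Yield one dict per usable record; NODATA/SKIPDATA lines carry no addresses and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def exfil_candidates(records):
    """Accepted bytes from a VPC address to each non-VPC destination; keep totals over the threshold."""
    totals = defaultdict(int)
    for r in records:
        src, dst = ip_address(r["srcaddr"]), ip_address(r["dstaddr"])
        if r["action"] == "ACCEPT" and src in VPC_CIDR and dst not in VPC_CIDR:
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return {pair: total for pair, total in totals.items() if total >= EXFIL_BYTES}


def scan_candidates(records):
    """External sources whose REJECTed connections touched many distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and ip_address(r["srcaddr"]) not in VPC_CIDR:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= SCAN_PORTS}


def analyze(text):
    """Run both detections over a flow-log text and report how many records were usable."""
    records = list(parse(text))
    return {"records": len(records),
            "exfil": exfil_candidates(records),
            "scan": scan_candidates(records)}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(name, value)
```

The same functions work on the text of a CloudWatch Logs export or an S3 flow-log object in the default format; for a custom format, change FIELDS to the field order you selected when enabling the flow log.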
Port 443
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 64208
Connection: keep-alive
Date: Thu, 12 Feb 2026 17:25:31 GMT
Last-Modified: Tue, 23 Sep 2025 15:46:25 GMT
ETag: ac3f2d9b2919b3fd955c8b7945c8b659
x-amz-server-side-encryption: AES256
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Hit from cloudfront
Via: 1.1 bc4e0a32a1893d7693b91555def3133e.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: HIO52-P4
X-Amz-Cf-Id: Duow4niTvEIGW_SAbyvH5mtXqIvA6wn_vskep4Dn_2NH279lTvYKfQ
Age: 1
(Body identical to the Port 80 response: same Content-Length and ETag.)
br> img srcimages/image09.jpg>br>br> h3>Price Estimator/h3> p>Here is an estimator put together with some guesses at usage so you can understand the costs of deploying this guide.br> a classblue hrefhttps://calculator.aws/#/estimate?id90879c8c3537795dae500a0ad1177758e01ae1f1>https://calculator.aws/#/estimate?id90879c8c3537795dae500a0ad1177758e01ae1f1/a>br> Note, this does not include the AWS Marketplace fees for licensing ColdFusion. The ColdFusion license will equate to approximately $360 per server and you will only pay for it while the server is running. /p> /div> div idpage1a classpages styledisplay:none> h3>Identity and Access/h3> ol> li>b>Intro to Root user vs IAM Users/b> p> Root users log in with email addresses, IAM users log in with account number and usernames. br> Root accounts should only be used during initial setup, signup of support services, and emergency situations. /p> /li> li>b>Add MFA To Root/b>br> img srcimages/image01.jpg> p> On your root user My security credentials page, under Multi-factor authentication (MFA), choose Assign MFA device. br>br> On the MFA device name page, enter a Device name, choose Passkey or Security Key, and then choose Next. br>br> On Set up device, set up your passkey. Create a passkey with biometric data like your face or fingerprint, with a device pin, or by inserting the FIDO security key into your computers USB port and tapping it. br>br> Follow the instructions on your browser to choose a passkey provider or where you want to store your passkey to use across your devices. br>br> Choose Continue. /p> /li> li>b>Intro to IAM Identity Center, Control Tower, and Organizations/b> ol> li>See a classblue hrefhttps://jumpcloud.com/blog/aws-iam-vs-aws-sso>this blog entry/a> for overview/li> img srcimages/aws-iam-sso-4.webp>br>br> We are skipping creation of Identity Center since that requires an Organization to be set up. 
However, without setting up the IAM Identity Center, you will not be able to configure the VPN service as documented in this workshop. /ol> /li> li>b>Create IAM Administrator/b>br> img srcimages/image03.jpg>br>br> img srcimages/image04.jpg> p> Go to IAM -> Users and add a user. Be sure to click the box to enable the user access to the AWS management console. br> Attach IAM policy directly and select the AdministratorAccess policy. This will give full admin rights to this user. /p> /li> li>b>Enable IAM to Access Billing/b>br> p>Before logging out of the Root account, be sure to allow IAM users access to the billing section of AWS./p> img srcimages/image02.jpg> p>Click Edit by IAM user and role access to Billing information and enable the access./p> /li> li>b>Log in with IAM Administrator/b>br> img srcimages/image05.jpg> p>Within the IAM Dashboard, you will see a sign-in URL you can use to log in with your IAM user. Proceed to that URL and log in./p> /li> /ol> /div> div idbudgets classpages styledisplay:none> ol> li>b>Budget Alarms/b>br> Under Billing and Cost Management Budgets, click “Create budget”.br> Select “Monthly cost budget”, give it a name you would recognize if you receive this alarm, set an amount for the trigger, and enter in your email addresses to send the alarm.br> AWS will email you up to 3 times: if AWS determines you are trending higher than the defined amount, once you reach 85% of the alarm amount, and once you pass the alarm amount.br> img srcimages/image91.jpg>br> /li> li>b>Bills and Cost Explorer/b> p>Visit Billing and Cost Management and discuss viewing your Bills and Cost Explorer/p> /li> li>b>Introduction to Regions and Availability Zones/b> p>34 Regions, 108 Availability Zonesbr> AWS has the concept of a Region, which is a physical location around the world where they cluster data centers. Each group of logical data centers are called an Availability Zone. 
Each AWS Region consists of a minimum of three, isolated, and physically separate AZs within a geographic area. Unlike other cloud providers, who often define a region as a single data center, the multiple AZ design of every AWS Region offers advantages for customers. Each AZ has independent power, cooling, and physical security and is connected via redundant, ultra-low-latency networks. AWS customers focused on high availability can design their applications to run in multiple AZs to achieve even greater fault-tolerance. /p> img srcimages/regions.png>br>br> img srcimages/az.png> /li> li>b>Choose Region/b>br> p>The first major step when setting up your AWS account infrastructure, you need to select a region. Choose a region that works for your application./p> img srcimages/image06.jpg> /li> /ol> /div> div idpage2 classpages styledisplay:none> h3>Creating Workshop Static Website/h3> In this example, we are: ol> li>Registering a new domain called cfquickstart.com in Route 53/li> li>Creating a Certificate Manager (ACM) certificate to support HTTPS/li> li>Creating an S3 bucket to store the website files/li> li>Creating a CloudFront distribution for the website hosting and configuring it with the ACM certificate and S3 bucket./li> li>Updating Route 53 to point cfquickstart.com and www.cfquickstart.com to the new CloudFront distribution./li> /ol> br> ***Even though you may not have a static website to host, the Route 53 domain zone setup and Certificate Manager will be used later in the workshop.*** ol> li>b>Register Domain Name (Option 1)/b>br> img srcimages/image07.jpg>br>br> img srcimages/image08.jpg>br>br> Select the domain name and checkout. Fill out the contact information and requisite questions and submit. 
br>br> /li> li>b>Transfer Domain to AWS (Option 2)/b>br> Alternatively, if you already have a domain name and want to transfer it to Route 53, follow these steps.br> Create Hosted Zone in Route53.br> img srcimages/image10.jpg>br> After the Hosted Zone is created, take the Name servers given by AWS and update your registrars (Godaddy, Network Solutions, etc) name servers accordingly. Please make sure to add your DNS records accordingly before transferring to AWS Route 53. br> img srcimages/image11.jpg> br>br> /li> li>b>Create ACM Certificate/b>br> Within Certificate Manager, select Request certificate.br> img srcimages/image12.jpg>br> Select public certificate and click Next.br> img srcimages/image13.jpg>br> Enter your domain names (remember, *.cfquickstart.com will not work with the domain apex cfquickstart.com - so both will be needed to support apex and subdomains). Choose DNS Validation (what were using) or Email validation; whichever you can use to validate ownership of the domain. Click Request. 
br> img srcimages/image14.jpg>br> Once the Certificate is created, click the button “Create records in Route 53” and let it validate for you; or manually enter the provided CNAMEs in your DNS zone.br> img srcimages/image15.jpg>br> Hosting static website on S3 and CloudFront getting started documentation:br> a classblue hrefhttps://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.SimpleDistribution.html>https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.SimpleDistribution.html/a> br>br> /li> li>b>Create S3 Bucket/b>br> Under Amazon S3, click Create bucket and come up with a unique name for your bucket and leave all other options default while creatingbr> img srcimages/image16.jpg> br>br> /li> li>b>Create CloudFront Distribution/b>br> img srcimages/image17.jpg>br> During Creation: ol> li>Select your S3 bucket as the Origin domain/li> li>Select Origin Access Control/li> li>Create new OAC (accept defaults)/li> /ol> img srcimages/image18.jpg>br> In the S3 Bucket settings, Permissions tab, Click Edit to edit the Bucket Policy. Paste the copied policy from the CloudFront distribution and click Save changes.br> img srcimages/image19.jpg>br> Return to the CloudFront browser tab and continue setting up the distribution. 
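The bucket policy that step pastes is what keeps the bucket private: it grants read access to the CloudFront service principal only, pinned to one distribution. The following is an added example (not the workshop's own code) that builds a policy of that shape and checks an existing policy for the two things that matter: no anonymous read, and a SourceArn pin. The bucket name, account id and distribution id are placeholders.

```python
import json


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Bucket policy of the shape CloudFront shows you after creating an Origin Access
    Control: only the CloudFront service principal may read objects, and only while
    serving this one distribution (the AWS:SourceArn condition). S3 Block Public
    Access can stay on, because no anonymous principal is granted anything."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_statements(policy: dict) -> list:
    """Sids of unconditional Allow statements that let anyone fetch objects: the old
    'public static-website bucket' pattern that the OAC policy replaces."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        reads = any(a in ("s3:GetObject", "s3:*", "*") for a in _as_list(st.get("Action", [])))
        if (st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal"))
                and reads and not st.get("Condition")):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def is_scoped_to_distribution(policy: dict, distribution_arn: str) -> bool:
    """True only if every Allow statement is for cloudfront.amazonaws.com and is pinned
    to distribution_arn. Without the SourceArn condition, any CloudFront distribution
    in any AWS account could use this bucket as its origin."""
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allows:
        return False
    for st in allows:
        principal = st.get("Principal")
        if not isinstance(principal, dict) or principal.get("Service") != "cloudfront.amazonaws.com":
            return False
        equals = st.get("Condition", {}).get("StringEquals", {})
        # condition keys are case-insensitive in IAM, so normalise before comparing
        pinned = {k.lower(): v for k, v in equals.items()}.get("aws:sourcearn")
        if pinned != distribution_arn:
            return False
    return True


# Constructed sample: the legacy public-read policy, for comparison. Bucket name,
# account id and distribution id used here are placeholders, not the workshop's values.
LEGACY_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-workshop-site-bucket/*"}],
}

if __name__ == "__main__":
    oac = oac_bucket_policy("my-workshop-site-bucket", "123456789012", "E1EXAMPLEDIST")
    arn = "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLEDIST"
    print(json.dumps(oac, indent=2))
    print("legacy policy public-read statements:", public_read_statements(LEGACY_PUBLIC_POLICY))
    print("OAC policy public-read statements:", public_read_statements(oac))
    print("OAC policy pinned to distribution:", is_scoped_to_distribution(oac, arn))
```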
   Choose not to enable WAF.
   Further down the form, add your domain name(s) in the Alternate domain name (CNAME) field and select your ACM certificate.
6. Update Route 53 DNS entries to point the website to the new CloudFront distribution
   In Route 53, for the hosted zone, click Create record.
   Switch the entry to use an Alias and leave the Record type as an A record.
   Click Choose endpoint and select Alias to CloudFront distribution.
   Then select your CloudFront distribution.
   Click "Add another record" and repeat the steps for www.cfquickstart.com, then click Create records.
   You're done! This has created a new static website on a new domain.

AWS Marketplace
Visit the Adobe ColdFusion 2023 Release listing: https://aws.amazon.com/marketplace/pp/prodview-ypcpaeaaxltu6
Click Continue to Subscribe.
Then review the Terms and Conditions and click Accept Terms if they are acceptable to you.
This enables you to pay as you go for ColdFusion licensing.

CloudTrail
CloudTrail provides an audit log of every access or change within AWS, whether it happens in the AWS Console, the CLI, or an API call.
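Once the trail is flowing into CloudWatch Logs, the first thing worth alerting on is the root user being used at all (the page's rule: setup and emergencies only) and console sign-ins without MFA. The block below is an added example, not part of the workshop: it carries the CIS Benchmark metric-filter pattern for root usage, mirrors it in Python, and runs both rules over a constructed CloudTrail log body (account id, user name and IP addresses are placeholders).

```python
import json

# CloudWatch Logs metric-filter pattern from the CIS AWS Foundations Benchmark
# "root account usage" control; it belongs on the log group this trail writes to.
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def is_root_usage(rec: dict) -> bool:
    """Python mirror of ROOT_USAGE_FILTER_PATTERN: someone acting as root, excluding
    AWS services that act on the account's behalf (invokedBy / AwsServiceEvent)."""
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(rec: dict) -> bool:
    """A successful console sign-in whose record does not say MFA was used."""
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")


RULES = (("root-usage", is_root_usage),
         ("console-login-no-mfa", is_console_login_without_mfa))


def triage(trail_json: str) -> list:
    """One finding per record that trips a rule, in the order the records arrive."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        reasons = [name for name, rule in RULES if rule(rec)]
        if reasons:
            ident = rec.get("userIdentity", {})
            findings.append({
                "time": rec.get("eventTime"),
                "who": ident.get("userName") or ident.get("arn"),
                "event": rec.get("eventName"),
                "source_ip": rec.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


# Constructed sample log, shaped like a CloudTrail log-file body. Account id, user
# name and IP addresses are placeholders, not values from the workshop.
_ROOT = {"type": "Root", "principalId": "123456789012", "accountId": "123456789012",
         "arn": "arn:aws:iam::123456789012:root"}
_ADMIN = {"type": "IAMUser", "userName": "workshop-admin",
          "arn": "arn:aws:iam::123456789012:user/workshop-admin"}
SAMPLE_TRAIL = json.dumps({"Records": [
    # root signing in to the console, with MFA: still worth a ticket after initial setup
    {"userIdentity": _ROOT, "eventTime": "2025-01-10T08:00:00Z", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    # the IAM administrator signing in without MFA
    {"userIdentity": _ADMIN, "eventTime": "2025-01-10T08:05:00Z", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.11", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # ordinary administrator activity: not flagged
    {"userIdentity": _ADMIN, "eventTime": "2025-01-10T08:07:00Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.11"},
    # root creating an IAM user from an unfamiliar address
    {"userIdentity": _ROOT, "eventTime": "2025-01-11T02:13:00Z", "eventType": "AwsApiCall",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7"},
    # an AWS service acting as root on the account's behalf: excluded by the pattern
    {"userIdentity": {**_ROOT, "invokedBy": "AWS Internal"}, "eventTime": "2025-01-11T03:00:00Z",
     "eventType": "AwsServiceEvent", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateServiceLinkedRole", "sourceIPAddress": "AWS Internal"},
]})

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRAIL):
        print(finding)
```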
Sending the CloudTrail logs to CloudWatch and S3 helps you maintain control over retaining this information.
Visit AWS CloudTrail and click Create a trail.
Give your trail a useful name and click Create trail.
Click into your new trail and click Edit on the CloudWatch Logs section.
Enable CloudWatch Logs, create a new Log Group, and give the log group a useful name. Leave IAM role as New, give the role a useful name, and click Save changes.

Session Manager Overview
- Remote connect (Session Manager): Quickly and securely access your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
- Resource grouping (Resource Groups): Make sense of your AWS footprint by grouping your resources into applications.
- Running tasks on grouped resources (Automation): Use built-in automations or build your own to accomplish complex operational tasks at scale.
- Remote execution (Run Command): Safe and secure remote execution across instances at scale without SSH or PowerShell.
- Parameter Store: Centralized hierarchical store for managing secrets or plain-text data.
- OS patch management (Patch Manager): Simplify your operating system patching process for Windows and Linux.

VPC (Network) Setup
1. Delete the default VPC
   Under VPC, select the default VPC, select the Delete action, and proceed to delete the VPC and its included resources.
2. Choose your CIDR address range for your network
   Use tools like www.subnet-calculator.com (https://www.subnet-calculator.com) for help with ranges.
   We will use 10.0.0.0/16 for the VPC network and 10.0.###.0/24 for each subnet.
   10.0.0.0/16 is the range 10.0.0.0-10.0.255.255
   10.0.1.0/24 is the range 10.0.1.0-10.0.1.255
3. Create the VPC
   Here is the final goal for the VPC we will be creating, including the breakdown of AZs, subnets, and CIDRs.
   Under VPC, click Create VPC.
   Select "VPC only" to be able to manually build every component. Optionally, you can use "VPC and more" to set up most of the network components in one step automatically.
   Submit the Create VPC form after entering the VPC Name and CIDR.
   After the VPC is created, edit the VPC settings, make sure DNS resolution and DNS hostnames are enabled, and click Save. Both of these are required for you to use RDS and other services.
4. Create the Subnets
   Under VPC -> Subnets, click Create subnet.
   Select your VPC, give the subnet a useful name (like "Public a", naming whether the subnet is public or private and the AZ it will reside in), select an Availability Zone, and enter the subnet's CIDR block.
   Repeat the settings for the rest of the subnets:
   Public b, us-east-1b, 10.0.1.0/24
   Private App a, us-east-1a, 10.0.100.0/24
   Private App b, us-east-1b, 10.0.101.0/24
   Private DB a, us-east-1a, 10.0.200.0/24
   Private DB b, us-east-1b, 10.0.201.0/24
   In the end, it should look like the subnet list shown in the workshop screenshot.
5. Internet Gateway
   Under VPC -> Internet gateways, click Create internet gateway.
   Give it a name and click Create internet gateway.
   After the Internet Gateway is created, select the gateway and select Actions -> Attach to VPC.
   Select your VPC and click Attach internet gateway.
6. NAT Gateways
   We will be routing traffic based on the workshop's routing diagram.
   Under VPC -> NAT gateways, click "Create NAT gateway".
   Give it a name (like "NAT a", with the "a" designating the AZ) and select your public subnet in AZ a. Click Allocate Elastic IP, then click "Create NAT gateway".
   Repeat for the AZ b public subnet.
7. Network Routes
   Under VPC -> Route tables, rename the provided route table to "Public Route".
   Edit the routes for "Public Route". Add a 0.0.0.0/0 destination route and target it at "Internet Gateway".
   Select your Internet Gateway and click Save changes.
   Create another route table called "Private NAT a", edit the routes, add a 0.0.0.0/0 destination route, target it at "NAT Gateway", select your "NAT a" NAT Gateway, and click Save.
   Repeat for "Private NAT b" with "NAT b".
   Create another route table, "Private Only", with no routes other than the default local route.
   Click into "Private NAT a" and open the "Subnet associations" tab. Click "Edit subnet associations", select "Private App a", and click "Save associations".
   Repeat for "Private NAT b" with "Private App b".
   Repeat for "Private Only" with "Private DB a" and "Private DB b".

Security Groups
1. Define your Security Group goals
   Only allow network traffic that is required for your systems to operate.
2. Design Security Groups with as many references as possible
   Security group rules can refer to other security groups by reference. Use this feature where possible.
3. Create primary security groups
   Under EC2 -> Security Groups, click "Create security group".
   Add a name and description, select your VPC, define your inbound rules, and click "Create security group" for each security group.
   a. Load Balancer
      Inbound traffic from anywhere on HTTPS/port 443.
   b. VPN Client
      No inbound rules are needed; this group exists so other groups can reference it as a source.
   c. CF Application Server
      Allow inbound traffic from the LoadBalancer security group on HTTP/port 80. Start typing the LoadBalancer name in the "Source" field and select the associated security group.
      Add another inbound rule for TCP port 8500 from the VPN Client security group. This will allow you to connect to the CF Admin while connected over VPN (assuming you permitted 10.255.*.* as a permitted connection within the CF Admin). Add any other ports you need to use while connected over VPN (RDP, SSH, HTTP, etc.).
   d. Database Server
      Add two inbound rules for MySQL/Aurora, one for CFApp and another for VPN Client. This will allow the CF App servers and VPN connections to connect to the database.

Create VPN
1. Prep VPN Authentication in IAM Identity Center
   Create an Application in IAM Identity Center, following these instructions:
   https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/
   Complete the "To create the VPN client SAML application" section and do not proceed past "To create the VPN client self-service SAML application".
   It's buried in the instructions, but be sure to download the IAM Identity Center SAML metadata file during the application creation process.
2. Add IAM Identity Provider
   In the AWS account in which you are creating the Client VPN Endpoint, go to IAM -> Identity Providers and click "Add provider".
   Give the provider a name and choose the SAML metadata file you downloaded in the previous step.
3. Client VPN Endpoint
   Under VPC -> Client VPN endpoints, click "Create client VPN endpoint".
   Choose a Client IPv4 CIDR within the range of your VPC, but not used by one of your subnets.
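The addressing plan (CIDR section), the security-group design (Security Groups section) and the client VPN pool above are the kind of thing worth checking before anything is clicked. The block below is an added example, not part of the workshop: it encodes the page's subnets and group rules and flags overlaps, tiers that are not spread across two AZs, a client pool that collides with the network, and any group rule that opens a port to an IP range instead of referencing another group. The "Public a" subnet address is an assumption (the page shows it only in a screenshot).

```python
import ipaddress

# Addressing plan from the workshop. "Public a" is an assumption (the page shows it
# only in a screenshot); every other value is taken from the text.
VPC_CIDR = "10.0.0.0/16"
CLIENT_VPN_CIDR = "10.255.0.0/16"
SUBNETS = {
    "Public a":      ("us-east-1a", "10.0.0.0/24"),   # assumed
    "Public b":      ("us-east-1b", "10.0.1.0/24"),
    "Private App a": ("us-east-1a", "10.0.100.0/24"),
    "Private App b": ("us-east-1b", "10.0.101.0/24"),
    "Private DB a":  ("us-east-1a", "10.0.200.0/24"),
    "Private DB b":  ("us-east-1b", "10.0.201.0/24"),
}

# Security-group design from the page as (protocol, port, source). A source that names
# another group is an SG reference; anything else is an IP range. 3306 is the port the
# console's "MySQL/Aurora" rule type expands to.
SG_RULES = {
    "LoadBalancer": [("tcp", 443, "0.0.0.0/0")],
    "VPNClient":    [],
    "CFApp":        [("tcp", 80, "LoadBalancer"), ("tcp", 8500, "VPNClient")],
    "Database":     [("tcp", 3306, "CFApp"), ("tcp", 3306, "VPNClient")],
}


def subnet_plan_problems(vpc_cidr=VPC_CIDR, subnets=SUBNETS):
    """Every subnet must lie inside the VPC, no two may overlap, and each tier (the
    name minus its AZ letter) must exist in at least two AZs, which both the ALB and
    the Aurora replica created later in the workshop require."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (_, cidr) in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    tiers = {}
    for name, (az, _) in subnets.items():
        tiers.setdefault(name.rsplit(" ", 1)[0], set()).add(az)
    for tier, azs in tiers.items():
        if len(azs) < 2:
            problems.append(f"tier {tier!r} is only in {sorted(azs)}; it needs two AZs")
    return problems


def client_vpn_cidr_problems(client_cidr=CLIENT_VPN_CIDR, vpc_cidr=VPC_CIDR, subnets=SUBNETS):
    """The client address pool must not collide with any subnet (the page's rule). The
    Client VPN service additionally rejects a pool that overlaps the VPC CIDR and
    requires a block between /12 and /22 in size."""
    client = ipaddress.ip_network(client_cidr)
    problems = []
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"client CIDR {client} must be between /12 and /22")
    if client.overlaps(ipaddress.ip_network(vpc_cidr)):
        problems.append(f"client CIDR {client} overlaps VPC {vpc_cidr}")
    for name, (_, cidr) in subnets.items():
        if client.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"client CIDR {client} overlaps subnet {name} {cidr}")
    return problems


def sg_design_problems(rules=SG_RULES, internet_allowed=(("LoadBalancer", 443),)):
    """Flag rules that reference a group that does not exist, and rules whose source
    is an IP range rather than a group reference unless that (group, port) pair is
    allow-listed. With the page's design only the ALB's HTTPS listener faces the
    internet, so the default arguments produce no findings."""
    problems = []
    for sg, sg_rules in rules.items():
        for proto, port, source in sg_rules:
            if source in rules:
                continue  # group reference: follows membership, survives IP changes
            try:
                net = ipaddress.ip_network(source)
            except ValueError:
                problems.append(f"{sg}: {proto}/{port} references unknown group {source!r}")
                continue
            if (sg, port) not in internet_allowed:
                problems.append(f"{sg}: {proto}/{port} is open to {net} instead of a group reference")
    return problems


if __name__ == "__main__":
    for check in (subnet_plan_problems, client_vpn_cidr_problems, sg_design_problems):
        print(check.__name__, check() or "ok")
```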
   We are using 10.255.0.0/16.
   Choose Federated authentication and select the AWSSSO option you created earlier in the IAM IdP.
   Enable split-tunnel if you don't want all user traffic to route through the Client VPN endpoint.
4. Associate VPN Within the Network
   In your new Client VPN Endpoint, under the "Target network associations" tab, click "Associate target network".
5. Set Up Client
   In your new Client VPN Endpoint, click "Download client configuration".
6. Install AWS VPN Client
   https://aws.amazon.com/vpn/client-vpn-download/
   Open the AWS VPN Client application. Under File -> Manage Profiles, click "Add Profile".
   Give the profile the name "myVPN" and select the VPN client configuration file you just downloaded.
   Test VPN Connection
   Select the VPN profile myVPN and click Connect. This will open your browser to the IAM Identity Center login page. If it does not open your browser and gets stuck in an endless Connect/Disconnect loop, your Client VPN may still be associating with the network.

Create IAM Instance Role
Your CF App Server needs AWS permissions to talk to AWS services for SSM connectivity, log reporting, etc. This permission is defined by the role you assign to the EC2 instance.
Under IAM -> Roles, click "Create role".
Select the "AWS service" trusted entity type and the "EC2 Role for AWS Systems Manager" use case, click "Next", and "Next".
Give the role a useful name like "CFAppRole" and click "Create role".

Create Keypair
Key pairs are the security credentials that permit you to either access your servers or retrieve their passwords.
Under EC2 -> Key Pairs, click "Create key pair" and give the key pair a name.
For Windows servers: select RSA as the type and choose .pem for the format.
For Linux servers: select RSA or ED25519 as the type (some newer Linux builds, such as Amazon Linux 2023, require ED25519 key pairs for SSH connectivity) and choose .pem or .ppk based on your needs (you can use tools to generate the other format).
Click "Create key pair".
This will immediately download the key pair file. Keep this file in a safe place, as you will use it later.

EC2 - The Servers
Launch EC2 Instance
Under AWS Marketplace -> Manage Subscriptions, click "Launch" on the Adobe ColdFusion (2023 Release) Windows listing.
Make sure the region is correct and click "Continue to launch through EC2".
On the Launch an instance page, set the following:
1. Give the instance a useful name.
2. If you want to stay under the AWS Free Tier, keep the Instance Type t2.micro. For the server to be usable, change the Instance Type to t3a.large. For a thorough breakdown of instance types and their prices, please visit https://instances.vantage.sh/
3. Choose the key pair you created earlier.
4. Click Edit on the Network settings section.
   - Select Subnet "Private App a"
   - Select the existing security group CFApp
5. Under Advanced Details:
   - Change the IAM instance profile to the IAM role we created earlier
   - Change the Metadata version to "V1 and V2 (token optional)"
6. Click "Launch instance".
   (Optional) Repeat for the second instance and place it in "Private App b".

RDS - The Database
Launch Database
1. Under RDS -> Subnet groups, click "Create DB subnet group". Give it a useful name, choose your VPC, AZs 1a and 1b, and select your private DB subnets (it's easiest to identify them by IP CIDR). Click "Create".
2. Under RDS, click "Create database".
3. Select the Aurora MySQL engine type.
4. Name the DB cluster, change the credentials to "Self managed", and check "Auto generate password".
5. Choose burstable classes and select the t3.medium or t4g.medium type. Make sure an Aurora Replica will be created.
6. Select the DB subnet group we created previously. Select "Choose existing" security group and select the Database security group we created previously.
7. Uncheck DevOps Guru and Enhanced Monitoring.
8. Click "Create database".
Once the database is created, you will be given a hostname each for the writer and reader instances. You will use this hostname to configure your datasource in ColdFusion.

Deleting the RDS Cluster
When you are ready to delete the RDS cluster, you need to modify the cluster, disable "Deletion protection", and apply the change immediately. Once you do that, delete each individual instance. Once all instances are deleted, you can delete the cluster.

Load Balancer
Example components of the ALB: see the workshop diagram.
Create Target Group
Under EC2 -> Target Groups, click "Create target group".
Choose the "Instances" type.
Give the target group a useful name.
Protocol : Port should be HTTP 80 or HTTPS 443. This is the port on which your server is listening (regardless of how the end user will connect).
Choose a health check protocol and path that make sense for your application. We'll leave them as HTTP and / respectively.
Click Next.
Check the instances you want to add to this target group and click "Include as pending below".
Click "Create target group".
Create ALB
Under EC2 -> Load Balancers, click "Create load balancer".
Create an "Application Load Balancer".
Give the load balancer a useful name.
Select your VPC and your AZs and choose your public subnets in each.
Choose the LoadBalancer security group we created previously.
Make sure your listener is using HTTPS : 443 and select the target group we created previously.
Select "From ACM" for the server certificate and select your ACM certificate from earlier.
Check "Include WAF security protections behind the load balancer".
Click "Create load balancer".

DNS
Configure the DNS for ALB
Under Route 53 -> Hosted Zones, click on your hosted zone and click "Create record".
Enter www (or whatever you want) as the subdomain, enable the Alias toggle, set "Route traffic to" to "Alias to Application and Classic Load Balancer", choose your Region, and select your ALB from the dropdown menu.
Click "Create records".
With a Route 53 alias, you can even point the domain apex (e.g. cfquickstart.com without any subdomain) to your load balancer. Normally this would require an IP address due to DNS standards.

Final Network Diagram
See the workshop's final network diagram.

Administration
1. Quotas
   If you run into service limits as you start consuming more AWS services, you may be hitting a usage restriction that can be increased.
   Visit "Service Quotas".
   For example, drilling into the EC2 quotas and filtering for "demand", we can see the vCPU usage we are utilizing and how much we are limited to. On this page, you can select and request an increase in your service limits if they are Adjustable.
2. SSM Connection Demonstration
   Under EC2 -> Instances, click on your instance, then click "Connect" (or right-click and click "Connect").
   On the first tab ("Session Manager"), if you click Connect you will open a new browser window with access to PowerShell (Windows) or a shell (Linux).
   On the second tab shown ("RDP Client"), this is where you can retrieve the generated password for Windows.
   You can click to download an RDP shortcut file that will assist you in opening an RDP connection to the server. If you click "Get password", you will be able to upload the key pair .pem file that you downloaded earlier and click "Decrypt password" to retrieve the password.
   Alternatively, you can click the "Connect using Fleet Manager" option, then click "Fleet Manager Remote Desktop".
   Then you can select Authentication type "Key pair", upload your PEM file, and click "Connect".
   At this point, you connect to your server's desktop through your web browser.
3. AWS Config
   Visit AWS Config and either manually "Set up AWS Config" or click "1-click setup". This will monitor your AWS resources and log how configurations change over time.
4. GuardDuty
   Visit GuardDuty and get started with all features to enable it. This uses ML to identify suspicious activity within your account and alert you accordingly.
5. Detective
   Visit Detective and click "Get started" to enable it. This collects log data from AWS resources and applies ML and other tools to help you investigate root causes of security issues or suspicious activities.
6. CloudWatch
   Visit CloudWatch to view your logs, see your AWS service metrics, and set alarms.
7. Security Hub
   Visit Security Hub to configure automated security checks to identify and remediate security issues.

Advanced Topics
Below is a sample of the advanced topics. A list of other topics can be found on the agenda.
1. AWS Inspector
   Vulnerability management by continually scanning your instances through agent or agentless methods.
2. DHCP Option Sets
   Under VPC, you can create a custom DHCP Option Set to assign to your VPC. This lets you override various settings on resources running in your VPC, including the unqualified domain lookup value (e.g. a setting of company.local as the domain name means that if you ping "theServerName", it'll automatically look up the DNS entry for theservername.company.local), the NTP (time sync) servers, the DNS server, and more.
3. VPC Peering
   VPC Peering allows you to connect a pair of VPCs either within the same AWS account or with an external AWS account. Peering is free, and charges only apply for data transfer on peerings that cross AZs and Regions. CIDR blocks cannot overlap between VPCs, and network traffic is not transitive (it cannot hop across more than one peering connection).
4. VPC Flow Logs
   Each VPC has the option to enable flow logs. This logs the network packet communications handled by your VPC. VPC flow logs can generate a lot of log records, but they are a useful tool for understanding traffic flow, server compromise traffic, and data exfiltration.

Glossary
AWS Certificate Manager (ACM): AWS Certificate Manager is a web service for provisioning, managing, and deploying Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services.
Amazon Machine Image (AMI): An Amazon Machine Image (AMI) is an encrypted machine image stored in Amazon EBS or Amazon S3. AMIs function similarly to a template of a computer's root drive. They contain the operating system and can also include software and layers of your application, such as database servers, middleware, and web servers.
Amazon Resource Name (ARN): Amazon Resource Name is a standardized way to refer to an AWS resource (for example, arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob).
Aurora: Amazon Aurora is a fully managed MySQL-compatible relational database engine that combines the speed and availability of commercial databases with the simplicity and cost-effectiveness of open-source databases.
Auto Scaling: AWS Auto Scaling is a fully managed service that you can use to quickly discover the scalable AWS resources that are part of your application and to configure dynamic scaling.
Auto Scaling group (ASG): A representation of multiple EC2 instances that share similar characteristics, and that are treated as a logical grouping for the purposes of instance scaling and management.
Availability Zone (AZ): A distinct location within a Region that's insulated from failures in other Availability Zones, and provides inexpensive, low-latency network connectivity to other Availability Zones in the same Region.
Backup: AWS Backup is a managed backup service that you can use to centralize and automate the backup of data across AWS services in the cloud and on premises.
Billing and Cost Management: AWS Billing and Cost Management is the AWS Cloud computing model where you pay for services on demand and use as much or as little as you need. While resources are active under your account, you pay for the cost of allocating those resources. You also pay for any incidental usage associated with those resources, such as data transfer or allocated storage.
CIDR block: Classless Inter-Domain Routing. An internet protocol address allocation and route aggregation methodology.
CloudFormation: AWS CloudFormation is a service for writing or changing templates that create and delete related AWS resources together as a unit.
CloudFront: Amazon CloudFront is an AWS content delivery service that helps you improve the performance, reliability, and availability of your websites and applications.
CloudTrail: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements that the AWS service returns.
CloudWatch: Amazon CloudWatch is a web service that you can use to monitor and manage various metrics, and configure alarm actions based on data from those metrics.
CloudWatch Logs: Amazon CloudWatch Logs is a web service for monitoring and troubleshooting your systems and applications from your existing system, application, and custom log files. You can send your existing log files to CloudWatch Logs and monitor these logs in near-real time.
Command Line Interface (CLI): AWS Command Line Interface is a unified downloadable and configurable tool for managing AWS services.
Control multiple AWS services from the command line and automate them through scripts./li>li>b>Config/b>br>AWS Config is a fully managed service that provides an AWS resource inventory, configuration history, and configuration change notifications for better security and governance. You can create rules that automatically check the configuration of AWS resources that AWS Config records./li>li>b>Control Tower/b>br>AWS Control Tower is a service used to set up and govern a secure, multi-account AWS environment./li>li>b>DB parameter group/b>br>A container for database engine parameter values that apply to one or more DB instances./li>li>b>Detective/b>br>Amazon Detective is a service that collects log data from your AWS resources to analyze and identify the root cause of security findings or suspicious activities. The Detective behavior graph provides visualizations to help you to determine the nature and extent of possible security issues and conduct an efficient investigation./li>li>b>Directory Service/b>br>AWS Directory Service is a managed service for connecting your AWS resources to an existing on-premises Microsoft Active Directory or to set up and operate a new, standalone directory in the AWS Cloud./li>li>b>Database Migration Service (DMS)/b>br>AWS Database Migration Service is a web service that can help you migrate data to and from many widely used commercial and open-source databases./li>li>b>Elastic Block Store (EBS)/b>br>Amazon Elastic Block Store is a service that provides block level storage volumes or use with EC2 instances./li>li>b>Elastic Load Balancing (ELB)/b>br>Elastic Load Balancing is a web service that improves an applications availability by distributing incoming traffic between two or more EC2 instances. 
There are four types of ELB services – Classic Load Balancer, Application Load Balancer (ALB), Network Load Balancer (NLB), and Gateway Load Balancer (GLB)./li>li>b>Elastic Compute Cloud (EC2)/b>br>Amazon Elastic Compute Cloud is a web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers. /li>li>b>Elastic IP address (EIP)/b>br>A fixed (static) IP address that you have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with your account, not a specific instance. They are elastic because you can easily allocate, attach, detach, and free them as your needs change. Unlike traditional static IP addresses, Elastic IP addresses allow you to mask instance or Availability Zone failures by rapidly remapping your public IP addresses to another instance./li>li>b>Elastic Network Interface (ENI)/b>br>An elastic network interface is additional network interface that can be attached to an instance. Elastic network interfaces include a primary private IP address, one or more secondary private IP addresses, an Elastic IP Address (optional), a MAC address, membership in specified security groups, a description, and a source/destination check flag. You can create an elastic network interface, attach it to an instance, detach it from an instance, and attach it to another instance. /li>li>b>ElastiCache/b>br>Amazon ElastiCache is a web service that simplifies deploying, operating, and scaling an in-memory cache in the cloud (Redis, Memcached). The service improves the performance of web applications by providing information retrieval from fast, managed, in-memory caches, instead of relying entirely on slower disk-based databases./li>li>b>EventBridge/b>br>Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources and routes that data to targets such as AWS Lambda. 
You can set up routing rules to determine where to send your data to build application architectures that react in real time to all of your data sources./li>li>b>GovCloud/b>br>AWS GovCloud (US) is an isolated AWS Region that hosts sensitive workloads in the cloud, ensuring that this work meets the US governments regulatory and compliance requirements. The AWS GovCloud (US) Region adheres to United States International Traffic in Arms Regulations (ITAR), Federal Risk and Authorization Management Program (FedRAMP) requirements, Department of Defense (DOD) Cloud Security Requirements Guide (SRG) Levels 2 and 4, and Criminal Justice Information Services (CJIS) Security Policy requirements./li>li>b>GuardDuty/b>br>Amazon GuardDuty is a continuous security monitoring service. Amazon GuardDuty can help to identify unexpected and potentially unauthorized or malicious activity in your AWS environment./li>li>b>Identity and Access Management (IAM)/b>br>AWS Identity and Access Management is a web service that Amazon Web Services (AWS) customers can use to manage users and user permissions within AWS./li>li>b>IAM Identity Center/b>br>AWS IAM Identity Center is a cloud-based service that brings together administration of users and their access to AWS accounts and cloud applications. You can control single sign-on access and user permissions across all your AWS accounts in AWS Organizations./li>li>b>Instance Type/b>br>A specification that defines the memory, CPU, storage capacity, and usage cost for an instance. Some instance types are for standard applications, whereas others are for CPU-intensive, memory-intensive applications. /li>li>b>Internet Gateway/b>br>Connects a network to the internet. You can route traffic for IP addresses outside your Amazon VPC to the internet gateway. 
/li>li>b>Key Management Service (KMS)/b>br>AWS Key Management Service is a managed service that simplifies the creation and control of encryption keys that are used to encrypt data./li>li>b>Key Pair/b>br>A set of security credentials that you use to prove your identity electronically. A key pair consists of a private key and a public key./li>li>b>AWS Management Console/b>br>AWS Management Console is a graphical interface to manage compute, storage, and other cloud resources./li>li>b>AWS Marketplace/b>br>AWS Marketplace is a web portal where qualified partners market and sell their software to AWS customers. AWS Marketplace is an online software store that helps customers find, buy, and immediately start using the software and services that run on AWS./li>li>b>Multi-AZ deployment/b>br>A primary DB instance that has a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to the standby replica./li>li>b>Multi-Factor Authentication (MFA)/b>br>An optional AWS account security feature. After you enable AWS MFA, you must provide a six-digit, single-use code in addition to your sign-in credentials whenever you access secure AWS webpages or the AWS Management Console. You get this single-use code from an authentication device that you keep in your physical possession./li>li>b>NAT gateway/b>br>A Network Address Translation (NAT) device, managed by AWS, that performs network address translation in a private subnet, to secure inbound internet traffic. A NAT gateway uses both NAT and port address translation./li>li>b>Network ACL/b>br>An optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. 
You can associate multiple subnets with a single network ACL, but a subnet can be associated with only one network ACL at a time./li>li>b>Organizations/b>br>AWS Organizations is an account management service that you can use to consolidate multiple AWS accounts into an organization that you create and centrally manage. /li>li>b>Relational Database Service (RDS)/b>br>Amazon Relational Database Service is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks./li>li>b>Redis/b>br>A fast, open-source, in-memory key-value data structure store. Redis comes with a set of versatile in-memory data structures with which you can easily create a variety of custom applications./li>li>b>Region/b>br>A named set of AWS resources thats in the same geographical area. A Region is comprised of at least three Availability Zones. AWS Regions are divided into partitions. AWS commercial Regions are in the AWS partition, China Regions are in the AWS-cn partition, and AWS GovCloud (US) Regions are in the AWS-us-gov partition./li>li>b>Reserved Instance/b>br>A pricing option for EC2 instances that discounts the on-demand usage charge for instances that meet the specified parameters. Customers pay for the entire term of the instance, regardless of how they use it./li>li>b>Route 53/b>br>Amazon Route 53 is a web service that you can use to create a new DNS service or to migrate your existing DNS service to the cloud./li>li>b>Route Table/b>br>A set of routing rules that controls the traffic leaving any subnet thats associated with the route table. You can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time./li>li>b>Simple Storage Service (S3)/b>br>Amazon S3 is storage for the internet. 
You can use it to store and retrieve any amount of data at any time, from anywhere on the web./li>li>b>Security Group/b>br>A named set of allowed inbound network connections for an instance. (Security groups in Amazon VPC also include support for outbound connections.) Each security group consists of a list of protocols, ports, and IP address ranges. A security group can apply to multiple instances, and multiple groups can regulate a single instance. /li>li>b>Security Hub/b>br>AWS Security Hub is a service that provides a comprehensive view of the security state of your AWS resources. Security Hub collects security data from AWS accounts and services and helps you analyze your security trends to identify and prioritize the security issues across your AWS environment./li>li>b>Service Quotas/b>br>A service for viewing and managing your quotas easily and at scale as your AWS workloads grow. Quotas, also referred to as limits, are the maximum number of resources that you can create in an AWS account./li>li>b>Service Role/b>br>An IAM role that grants permissions to an AWS service so it can access AWS resources. The policies that you attach to the service role determine which AWS resources the service can access and what it can do with those resources./li>li>b>Simple Email Service (SES)/b>br>Amazon Simple Email Service is a simple and cost-effective email solution for applications. /li>li>b>Shield/b>br>AWS Shield is a service that helps to protect your resources—such as Amazon EC2 instances, Elastic Load Balancing load balancers, Amazon CloudFront distributions, and Route 53 hosted zones—against DDoS attacks. AWS Shield is automatically included at no extra cost beyond what you already pay for AWS WAF and your other AWS services. For added protection against DDoS attacks, AWS offers AWS Shield Advanced. 
/li>li>b>Simple Notification Service (SNS)/b>br>Amazon Simple Notification Service is a web service that applications, users, and devices can use to instantly send and receive notifications from the cloud./li>li>b>Systems Manager (SSM)/b>br>AWS Systems Manager is the operations hub for AWS and hybrid cloud environments that can help achieve secure operations at scale. It provides a unified user interface for users to view operations data from multiple AWS services and automate tasks across their AWS resources./li>li>b>Trusted Advisor/b>br>AWS Trusted Advisor is a web service that inspects your AWS environment and makes recommendations for saving money, improving system availability and performance, and helping to close security gaps./li>li>b>Virtual Private Cloud (VPC)/b>br>Amazon Virtual Private Cloud is a web service for provisioning a logically isolated section of the AWS Cloud virtual network that you define. You control your virtual networking environment by selecting your own IP address range, creating subnets and configuring route tables and network gateways./li>li>b>VPC endpoint/b>br>A feature that you can use to create a private connection between your Amazon VPC and another AWS service without requiring access over the internet, through a NAT instance, a VPN connection, or Direct Connect. /li>li>b>Virtual Private Network (VPN)/b>br>AWS Virtual Private Network provides functionality that establishes encrypted connections between your network or device, and AWS. AWS VPN is comprised of two services: AWS Client VPN and AWS Site-to-Site VPN./li>li>b>Web Application Firewall (WAF)/b>br>AWS WAF is a web application firewall service that controls access to content by allowing or blocking web requests based on criteria that you specify. For example, you can filter access based on the header values or the IP addresses that the requests originate from. 
AWS WAF helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources./li>li>b>WorkSpaces/b>br>Amazon WorkSpaces is a managed, secure desktop computing service for provisioning cloud-based desktops and providing users access to documents, applications, and resources from supported devices./li>/ul> /div> /div> /div> script srcjs/jquery.min.js>/script> script srcjs/popper.js>/script> script srcjs/bootstrap.min.js>/script> script srcjs/main.js>/script> script> $(document).ready(function(){ $(.navitem).click(function(){ $(li).removeClass(active); $(this).parent().addClass(active); }); $(.homeSubmenu).click(function(){ $(.pages).hide(); $(#home).show(); }); $(.gettingStarted).click(function(){ $(.pages).hide(); $(#page1).show(); }); $(.budgets).click(function(){ $(.pages).hide(); $(#budgets).show(); }); $(.workshop).click(function(){ $(.pages).hide(); $(#page2).show(); }); $(.aws).click(function(){ $(.pages).hide(); $(#page3).show(); }); $(.cloudtrail).click(function(){ $(.pages).hide(); $(#page4).show(); }); $(.ssm).click(function(){ $(.pages).hide(); $(#ssm).show(); }); $(.glossary).click(function(){ $(.pages).hide(); $(#glossary).show(); }); $(.iaas).click(function(){ $(.pages).hide(); $(#page5).show(); }); $(.priceestimator).click(function(){ $(.pages).hide(); $(#page1a).show(); }); $(.security).click(function(){ $(.pages).hide(); $(#page6).show(); }); $(.vpn).click(function(){ $(.pages).hide(); $(#page7).show(); }); $(.iam).click(function(){ $(.pages).hide(); $(#page8).show(); }); $(.keypair).click(function(){ $(.pages).hide(); $(#page9).show(); }); $(.ec2).click(function(){ $(.pages).hide(); $(#page10).show(); }); $(.rds).click(function(){ $(.pages).hide(); $(#page11).show(); }); $(.loadbalancer).click(function(){ $(.pages).hide(); $(#page12).show(); }); $(.dns).click(function(){ $(.pages).hide(); $(#page13).show(); }); $(.final).click(function(){ $(.pages).hide(); 
$(#page14).show(); }); $(.administration).click(function(){ $(.pages).hide(); $(#page15).show(); }); $(.advanced).click(function(){ $(.pages).hide(); $(#page16).show(); }); }); /script> /body>/html>
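The VPC Flow Logs topic under Advanced Topics says flow logs help you spot traffic from a compromised server and data exfiltration, but the page does not show what a record looks like or how such signals are derived from it. The following is an added example, not code from the workshop: it parses records in the default flow-log field layout and pulls out three simple indicators (an external source being rejected on several ports, an internal host pushing a large volume to an external address, and accepted inbound connections on ports outside an allow-list). The sample records, account and ENI identifiers, thresholds and the TCP/443-only allow-list are all constructed for illustration.

```python
"""Triage of VPC Flow Log records.

Added example for the VPC Flow Logs topic; it is not part of the workshop.
It parses records in the default flow-log format,

  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status

and derives three signals the topic calls out: probing of closed ports
(many REJECTs from one external source), possible data exfiltration (large
outbound volume from an internal host to an external address) and inbound
connections accepted on ports that should not be exposed. The records,
thresholds and allow-list below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Address space treated as "inside": RFC 1918, link-local (metadata service) and loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "169.254.0.0/16", "127.0.0.0/8")]

# Constructed sample (hypothetical account, ENI and addresses): 10.0.1.10 is a
# web server that should only accept TCP/443 from the internet.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51234 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40003 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40004 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.0.2.44 49152 4444 6 900000 120000000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49153 5432 6 300 45000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 50000 8080 6 5 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - 0 0 1700000000 1700000060 - NODATA
"""


def parse_records(text):
    """Yield one dict per well-formed record; NODATA/SKIPDATA lines carry no flow."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def rejected_ports_by_source(records, min_ports=3):
    """External sources REJECTed on at least min_ports distinct ports: port probing."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and not is_internal(r["srcaddr"]):
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def outbound_bytes_to_external(records, threshold=50_000_000):
    """Internal hosts that sent more than threshold bytes to one external address:port."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT" and is_internal(r["srcaddr"]) and not is_internal(r["dstaddr"]):
            totals[(r["srcaddr"], r["dstaddr"], r["dstport"])] += r["bytes"]
    return {k: v for k, v in totals.items() if v > threshold}


def unexpected_inbound(records, allowed_ports=frozenset({443})):
    """ACCEPTed flows from external addresses to internal ports outside the allow-list."""
    hits = set()
    for r in records:
        if (r["action"] == "ACCEPT" and not is_internal(r["srcaddr"])
                and is_internal(r["dstaddr"]) and r["dstport"] not in allowed_ports):
            hits.add((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return sorted(hits)


def triage(text):
    recs = list(parse_records(text))
    return {
        "scanners": rejected_ports_by_source(recs),
        "exfil": outbound_bytes_to_external(recs),
        "unexpected_inbound": unexpected_inbound(recs),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, value)
```

Two details matter when adapting this to real logs. The "internal" check is deliberately a fixed list of RFC 1918 and link-local ranges rather than Python's `is_private`, which also classifies the documentation ranges used in the sample as private; use the VPC's own CIDRs if you have them. And a REJECT only tells you a security group or network ACL denied the flow, so an ACCEPT on an unexpected port (the 8080 case) is the row worth investigating first, since it means the exposure is real.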
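The VPC Peering topic states two rules that are easy to get wrong when designing a multi-VPC layout: peered CIDR blocks must not overlap, and peering is not transitive. The block below is an added example, not part of the workshop, that checks a set of requested peerings against those rules and lists the route-table entries each VPC needs for its direct peers. The VPC IDs and CIDR blocks are hypothetical, and the `reachable_if_transitive` helper exists only to contrast the wrong mental model with the real one.

```python
"""VPC peering checks.

Added example for the VPC Peering topic; it is not part of the workshop.
It models the two constraints the topic states (peered CIDR blocks must be
disjoint; peering is non-transitive) and derives the route-table rows each
VPC needs for its direct peers. VPC IDs and CIDRs are hypothetical.
"""
import ipaddress
from collections import defaultdict

VPCS = {
    "vpc-app":    "10.0.0.0/16",
    "vpc-shared": "10.1.0.0/16",
    "vpc-data":   "10.2.0.0/16",
    "vpc-clash":  "10.0.128.0/17",   # sits inside vpc-app's block
}

REQUESTED_PEERINGS = [
    ("vpc-app", "vpc-shared"),
    ("vpc-shared", "vpc-data"),
    ("vpc-app", "vpc-clash"),        # must be refused: overlapping CIDRs
]


def peering_allowed(vpcs, a, b):
    """(ok, reason): a peering is valid only between distinct VPCs with disjoint CIDRs."""
    if a == b:
        return False, "a VPC cannot peer with itself"
    na, nb = ipaddress.ip_network(vpcs[a]), ipaddress.ip_network(vpcs[b])
    if na.overlaps(nb):
        return False, f"{vpcs[a]} overlaps {vpcs[b]}"
    return True, "ok"


def build_peerings(vpcs, requested):
    """Keep the valid pairs as an undirected adjacency; report the refused ones."""
    adj = defaultdict(set)
    rejected = {}
    for a, b in requested:
        ok, why = peering_allowed(vpcs, a, b)
        if ok:
            adj[a].add(b)
            adj[b].add(a)
        else:
            rejected[(a, b)] = why
    return adj, rejected


def reachable(adj, src, dst):
    """Peering is non-transitive: only a direct peering gives a path."""
    return dst in adj.get(src, set())


def reachable_if_transitive(adj, src, dst):
    """The wrong assumption, for contrast: reachability over any number of hops."""
    seen, stack = set(), [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj.get(node, set()))
    return False


def route_entries(vpcs, adj, vpc):
    """Route-table rows a VPC needs: (destination CIDR, peer) for each direct peer."""
    return sorted((vpcs[p], p) for p in adj.get(vpc, set()))


if __name__ == "__main__":
    adj, rejected = build_peerings(VPCS, REQUESTED_PEERINGS)
    print("refused:", rejected)
    print("vpc-app -> vpc-data reachable:", reachable(adj, "vpc-app", "vpc-data"))
    print("vpc-app routes:", route_entries(VPCS, adj, "vpc-app"))
```

With the sample above, vpc-app and vpc-data are each peered with vpc-shared, yet no traffic can flow between them; if they need to talk, a third peering (and route entries on both sides) is required, and the security groups on the instances still have to allow the peer's CIDR.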