DEV Community

Sunbeom Kweon (Ben)

[AWS Experiment] 3 - Confusing Concepts in AWS

There are many confusing concepts among AWS services. Today I am going to introduce some services that are similar but have significantly different usages. They can be confusing because of their names, because of their functionality, or both. Everything here is just based on my own experience.

1. EC2 Instance Profile vs EC2 Meta Data vs EC2 User Data

  • EC2 Instance Profiles allow you to attach an IAM role to an EC2 instance. An EC2 instance cannot be assigned a role directly, but it can be assigned an instance profile, which contains a role. More

  • Instance Meta Data is data about your instance that you can use to configure or manage the running instance. More 1 More 2

  • Instance User Data is used to bootstrap your EC2 instances using a bash script. This script can contain commands such as installing software/packages, downloading files from the Internet, or anything else you want.

2. Read Replicas vs Multi AZ

  • Both are data replication systems, but their usages are a little different.

  • Read Replicas are used to make sure that users can read data from another Region or AZ fast (high availability). The replication process is asynchronous, so users reading their data from a Read Replica might get old data before it has been synced.

  • On the other hand, Multi AZ is more like a disaster recovery plan. The replication process is synchronous, so there can be a little more latency, but it assures you have exactly the same data even if your master DB is destroyed or becomes unavailable for some reason.

  • More 1, More 2

3. Policies vs Roles

  • When I first started to use AWS services, especially EC2, the most confusing thing was the difference between roles and policies.
  • Policies: When you attach a policy to a user or group of users, it allows or denies those users permission to perform the specified tasks on the specified resources.
  • Roles: You can delegate permission to make API requests using IAM roles without creating and distributing your AWS credentials. Basically, a role is a set of policies. More
  • It sounds clear enough not to get confused, but because there are many pre-made roles managed by AWS, it is easy for beginners to get confused about which one is which.

4. IAM:PassRole vs STS:AssumeRole

  • When you "attach" a role to an AWS service, you are actually "passing" the role to that service.

  • By giving a role or user the IAM:PassRole permission, you are saying "this entity (principal) is allowed to assign AWS roles to resources and services in this account".

  • You can limit which roles a user or service can pass to others by specifying the role ARN(s) in the Resource field of the policy that grants them IAM:PassRole. More
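To make the Resource restriction concrete, here is an added example (not code from the original post): a small, simplified Python evaluator that checks whether an identity policy lets a principal pass a given role to a service. The two policies, the account ID 123456789012 and the role names are constructed for illustration; the weak policy grants iam:PassRole on "*", the scoped one names a single role and restricts it with the iam:PassedToService condition key.

```python
import fnmatch

# Constructed policies (not from the original post); account ID and role names are made up.
# Weak form: iam:PassRole on "*" lets the principal hand ANY role in the account to EC2.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}

# Scoped form: only one role may be passed, and only to the EC2 service.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/WebServerRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
]}


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def allows_pass_role(policy, role_arn, service):
    """True if `policy` lets the principal pass `role_arn` to `service`.

    Simplified evaluator: an explicit Deny wins, otherwise any matching Allow
    grants. Only the StringEquals / iam:PassedToService condition is modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], "iam:PassRole"):
            continue
        if not _matches(stmt.get("Resource", []), role_arn):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if wanted is not None and service not in _as_list(wanted):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running the same role and service through both policies shows why the "*" form is the one to look for in a review: it passes an admin role just as happily as the intended web server role.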

5. Read Capacity Units(RCU) vs Write Capacity Units(WCU) (not confusing but important)

  • RCU and WCU are among the most important concepts when it comes to DynamoDB.

  • These two units are used to set the capacity of provisioned DynamoDB databases.

6. Network ACLs(NACL) vs NAT

  • Names are confusing but they do very different things.

7. Security Groups vs AWS Network Firewall

  • Security Groups (SG) can already control traffic. Then why do we need AWS Network Firewall? What is the difference between the two?

  • AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs).

  • In short, an SG controls traffic going to EC2 instances and other services, while AWS Network Firewall is a dedicated service for VPC networking.

8. EC2 Instance Store

  • The name sounds confusing, but it is just a type of EC2 volume (not EBS, though).
  • EC2 Instance Store is disk that is physically attached to the virtualization host. This is the closest (lowest latency) storage available to your instance (other than RAM). More
  • Instance Store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content. I personally got confused between Instance Store and cache, since it sounds like they do pretty much the same thing.
  • You can specify instance store volumes for an instance only when you launch it.
  • In short, EC2 Instance Store is fast disk, but it does not guarantee the data's persistence. More

9. How can I find an ARN of single EC2 instance?

  • Most AWS services display each resource's ARN in their consoles. But on the EC2 console, there is no ARN specifically mentioned.

  • Basically, we have to build it ourselves. You can find the Instance ID on the EC2 console.

arn:aws:ec2:<REGION>:<ACCOUNT_ID>:instance/<INSTANCE_ID>
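Since the ARN has to be assembled by hand, here is an added example (not code from the original post) that builds it from the three values the console shows and validates each part first, then parses an ARN back into its components so a mistyped account ID or instance ID is caught instead of silently producing an ARN that matches nothing in a policy. The format checks (Region pattern, 12-digit account ID, "i-" plus 8 or 17 hex characters) and the sample values are assumptions for this example.

```python
import re

# Simplified formats (assumptions for this example): a Region such as us-east-1,
# a 12-digit account ID, and an instance ID of "i-" plus 8 or 17 hex characters.
_REGION = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
_ACCOUNT = re.compile(r"^\d{12}$")
_INSTANCE = re.compile(r"^i-[0-9a-f]{8}([0-9a-f]{9})?$")


def build_instance_arn(region, account_id, instance_id, partition="aws"):
    """Build arn:<partition>:ec2:<REGION>:<ACCOUNT_ID>:instance/<INSTANCE_ID>,
    refusing parts that do not look like what the console shows."""
    if not _REGION.match(region):
        raise ValueError(f"bad region: {region!r}")
    if not _ACCOUNT.match(account_id):
        raise ValueError(f"bad account id: {account_id!r}")
    if not _INSTANCE.match(instance_id):
        raise ValueError(f"bad instance id: {instance_id!r}")
    return f"arn:{partition}:ec2:{region}:{account_id}:instance/{instance_id}"


def parse_instance_arn(arn):
    """Split an EC2 instance ARN back into its parts, or raise ValueError."""
    parts = arn.split(":", 5)  # at most 6 fields; the resource part may contain ':'
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "ec2":
        raise ValueError(f"not an EC2 ARN: {arn!r}")
    _, partition, _, region, account_id, resource = parts
    rtype, _, rid = resource.partition("/")
    if rtype != "instance" or not _INSTANCE.match(rid):
        raise ValueError(f"not an instance ARN: {arn!r}")
    if not _REGION.match(region) or not _ACCOUNT.match(account_id):
        raise ValueError(f"malformed region or account in: {arn!r}")
    return {"partition": partition, "region": region,
            "account_id": account_id, "instance_id": rid}
```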

10. Services that use their own policy rules (Resource-Based-Policies)

  • Most AWS services get their permissions from the roles attached to them. But some services have their own policies in addition to their attached roles. More
  • S3: S3 Bucket Policy
  • Lambda: Lambda Resource Based Policies
  • SNS: SNS Access Policy (Roles cannot be attached)
  • SQS: SQS Access Policy (Roles cannot be attached)
  • VPC Endpoint: VPC Endpoint Policy
  • KMS: Key Policy
