#Security
4 posts
-
CloudFront CDN in Practice (3) — Private Content, Edge Logic, Security, Monitoring
Protect private content with Signed URLs/cookies, run edge logic with CloudFront Functions vs Lambda@Edge, harden security with a custom domain (ACM), S3 OAC, and WAF, and monitor with cache hit ratio, CloudWatch, and logs plus cost optimization — advanced CloudFront operations
-
Understanding AWS Credential Federation — How IAM, STS, and OIDC Actually Fit Together
A foundational guide for engineers who followed a GitHub Actions OIDC tutorial but still aren't sure what STS really is, why it has no console page, what 'federation' actually means, or why the trust policy's sub condition matters so much. Covers IAM/STS/OIDC mechanics in depth, plus SAML, IAM Identity Center, and EKS IRSA as variants of the same pattern.
-
AWS Private EC2 Operations Guide Part 3: Connecting Without Bastion via SSM Session Manager — IAM Role, VPC Endpoint, and Port Forwarding
How to land a shell on a Private EC2 without ever opening port 22. The mechanics of SSM Session Manager (the agent polls AWS), the three prerequisites (Agent / IAM / network path), the cost trade-off between NAT Gateway and VPC Endpoints, and the port-forwarding pattern that securely reaches RDS without a VPN.
-
AWS Bastion Host Setup Guide
A complete guide to configuring SSH access to Private EC2 instances through a Bastion Host