What is VPC?

What is Subnet?

VPC Subnet high availability

What is Network Access Control List (NACLs)?

  • Requires minimal configuration
  • Encryption keys are managed by AWS
  • All you need to do is to upload your data and S3 will handle all other aspects
  • Allows S3 to use the Key Management Service to generate data encryption keys
  • Gives greater flexibility of key management: disable, rotate, and apply access controls to the CMK
  • Gives you the opportunity to provide your own Master keys
  • Your customer-provided key would be sent with your data to S3, where S3 would then perform…

  • Stores and generates encryption keys
  • Can be used by AWS to encrypt your data
  • Uses HSMs that are managed by AWS
  • Less management control than CloudHSM
Nadtakan Futhoem — Sr. Software Engineer

Customer Master Keys (CMK)

  • This key can encrypt data up to 4KB in size
  • It is typically used in relation to your DEKs
  • The CMK can generate, encrypt and decrypt this DEK
  • These are used by other AWS services that interact with KMS to encrypt data
  • They can only be used by the service that created them within a particular region
  • They are created the first time you implement encryption using that service
  • These provide the ability to implement greater flexibility
  • You can perform…

  • S3 may use the KMS to enable S3 to offer and perform server-side encryption using SSE-KMS
  • KMS contains the keys to decrypt your private data
  • Administrators at AWS don’t have access to your keys within KMS
  • All administrative actions require dual authentication by two Amazon administrators
  • It’s our responsibility to administer our own encryption keys
  • The KMS service is for encryption at rest
  • To encrypt data while in transit you would need to use a…

Relational Database Service (RDS)
  • During the creation of your RDS database, you may enable encryption at the Configure Advanced Settings screen
  • Keys can be issued by KMS using AES-256
  • It’s not possible to enable encryption after your database has been created. It has to be done during creation.

Encrypting an existing database

  • Create a snapshot of your unencrypted database
  • Create an encrypted copy of the snapshot
  • Use the encrypted snapshot to create a new database
  • Finally, your database…

  • You can encrypt at rest or in transit or both
  • They exist as a separate entity within EMR
  • By default, the instances within a cluster don’t encrypt data at rest
  • The instances within EMR are created from pre-configured AMIs (Amazon Machine Images)
  • You must use EMR version 5.7.0 or later to use custom AMIs and encrypt the root device volume for specific compliance reasons.

EMR encryption with EBS

  • Unencrypted data can be read by anyone who has access to it, whether this data is stored at rest or is in transit between two locations. It is known as plaintext or cleartext data.
  • The data is plain to see and can be seen and understood by any recipient. There is no problem with that as long as the data is not sensitive in any way and doesn’t need to be restricted.
  • However, on the other hand, if you do have data that is sensitive and you need to ensure the contents of this data are only viewable by a…


  • Pull service — message stays in the queue until it gets pulled
  • Standard Queues — Ordering is not guaranteed
  • FIFO Queues — messages are delivered in the right order, but might not be a good fit for high throughput


  • Push service — 1:M
  • Pub/Sub service
  • SMS — but does not support two-way messages and MMS
  • HTTP
  • SMTP
  • Mobile push
  • Time-sensitive update
  • Only supports integration with Standard Queues, NOT FIFO
  • Supports CloudTrail, CloudWatch
  • Common use case: Autoscaling sends another SNS to another application layer or another consumer
  • Notification monitoring
  • Workflow system
  • Publishing to many consumers
  • Supports high throughput


  • M:M — sending messages to…

DynamoDB v3 updateItem error
  1. Make sure your key format is correct by including the type of your key. For example: PK: { S: `USER#1234` }
  2. Make sure ExpressionAttributeValues also includes the type of each value. For example: ":title": { S: body.title }

Nadtakan Futhoem

Founder of Nadtakan.com & Serverless Cloud developer. Follow me on Twitter https://twitter.com/NadtakanF
