๐Ÿ›ก๏ธ Domain 1-2: Design Secure Workloads and Applications

✨ Core Topics

  • Design so that people, tools, and applications reach AWS services securely (least privilege on the network path as well as on identities)
  • VPC security architecture and network-layer security are the core of this domain

๐ŸŒ Amazon VPC Fundamentals

  • VPC types: Default VPC vs Custom VPC (their initial security posture differs: the default VPC already has public subnets and an internet gateway with a 0.0.0.0/0 route, while a custom VPC starts with no subnets and no internet route)
  • VPC scope: Regional service (spans every AZ in the Region)
  • Subnet: bound to a single AZ (= Zonal service)
  • Components
    • Security Group (SG): virtual firewall at the instance/ENI level; stateful, allow rules only, implicit deny for everything else
    • NACL (Network ACL): packet filter at the subnet level; stateless, numbered allow/deny rules evaluated in order, first match wins
    • Route Table: decides where each subnet's traffic goes (IGW, NAT, peering, TGW, endpoint)
    • NAT Gateway: outbound-only internet access for private subnets; it sits in a public subnet and performs source NAT, so hosts on the internet cannot open connections inward

๋„คํŠธ์›Œํฌ ์„ค๊ณ„ ๊ณ ๋ ค์‚ฌํ•ญ

  • Public Subnet ↔ Private Subnet ๊ตฌ๋ถ„
  • CIDR, ๋ผ์šฐํŒ…, ๋ณด์•ˆ ํ•„ํ„ฐ ์„ค๊ณ„
  • VPN, Direct Connect, Transit Gateway, VPC Peering, PrivateLink ํ™œ์šฉ

🔒 External Connectivity Security

  • VPN connections
    • Site-to-Site VPN: IPsec tunnels between an on-premises customer gateway and a Virtual Private Gateway or Transit Gateway
    • Client VPN: managed OpenVPN-based remote access for individual users and devices
  • Direct Connect: dedicated private line into AWS with stable bandwidth and latency; the link itself is not encrypted, so run a Site-to-Site VPN over it (or MACsec on supported connections) when encryption in transit is required
  • PrivateLink
    • Publishes a service behind a Network Load Balancer as an endpoint service; consumer VPCs reach it through an interface endpoint (an ENI with a private IP in their own subnet), with no internet exposure and no routes exchanged
    • More secure and easier to operate than VPC Peering for sharing a service: only the endpoint is reachable, traffic is one-way (consumer to provider), and overlapping CIDRs do not matter; peering exposes whole CIDR ranges in both directions, requires non-overlapping CIDRs, and is non-transitive
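The PrivateLink pattern above, as an added Terraform example (not code from the original post): the provider account publishes a service behind an internal NLB as an endpoint service and allows exactly one consumer account; the consumer creates an interface endpoint in its own subnet, reachable only from its app tier. A peering connection is shown for contrast. The internal NLB, the consumer VPC/subnet and the account ID are assumptions, and both sides are written in one file for readability; in practice each account applies its own half and the provider hands over the service name string.

```hcl
# Provider side (account A): expose a service behind an internal NLB with no IGW, peering or routes.
resource "aws_vpc_endpoint_service" "svc" {
  acceptance_required        = true                              # provider approves each consumer endpoint
  network_load_balancer_arns = [aws_lb.internal.arn]             # assumed: internal NLB in front of the service
  allowed_principals         = ["arn:aws:iam::222222222222:root"] # assumed consumer account; no one else can connect
}

# Consumer side (account B): an interface endpoint is an ENI with a private IP in the consumer's subnet.
# CIDR overlap with the provider VPC is irrelevant, and the provider can never initiate traffic back.
resource "aws_security_group" "endpoint" {
  name   = "svc-endpoint-sg"
  vpc_id = aws_vpc.consumer.id                                   # assumed consumer VPC
  ingress { # only the consumer's app subnet may talk to the endpoint
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_subnet.consumer_app.cidr_block]           # assumed consumer app subnet
  }
}
resource "aws_vpc_endpoint" "svc" {
  vpc_id              = aws_vpc.consumer.id
  service_name        = aws_vpc_endpoint_service.svc.service_name # in practice: string shared by the provider
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.consumer_app.id]
  security_group_ids  = [aws_security_group.endpoint.id]
  private_dns_enabled = false                                    # true only once the provider verified a private DNS name
}

# For contrast, peering exchanges whole CIDRs: every host in the provider VPC becomes routable.
resource "aws_vpc_peering_connection" "peer" {
  vpc_id      = aws_vpc.consumer.id
  peer_vpc_id = aws_vpc.provider.id                              # assumed provider VPC (same account/region here)
  auto_accept = true
}
resource "aws_route" "to_provider" {
  route_table_id            = aws_route_table.consumer_private.id # assumed consumer route table
  destination_cidr_block    = aws_vpc.provider.cidr_block         # the entire provider range, not one service
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
}
```

With PrivateLink the consumer's blast radius is one ENI guarded by one Security Group; with peering it is the provider's whole address space, which is why PrivateLink is the answer when one service must be offered to many VPCs or to other accounts.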

📂 Data Security & Personal Information (PII)

  • Amazon Macie: ML-based discovery of sensitive data (PII) in S3 and findings on buckets that expose it
  • Amazon Cognito: authentication and authorization for applications (User Pool = user directory and sign-in, Identity Pool = temporary AWS credentials for app users, Federation with SAML/OIDC/social IdPs)
  • Amazon GuardDuty: threat detection service that analyzes CloudTrail events, VPC Flow Logs, and DNS logs for malicious or anomalous activity

🔑 Application Security

  • Secrets management
    • AWS Secrets Manager: stores secrets and rotates credentials automatically through a Lambda rotation function; ready-made rotation for RDS, Redshift, and DocumentDB
    • SSM Parameter Store: hierarchical configuration values plus SecureString secrets encrypted with KMS; simpler and cheaper than Secrets Manager, but there is no built-in rotation
  • Firewall & protection services
    • AWS WAF: web ACLs attach to ALB, API Gateway, and CloudFront (also AppSync, Cognito user pools, App Runner); a web ACL for ALB/API Gateway is regional, while one for CloudFront must be created with scope CLOUDFRONT in us-east-1
    • AWS Shield:
      • Standard (free, always-on protection against common network- and transport-layer DDoS attacks)
      • Advanced (paid; enhanced detection and mitigation, DDoS cost protection, 24/7 access to the Shield Response Team, integrates with WAF rules)
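The Secrets Manager vs Parameter Store distinction in working configuration, as an added Terraform example (not code from the original post): a database secret with a 30-day rotation schedule next to a plain parameter and a SecureString parameter, and a least-privilege read policy for the application role. The KMS key, the rotation Lambda, the random_password resource, the sensitive variable, and the region/account in the ARN are assumptions.

```hcl
# Secrets Manager: a secret plus a rotation schedule. Rotation is performed by a Lambda function;
# AWS ships rotation functions for RDS/Redshift/DocumentDB, custom secrets need your own.
resource "aws_secretsmanager_secret" "db" {
  name       = "prod/app/db"
  kms_key_id = aws_kms_key.secrets.arn                   # assumed customer-managed KMS key
}
resource "aws_secretsmanager_secret_version" "db" {
  secret_id     = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({ username = "app", password = random_password.db.result }) # assumed random_password
}
resource "aws_secretsmanager_secret_rotation" "db" {
  secret_id           = aws_secretsmanager_secret.db.id
  rotation_lambda_arn = aws_lambda_function.rotate_db.arn # assumed rotation function
  rotation_rules {
    automatically_after_days = 30
  }
}

# Parameter Store: configuration and a SecureString. Cheaper and simpler, but nothing rotates it;
# a new value is written by a human or a pipeline.
resource "aws_ssm_parameter" "log_level" {
  name  = "/prod/app/log-level"
  type  = "String"
  value = "info"
}
resource "aws_ssm_parameter" "api_key" {
  name   = "/prod/app/third-party/api-key"
  type   = "SecureString"
  key_id = aws_kms_key.secrets.arn
  value  = var.third_party_api_key                         # assumed sensitive variable
}

# Least privilege for the app role: one secret, one parameter path, one key. No list/write actions.
data "aws_iam_policy_document" "app_read" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db.arn]
  }
  statement {
    actions   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = ["arn:aws:ssm:ap-northeast-2:111111111111:parameter/prod/app/*"] # assumed region/account
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn]
  }
}
```

Note that any secret value passed through Terraform (the secret_string and the SecureString value above) ends up in the state file, so the state backend must be encrypted and access-controlled; for RDS, letting the database manage its own master password in Secrets Manager (the aws_db_instance manage_master_user_password setting) avoids putting the value in state at all.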

🔍 Other Security Service Integrations

  • IAM Identity Center (SSO): central workforce sign-in and permission sets across accounts
  • AWS Systems Manager Parameter Store
  • Amazon CloudWatch & CloudTrail (monitoring and the API audit trail)

📌 Exam Prep Key Checks

  • VPC = Regional / Subnet = Zonal
  • SG vs NACL differences (stateful vs stateless; instance/ENI vs subnet scope; allow-only vs ordered allow/deny rules)
  • Private Subnet ↔ NAT GW (in a public subnet) ↔ Internet Gateway outbound path
  • PrivateLink vs VPC Peering → choose PrivateLink when one service must be exposed to many consumer VPCs or accounts
  • Macie → PII discovery and protection in S3
  • Cognito → Federation & User Pool
  • Secrets Manager vs Parameter Store differences (rotation, cost, database integration)
  • Remember where WAF can be deployed (ALB, API GW, CloudFront)
  • Shield Standard vs Shield Advanced differences

📊 Visualization Diagram

 
```mermaid
flowchart TD
    A["Secure Workloads & Applications"]
    A --> B[VPC Security]
    B --> B1[Default vs Custom VPC]
    B --> B2[SG / NACL / Route Tables]
    B --> B3["Subnet (Public vs Private)"]
    B --> B4["NAT GW, IGW"]
    A --> C[Secure Connections]
    C --> C1[Site-to-Site VPN]
    C --> C2[Client VPN]
    C --> C3[Direct Connect]
    C --> C4[PrivateLink]
    A --> D[Data Security]
    D --> D1[Amazon Macie - PII]
    D --> D2[Encryption / Keys]
    D --> D3["Backup & DR"]
    A --> E[App Security Services]
    E --> E1[Secrets Manager]
    E --> E2[Parameter Store]
    E --> E3[AWS WAF]
    E --> E4[AWS Shield]
    A --> F["Identity & Monitoring"]
    F --> F1[Amazon Cognito]
    F --> F2[IAM Identity Center]
    F --> F3[GuardDuty]
    F --> F4["CloudWatch & CloudTrail"]
```

✅ Summary

  • VPC security design is the core skill (SG, NACL, subnets, NAT, PrivateLink)
  • Know the data protection services (Macie, Cognito, GuardDuty, etc.)
  • Secrets management differences (Secrets Manager vs Parameter Store)
  • Network security (using VPN, Direct Connect, PrivateLink)
  • WAF/Shield characteristics and which services each can be deployed on
