tezvyn:

Cloud Platforms

AWS, Azure, GCP, serverless, managed services

Cloud Platforms · 30 sec read

Service Principal: Your App's Identity

A service principal is an application's identity inside one tenant or subscription: a "robot user" that can be assigned roles and granted permissions like any other principal. In Azure terms it is the local instance of a globally defined app registration; the registration is the blueprint, the service principal is what actually holds permissions in your tenant. CI/CD pipelines and other non-interactive workloads authenticate to cloud APIs this way. The footgun is a long-lived client secret stored in the pipeline; prefer short-lived federated credentials (OIDC workload identity) where the platform supports them, and scope the principal to the least privilege the job needs.

RBAC: Manage Permissions with Roles, Not Users

RBAC manages permissions by assigning principals to roles (e.g., "editor") and attaching permissions to the roles, not to individual users. That keeps large systems like Azure RBAC, GCP IAM or Kubernetes manageable: change the role once and every assignee is updated. The footgun is creating overly broad roles, or reaching for the built-in Owner/Contributor/admin roles out of convenience, which grants excessive, unintended access; review custom roles for wildcard actions and resources before assigning them.

Cloud Direct Connect: A Private Lane to the Cloud

Think of Direct Connect as a private fiber lane from your datacenter into the cloud, bypassing the public internet. It's for stable, high-bandwidth needs such as large recurring data transfers, where public internet performance is too unpredictable or policy forbids the public path. The caveat: private is not the same as encrypted. Direct Connect traffic is unencrypted by default, so run a site-to-site VPN over it, or use MACsec where the connection supports it, when the data demands encryption in transit.

VPC Peering: Connect Private Networks Securely

VPC peering connects two virtual networks so that instances in each can reach the other over private IPs, without traversing the public internet. Use it to reach databases, internal APIs or shared services across VPCs, accounts or regions. Three caveats: the two address ranges must not overlap, peering is not transitive (A-B and B-C do not give A-C; use a transit gateway for hub-and-spoke), and security groups and NACLs still apply, so add routes only for the subnets that actually need to talk.

Network ACLs: A Stateless Firewall for Subnets

A Network ACL (NACL) is a firewall at the subnet boundary that checks every packet as it enters or leaves. It's used for broad rules, such as blocking a malicious IP from every instance in the subnet, which is something security groups cannot express because they have no deny rules. Because a NACL is stateless, it does not remember that an inbound connection was allowed: the reply packets are checked against the outbound rules on their own, so you must explicitly allow the ephemeral port range (1024-65535) in the return direction. Rules are evaluated in numeric order and the first match wins, so a deny needs a lower number than the allow it is meant to override.
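
To make the stateless behaviour concrete, here is an added example (not code from the original page) that evaluates NACL rules the way the subnet does, lowest rule number first with an implicit deny at the end, and shows an HTTPS reply being dropped until the ephemeral port range is allowed outbound. The rule sets and IP addresses are constructed for illustration.

```python
"""Stateless NACL evaluation, an added example that is not from the original page.

A network ACL evaluates its rules in ascending rule-number order and applies the
first match; the implicit final rule denies everything else. Because it keeps no
connection state, the reply to an allowed inbound connection is checked against
the outbound rules as a brand-new packet. The rule sets below are constructed for
illustration, not a real account's configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int            # evaluation order (AWS accepts 1-32766)
    action: str            # "allow" or "deny"
    cidr: str              # peer address range the rule applies to
    port_from: int         # destination port range on the packet being checked
    port_to: int
    protocol: str = "tcp"  # "tcp", "udp" or "all"


def evaluate(rules, peer_ip, dst_port, protocol="tcp"):
    """Return (action, rule_number) for one packet in one direction.

    Lowest rule number wins; if nothing matches, the implicit deny applies and
    rule_number is None.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in (protocol, "all"):
            continue
        if ip_address(peer_ip) not in ip_network(rule.cidr):
            continue
        if not rule.port_from <= dst_port <= rule.port_to:
            continue
        return rule.action, rule.number
    return "deny", None


# Constructed subnet policy: serve HTTPS to the internet, drop one abusive host.
INBOUND = [
    NaclRule(90, "deny", "198.51.100.7/32", 0, 65535, "all"),  # deny must sort before the allow
    NaclRule(100, "allow", "0.0.0.0/0", 443, 443),
]

# First attempt at outbound rules: only lets the subnet reach HTTPS servers.
OUTBOUND_WRONG = [
    NaclRule(100, "allow", "0.0.0.0/0", 443, 443),
]

# The reply to an inbound HTTPS request leaves with destination port equal to the
# client's ephemeral source port, so that range must be allowed explicitly.
OUTBOUND_FIXED = OUTBOUND_WRONG + [
    NaclRule(110, "allow", "0.0.0.0/0", 1024, 65535),
]


def https_roundtrip(outbound_rules, client_ip="203.0.113.10", client_port=51515):
    """Simulate a client request and the server's reply through the NACL.

    Returns (inbound_action, outbound_action); a working service needs both "allow".
    """
    inbound_action, _ = evaluate(INBOUND, client_ip, 443)
    outbound_action, _ = evaluate(outbound_rules, client_ip, client_port)
    return inbound_action, outbound_action


if __name__ == "__main__":
    print("wrong outbound:", https_roundtrip(OUTBOUND_WRONG))      # ('allow', 'deny')
    print("fixed outbound:", https_roundtrip(OUTBOUND_FIXED))      # ('allow', 'allow')
    print("blocked host:", evaluate(INBOUND, "198.51.100.7", 443))  # ('deny', 90)
```

The first line of output shows ('allow', 'deny'): the request got in, the reply did not. The same evaluator shows why the deny for the abusive host carries rule number 90: numbered 200 it would never be reached, because rule 100 already allows that host on port 443.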

Content Delivery Network (CDN): Serving Content from the Edge

A CDN is like a global chain of convenience stores for your website's assets. It caches copies at edge locations close to users for faster delivery of images, CSS, JavaScript and video. The footgun: caching a per-user response and serving it to everyone, typically because the origin sent a public cache lifetime (Cache-Control: max-age) on a page that depends on a cookie or an Authorization header. Mark such responses Cache-Control: private or no-store, and make sure the CDN's cache key includes whatever the response varies on.
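
An added example, not from the original page, that applies the shared-cache storability rules a CDN edge follows (RFC 9111's no-store, private and Authorization rules, plus the common CDN practice of not caching cookie-setting responses) to a few constructed header sets. It shows the footgun from the text: a per-user page sent with a plain max-age is storable at the edge until it is marked private or no-store.

```python
"""Shared-cache safety check, an added example that is not from the original page.

A CDN edge is a shared cache: whatever it stores for one request is served to
every later request with the same cache key. The check below applies the core
RFC 9111 rules for storing a response in a shared cache and adds the common CDN
convention of refusing to cache anything that sets a cookie. All header sets
here are constructed for illustration.
"""


def parse_cache_control(value):
    """Turn 'public, max-age=60, s-maxage=300' into {'public': None, 'max-age': '60', ...}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name] = arg.strip('"') if arg else None
    return directives


def shared_cache_verdict(request_headers, response_headers):
    """Return (safe_to_store, reason) for a shared cache such as a CDN edge.

    Header names are matched case-insensitively.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))

    if "no-store" in cc:
        return False, "Cache-Control: no-store"
    if "private" in cc:
        return False, "Cache-Control: private"
    if "set-cookie" in resp and "public" not in cc:
        # Not an RFC rule, but a per-user cookie is a strong sign the body is per-user too.
        return False, "response sets a cookie and is not explicitly public"
    if "authorization" in req and not ({"public", "must-revalidate", "s-maxage"} & set(cc)):
        # RFC 9111 section 3.5: responses to authenticated requests need explicit
        # opt-in before a shared cache may store them.
        return False, "authenticated request without public/must-revalidate/s-maxage"
    return True, "storable in a shared cache"


# Constructed requests and responses.
ANON_REQUEST = {"Accept": "*/*"}
AUTHED_REQUEST = {"Authorization": "Bearer constructed-token"}

STATIC_ASSET = {"Cache-Control": "public, max-age=31536000", "Content-Type": "text/css"}
ACCOUNT_PAGE_FOOTGUN = {"Cache-Control": "max-age=300", "Set-Cookie": "session=abc123; HttpOnly"}
ACCOUNT_PAGE_FIXED = {"Cache-Control": "private, no-store", "Set-Cookie": "session=abc123; HttpOnly"}
API_DEFAULT = {"Cache-Control": "max-age=60"}
API_SHARED_OPT_IN = {"Cache-Control": "s-maxage=60"}


if __name__ == "__main__":
    for label, req, resp in [
        ("static asset", ANON_REQUEST, STATIC_ASSET),
        ("account page, footgun", ANON_REQUEST, ACCOUNT_PAGE_FOOTGUN),
        ("account page, fixed", ANON_REQUEST, ACCOUNT_PAGE_FIXED),
        ("authed API, default", AUTHED_REQUEST, API_DEFAULT),
        ("authed API, s-maxage", AUTHED_REQUEST, API_SHARED_OPT_IN),
    ]:
        print(f"{label}: {shared_cache_verdict(req, resp)}")
```

The "footgun" account page has no private or no-store directive, so the only thing standing between it and the edge cache is the cookie heuristic, which not every CDN applies; the fixed version refuses storage regardless of what the edge is configured to do.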

Security Groups: Stateful Firewalls for Your Cloud Resources

A security group is a stateful firewall attached to a cloud resource, like a bouncer with an allow-list: anything not explicitly allowed is dropped, and replies to allowed traffic are let back through automatically. Use it to let a web server accept HTTPS from the internet, or a database accept connections only from the app servers' security group (reference the group, not its IP addresses). Security groups have no deny rules, so block lists belong in a NACL. The footgun: opening SSH or RDP to the entire internet (0.0.0.0/0 or ::/0).
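
An added example (not from the original page) that audits security groups in the JSON shape `aws ec2 describe-security-groups` returns, flagging the 0.0.0.0/0 and ::/0 footgun on administrative ports and on all-traffic rules. The group IDs and rules below are constructed sample data; the function takes the list found under the `SecurityGroups` key of real `--output json` output.

```python
"""Security-group audit, an added example that is not from the original page.

Walks the SecurityGroups list in the shape returned by
`aws ec2 describe-security-groups` (or boto3's describe_security_groups) and
reports ingress rules that admit the whole internet on administrative ports or
on every port. The groups below are constructed sample data, not from a real
account.
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"


def rule_cidrs(perm):
    """Collect every CIDR an IpPermission entry lists (v4 and v6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def rule_ports(perm):
    """Ports opened by an entry; None means every port (IpProtocol '-1')."""
    if perm.get("IpProtocol") == "-1":
        return None
    return range(perm["FromPort"], perm["ToPort"] + 1)


def world_open_findings(groups):
    """Return (group_id, port_or_'all', label, cidrs) for each risky ingress rule."""
    findings = []
    for group in groups:
        # Ingress only; egress rules live under IpPermissionsEgress.
        for perm in group.get("IpPermissions", []):
            world = [c for c in rule_cidrs(perm) if c in WORLD]
            if not world:
                continue  # rules that reference another security group are the safer pattern
            ports = rule_ports(perm)
            if ports is None:
                findings.append((group["GroupId"], "all", "ALL TRAFFIC", world))
                continue
            for port, label in ADMIN_PORTS.items():
                if port in ports:
                    findings.append((group["GroupId"], port, label, world))
    return findings


# Constructed sample: a web tier, a database tier locked to the web tier, and a
# legacy group that allows everything from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
     ]},
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "legacy",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]


if __name__ == "__main__":
    for group_id, port, label, cidrs in world_open_findings(SAMPLE_GROUPS):
        print(f"{group_id}: {label} ({port}) open to {', '.join(cidrs)}")
```

HTTPS open to the world on the web tier is not reported, because that is the intended use; SSH on the same group and the all-traffic rule on the legacy group are. The database group passes because it names the web tier's group instead of a CIDR.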

Cross-Region Replication (CRR): Geographic Data Copying

Cross-Region Replication automatically copies objects to a bucket in another geographic region, like a live copy that keeps up with writes. Use it for disaster recovery, lower latency for global users, or data-residency requirements. The footgun: by default it only replicates objects written *after* the rule is created, not what's already in the bucket (on S3, use Batch Replication to backfill existing objects). A replica is also not a backup on its own: deletions of specific object versions are not replicated and delete-marker replication is optional, so pair it with versioning and, where the data matters, Object Lock.

Block Storage Snapshots Are Incremental Backups

A snapshot is an incremental, point-in-time backup of a disk volume: the first one stores every block, each later one stores only the blocks that changed since the previous snapshot, yet every snapshot can restore the full volume. Use it for disaster recovery to restore a volume's exact state. The footgun: deleting an older snapshot frees only the blocks no newer snapshot still references, so removing a large old snapshot may reclaim almost nothing.
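
An added example, not from the original page, that models incremental snapshots as shared block references and computes what deleting each snapshot actually frees. The volume size and write pattern are constructed; the sharing rule it models is how EBS stores snapshots.

```python
"""Incremental-snapshot accounting, an added example that is not from the original page.

Models how block-storage snapshots (EBS snapshots behave this way) share
unchanged blocks: each snapshot stores only the blocks that changed since the
previous one, and a block stays stored, and billed, as long as any remaining
snapshot still references it. The volume size and write pattern below are
constructed for illustration.
"""


class SnapshotChain:
    def __init__(self, block_count):
        # Block index -> version tag of the data currently on the live volume.
        self.volume = {i: "v1" for i in range(block_count)}
        # Snapshot name -> {block index: version} as it was when the snapshot was taken.
        self.snapshots = {}

    def write(self, blocks, version):
        """Overwrite some blocks on the live volume."""
        for b in blocks:
            self.volume[b] = version

    def snapshot(self, name):
        """Record a point-in-time view: logically a full image, physically incremental."""
        self.snapshots[name] = dict(self.volume)

    def stored_blocks(self, exclude=()):
        """Unique (block, version) pairs the service must keep for the surviving snapshots."""
        pairs = set()
        for name, view in self.snapshots.items():
            if name in exclude:
                continue
            pairs.update(view.items())
        return pairs

    def reclaimable_blocks(self, name):
        """How many stored blocks deleting `name` would actually free."""
        return len(self.stored_blocks()) - len(self.stored_blocks(exclude=(name,)))

    def delete(self, name):
        del self.snapshots[name]


def build_example():
    """Constructed history: 100-block volume, three snapshots, two small rewrites."""
    chain = SnapshotChain(block_count=100)
    chain.snapshot("snap-a")          # first snapshot: all 100 blocks stored
    chain.write(range(0, 10), "v2")
    chain.snapshot("snap-b")          # stores only the 10 changed blocks
    chain.write(range(0, 5), "v3")
    chain.snapshot("snap-c")          # stores only the 5 changed blocks
    return chain


if __name__ == "__main__":
    chain = build_example()
    print("blocks stored:", len(chain.stored_blocks()))            # 115
    for name in chain.snapshots:
        print(f"deleting {name} frees {chain.reclaimable_blocks(name)} blocks")
    chain.delete("snap-a")
    print("after deleting snap-a:", len(chain.stored_blocks()))    # 105
    print("snap-b still restores", len(chain.snapshots["snap-b"]), "blocks")
```

Deleting snap-a, the "full" 100-block snapshot, frees only the 10 blocks that snap-b overwrote; the other 90 are still referenced by snap-b and snap-c and stay billed. snap-b remains a complete 100-block image after the deletion, which is also why restoring from any single snapshot works.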

AWS Dedicated Hosts: Your Own Physical Server in the Cloud

An AWS Dedicated Host is your own physical server in the cloud, providing single-tenant hardware. Use it for "bring your own license" (BYOL) software tied to physical cores, or for compliance rules that forbid multi-tenancy.

AWS Placement Groups: Control Where Your Instances Run

AWS Placement Groups let you control where EC2 instances run relative to each other. Use a Cluster group to pack instances onto the same rack for low-latency, high-throughput HPC, or Spread/Partition groups to put them on separate hardware and reduce correlated failures. The footgun is picking the wrong strategy for your workload: a Cluster group concentrates the blast radius on one rack and can fail to launch with an insufficient-capacity error when that rack is full, while a Spread group caps you at seven running instances per Availability Zone.

Spot Instances: Trade Reliability for Huge Cost Savings

Spot Instances let you use spare AWS capacity for up to 90% off on-demand prices. They're great for fault-tolerant jobs like batch processing, CI runners or stateless workers behind a load balancer. The footgun: AWS can reclaim the instance with a two-minute interruption notice, so don't put anything on Spot that can't checkpoint its work or be restarted elsewhere, and handle the notice (it is published through the instance metadata service and EventBridge) rather than assuming a graceful shutdown.

User Data Scripts: Day-One Instance Configuration

User data scripts are your instance's "Day One" instructions, run automatically (as root, on first boot by default) to do things like install packages, configure a web server or deploy monitoring agents without anyone logging in over SSH. The footgun: user data is not secret. Any process on the instance can read it from the instance metadata service, and anyone with ec2:DescribeInstanceAttribute can read it from the API, so never embed credentials in it; have the script fetch secrets at boot through the instance's IAM role from a secrets manager or parameter store instead.

AWS Reserved Instances: Commit to Compute, Save Big

Reserved Instances are like leasing a car instead of renting daily: commit to one or three years of a given instance type for a steep discount. They're ideal for predictable, steady-state workloads. The footgun is buying inflexible Standard RIs when your needs might change: a Standard RI locks in the instance family and region, so an architecture change leaves you paying for capacity you no longer use. Convertible RIs or Savings Plans trade some of the discount for flexibility.

Auto Scaling Groups: Elasticity and Self-Healing

An Auto Scaling Group (ASG) is like a thermostat for your servers, automatically adding or removing instances to match demand and replacing any that fail. Use it for web apps with variable traffic or services that need to self-heal from instance failures.

The Cloud's Shared Responsibility Model

Using the cloud means you share security duties with the provider. The provider secures the physical facilities, the hardware and the virtualization layer; where your responsibility begins depends on the service model. In IaaS you own the guest OS and everything above it (patching, firewalls, host hardening); in PaaS, just your application code, its configuration and its data; in SaaS, mostly your data and how your users access it. Identity and access management, data classification and encryption-key decisions stay with you in every model.

Cloud Scalability vs. Elasticity: Planned Growth vs. Real-Time Reaction

Think of scalability as adding lanes to a highway for long-term growth. Elasticity is opening a reversible lane only during rush hour. Scalability handles predictable demand, like a product launch; elasticity manages unpredictable spikes, like a viral post.

Cloud Platforms · Tezvyn