From 728087508da8d5c878f72993e13dcb7f085698c4 Mon Sep 17 00:00:00 2001 From: Tom Schlick Date: Tue, 11 Oct 2016 14:27:57 -0400 Subject: [PATCH 01/13] document IPv4 & IPv6 access to S3 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0873645..d1beb14 100644 --- a/README.md +++ b/README.md @@ -639,6 +639,7 @@ S3 - [ObjectiveFS](https://objectivefs.com/) ([discussion](https://news.ycombinator.com/item?id=10117506)) is a commercial solution that supports filesystem features and concurrent clients. - If you are primarily using a VPC, consider setting up a [VPC Endpoint](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html) for S3 in order to allow your VPC-hosted resources to easily access it without the need for extra network configuration or hops. - **Cross-region replication:** S3 has [a feature](https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html) for replicating a bucket between one region and a another. Note that S3 is already highly replicated within one region, so usually this isn’t necessary for durability, but it could be useful for compliance (geographically distributed data storage), lower latency, or as a strategy to reduce region-to-region bandwidth costs by mirroring heavily used data in a second region. +- **IPv4 vs IPv6:** For a long time S3 only supported IPv4 at the default endpoint `https://BUCKET.s3.amazonaws.com`. However, [as of Aug 11, 2016](https://aws.amazon.com/blogs/aws/now-available-ipv6-support-for-amazon-s3/) it now supports both IPv4 & IPv6! To use both, have to enable *dualstack* either in your preferred api client or by directly using this url scheme `https://BUCKET.s3.dualstack.REGION.amazonaws.com`. ### S3 Gotchas and Limitations From 85d370180abd48da72f5ae295d77441673a7621e Mon Sep 17 00:00:00 2001 From: Tom Schlick Date: Tue, 11 Oct 2016 15:12:08 -0400 Subject: [PATCH 02/13] forgot a word --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
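Review bot: the new IPv4 vs IPv6 bullet in PATCH 01 should warn that switching to the dual-stack endpoint changes the source addresses S3 sees, so any bucket policy or IAM policy that filters with an `aws:SourceIp` condition on IPv4 CIDRs will not match requests arriving over IPv6 until IPv6 ranges are added; the S3 IPv6 documentation calls this out, and a guide that already has a Permissions subsection should repeat it next to the endpoint advice. In the same sentence, 'To use both, have to enable *dualstack*' is missing 'you', 'api client' should read 'API client', and 'this url scheme' is really a hostname pattern (the scheme stays `https`), so 'by using the dual-stack hostname `https://BUCKET.s3.dualstack.REGION.amazonaws.com`' would be more accurate.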
diff --git a/README.md b/README.md index d1beb14..06f5cfa 100644 --- a/README.md +++ b/README.md @@ -639,7 +639,7 @@ S3 - [ObjectiveFS](https://objectivefs.com/) ([discussion](https://news.ycombinator.com/item?id=10117506)) is a commercial solution that supports filesystem features and concurrent clients. - If you are primarily using a VPC, consider setting up a [VPC Endpoint](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html) for S3 in order to allow your VPC-hosted resources to easily access it without the need for extra network configuration or hops. - **Cross-region replication:** S3 has [a feature](https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html) for replicating a bucket between one region and a another. Note that S3 is already highly replicated within one region, so usually this isn’t necessary for durability, but it could be useful for compliance (geographically distributed data storage), lower latency, or as a strategy to reduce region-to-region bandwidth costs by mirroring heavily used data in a second region. -- **IPv4 vs IPv6:** For a long time S3 only supported IPv4 at the default endpoint `https://BUCKET.s3.amazonaws.com`. However, [as of Aug 11, 2016](https://aws.amazon.com/blogs/aws/now-available-ipv6-support-for-amazon-s3/) it now supports both IPv4 & IPv6! To use both, have to enable *dualstack* either in your preferred api client or by directly using this url scheme `https://BUCKET.s3.dualstack.REGION.amazonaws.com`. +- **IPv4 vs IPv6:** For a long time S3 only supported IPv4 at the default endpoint `https://BUCKET.s3.amazonaws.com`. However, [as of Aug 11, 2016](https://aws.amazon.com/blogs/aws/now-available-ipv6-support-for-amazon-s3/) it now supports both IPv4 & IPv6! To use both, you have to enable *dualstack* either in your preferred api client or by directly using this url scheme `https://BUCKET.s3.dualstack.REGION.amazonaws.com`. ### S3 Gotchas and Limitations 
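Review bot: this one-word fix corrects the sentence introduced in PATCH 01 and should be squashed into that commit rather than kept separate. While the line is being touched, 'api client' and 'url scheme' should be capitalised as 'API client' and 'URL', matching the README's own usage of acronyms such as 'VPC' in the surrounding bullets.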
From 9f839333fc2e71eb058635ca1570fb8937670b26 Mon Sep 17 00:00:00 2001 From: Trayton White Date: Tue, 11 Oct 2016 12:49:23 -0700 Subject: [PATCH 03/13] Update Redshift primitive data types to 12 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7c2887f..6803c88 100644 --- a/README.md +++ b/README.md @@ -1190,7 +1190,7 @@ Redshift ### Redshift Tips - Although Redshift is mostly Postgres-compatible, its SQL dialect and performance profile are different. -- Redshift supports only [11 primitive data types](https://docs.aws.amazon.com/redshift/latest/dg/c_Supported_data_types.html). ([List of unsupported Postgres types](https://docs.aws.amazon.com/redshift/latest/dg/c_unsupported-postgresql-datatypes.html)\) +- Redshift supports only [12 primitive data types](https://docs.aws.amazon.com/redshift/latest/dg/c_Supported_data_types.html). ([List of unsupported Postgres types](https://docs.aws.amazon.com/redshift/latest/dg/c_unsupported-postgresql-datatypes.html)\) - It has a leader node and computation nodes (the leader node distributes queries to the computation ones). Note that some functions [can be executed only on the lead node.](https://docs.aws.amazon.com/redshift/latest/dg/c_SQL_functions_leader_node_only.html) - Major 3rd-party BI tools support Redshift integration (see [Quora](https://www.quora.com/Which-BI-visualisation-solution-goes-best-with-Redshift)). - [Top 10 Performance Tuning Techniques for Amazon Redshift](https://blogs.aws.amazon.com/bigdata/post/Tx31034QG0G3ED1/Top-10-Performance-Tuning-Techniques-for-Amazon-Redshift) provides an excellent list of performance tuning techniques. From afc804d877bc6c5f99c29c73fd73befb3b165b60 Mon Sep 17 00:00:00 2001 From: Benjamin Bunk Date: Tue, 11 Oct 2016 16:40:44 -0400 Subject: [PATCH 04/13] Update README.md to fix typo in EMR section. Fix minor typo in EMR section. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
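Review bot: replacing '11' with '12' keeps a hard-coded count that will drift again the next time Redshift adds a type, and the commit message does not say which type was added, so the change cannot be checked from the diff alone; either drop the number ('Redshift supports only a small set of primitive data types, listed here') or name the newly supported type in the commit message. The trailing `\)` after the unsupported-types link is an unnecessary backslash escape; a plain `)` is enough and is what the rest of the README uses.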
diff --git a/README.md b/README.md index 7c2887f..b87746e 100644 --- a/README.md +++ b/README.md @@ -1216,7 +1216,7 @@ EMR ### EMR Basics - 📒 [Homepage](https://aws.amazon.com/emr/) ∙ [Release guide](http://docs.aws.amazon.com/ElasticMapReduce/latest/ReleaseGuide/) ∙ [FAQ](https://aws.amazon.com/emr/faqs/) ∙ [Pricing](https://aws.amazon.com/emr/pricing/) -- **EMR** (which used to stand for Elastic Map Reduce, but not anymore, since it now extends beyond map-reduce) is a service that offers managed deployment of [Hadoop](https://en.wikipedia.org/wiki/Apache_Hadoop), [HBase](https://en.wikipedia.org/wiki/Apache_HBase) and [Spark](https://en.wikipedia.org/wiki/Apache_Spark). It reduces reduces the management burden of setting up and maintaining these services yourself. +- **EMR** (which used to stand for Elastic Map Reduce, but not anymore, since it now extends beyond map-reduce) is a service that offers managed deployment of [Hadoop](https://en.wikipedia.org/wiki/Apache_Hadoop), [HBase](https://en.wikipedia.org/wiki/Apache_HBase) and [Spark](https://en.wikipedia.org/wiki/Apache_Spark). It reduces the management burden of setting up and maintaining these services yourself. ### EMR Alternatives and Lock-in From 18c775ded38ee193f9608b12d32903e48586c7c8 Mon Sep 17 00:00:00 2001 From: Gulam Shakir Date: Tue, 11 Oct 2016 17:03:25 -0400 Subject: [PATCH 05/13] Add S3 Infrequent Access calculator. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7c2887f..f2fcc81 100644 --- a/README.md +++ b/README.md 
@@ -579,7 +579,7 @@ S3 - Deletes are free. - **S3 Reduced Redundancy and Infrequent Access:** Most people use the Standard storage class in S3, but are other storage classes with lower cost: - [Reduced Redundancy Storage (RRS)](https://aws.amazon.com/s3/reduced-redundancy/) has lower durability (99.99%, so just four nines). That is, there’s a small chance you’ll lose data. For some data sets where data has value in a statistical way (losing say half a percent of your objects isn’t a big deal) this is a reasonable trade-off. - - [Infrequent Access (IA)](https://aws.amazon.com/s3/storage-classes/#Infrequent_Access) lets you get cheaper storage in exchange for more expensive access. This is great for archives like logs you already processed, but might want to look at later. + - [Infrequent Access (IA)](https://aws.amazon.com/s3/storage-classes/#Infrequent_Access) lets you get cheaper storage in exchange for more expensive access. This is great for archives like logs you already processed, but might want to look at later. To get an idea of the cost savings when using Infrequent Access (IA), you can use this [S3 Infrequent Access Calculator](http://www.gulamshakir.com/apps/s3calc/index.html) . - [Glacier](#glacier) is a third alternative discussed as a separate product. - See [the comparison table](#storage-durability-availability-and-price). - ⏱**Performance:** Maximizing S3 performance means improving overall throughput in terms of bandwidth and number of operations per second. From 3331c42aeeb89ec52fa050cde5fd0748fbc01834 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Tue, 11 Oct 2016 23:42:23 +0200 Subject: [PATCH 06/13] Added ALB Gotcha about unhealthy targets "If no Availability Zone contains a healthy target, the load balancer nodes route requests to all targets." source: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html --- README.md | 1 + 1 file changed, 1 insertion(+) 
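Review bot: the added link points to the contributor's own personal site over plain `http://`, which is a self-promotional link to an unmaintained third-party tool in a guide that otherwise cites AWS documentation; if it stays, use `https://` where available and say what the calculator models, because the sentence itself describes IA as 'cheaper storage in exchange for more expensive access' and a reader cannot tell whether retrieval and request charges are included in the estimate. In the visible context, the parent bullet 'Most people use the Standard storage class in S3, but are other storage classes with lower cost' is missing 'there'; worth fixing in the same commit.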
diff --git a/README.md b/README.md index 7c2887f..ae8c2fe 100644 --- a/README.md +++ b/README.md @@ -879,6 +879,7 @@ ALB - ALBs do not (yet) support routing based on HTTP “Host” header or HTTP verb. - Instances in the ALB's target groups have to either have a single, fixed healthcheck port (“EC2 instance”-level healthcheck) or the healthcheck port for a target has to be the same as its application port (“Application instance”-level healthcheck) - you can't configure a per-target healthcheck port that is different than the application port. - ALBs are VPC-only (they are not available in EC2 Classic) +- In a target group, if there is no healthy target, all requests are routed to all targets. An example: you add a target group containing a single service (with a long init phase maybe) as target to a listener, it does not pass health checks (yet), requests will still reach your (initializing) service. Elastic IPs ----------- From ae8d7b46138bb48ce6847041142c36b284c7381b Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Wed, 12 Oct 2016 00:15:53 +0200 Subject: [PATCH 07/13] Added ELB/ALB, alternatives to ECS section --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ae8c2fe..220e687 100644 --- a/README.md +++ b/README.md 
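Review bot: the new bullet's example ('An example: you add a target group containing a single service (with a long init phase maybe) as target to a listener, it does not pass health checks (yet), requests will still reach your (initializing) service') is a run-on with four parenthetical asides; the commit message already has the precise source sentence, so quote it and link the target-group health-check page it cites: 'If no Availability Zone contains a healthy target, the load balancer nodes route requests to all targets.' The bullet should also state the consequence, since that is the gotcha: health checks are not a readiness gate, so a service must fail closed on its own (not listen, or answer 503) until initialization completes, otherwise a target group with zero healthy targets exposes a half-initialized service to live traffic.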
@@ -879,7 +879,6 @@ ALB - ALBs do not (yet) support routing based on HTTP “Host” header or HTTP verb. - Instances in the ALB's target groups have to either have a single, fixed healthcheck port (“EC2 instance”-level healthcheck) or the healthcheck port for a target has to be the same as its application port (“Application instance”-level healthcheck) - you can't configure a per-target healthcheck port that is different than the application port. - ALBs are VPC-only (they are not available in EC2 Classic) -- In a target group, if there is no healthy target, all requests are routed to all targets. An example: you add a target group containing a single service (with a long init phase maybe) as target to a listener, it does not pass health checks (yet), requests will still reach your (initializing) service. Elastic IPs ----------- 
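Review bot: this hunk deletes the ALB unhealthy-target bullet that PATCH 06 just added, and the commit message ('Added ELB/ALB, alternatives to ECS section') says nothing about removing it; it looks like a rebase or branch mix-up rather than an intended change, and PATCH 08 re-adds the same text verbatim. Drop this deletion so PATCH 07 contains only the ECS change.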
@@ -983,11 +982,17 @@ ECS - Doesn’t support cross-region replication of images. - If you want fast fleet-wide pulls of large images, you’ll need to push your image into a region-local registry. - Doesn’t support custom domains / certificates. +- A container's health is monitored via [CLB](#clb) or [ALB](#alb). Those can also be used to address a containerized service. When using an ALB you do not need to handle port contention (i.e. services exposing the same port on the same host) since an ALB’s target groups can be associated with ECS-based services directly. ### ECS Tips - [This blog from Convox](https://convox.com/blog/ecs-challenges/) (and [commentary](https://news.ycombinator.com/item?id=11598058)) lists a number of common challenges with ECS as of early 2016. +### ECS Alternatives and Lock-in + +- [Kubernetes](https://kubernetes.io): Extensive container platform. Available as a hosted solution on Google Cloud (https://cloud.google.com/container-engine/) and AWS (https://tectonic.com/). +- [Nomad](https://www.nomadproject.io/): Orchestrator/Scheduler, tightly integrated in the Hashicorp stack (Consul, Vault, etc). + 🚧 [*Please help expand this incomplete section.*](CONTRIBUTING.md) Lambda From 5edafa05ca3a3771b2adc7277f43d8af956b1dfb Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Wed, 12 Oct 2016 01:00:19 +0200 Subject: [PATCH 08/13] Added ALB Gotcha about unhealthy targets --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 94dbace..70349ad 100644 --- a/README.md +++ b/README.md 
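Review bot: two accuracy issues in the ECS hunk. First, the Kubernetes bullet describes Tectonic as a 'hosted solution on ... AWS'; Tectonic is CoreOS's commercial Kubernetes distribution that you install and operate on AWS yourself, not an AWS-hosted service, so reword ('available on AWS via CoreOS Tectonic') or cite an actual managed offering. Second, 'A container's health is monitored via CLB or ALB' is inserted into a list whose neighbouring items ('Doesn't support cross-region replication of images', 'Doesn't support custom domains / certificates') are registry limitations; the new sentence is a tip, not a gotcha, and belongs under '### ECS Tips'. Style: the two bare URLs in parentheses should be Markdown links like every other reference in the README.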
@@ -879,6 +879,7 @@ ALB - ALBs do not (yet) support routing based on HTTP “Host” header or HTTP verb. - Instances in the ALB's target groups have to either have a single, fixed healthcheck port (“EC2 instance”-level healthcheck) or the healthcheck port for a target has to be the same as its application port (“Application instance”-level healthcheck) - you can't configure a per-target healthcheck port that is different than the application port. - ALBs are VPC-only (they are not available in EC2 Classic) +- In a target group, if there is no healthy target, all requests are routed to all targets. An example: you add a target group containing a single service (with a long init phase maybe) as target to a listener, it does not pass health checks (yet), requests will still reach your (initializing) service. Elastic IPs ----------- From 80d80b3fb332e1ff17dc767d929194e98dd0beb6 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Wed, 12 Oct 2016 01:11:55 +0200 Subject: [PATCH 09/13] Addressed review comments. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 70349ad..fd6dfcb 100644 --- a/README.md +++ b/README.md 
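Review bot: this re-adds, character for character, the bullet removed in PATCH 07, so the series adds, removes, re-adds and then rewords (PATCH 09) a single line across four commits; squash PATCH 06 through PATCH 09 into one commit with the final wording so the history records one change and `git blame` lands on the commit whose message explains it.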
@@ -879,7 +879,7 @@ ALB - ALBs do not (yet) support routing based on HTTP “Host” header or HTTP verb. - Instances in the ALB's target groups have to either have a single, fixed healthcheck port (“EC2 instance”-level healthcheck) or the healthcheck port for a target has to be the same as its application port (“Application instance”-level healthcheck) - you can't configure a per-target healthcheck port that is different than the application port. - ALBs are VPC-only (they are not available in EC2 Classic) -- In a target group, if there is no healthy target, all requests are routed to all targets. An example: you add a target group containing a single service (with a long init phase maybe) as target to a listener, it does not pass health checks (yet), requests will still reach your (initializing) service. +- In a target group, if there is no healthy target, all requests are routed to all targets. For example, if you point a listener at a target group containing a single service that has a long initialization phase (during which the health checks would fail), requests will reach the service while it is still starting up. Elastic IPs ----------- From b1495a329fd40d71303a86ddceb74790b79674fb Mon Sep 17 00:00:00 2001 From: Gulam Shakir Date: Tue, 11 Oct 2016 19:24:30 -0400 Subject: [PATCH 10/13] S3 Infrequent Access calculator - fix whitespace. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f2fcc81..e1f1471 100644 --- a/README.md +++ b/README.md 
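Review bot: the reworded bullet reads well but still states the behaviour without the consequence a reader needs: because the ALB forwards to targets that are failing health checks whenever none are healthy, an application cannot rely on the health check to keep traffic away during start-up and must fail closed itself (bind only once initialized, or return 503 until then). Add that sentence, and link the target-group health-check documentation page quoted in the PATCH 06 commit message as the source of the claim, since nothing in the bullet tells the reader where the behaviour is documented.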
@@ -579,7 +579,7 @@ S3 - Deletes are free. - **S3 Reduced Redundancy and Infrequent Access:** Most people use the Standard storage class in S3, but are other storage classes with lower cost: - [Reduced Redundancy Storage (RRS)](https://aws.amazon.com/s3/reduced-redundancy/) has lower durability (99.99%, so just four nines). That is, there’s a small chance you’ll lose data. For some data sets where data has value in a statistical way (losing say half a percent of your objects isn’t a big deal) this is a reasonable trade-off. - - [Infrequent Access (IA)](https://aws.amazon.com/s3/storage-classes/#Infrequent_Access) lets you get cheaper storage in exchange for more expensive access. This is great for archives like logs you already processed, but might want to look at later. To get an idea of the cost savings when using Infrequent Access (IA), you can use this [S3 Infrequent Access Calculator](http://www.gulamshakir.com/apps/s3calc/index.html) . + - [Infrequent Access (IA)](https://aws.amazon.com/s3/storage-classes/#Infrequent_Access) lets you get cheaper storage in exchange for more expensive access. This is great for archives like logs you already processed, but might want to look at later. To get an idea of the cost savings when using Infrequent Access (IA), you can use this [S3 Infrequent Access Calculator](http://www.gulamshakir.com/apps/s3calc/index.html). - [Glacier](#glacier) is a third alternative discussed as a separate product. - See [the comparison table](#storage-durability-availability-and-price). - ⏱**Performance:** Maximizing S3 performance means improving overall throughput in terms of bandwidth and number of operations per second. From c76dc13bf32c92775b09a806d34235ac42d26193 Mon Sep 17 00:00:00 2001 
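Review bot: a whitespace-only fix to the line introduced in PATCH 05 should be squashed into that commit. The neighbouring context line 'Most people use the Standard storage class in S3, but are other storage classes with lower cost' still lacks 'there', which is the more useful correction to make while this bullet is being edited.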
From: Glynn Forrest Date: Tue, 11 Oct 2016 23:34:57 +0100 Subject: [PATCH 11/13] Spotify is a google cloud customer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The guide previously mentions "It’s not common to switch once you’re up and running, but it does happen: Spotify migrated from AWS to Google Cloud." --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9428a1e..dd6d605 100644 --- a/README.md +++ b/README.md 
@@ -158,7 +158,7 @@ General Information - **Combining AWS and other cloud providers:** Many customers combine AWS with other non-AWS services. For example, legacy systems or secure data might be in a managed hosting provider, while other systems are AWS. Or a company might only use S3 with another provider doing everything else. However small startups or projects starting fresh will typically stick to AWS or Google Cloud only. - **Hybrid cloud:** In larger enterprises, it is common to have [hybrid deployments](https://aws.amazon.com/enterprise/hybrid/) encompassing private cloud or on-premises servers and AWS — or other enterprise cloud providers like [IBM](https://www.ibm.com/cloud-computing/solutions/hybrid-cloud)/[Bluemix](http://www.ibm.com/cloud-computing/bluemix/hybrid/), [Microsoft](https://www.microsoft.com/en-us/cloud-platform/hybrid-cloud)/[Azure](https://azure.microsoft.com/en-us/overview/azure-stack/), [NetApp](http://www.netapp.com/us/solutions/cloud/hybrid-cloud/), or [EMC](http://www.emc.com/en-us/cloud/hybrid-cloud-computing/index.htm). - **Major customers:** Who uses AWS and Google Cloud? - - AWS’s [list of customers](https://aws.amazon.com/solutions/case-studies/) includes large numbers of mainstream online properties and major brands, such as Netflix, Pinterest, Spotify, Airbnb, Expedia, Yelp, Zynga, Comcast, Nokia, and Bristol-Myers Squibb. + - AWS’s [list of customers](https://aws.amazon.com/solutions/case-studies/) includes large numbers of mainstream online properties and major brands, such as Netflix, Pinterest, Spotify (moving to Google Cloud), Airbnb, Expedia, Yelp, Zynga, Comcast, Nokia, and Bristol-Myers Squibb. - Google Cloud’s [list of customers](https://cloud.google.com/customers/) is large as well, and includes a few mainstream sites, such as [Snapchat](http://www.businessinsider.com/snapchat-is-built-on-googles-cloud-2014-1), Best Buy, Domino’s, and Sony Music. ### Which Services to Use 
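Review bot: the parenthetical '(moving to Google Cloud)' contradicts the sentence the commit message quotes from the same guide ('Spotify migrated from AWS to Google Cloud', past tense) and will go stale; use the earlier passage's wording, e.g. 'Spotify (since migrated to Google Cloud)', or remove Spotify from the AWS list entirely and leave the migration note where the guide already makes it. Listing a departed customer under 'AWS's list of customers' with a caveat is confusing for a reader using the list to judge adoption.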
From 25860101237a72153eb658406526361db168c02e Mon Sep 17 00:00:00 2001 From: Tom Schlick Date: Tue, 11 Oct 2016 20:01:03 -0400 Subject: [PATCH 12/13] link to enabling dualstack in api clients --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 06f5cfa..fb4ecb1 100644 --- a/README.md +++ b/README.md 
@@ -639,7 +639,7 @@ S3 - [ObjectiveFS](https://objectivefs.com/) ([discussion](https://news.ycombinator.com/item?id=10117506)) is a commercial solution that supports filesystem features and concurrent clients. - If you are primarily using a VPC, consider setting up a [VPC Endpoint](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html) for S3 in order to allow your VPC-hosted resources to easily access it without the need for extra network configuration or hops. - **Cross-region replication:** S3 has [a feature](https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html) for replicating a bucket between one region and a another. Note that S3 is already highly replicated within one region, so usually this isn’t necessary for durability, but it could be useful for compliance (geographically distributed data storage), lower latency, or as a strategy to reduce region-to-region bandwidth costs by mirroring heavily used data in a second region. -- **IPv4 vs IPv6:** For a long time S3 only supported IPv4 at the default endpoint `https://BUCKET.s3.amazonaws.com`. However, [as of Aug 11, 2016](https://aws.amazon.com/blogs/aws/now-available-ipv6-support-for-amazon-s3/) it now supports both IPv4 & IPv6! To use both, you have to enable *dualstack* either in your preferred api client or by directly using this url scheme `https://BUCKET.s3.dualstack.REGION.amazonaws.com`. +- **IPv4 vs IPv6:** For a long time S3 only supported IPv4 at the default endpoint `https://BUCKET.s3.amazonaws.com`. However, [as of Aug 11, 2016](https://aws.amazon.com/blogs/aws/now-available-ipv6-support-for-amazon-s3/) it now supports both IPv4 & IPv6! To use both, you have to [enable dualstack](http://docs.aws.amazon.com/AmazonS3/latest/dev/dual-stack-endpoints.html) either in your preferred API client or by directly using this url scheme `https://BUCKET.s3.dualstack.REGION.amazonaws.com`. ### S3 Gotchas and Limitations 
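Review bot: linking the dual-stack documentation is the right fix, but the link uses `http://` while the neighbouring documentation link in this hunk (`https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html`) uses `https://`; use `https://` for consistency. 'url scheme' is still lowercase and still the wrong term, since the scheme remains `https` and only the hostname changes; 'by using the dual-stack hostname' would be accurate. The S3 IPv6 documentation also states that IAM and bucket policies using `aws:SourceIp` conditions must include IPv6 ranges before clients switch to the dual-stack endpoint; that is the gotcha most likely to bite and deserves a sentence in this bullet.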
From fc4c6185e6c5746cdf99bc74e28f33c24d0b758e Mon Sep 17 00:00:00 2001 From: chris-griffin Date: Tue, 11 Oct 2016 20:24:43 -0400 Subject: [PATCH 13/13] Update SSL/TLS info for static website hosting --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 115f843..e437658 100644 --- a/README.md +++ b/README.md 
@@ -609,9 +609,9 @@ S3 - S3 has a [static website hosting option](http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) that is simply a setting that enables configurable HTTP index and error pages and [HTTP redirect support](http://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html) to [public content](http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html) in S3. It’s a simple way to host static assets or a fully static website. - Consider using CloudFront in front of most or all assets: - Like any CDN, CloudFront improves performance significantly. - - 🔸SSL is only supported on the built-in amazonaws.com domain. S3 does support serving these sites through a [custom domain](http://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html), but [not over SSL on a custom domain](http://stackoverflow.com/questions/11201316/how-to-configure-ssl-for-amazon-s3-bucket). + - 🔸SSL is only supported on the built-in amazonaws.com domain for S3. S3 supports serving these sites through a [custom domain](http://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html), but [not over SSL on a custom domain](http://stackoverflow.com/questions/11201316/how-to-configure-ssl-for-amazon-s3-bucket). However, [CloudFront allows you to serve a custom domain over https](http://docs.aws.amazon.com/acm/latest/userguide/gs-cf.html). Amazon provides free SNI SSL/TLS certificates via Amazon Certificate Manager. [SNI does not work on very outdated browsers/operating systems](https://en.wikipedia.org/wiki/Server_Name_Indication#Support). Alternatively, you can provide your own certificate to use on CloudFront to support all browsers/operating systems. - 🔸If you are including resources across domains, such as fonts inside CSS files, you may need to [configure CORS](https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) for the bucket serving those resources. 
- - Since pretty much everything is moving to SSL nowadays, and you likely want control over the domain, you probably want to set up CloudFront your own certificate in front of S3 (and to ignore the [AWS example on this](http://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html) as it is non-SSL only). + - Since pretty much everything is moving to SSL nowadays, and you likely want control over the domain, you probably want to set up CloudFront with your own certificate in front of S3 (and to ignore the [AWS example on this](http://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html) as it is non-SSL only). - That said, if you do, you’ll need to think through invalidation or updates on CloudFront. You may wish to [include versions or hashes in filenames](https://abhishek-tiwari.com/post/CloudFront-design-patterns-and-best-practices) so invalidation is not necessary. - **Permissions:** - 🔸It’s important to manage permissions sensibly on S3 if you have data sensitivities, as fixing this later can be a difficult task if you have a lot of assets and internal users.
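Review bot: two technical inaccuracies in the new SSL sentence of this hunk. 'Amazon Certificate Manager' should be 'AWS Certificate Manager (ACM)', the service's actual name. More importantly, 'free SNI SSL/TLS certificates' and 'Alternatively, you can provide your own certificate to use on CloudFront to support all browsers/operating systems' conflate two independent choices: where the certificate comes from (issued free by ACM, or uploaded yourself) and CloudFront's custom SSL client support setting (SNI-only, included in the price, versus dedicated-IP, which is what serves non-SNI clients and is billed separately). Providing your own certificate does not by itself help legacy non-SNI clients; choosing dedicated-IP support does, with either certificate source. Suggested wording: 'ACM issues certificates for CloudFront at no charge; CloudFront serves them via SNI by default, and legacy clients without SNI support require the separately billed dedicated-IP option.' Also worth a sentence because it trips people up: a certificate used by CloudFront must be requested from ACM in the us-east-1 region. The second part of the hunk ('set up CloudFront with your own certificate') is a correct missing-word fix.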