Ksama Arora

AWS Solutions Architect Associate (SAA-C03)

Contents

• Overview: AWS Cloud Overview
• AWS IAM: AWS Identity and Access Management (IAM)

AWS Cloud Overview - Regions and AZ

AWS Global Infrastructure:

• AWS Regions
• AWS Availability Zones
• AWS Data Centers
• AWS Edge Locations/Points of Presence

AWS Regions

A region is a cluster of data centers, which are present all around the world. Names can be us-east-1, eu-west-3

Choice of AWS region depends on 4 factors:

• Compliance with data governance and legal requirements: data never leaves a region without your explicit permission
• Proximity to customers: reduce latency
• Availabile services within a Region: new services and new features aren’t available in every Region
• Pricing: pricing varies region to region and is transparent in the service pricing page

AWS Availability Zones:

Each region has many availability zones AZs (min=3 and max=6). Each AZ is one or more discrete data centers with redundant power, networking, and connectivity. These are separate from each other, so that they are isolated from disasters. They are connected with high bandwidth, ultra-low latency networking and thus all of them when linked together, forms a region.

AWS Points of Presence (Edge Location)

Amazon has 400+ points of presence (400+ edge locations and 10+ regional caches) in 90+ cities across 40+ countries. Content is delivered to end users with low latency

AWS Identity and Access Management (IAM)

It is a global service as we are going to create users and assign them to groups. Groups only contain users. Some users don’t belong to a group. Also a user can belong to multiple groups.

IAM: Permissions

To allow users to use AWS account, permissions have to be given to them. Users or Groups can be assigned JSON documents called policies. These policies define the permissions of the users. In AWS, you apply the least privilege principle: don’t give more permissions than a user needs.

IAM Users and Groups Hands On

IAM POLICIES

Assume 3 groups, Developers, Audit Team and Operations containing respective users as shown. All the users inherit the policy from their respective user groups. User not under any group, gets assigned an inline policy (i.e. policy assigned to only one user).

IAM Policy Structure

Consists of:

• Version: policy language version, always include “2012-10-17”
• Id: an identifier for the policy (optional)
• Statement: one or more individual statements (required)

Statement consists of

• Sid: an identifier for the statement (optional)
• Effect: whether the statement allows or denies access (Allow, Deny)
• Principal: account/user/role to which the policy is applied to
• Action: list of actions this policy allows or denies
• Resource: list of resources to which the actions applied to
• Condition: conditions for when this policy is in effect (optional)

{
    "Version": "2012-10-17",
    "Id": "S3-Account-Permissions",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::123456789012:root"]
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": ["arn:aws:s3:::mybucket/*"]
        }
    ]
}

IAM Policy Hands On

IAM Multi-Factor Authentication Overview

IAM - Password Policy

In AWS you can set up a password policy:

• Set a minimum password length
• Include uppercase and lowercase letters, numbers, non-alphanumeric characters
• Allow all IAM users to change their own passwords
• Require users to change their password after sometime (password expiration)
• Prevent password re-use Password policy is helpful prevent against brute-force attacks on your account. Stronger the password, higher the security for your account.

Multi-Factor Authentication (MFA)

This is useful because even if a password is stolen or hacked, the account (root account/IAM users) is not compromised.

“MFA = password you know + security device you own (for MFA generating token)”

The following are the MFA device options in AWS:

1. Virtual MFA Device:
   • Support for multiple tokens on a single device
   • Examples:
     • Google Authenticator (Phone Only)
     • Authy (Multi-Device)
2. Universal 2nd Factor (U2F) Security Key:
   • Supports multiple root and IAM users using a single security key
   • Example:
     • Yubikey by Yubico (Third Party)
3. Hardware Key Fob MFA Device:
   • Provided by Gemalto (Third Party)
4. Hardware Key Fob MFA Device AWS GovCloud (US):
   • Provided by SurePassID (Third Party)

IAM MFA Hands On

AWS Access Keys, CLI and SDK

3 Methods to access AWS:

• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys
  • It is a tool that enables you to interact with AWS services using commands in command-line shell.
  • Direct access to public APIs of AWS services. You can develop scripts to manage your resources.
  • It is open source and is an alternative to using AWS Management Console.
• AWS Software Developer Kit (SDK): for code: protected by access keys
  • This enables you to access and manage AWS services programmatically.
  • It supports
    • SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
    • Mobile SDKs (Android, iOS, ..)
    • IoT Device SDKs (Embedded C, Arduino, ..).
  • Example: AWS CLI is built on AWS SDK for Python.

Note: Access keys are generated through the AWS Console, and should not be shared. Users manage their own access keys.

AWS Access Keys, CLI and SDK Hands On

IAM Roles for AWS Services

In AWS, some services need to perform actions on your behalf. To facilitate this, you assign permissions to these services using IAM Roles.

Example: EC2 Instance

Consider an EC2 instance, which functions like a virtual server. If this instance needs to perform actions within AWS, it requires specific permissions. These permissions are granted through an IAM Role. By assigning an IAM Role to the EC2 instance, you allow it to execute actions according to the permissions defined in that role.

Common Roles: EC2 Instance Roles, Lambda Function Roles, Roles for CloudFormation

IAM Roles Hands On

IAM Security Tools

1. IAM Credentials

• At account level
• This credentials report contains a list of all account users and the status of various credentials

2. IAM Access Advisor:

• At user-level
• Shows service permissions granted to a user and when those services were last accessed i.e. if a user accesses a service, it specifies which policy granted permission and when last accessed