EC2 & IAM: Roles, Security, & Best Practices

Questions and Answers

What is the primary purpose of assigning IAM Roles to AWS services?

  • To monitor the services' resource consumption.
  • To grant permissions to AWS services to perform actions on your behalf. (correct)
  • To manage the billing and costs associated with each service.
  • To encrypt data transmitted between services.

Which IAM tool provides a list of all users in your AWS account and the status of their credentials?

  • IAM Credentials Report. (correct)
  • AWS Trusted Advisor.
  • AWS Inspector.
  • IAM Access Advisor.

Why is it recommended to avoid using the root account for everyday tasks?

  • Using the root account increases the likelihood of accidental misconfigurations. (correct)
  • AWS charges higher fees for actions performed using the root account.
  • The root account can only be used for billing purposes.
  • The root account has limited access to AWS services.

What is the purpose of the IAM Access Advisor?

  • To show the service permissions granted to a user and when those services were last accessed. (correct)

In the shared responsibility model for IAM, what is AWS primarily responsible for?

  • Infrastructure security and global network security. (correct)

What type of document are IAM Policies?

  • JSON documents that outline permissions for users or groups. (correct)

If a user needs to access AWS resources using the command-line interface (CLI), what is the recommended method for authentication?

  • Using Access Keys. (correct)

What does EC2 stand for in the context of AWS?

  • Elastic Compute Cloud. (correct)

Which of the following is a key capability provided by Amazon EC2?

  • Renting virtual machines. (correct)

What does the term 'bootstrapping' refer to in the context of EC2 User Data?

  • Launching commands when an EC2 instance starts. (correct)

Which of the following actions can be automated using EC2 User Data?

  • Installing software. (correct)

In the AWS naming convention for EC2 instance types (e.g., m5.2xlarge), what does the number '5' typically indicate?

  • The instance generation. (correct)

Which type of EC2 instance is best suited for workloads that require high-performance processors, such as media transcoding and high-performance web servers?

  • Compute Optimized. (correct)

For workloads that involve processing large datasets in memory, such as high-performance databases and distributed web-scale cache stores, which EC2 instance type is most appropriate?

  • Memory Optimized. (correct)

If an application's connection is refused, which of the following should you check?

  • All of the above. (correct)

Which of the following is a key characteristic of security groups in AWS?

  • Security groups act as a firewall for associated EC2 instances. (correct)

What is the default behavior for inbound traffic to an EC2 instance, according to security groups?

  • All inbound traffic is blocked by default. (correct)

Which port is commonly used for SSH to connect to a Linux instance?

  • 22 (correct)

Besides IP addresses, what other criterion can security group rules reference for allowing traffic?

  • Other Security Groups. (correct)

For short-term workloads with predictable pricing, which EC2 purchasing option is most suitable?

  • On-Demand Instances. (correct)

Which EC2 purchasing option provides the MOST significant discount but may result in losing your instance if the spot price exceeds your maximum price?

  • Spot Instances. (correct)

For steady-state applications such as databases, which EC2 purchasing option is generally the most cost-effective?

  • Savings Plans. (correct)

What is a key characteristic of EC2 Dedicated Hosts?

  • They allow you to use your existing server-bound software licenses and address compliance requirements. (correct)

If you need to ensure that your EC2 instances run on hardware dedicated solely to your use and also need to address compliance, which purchasing option should you choose?

  • Dedicated Hosts. (correct)

What is the primary benefit of using EC2 Capacity Reservations?

  • Ensuring access to EC2 capacity in a specific Availability Zone. (correct)

As of February 1st, 2024, what is a key change regarding IPv4 addresses in AWS?

  • There is a charge for all Public IPv4 addresses created in your account. (correct)

Which of the following falls under the customer's responsibility in the shared responsibility model for EC2?

  • Operating system patches and updates. (correct)

If you need assistance configuring SSH on a Windows machine, which tool would you likely use?

  • PuTTY (correct)

Which EC2 Purchasing Option is best represented by the analogy 'booking a hotel room at full price, whether you stay in it or not'?

  • Capacity Reservation (correct)

You are tasked with launching a new EC2 instance that will host a public-facing website. Which of the following tasks is part of your responsibility, according to the Shared Responsibility Model?

  • Applying the latest security patches to the instance's operating system. (correct)

An organization is deploying a new application that requires predictable, high-performance compute resources for the next three years. Which EC2 purchasing option is MOST suitable for this scenario?

  • Reserved Instances. (correct)

You are building a fault-tolerant application that can withstand instance interruptions without impacting functionality. Which of the following EC2 purchasing options would be the MOST cost-effective?

  • Spot Instances. (correct)

A company has existing server-bound software licenses that they want to utilize in AWS. Which EC2 purchasing option would BEST allow them to leverage these licenses?

  • Dedicated Hosts. (correct)

You have an EC2 instance in a private subnet that needs to access the internet to download software updates. Which of the following is the MOST secure and scalable way to allow this access?

  • Create a NAT Gateway in a public subnet and configure the route table. (correct)

A development team wants to quickly launch a pre-configured EC2 instance with specific software installed, every time a new developer joins the team. Which service or feature would BEST automate this process?

  • EC2 Image Builder. (correct)

An organization needs to ensure that their EC2 instances can scale dynamically based on demand while minimizing costs. Which AWS service would BEST accomplish this?

  • Amazon EC2 Auto Scaling. (correct)

A company uses a mix of On-Demand and Reserved EC2 instances. They want to optimize their costs by automatically moving workloads from On-Demand to Reserved instances whenever possible. Which AWS service or feature would assist in this optimization?

  • AWS Compute Optimizer. (correct)

You need to establish a secure and dedicated network connection between your on-premises data center and your AWS environment. Which AWS service would you use?

  • AWS Direct Connect. (correct)

A financial services firm requires enhanced data protection for their sensitive data stored on EBS volumes attached to EC2 instances. Which of the following steps would BEST address this requirement?

  • Enable EBS encryption at rest using AWS KMS. (correct)

Flashcards

IAM Roles

Identities that an AWS service (for example EC2 or Lambda) assumes to perform actions on your behalf; permissions are attached to the role rather than to a person.

IAM Credentials Report

Account-level report listing all users and the status of their credentials (password, MFA, access keys).

IAM Access Advisor

Shows the service permissions granted to a user and when those services were last accessed, so policies can be revised.

Assign Users to Groups

Apply permissions at the group level rather than to individual users.

Multi-Factor Authentication (MFA)

Enforce multi-factor authentication for increased security.

Using Roles for Permissions

Grant permissions to AWS services using IAM roles.

Access Keys

Credentials for programmatic access to AWS via the CLI or SDK.

Auditing Permissions

Review permissions using the IAM Credentials Report and IAM Access Advisor.

Never Share IAM users & Access Keys

Never disclose IAM user credentials or access keys.

Shared Responsibility (IAM)

AWS manages the infrastructure (global network security); you manage users, groups, roles, and policies.

IAM Users

Mapped to a physical person; a user has a password for the AWS Console.

IAM Groups

Contain users only (no nested groups), for simplified access management.

IAM Policies

JSON documents defining permissions for users or groups.

IAM Roles

Assumed by EC2 instances or AWS services to obtain permissions.

AWS CLI

Command-line tool to manage AWS services.

AWS SDK

Library for managing AWS services from a programming language.

Amazon EC2

Service for renting virtual machines, storing data, distributing load, and scaling services.

EC2 Definition

Infrastructure as a Service.

EC2 Virtual Machines

EC2 capability to rent virtual machines.

EC2 Virtual Drives

EC2 capability to store data on virtual drives using EBS.

General Purpose EC2 Instance

Balance of compute, memory, and networking resources.

Bootstrap script

Configured at first launch via EC2 User Data.

Security Groups

The fundamental building block of network security in AWS; control traffic in and out of EC2 instances.

EC2 Instance naming convention

An instance type name is made of the instance class, the generation, and the size within the class (e.g., m5.2xlarge).

Bootstrapping

Launching commands when a machine starts; the script runs at the instance's first start.

Operating System Options

Linux, Windows, or macOS.

Security groups

A virtual firewall on EC2 instances that regulates ports, IP ranges, and inbound/outbound traffic.

Security Group Rules

Security groups filter traffic by IP range and port using allow rules.

Port 22

SSH: log into a Linux instance.

Port 21

FTP: upload files into a file share.

Port 22 SFTP

SFTP: upload files over SSH.

Port 80

HTTP: access unsecured websites.

Port 443

HTTPS: access secured websites.

Port 3389

RDP: log into a Windows instance.

EC2 Instance Connect

Connect to an EC2 instance from your browser; AWS uploads a temporary key onto the instance.

On-Demand Instances

Short workloads, predictable pricing, billed by the second.

Reserved Instances

Long workloads, with a 1- or 3-year commitment.

Savings plan Instances

Commitment to an amount of usage; suited to long workloads.

Spot Instances

Short workloads, cheap, but instances can be lost at any time (less reliable).

Dedicated Hosts

Book an entire physical server and control instance placement.

Capacity reservations

Reserve capacity in a specific AZ for any duration.

Study Notes

  • The following is a summary of EC2 & IAM

IAM Roles for Services

  • Some AWS services need the ability to perform actions on your behalf
  • To do this, permissions are assigned to AWS services with IAM Roles
  • Common roles include EC2 Instance Roles, Lambda Function Roles, and Roles for CloudFormation

IAM Security Tools

  • IAM Credentials Report is an account-level report that lists all the account's users and the status of their credentials
  • IAM Access Advisor is a user-level tool that shows the service permissions granted to a user and when those services were last accessed. This information can be used to revise policies

IAM Guidelines & Best Practices

  • Avoid using the root account except for initial AWS account setup
  • There should be a one-to-one correspondence between a physical person and a single AWS user
  • Assign users to groups and apply permissions at the group level
  • Employ a strong password policy
  • Enforce multi-factor authentication (MFA)
  • Use Roles to grant permissions to AWS services
  • Utilize Access Keys for Programmatic Access through the CLI/SDK
  • Audit permissions of the AWS account using IAM Credentials Report and IAM Access Advisor
  • Never share IAM users or Access Keys

Shared Responsibility Model for IAM

  • AWS is responsible for the infrastructure's global network security
  • AWS also handles configuration and vulnerability analysis and compliance validation
  • The user is responsible for managing and monitoring Users, Groups, Roles, and Policies
  • The user is responsible for configuring MFA on all accounts and regularly rotating keys
  • The user is responsible for using IAM tools to apply appropriate permissions
  • The user is responsible for analyzing access patterns and reviewing permissions

IAM Section – Summary

  • Users map to a person and have a password for the AWS Console
  • Groups contain only users
  • Policies are JSON documents outlining permissions for users or groups
  • Roles are for EC2 instances or AWS services
  • Security measures include MFA and Password Policies
  • The AWS CLI is used to manage AWS services via the command-line
  • The AWS SDK is used to manage AWS services using a programming language
  • Access Keys are used to access AWS using the CLI or SDK
  • Audits involve IAM Credential Reports and IAM Access Advisor
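The summary says policies are JSON documents outlining permissions. What follows is an added example (not from the page or from AWS) that shows what such a document looks like and how IAM's decision order applies to it: an explicit Deny anywhere wins, otherwise any matching Allow grants, otherwise the request is implicitly denied. It is a deliberately small model: only identity-based policies with Effect, Action and Resource, IAM's `*` and `?` wildcards, no Condition blocks, NotAction/NotResource, resource-based policies, permission boundaries or SCPs. The policy, account ID 123456789012 and bucket names are constructed.

```python
"""Minimal IAM policy evaluation for identity-based policies.

Added example, not the page's code and not IAM's real engine. It covers
Effect/Action/Resource with wildcards and the IAM ordering (explicit
Deny > Allow > implicit deny); Conditions and other policy types are
out of scope.
"""
import fnmatch
import json

# Constructed developer policy: read any bucket, manage instances in one region,
# but never touch the production bucket, even though the first statement allows reads on "*".
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAnyBucket",
     "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "*"},
    {"Sid": "ManageInstancesInOneRegion",
     "Effect": "Allow",
     "Action": "ec2:*",
     "Resource": "arn:aws:ec2:eu-west-1:123456789012:instance/*"},
    {"Sid": "NeverTouchProdBucket",
     "Effect": "Deny",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::prod-data", "arn:aws:s3:::prod-data/*"]}
  ]
}
""")


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive; * and ? are the IAM wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are compared case-sensitively in this model.
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policies, action, resource):
    """Return "Deny", "Allow" or "ImplicitDeny" for one (action, resource) request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit deny always wins, whatever else matched
            allowed = True         # keep scanning: a later Deny still overrides this Allow
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    instance = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"
    print(evaluate([DEVELOPER_POLICY], "s3:GetObject", "arn:aws:s3:::dev-data/report.csv"))
    print(evaluate([DEVELOPER_POLICY], "s3:GetObject", "arn:aws:s3:::prod-data/report.csv"))
    print(evaluate([DEVELOPER_POLICY], "ec2:TerminateInstances", instance))
```

The point to notice is the third statement: because Deny is evaluated before Allow, the broad `Resource: "*"` read permission in the first statement does not leak into the production bucket. The same evaluator accepts a list of several policies, which is how group policies and user policies combine for one user.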

Amazon EC2

  • EC2, or Elastic Compute Cloud, is a central offering within AWS
  • EC2 = Elastic Compute Cloud = Infrastructure as a Service
  • EC2 mainly allows renting virtual machines (EC2), storing data on virtual drives (EBS), distributing load across machines (ELB), and scaling the services with an auto-scaling group (ASG)
  • Understanding EC2 is fundamental to how the Cloud works

EC2 Sizing & Configuration Options

  • Options include the operating system (Linux, Windows, or macOS) and the compute power and number of cores (CPU)
  • You can define random-access memory (RAM) and storage space: network-attached (EBS & EFS) or hardware (EC2 Instance Store)
  • Network card capabilities like speed and Public IP address can be configured
  • Security configurations can be enforced through security groups
  • A bootstrap script can be configured at first launch via EC2 User Data

EC2 User Data

  • Instances can be bootstrapped using an EC2 User Data script
  • Bootstrapping means launching commands when a machine starts
  • The EC2 user data script runs only once at the instance's first start
  • EC2 user data is used to automate boot tasks like installing updates and software, as well as downloading common files from the internet
  • The EC2 User Data script runs as the root user, so everything in it has full privileges on the instance; keep long-lived secrets out of it, because user data is readable from the instance metadata service by any process on the instance

Launching an EC2 Instance running Linux

  • Instances can be launched using the AWS Console
  • The goal is a first, high-level look at the various launch parameters
  • A web server is launched using EC2 user data
  • The running instance can be started, stopped, or terminated

EC2 Instance Types - Overview

  • Varying types of EC2 instances can be used that are optimised for different use cases
  • AWS has the following naming convention: m5.2xlarge
  • m is the instance class
  • 5 is the generation (AWS improves them over time)
  • 2xlarge is the size within the instance class
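As an added example of the naming convention above (not code from the page), here is a parser that splits an instance type name into the three parts the notes describe, plus the optional attribute letters that sit between the generation and the dot (for example the "gn" in c6gn.xlarge) and the "-flex" suffix some newer types carry. The attribute meanings are the ones AWS documents; names that do not follow the pattern are rejected rather than guessed at.

```python
"""Parse EC2 instance type names such as m5.2xlarge.

Added example, not from the page. Grammar: family letters, generation
digit(s), optional attribute letters, optional "-flex", a dot, then the
size. Unusual names (e.g. the high-memory u-* types) raise ValueError.
"""
import re

_TYPE_RE = re.compile(
    r"^(?P<family>[a-z]+?)(?P<generation>\d+)(?P<attributes>[a-z]*)"
    r"(?P<flex>-flex)?\.(?P<size>[0-9a-z-]+)$"
)
# Sizes: nano ... xlarge, Nxlarge, metal, metal-NNxl
_SIZE_RE = re.compile(r"^(\d+)?(nano|micro|small|medium|large|xlarge|metal)(-\d+xl)?$")

# Attribute letters as documented by AWS for instance type names.
ATTRIBUTE_MEANINGS = {
    "a": "AMD processors",
    "g": "AWS Graviton processors",
    "i": "Intel processors",
    "d": "local NVMe instance store",
    "n": "network and EBS optimized",
    "e": "extra storage or memory",
    "z": "high-frequency CPU",
    "b": "block storage optimization",
}

_BASE_RANK = {"nano": 0, "micro": 1, "small": 2, "medium": 3,
              "large": 4, "xlarge": 5, "metal": 1000}


def parse_instance_type(name):
    """Split 'c6gn.xlarge' into family 'c', generation 6, attributes 'gn', size 'xlarge'."""
    m = _TYPE_RE.match(name.lower())
    if not m or not _SIZE_RE.match(m["size"]):
        raise ValueError(f"not a recognised instance type name: {name!r}")
    return {
        "family": m["family"],
        "generation": int(m["generation"]),
        "attributes": m["attributes"],
        "flex": m["flex"] is not None,
        "size": m["size"],
    }


def describe_attributes(attributes):
    """Expand attribute letters; unknown letters are reported, not guessed."""
    return [ATTRIBUTE_MEANINGS.get(ch, f"unknown attribute {ch!r}") for ch in attributes]


def size_rank(size):
    """Sortable key: nano < micro < ... < large < xlarge < 2xlarge < ... < metal."""
    m = _SIZE_RE.match(size)
    if not m:
        raise ValueError(f"not a recognised size: {size!r}")
    mult, base, _ = m.groups()
    return _BASE_RANK[base] + (int(mult) if mult else 0)


if __name__ == "__main__":
    for name in ("m5.2xlarge", "t2.micro", "c6gn.xlarge", "r5ad.24xlarge", "m7i-flex.large"):
        parts = parse_instance_type(name)
        print(name, parts, describe_attributes(parts["attributes"]))
```

Reading the size is useful beyond sorting: a security group or IAM condition that restricts which instance types can be launched (for cost control) is easier to reason about once the name is decomposed, and the family/generation split makes it obvious that t2.micro and t3.micro are different generations of the same class.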

EC2 Instance Types – General Purpose

  • General Purpose EC2 instances are great for a diversity of workloads such as web servers or code repositories
  • They balance compute, memory, and networking
  • The t2.micro is an EC2 instance of type General Purpose

EC2 Instance Types – Compute Optimized

  • Compute Optimized EC2 instances are great for compute-intensive tasks that require high performance processors
  • They're useful for tasks such as batch processing workloads, media transcoding, high performance web servers and computing, scientific modeling and machine learning, and dedicated gaming servers

EC2 Instance Types – Memory Optimized

  • Memory Optimized EC2 instances have fast performance for workloads that process large data sets in memory
  • They're useful for tasks such as high performance, relational/non-relational databases, distributed web scale cache stores, in-memory databases optimized for BI, and applications performing real-time processing of big unstructured data

EC2 Instance Types – Storage Optimized

  • Storage Optimized EC2 instances are optimized for storage-intensive tasks that require high, sequential read and write access to large data sets on local storage
  • Use cases include high frequency online transaction processing (OLTP) systems, relational & NoSQL databases, cache for in-memory databases, data warehousing applications, and distributed file systems

EC2 Instance Types: example

  • t2.micro has 1 vCPU, 1 GiB memory, EBS-Only storage, and Low to Moderate network performance
  • t2.micro is part of the AWS free tier (up to 750 hours per month)

Introduction to Security Groups

  • Security Groups are a fundamental aspect of network security in AWS
  • They control how traffic is allowed into or out of EC2 Instances
  • Security groups only contain allow rules; there are no deny rules
  • A security group rule can reference a source or destination by IP range (CIDR) or by another security group

Security Groups Deeper Dive

  • Security groups act as a "firewall" on EC2 instances
  • They regulate access by port, by authorized IP ranges for IPv4 and IPv6, and separately for inbound and outbound network traffic

Security Groups Good to Know

  • Security Groups can be attached to multiple EC2 instances
  • They are locked down to a specific region / VPC combination
  • Security Groups live "outside" the EC2 instance, blocking traffic before it reaches the instance
  • Keep one separate security group for secure shell (SSH) access, so admin access can be reviewed and revoked independently of application rules
  • If the application is inaccessible (the connection times out), suspect a security group issue: nothing reached the instance
  • A "connection refused" error means traffic reached the instance and was rejected, which likely indicates an application error (the service is not running or not listening on that port)
  • As a default, all inbound traffic is blocked and all outbound traffic is authorized
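The three sections above describe how security groups decide: allow rules only, inbound denied unless matched, outbound allowed by default, and peers identified either by CIDR or by another security group. The following is an added example (not from the page or from AWS) that models exactly those rules and exercises them against a typical three-group layout: a separate SSH group, a public web group, and a database group that trusts the web group rather than any IP range. The group names, addresses and ranges are constructed; stateful return traffic and network ACLs are outside the model.

```python
"""Simulate security-group decisions for a single flow.

Added example, not code from the page. Rules are allow-only; a flow is
permitted if any rule in any attached group matches. Peers are a CIDR
(IPv4 or IPv6) or a referenced security group. Stateful return traffic
and NACLs are not modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                     # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: Optional[str] = None        # IPv4 or IPv6 range, e.g. "0.0.0.0/0" or "::/0"
    peer_group: Optional[str] = None  # or: members of another security group


# What a new group starts with: no inbound rules, all outbound allowed.
DEFAULT_OUTBOUND = [Rule("-1", 0, 65535, cidr="0.0.0.0/0"), Rule("-1", 0, 65535, cidr="::/0")]


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=lambda: list(DEFAULT_OUTBOUND))


def _matches(rule, protocol, port, peer_ip, peer_groups):
    if rule.protocol != "-1":
        if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.cidr is not None:
        # An IPv4 address is never "in" an IPv6 network (and vice versa), so
        # a v4 client does not match ::/0; both families need their own rule.
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
    return rule.peer_group is not None and rule.peer_group in peer_groups


def group_allows(group, direction, protocol, port, peer_ip, peer_groups=()):
    """True if this group has an allow rule for the flow; there are no deny rules."""
    rules = group.inbound if direction == "in" else group.outbound
    return any(_matches(r, protocol, port, peer_ip, peer_groups) for r in rules)


def instance_allows(groups, direction, protocol, port, peer_ip, peer_groups=()):
    """An instance with several groups gets the union of their allow rules."""
    return any(group_allows(g, direction, protocol, port, peer_ip, peer_groups) for g in groups)


# Constructed layout (assumed admin range 198.51.100.0/24, documentation addresses).
SG_SSH = SecurityGroup("sg-ssh", inbound=[Rule("tcp", 22, 22, cidr="198.51.100.0/24")])
SG_WEB = SecurityGroup("sg-web", inbound=[
    Rule("tcp", 80, 80, cidr="0.0.0.0/0"), Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
    Rule("tcp", 80, 80, cidr="::/0"), Rule("tcp", 443, 443, cidr="::/0"),
])
# The DB trusts whatever is in sg-web, whatever its IP happens to be today.
SG_DB = SecurityGroup("sg-db", inbound=[Rule("tcp", 3306, 3306, peer_group="sg-web")])


if __name__ == "__main__":
    print("internet -> web 443:", group_allows(SG_WEB, "in", "tcp", 443, "203.0.113.9"))
    print("internet -> web 22: ", group_allows(SG_WEB, "in", "tcp", 22, "203.0.113.9"))
    print("web tier -> db 3306:", group_allows(SG_DB, "in", "tcp", 3306, "10.0.1.20", ("sg-web",)))
    print("internet -> db 3306:", group_allows(SG_DB, "in", "tcp", 3306, "203.0.113.9"))
```

The second line of output is the "time out" case from the troubleshooting notes: port 22 on the web instance has no matching rule, so the packet is dropped before the instance sees it. Attaching SG_SSH as well (instance_allows) is how the separate-SSH-group practice works in a live account, and detaching it removes admin access without touching the web rules.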

Classic Ports to Know

  • Port 22 is for SSH (Secure Shell) to log into a Linux instance
  • Port 21 is for FTP (File Transfer Protocol) to upload files into a file share
  • Port 22 is also for SFTP (SSH File Transfer Protocol) to upload files over SSH
  • Port 80 is for HTTP to access unsecured websites
  • Port 443 is for HTTPS to access secured websites
  • Port 3389 is for RDP (Remote Desktop Protocol) to log into a Windows instance

SSH Summary Table

  • SSH, PuTTY, and EC2 Instance Connect are the tools used to connect to EC2 instances from Linux, Mac, and Windows

SSH Troubleshooting

  • SSH often presents problems
  • For issues, review past lessons, read troubleshooting guides, and try EC2 Instance Connect
  • Success with any of SSH, Putty, or EC2 Instance Connect is acceptable

How to SSH into EC2 Instance Linux / Mac OS X

  • You can SSH into an EC2 instance using Linux or Mac systems
  • SSH's function is to control the machine using the command line
  • Modify the OpenSSH configuration using ~/.ssh/config

How to SSH into EC2 Instance Windows

  • You can SSH into an EC2 instance using Windows
  • SSH is an important function that allows you to control a remote machine using the command line
  • Configure all the required parameters using the free tool Putty

EC2 Instance Connect

  • It connects to EC2 instances through a browser
  • Key file download is not required
  • AWS uploads a temporary key onto the instance; no key file download is required
  • Works out-of-the-box with Amazon Linux 2; other AMIs need the EC2 Instance Connect agent installed
  • Port 22 still needs to be open in the security group, since the connection comes from the EC2 Instance Connect service's IP range

EC2 Instances Purchasing Options

  • On-Demand Instances are used for short workloads, with predictable pricing paid by the second
  • Reserved Instances are used for long workloads with commitment for 1 or 3 years
  • Savings Plans provide commitment to an amount of usage for 1 or 3 years, suitable for long workloads
  • Spot Instances are used for short workloads and are cheap, but instances may be lost and are less reliable
  • Dedicated Hosts book an entire physical server and control instance placement
  • Dedicated Instances ensure that no other customers share the hardware
  • Capacity Reservations reserve instance capacity in a specific AZ for any duration

EC2 On Demand

  • Allows paying for what is used
  • Linux or Windows is billed per second, after the first minute; all other operating systems are billed per hour
  • On-Demand has the highest cost per hour but requires no upfront payment
  • There is no long-term commitment
  • On Demand is suitable for short-term and uninterrupted workloads where behavior can't be predicted

EC2 Reserved Instances

  • There is a discount of up to 72% compared to On-demand
  • Specific instance attributes (Instance Type, Region, Tenancy, OS) can be reserved
  • A reservation Period of 1 or 3 years is required
  • There are Payment Options for No, Partial, and All Upfront
  • A Reserved Instance Scope can be Regional or Zonal
  • It is suitable for steady-state usage applications
  • Reserved Instances can be bought and sold in the Reserved Instance Marketplace
  • Convertible Reserved Instances allow changing EC2 instance family, OS, scope and tenancy

EC2 Savings Plans

  • These give discounts based on long-term usage (up to 72% same as RIs)
  • You commit to a certain amount of usage (a set hourly spend) for 1 or 3 years
  • Any usage beyond EC2 Savings Plans is billed at the On-Demand price
  • They are locked to a particular instance family & AWS region
  • Flexibility is offered across Instance Size, OS, and Tenancy

EC2 Spot Instances

  • This provides a discount of up to 90% compared to On-demand
  • Instances can be lost at any time if your maximum price is less than the current spot price
  • It is the most cost-efficient instance in AWS
  • Suitable and efficient for workloads that are resilient to failure such as batch and data analysis jobs, image processing, distributed workloads, and workloads with variable start and end times
  • Not suitable for critical jobs or databases

EC2 Dedicated Hosts

  • An EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use
  • It addresses compliance requirements and enables use of existing server-bound software licenses
  • There is an On-Demand option, billed per second for an active Dedicated Host, and a Reserved option for 1 or 3 years
  • It is the most expensive option
  • Useful for software with complicated licensing models (BYOL)
  • Useful for companies with strong regulatory or compliance needs

EC2 Dedicated Instances

  • Instances run on hardware dedicated to your infrastructure and account
  • Hardware may be shared with other instances in the same account
  • There is no control over instance placement and the hardware can move after Stop / Start

EC2 Capacity Reservations

  • Capacity Reservations can reserve On-Demand instances capacity in a specific AZ for any duration
  • Consistent access to EC2 capacity is provided whenever it is required
  • There is no time commitment or billing discounts
  • The reservation can be combined with Regional Reserved Instances and Savings Plans to benefit from billing discounts
  • Charging occurs at the On-Demand rate
  • It is suitable for short-term, uninterrupted workloads that need to run in a specific AZ

AWS charges for IPv4 addresses

  • As of Feb 1st 2024, all public IPv4 addresses incur charges
  • Cost $0.005 per hour of Public IPv4 (~ $3.6 per month)
  • For new accounts, the EC2 free tier includes 750 hours of Public IPv4 per month for the first 12 months
  • There is no free tier for Public IPv4 addresses used by other services

Shared Responsibility Model for EC2

  • AWS is responsible for global network security, isolation on physical hosts, hardware replacement, and compliance validation
  • The user is responsible for Security Groups rules, operating system patches and updates, software and utilities installed on the EC2 instance, IAM Roles assigned to EC2 & IAM user access management, and data security on the instance
