VPC Network Architecture

Questions and Answers

In the given network architecture, what is the primary purpose of associating a 'Public-RT' (Route Table) with the public subnets?

• To enable direct routing of traffic from the internet to resources within the public subnets. (correct)
• To facilitate communication between private subnets, bypassing the need for a NAT gateway.
• To route traffic originating from the private subnets directly to the internet.
• To isolate the public subnets from the internet, enhancing security.

Given the network configuration, if an EC2 instance in the private subnet (10.150.3.0/24) needs to access the internet, what component is required?

• A VPN connection to a remote network.
• A NAT gateway or instance in the public subnet, along with appropriate routing in the Private-RT. (correct)
• An internet gateway attached directly to the private subnet.
• A direct association with the Public-RT.

What is the significance of having subnets in different availability zones (eu-west-3a and eu-west-3b)?

• It primarily reduces the cost of data transfer within the VPC.
• It enhances the security of the subnets by isolating them logically.
• It simplifies network administration and troubleshooting.
• It improves fault tolerance and high availability by distributing resources across physically isolated locations. (correct)

In this architecture, which subnet should the bastion host be placed in and why?

Public subnet (10.150.0.0/24 or 10.150.1.0/24) to allow direct SSH access from the internet. (D)

Given the CIDR block of the VPC is 10.150.0.0/16, what is the maximum number of usable IP addresses available within this VPC?

65,534 (B)

Flashcards

What is a subnet?

A range of IP addresses within a VPC.

What is a route table?

Controls network traffic routing between subnets and the internet.

What is a public subnet?

A subnet with a direct route to the internet, often used for resources that need to be publicly accessible.

What is a private subnet?

A subnet without a direct route to the internet, typically used for resources that should not be directly accessible from the outside.

What are Availability Zones(AZ)?

Distinct locations within a region designed to be isolated from failures.

Study Notes

AWS Account Overview

• Requires a unique email address
• IAM can be used to create users, groups, roles and policies
• It is an IAM best practice to create individual users and not use the root account
• The root user has full control over the account

Authorization and Authentication

• Authorization: IAM principals then create resources across AWS Regions
• Authentication: IAM principals authenticate to IAM using the console, API, or CLI
• All AWS identities and resources are created within the AWS account

Creating an AWS Free Tier Account

• A credit card is needed for setting up the account and paying any bills
• A unique email address is required for this account
• Check if you can use a dynamic alias with an existing email address
• An AWS account name/ alias necessary
• Phone needed to receiving an SMS verification code

Account Configuration

• Configure Account Alias
• Enable access to billing for Identity and Access Management(IAM) users
• Update billing preferences
• Create a billing alarm
• Confirm SNS subscription

Installation of Tools

• Install the AWS Command Line Interface (CLI)
• Install Visual Studio Code
• Launch AWS CloudShell

AWS Identity and Access Management (IAM)

• IAM Principals must be authenticated to send requests, with a few exceptions
• A principal is a person or application that can make a request for an action or operation on an AWS resource
• AWS determines whether to authorize the request, i.e. whether to allow or deny it
• Actions are authorized on AWS resources
• A principal may consist of a user, role, federated user, or application user
• Identity-based and resource based policies are used
• IAM controls access to Console / CLI / API access to AWS

IAM Users, Groups, Roles and Policies

• Roles are used for delegation and should be assumed
• The user gains the permissions applied to the group through the policy
• Policies define the identities or resources with permissions
• Identity-based policies can be applied to users, groups and roles

IAM Users

• Avoid using the root user account and enable MFA
• Up to 5000 individual user accounts can be created
• Users can be authenticated via username/password for console or access keys for API/CLI
• Users have no permissions by default

IAM Groups

• All Groups are collections of users, and users can be members of up to 10 groups
• The goal is to apply permissions to the group the user belongs to

IAM Role

• An IAM role is an IAM identity that has specific permissions
• Roles are assumed by users, applications and services
• The AWS Security Token Service’s (STS) AssumeRole API is a common operation to temporarily adopt a role
• The identity "becomes" the role and gains the roles' permissions once assumed

IAM Policies

• Policies describe the actions a principal can perform and with what effect

IAM Users vs. IAM Root user

• The IAM root user uses email address login details and has Full - Unrestricted permissions
• The IAM user has friendly name + AWS account ID or Alias with IAM Permissions Policy

IAM Authentication Methods

• For John , username is John and password has been set as Eo28720*! and there is an MFA Token: (optional)
• Access Key ID set as AKIAXP4J2EKUQIQJTJLV and Secret access key is given as wimJ GpewNMRHFi9ud0pJwh7NBX4F6i

Multi-Factor Authentication

• Something user knows: Password like EJPx!*21p9%
• Something you have: Virtual MFA as Google Authenticator on your smart phone
• Physical tokens are purchased from third parties

AWS Security Token Service (STS)

• Credentials include AccessKeyld; Expiration; SecretAccessKey; and Session Token.
• Temporary credentials are returned
• Trust policies control who can assume the role
• EC2 attempts to assume role (sts:AssumeRole API call)
• Temporary credentials are used with identity federation, delegation, cross-account access, and IAM roles

Identity-Based IAM Policies

• JSON permissions policy documents control what actions an identity perform upon various resources, and under what circumstances.
• Managed policies may either be AWS managed, for instance roles like AdministratorRoles, or customer managed where they are created by the AWS customer
• Managed policies are standalone, and can be attached to multiple users, groups, or roles
• A single policy is an inline policy having 1:1 relation with the user/group/role

Resource-Based Policies

• Trust Policy is also an example of a resource- based policy
• Permissions Policy is an identity-based policy

Role-Based Access Control (RBAC)

• RBAC assigns permissions to roles/groups through policies, to which users are attached to
• Groups are organized by job function
• The best practice is to grant the minimum permissions required

Attribute-Based Access Control (ABAC)

• Grants access using a key/value paired tag where Permissions are granted to resources when the tag matches a certain value

Permissions Boundary

• Policy makes sure that full control of S3, CloudWatch, EC2, and IAM is allowed
• The permissions boundary sets the maximum permissions which the entity can have it attached to

Privilege Escalation

• Lindsay initially is assigned IAM access only
• Then she creates an X user with AdministratorAccess
• Lindsay can now login with the X-User and gain all access to the AWS account, this poses a security risk of privilege escalation

Preventing Privilege Escalation

• Lindsay gets IAM access only and cannot launch AWS resources
• A Permissions Boundary gets added to her permissions
• X-User gets the role and Lindsay will no have more roles than X-User
• This prevents the problem because user create by Lindsay are same or less priviledged

IAM Policy Evaluation

• Evaluation starts with Deny, evaluating all applicable policies, checking whether there is explicit Deny or Allow, resource based, identity based policy, and IAM permissions boundary.
• Finally , decision are of 2 kind which is to Allow or Deny

Authorizing Requests to AWS

• Authentication- AWS authenticates the principal that requires any request
• Process request context- action/ resource/ principal/ environment data
• AWS will process an IAM policy and return either allowed/ deny

Types of Policy

• Identity-based policies are attached to users, groups, or roles
• Resource-based policies are attached to a resource, defining permissions for a principal accessing the resource
• IAM permissions boundaries set the maximum permissions an identity-based policy can grant an IAM entity
• AWS Organizations service control policies (SCP) specify the maximum permissions for an organization or OU
• Session policies are used with AssumeRole API actions

Evaluating Policies within an AWS Account

• Identity-based policy and resource-based policy are considered for Effective Permissions
• Identity-based policy and Permissions-boundary are considered
• Identity-based policy and Organization SCP are considered

Determination Rules

• By default, all requests are implicitly denied (though the root user has full access)
• An explicit allow in an identity-based or resource-based policy overrides this default
• If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny
• An explicit deny in any policy overrides any allows

IAM Policy Structure

• An IAM policy is a JSON document of one or more statements
• The Effect element can be set to Allow or Deny
• Action (API calls) are specified
• Resource impacted by the action is configured with arn

IAM Policy Examples

• The AdministratorAccess policy uses wildcards (*) to allow all actions on all resources.
• The NotIpAddress and SourceIp in IAM is used to filter and deny access by specifying a range.
• A resource-based policy contains a principal element as part of its definition
• The policy condition element requires that SSL/TLS encryption is used

Using Role Based Access Control (RBAC)

• Job function policies include Roles and Permissions where an AWS Managed Policy is attached to a role, with closely aligned job functions in the IT industry
• The billing management policy is attached to the group

Attribute-Based Access Control (ABAC)

• A tag key is used when using attribute
• DBAdmins are associated to a department to grant permission

Use PermissionsBoundary.json File

• The JSON file is from a course
• Policiy will make enforce the following:
• IAM principals cant alter the permissions boundary access to the related services
• IAM principals must set a boundary to any created principals
• IAM admins cannot create priviledges
• The IAM principals cannot be create if with same or more permissions

Privilege Escalation

• Linsday assign permissions to AWS IAM only and cannot launch AWS resources
• The person is now able to login with the X-User account and gain permission to the AWS account

AWS IAM Access Analyzer

• The Analyzer identifies shared resources in an account/ organization with external entity
• Access Analyzer analyzes Amazon Simple Storage Service buckets as well as the following:
• AWS Identity and Access Management roles
• AWS Key Management Service keys
• AWS Lambda functions and layers
• Amazon Simple Queue Service queues

AWS IAM Best Practices

• Lock away the AWS account root user access keys
• Create individual IAM users
• Use groups when assigning permissions
• Grant least privilege
• Get started using permissions with AWS managed policies
• Used customer managed policies instead of inline policies
• Use access levels to review IAM permissions
• Enable MFA and configure a strong password policy
• Use roles for applications that run on EC2 instances
• Remove unnecessary credentials; don't share access keys, but rotate credentials regularly
• For extra security, use policy conditions and monitor activity in your AWS account

AWS Organizations

• AWS organizations allows consolidation of multiple AWS accounts into an organization that you create and manage
• Organization is available in two feature sets of consolidated billing/ all features
• Includes root accounts and organizational units
• Used consolidated billing which includes Paying Account which is independent
• Users the Linked Account which all accounts are independent; AWS SSO using on-prem SSO

Control Tagging for AWS API Actions

• Enabled in management account to apply to members
• A service control policy controls tagging and available API actions.
• All users in the management account are not restricted, but service control do grant the allowed permissions
• It will control MAXIMUM permission available

Account Configuration and Usage

• Can create organization and assume a specific role with `sts:AssumeRole
• Roles can have full permissions

Service Control Policies (SCPs))

• SCPs control the maximum available permissions
• Tag policies applied to enforce tag standardization
• In the sample dev accounts can use only T2-micro EC2 instances.
• Sample Prods cannot use above T2-micro or larger instances

Use Case of Cross Account Access

• Account A allows to access a bucket
• Policy allows user to assume the role
• Account B allows the user to assume the role in account A
• Account A policy requires Trust Policy- external ID

Cross Account Access to 3rd Party

• A external ID exists that must met requirements
• Account B policy allows to use the role in account A

Cross Account Access Delegation

• Instance profile needs to be trusted to AWS STS with delegation
• The credentials returned are temporary

VPN VPC Refresher

• Logical isolated portion within a region used for VPC
• Subnets are used and created inside the AZ
• Launch your EC2 inside VPC's subnets
• Internet Gateway allows to connect to VPC/ Internet
• The VPC router takes care of routing within / outside the VPC
• Route Tables configure the VPC router

Features of Amazon VPC Components

• Private network
• Subnets
• Internet Gateway
• Router interconnects
• Peer Connection is a direct connection
• Used for AWS and customer gateway, as well as Direct Connect, subnet / instance firewall

Amazon Virtual Private Cloud

• The VPC is a virtual network dedicated to an AWS account
• The VPC is analogously isolated from the organization's other virtual networks
• Provides full control to other networking environment where you launch from resources , such as AWS instances.

IPv4 considerations

• Must follow guidelines of address range to be considered valid
• Follow rules around setting up and determining the address type for subnet masks to ensure no problems creating them.
• Bigger CIDR block = more flexibility
• Smaller subnets are OK for most use cases.
• Remember the IPv4 restrictions and plan for the future

Secondary CIDR

• Make sure the secondary CIDR block doesn't overlap
• Local route is needed to configure to the tables and added
• The route must not added for an address

Using IPv4 in a VPC

• Each VPC has separate IP address and create multivariable per region

Using IPv6 in the VPC

• A /64 address range would be used with the IPv6 and AWS to assign a /56

VPC Best Practices

• To enable high availability (HA), use multiple AZs
• Control traffic using Security Groups and NACLs
• Use IAM policies to control access
• The VPC Flow is used to monitor traffic and use AWS service in your VPC

More VPC Bst Practices

• Use AWS Privatelink to keep traffic private
• Use private subnets for the instances and don't have public access
• Use an Egress-Only IGW when you want outbound ONLY access for IPv6 applications
• Isolate tiers using subnets and infrastructure using separate VPCs

Create VPC and test launch

• Subnets and assign a route to an Internet gateway and public access

Stateful and Stateless Firewalls

• Stateful vs stateless where stateful firewalls allows the traffic to be fully automatic and stateless doesn't
• Web server (10.2.1.10)
• src/dest Port: 80, with firewall between / Client(10.1.1.1 / 65188)

Security Groups and Network ACLs

• 2 firewalls to secure all ports
• Security groups apply the instance level where a network ACL

Security and Network ACL

• Used to allow the rules
• Type protocol will follow as separate route define what will be out bounds

NACLS Inbound/ Outbound

• Explicit order and processed in ordered for use
• Process is more efficient and to enable the process

Configuration Management

• Evaluation the AWS resources that are needed
• Managed/ not attach ports need a network ACL check / not use / restricted

Configure Security Group for AWS

• AWS cloud and enable as an additional security that is wanted

VPC Connection

• To maintain the connection ensure to use a private connection / or connection to a network

VPC Endpoint

A created interface ensures that it is to one of several services and used private by IP

Direct Connecting

• Connection allows to AWS directly (1Gbps or 10Gbps), but DX port must to be allocated in a DX location
• The customer router is connected to DX local

AWS VPC benefits

• Connect an AWS account to a data office, and can be used / cost

EC2s and Private Links

• Traffic to the EC2s is public , create a private link and ensure that services dont access anything from interent

Description

Explore the purpose of public route tables and the necessity of components like NAT Gateways for enabling internet access from private subnets. Understand the importance of availability zones for network resilience. Determine the maximum number of usable IP addresses within a VPC.