AWS Cloud Foundations & IAM PDF
Summary
This document provides an overview of AWS Cloud Foundations and IAM (Identity and Access Management), covering topics such as global infrastructure, regions, availability zones, local zones, and more. The document also explains the shared responsibility model between AWS and the customer when it comes to security. It's suitable for those initiating a cloud computing journey or aiming to understand AWS services.
AWS CLOUD FOUNDATIONS & IAM – Module 1

AWS GLOBAL INFRASTRUCTURE
The AWS infrastructure is built around Regions and Availability Zones (AZs). An AWS Region is a physical location in the world where AWS has multiple AZs. AZs consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. Each Region is completely independent. Each Availability Zone is isolated, but the Availability Zones in a Region are connected through low-latency links.

REGIONS
A Region is a geographical area. Each Region consists of 3 or more Availability Zones. Each Amazon Region is designed to be completely isolated from the other Amazon Regions. Each AWS Region has multiple Availability Zones and data centers. You can replicate data within a Region and between Regions using private or public Internet connections. You retain complete control and ownership over the Region in which your data is physically located, making it easy to meet regional compliance and data residency requirements.

AVAILABILITY ZONES
An Availability Zone is a single data center or a group of data centers in a Region. Within an Availability Zone the data centers are located many miles apart from each other. Keeping them apart reduces the risk of all of them going down if a disaster happens in the Region; at the same time, they are close enough together to keep latency low.
https://aws.amazon.com/about-aws/global-infrastructure/

LOCAL ZONES
AWS Local Zones place compute, storage, database, and other select AWS services closer to end users. With AWS Local Zones, you can easily run highly demanding applications that require single-digit millisecond latencies to your end users.
Each AWS Local Zone location is an extension of an AWS Region where you can run your latency-sensitive applications using AWS services. AWS Local Zones provide a high-bandwidth, secure connection between local workloads and those running in the AWS Region, allowing you to seamlessly connect to the full range of in-region services through the same APIs and tool sets.

AWS WAVELENGTH
AWS Wavelength enables developers to build applications that deliver single-digit millisecond latencies to mobile devices and end users. Developers can deploy their applications to Wavelength Zones, AWS infrastructure deployments that embed AWS compute and storage services within the telecommunications providers' data centers at the edge of the 5G networks, and seamlessly access the breadth of AWS services in the Region. AWS Wavelength brings AWS services to the edge of the 5G network, minimizing the latency to connect to an application from a mobile device.

AWS OUTPOSTS
AWS Outposts bring native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility. You can use the same AWS APIs, tools, and infrastructure across on-premises and the AWS Cloud to deliver a truly consistent hybrid experience. AWS Outposts is designed for connected environments and can be used to support workloads that need to remain on-premises due to low latency or local data processing needs.

EDGE LOCATIONS AND REGIONAL EDGE CACHES
Edge locations are Content Delivery Network (CDN) endpoints for CloudFront. There are many more edge locations than Regions; currently there are over 200 edge locations.
Regional Edge Caches sit between your CloudFront origin servers and the edge locations. A Regional Edge Cache has a larger cache width than each of the individual edge locations.

AWS SHARED RESPONSIBILITY MODEL
Security and compliance are a shared responsibility between AWS and the customer.
Security 'of' the cloud
AWS operates, manages, and controls the components from the software virtualization layer down to the physical security of the facilities where AWS services operate. AWS is responsible for protecting the infrastructure that runs all the services that are offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run the AWS Cloud services.

Security 'in' the cloud
The customer is responsible for the encryption of data at rest and data in transit. The customer should also ensure that the network is configured for security and that security credentials and logins are managed safely. Additionally, the customer is responsible for the configuration of security groups and the configuration of the operating system that runs on the compute instances they launch (including updates and security patches).

AWS RESPONSIBILITY: SECURITY OF THE CLOUD
AWS is responsible for protecting the global infrastructure that runs all the services that are offered in the AWS Cloud. The global infrastructure includes AWS Regions, Availability Zones, and edge locations. AWS is responsible for the physical infrastructure that hosts your resources, including:
- Physical security of data centers with controlled, need-based access; located in nondescript facilities, with 24/7 security guards; two-factor authentication; access logging and review; video surveillance; and disk degaussing and destruction.
- Hardware infrastructure, such as servers, storage devices, and other appliances that AWS relies on.
- Software infrastructure, which hosts operating systems, service applications, and virtualization software.
- Network infrastructure, such as routers, switches, load balancers, firewalls, and cabling.
AWS also continuously monitors the network at external boundaries, secures access points, and provides redundant infrastructure with intrusion detection.
CUSTOMER RESPONSIBILITY: "SECURITY IN THE CLOUD"
Customer responsibilities:
- Customer data
- Applications and IAM: passwords, role-based access, etc.
- Operating system, network, and firewall configuration: the Amazon Elastic Compute Cloud (Amazon EC2) instance operating system, including patching and maintenance; security group configuration; OS or host-based firewalls, including intrusion detection or prevention systems; network configurations
- Client-side data encryption and data integrity authentication
- Server-side encryption (file system or data)
- Network traffic protection (encryption, integrity, identity)
- Account management: customer-configurable login and permission settings for each user

SERVICE CHARACTERISTICS AND SECURITY RESPONSIBILITY
Infrastructure as a service (IaaS)
- Customer has more flexibility over configuring networking and storage settings
- Customer is responsible for managing more aspects of the security
- Customer configures the access controls
Platform as a service (PaaS)
- Customer does not need to manage the underlying infrastructure
- AWS handles the operating system, database patching, firewall configuration, and disaster recovery
- Customer can focus on managing code or data
Software as a service (SaaS)
- Software is centrally hosted
- Licensed on a subscription model or pay-as-you-go basis
- Services are typically accessed via web browser, mobile app, or application programming interface (API)
- Customers do not need to manage the infrastructure that supports the service

IAM – IDENTITY AND ACCESS MANAGEMENT
Identity and Access Management (IAM) in Amazon Web Services (AWS) manages AWS users and their access to AWS accounts and services. It controls the level of access a user can have over an AWS account: it sets up users, grants permissions, and allows a user to use different features of an AWS account.
Identity and access management is mainly used to manage users, groups, roles, and access policies. The account we created to sign in to Amazon Web Services is known as the root account; it holds all the administrative rights and has access to all parts of the account.

How IAM Works?
IAM verifies that a user or service has the necessary authorization to access a particular service in the AWS Cloud. We can also use IAM to grant the right level of access to specific users, groups, or services.

What Does IAM Do? IAM Policies
IAM policies manage access to AWS by being attached to IAM identities (IAM users, IAM groups, and IAM roles) or to resources. IAM policies define the permissions of AWS identities and AWS resources. When a user or any resource makes a request, AWS validates it against these policies and confirms whether the request is to be allowed or denied. AWS policies are stored in JSON format. The number of policies attached to a particular IAM identity depends upon the number of permissions required for that identity; an IAM identity can have multiple policies attached to it.

An IAM policy is a formal statement of permissions that will be granted to an entity. Policies can be attached to any IAM entity. Entities include users, groups, roles, or resources. For example, you can attach a policy to AWS resources that will block all requests that do not come from an approved Internet Protocol (IP) address range. Policies specify what actions are allowed, which resources to allow the actions on, and what the effect will be when the user requests access to the resources. The order in which the policies are evaluated has no effect on the outcome of the evaluation. All policies are evaluated, and the result is always that the request is either allowed or denied. When there is a conflict, the most restrictive policy applies. There are two types of IAM policies.
Identity-based policies are permissions policies that you can attach to a principal (or identity) such as an IAM user, role, or group. These policies control what actions that identity can perform, on which resources, and under what conditions. Identity-based policies can be further categorized as:
- Managed policies – Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account.
- Inline policies – Policies that you create and manage, and that are embedded directly into a single user, group, or role.

Resource-based policies are JSON policy documents that you attach to a resource, such as an S3 bucket. These policies control what actions a specified principal can perform on that resource, and under what conditions. They specify who has access to the resource and what actions they can perform on it. These policies are inline only, not managed. Resource-based policies are supported only by some AWS services.

Example policy: the explicit allow gives users access to a specific DynamoDB table and Amazon S3 buckets. The explicit deny ensures that the users cannot use any other AWS actions or resources other than that table and those buckets. An explicit deny statement takes precedence over an allow statement.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["dynamodb:*", "s3:*"],
          "Resource": [
            "arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
            "arn:aws:s3:::bucket-name",
            "arn:aws:s3:::bucket-name/*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": ["dynamodb:*", "s3:*"],
          "NotResource": [
            "arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
            "arn:aws:s3:::bucket-name",
            "arn:aws:s3:::bucket-name/*"
          ]
        }
      ]
    }

Policy evaluation flow: Is the permission explicitly denied? Yes: Deny. No: Is the permission explicitly allowed? Yes: Allow. No: Deny (implicit deny).

IAM policies enable you to fine-tune privileges that are granted to IAM users, groups, and roles.
When IAM determines whether a permission is allowed, IAM first checks for the existence of any applicable explicit denial policy. If no explicit denial exists, it then checks for any applicable explicit allow policy. If neither an explicit deny nor an explicit allow policy exists, IAM reverts to the default, which is to deny access. This process is referred to as an implicit deny. The user will be permitted to take the action only if the requested action is not explicitly denied and is explicitly allowed.

What Does IAM Do? IAM Identities
IAM identities help us control which users can access which services and resources in the AWS Console; we can also assign policies to the users, groups, and roles. IAM identities can be created by using the root user. IAM identities are classified as IAM users, IAM groups, and IAM roles.

What Does IAM Do? Root user
The root user is created automatically and granted unrestricted rights. We can create an admin user with fewer powers to control the entire Amazon account.

IAM Users
We can utilize IAM users to access the AWS Console; their administrative permissions differ from those of the root user, and we can keep track of their login information.
Example: With the aid of IAM users, we can give a specific person access to every service available in the Amazon dashboard with only a limited set of permissions, such as read-only access. Let's say user-1 is a user that I want to have read-only access to the EC2 instance and no additional permissions, such as create, delete, or update.

What Does IAM Do? IAM Groups
A group is a collection of users, and a single person can be a member of several groups. With the aid of groups, we can manage permissions for many users quickly and efficiently. The slide shows one AWS account with three IAM groups:
- IAM group Admins: Carlos Salazar, Márcia Oliveira, Richard Roe
- IAM group Developers: Li Juan, Mary Major
- IAM group Testers: Zhang Wei, John Stiles, Li Juan
(Li Juan is a member of two groups.)
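The decision flow described above (explicit deny first, then explicit allow, otherwise implicit deny) worked through in code, as an added example that is not part of the original document: it evaluates the page's sample table-and-bucket policy and a constructed read-only EC2 policy for the user-1 scenario. It assumes a single identity-based policy using only the Action, Resource and NotResource elements (no Condition, NotAction, principals or resource-based policies), and it uses fnmatch as an approximation of IAM's "*" and "?" wildcard matching.

```python
import fnmatch
import json

# Constructed copy of the page's sample policy (placeholders left exactly as on the page).
TABLE_AND_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*"],
     "Resource": ["arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
                  "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]},
    {"Effect": "Deny", "Action": ["dynamodb:*", "s3:*"],
     "NotResource": ["arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
                     "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]}
  ]
}
""")

# Hypothetical read-only EC2 policy for the page's "user-1" scenario (constructed here).
EC2_READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _any_match(patterns, value, case_sensitive):
    # Action names are case-insensitive; resource ARNs are compared case-sensitively.
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _statement_applies(stmt, action, resource):
    if not _any_match(_as_list(stmt.get("Action", [])), action, case_sensitive=False):
        return False
    if "Resource" in stmt:
        return _any_match(_as_list(stmt["Resource"]), resource, case_sensitive=True)
    if "NotResource" in stmt:
        # NotResource: the statement applies to every resource NOT in the list.
        return not _any_match(_as_list(stmt["NotResource"]), resource, case_sensitive=True)
    return False

def evaluate(policy, action, resource):
    """Apply the page's decision flow: an explicit deny wins, then an explicit allow,
    otherwise the default is an implicit deny. Conditions and NotAction are not modelled."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, action, resource)}
    if "Deny" in effects:
        return "ExplicitDeny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"
```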
What Does IAM Do? IAM Roles
While policies cannot be directly given to any of the services accessible through the Amazon dashboard, IAM roles are similar to IAM users in that they may be assumed by anybody who requires them. By using roles, we can give AWS services access rights to other AWS services.

IAM FEATURES
- Free of cost: The IAM feature of the AWS account is free to use; charges are added only when you access other Amazon Web Services using IAM users.
- Centralized control over your AWS account: Any creation of users or groups, or any form of cancellation, that takes place in the AWS account is controlled by you, and you have control over what data can be accessed by the user and how.
- Grant permission to the user: As the root account holds administrative rights, the user will be granted permission to access certain services by IAM.
- Multi-factor authentication: An additional layer of security is implemented on your account by a third party: a six-digit number that you have to enter along with your password when you log in to your account.