AWS Cloud Overview, IAM, & AWS CLI Flashcards

1
Q

AWS Region

A

cluster of data centers

💡 TIP: Most AWS services are region-scoped

2
Q

How to choose an AWS Region?

A
  • 🔐 Compliance with data governance & legal requirements: data never leaves a region without your explicit permission
  • 📍 Proximity to customers: reduced latency
  • Available services within a Region: new services & features are NOT available in every region
  • 💰 Pricing: pricing varies region to region & is transparent on the service pricing page
3
Q

AWS Availability Zone (AZ)

A

one or more discrete data centers with redundant power, networking, & connectivity

usually 3, min is 3, max is 6

4
Q

What are some benefits of Availability Zones (AZs)?

A
  • AZs are separate from each other, so that they’re isolated from disasters
  • AZs are connected with high bandwidth, ultra-low latency networking
5
Q

AWS Points of Presence (Edge Locations)

A

content is delivered to end users with lower latency

Amazon has 400+ Points of Presence in 90+ cities across 40+ countries

6
Q

IAM

A

Identity & Access Management;
Global service

7
Q

Root account

A

created by default;
should NOT be used or shared

8
Q

IAM User

A

IAM Identity to represent people within your organization;
can be grouped

9
Q

IAM User Group

A

group of IAM users;
only contain users, NOT other groups

users don’t have to belong to group & user can belong to multiple groups

10
Q

IAM Policy

A

JSON documents that define a set of permissions for making requests to AWS services and can be used by IAM Users, User Groups, & IAM Roles

💡 TIP: Apply the least privilege principle

11
Q

IAM Policy Structure

A
  • Version: policy language version, always include “2012-10-17”
  • Id: identifier for the policy (optional)
  • Statement: one or more individual statements
12
Q

IAM Policy Statement Structure

A
  • Sid: identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow or Deny)
  • Principal: account/user/role to which this policy applies
  • Action: list of actions this policy allows or denies (e.g. s3:GetObject)
  • Resource: list of resources to which the actions apply
  • Condition: conditions for when this policy is in effect (optional)
13
Q

AWS Managed Policy

A

standalone policy that is created and administered by AWS
(e.g. IAMReadOnlyAccess)

14
Q

Inline Policy

A

policy created for a single IAM identity (a user, group, or role)

💡 TIP: If a policy could apply to more than one entity, it’s better to use a managed policy

15
Q

Multi Factor Authentication (MFA)

A

password you know + security device you own

✨ Best Practice: Root Accounts & IAM users (at a minimum) should be protected with MFA

16
Q

What is the main benefit of MFA?

A

if a password is stolen or hacked, the account is not compromised

17
Q

How can users access AWS?

3 ways

A
  • AWS Management Console: protected by password + MFA
  • AWS Command Line Interface (CLI): for the terminal; protected by access keys
  • AWS Software Development Kit (SDK): for code; protected by access keys

✨ Best Practice: Access Keys are secret, just like a password. Don’t share them

Access Key ID ~= username, Secret Access Key ~= password

18
Q

AWS Command Line Interface (CLI)

A

tool that enables you to interact with AWS services using commands in your command-line shell (e.g. a terminal)

alternative to using AWS Management Console

19
Q

AWS Software Development Kit (SDK)

A

language-specific APIs (set of libraries) that enable you to access & manage AWS services programmatically;
embedded within your application

20
Q

IAM Role

A

IAM Identity that defines a set of permissions for making requests to AWS services, and is assumed by an AWS service rather than a person
(e.g. EC2 Instance Roles, Lambda Function Roles)

21
Q

What IAM Security Tools does AWS provide?

A
  • IAM Credentials Report (account-level)
  • IAM Access Advisor (user-level)
22
Q

IAM Credentials Report

A
  • account-level
  • report that lists all your account’s users & status of their various credentials
23
Q

IAM Access Advisor

A
  • user-level
  • shows the service permissions granted to a user & when those services were last accessed

💡 TIP: Helpful information to audit and revise policies (e.g. toward the least privilege principle)

24
Q

What are some IAM User & Group best practices?

A
  • Don’t use the root account except for AWS account setup
  • One physical user = One AWS user
  • Assign users to groups & assign permissions to groups
  • Create a strong password policy
  • Use & enforce the use of Multi Factor Authentication (MFA)
25
Q

What are some IAM Permissions & Security best practices?

A
  • Create & use Roles for giving permissions to AWS services
  • Use Access keys for Programmatic access (CLI/SDK)
  • Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
  • NEVER share IAM users & Access Keys
  • Grant least privilege
26
Q

AWS CloudShell

A

browser-based shell in the AWS Management Console to securely interact with your AWS services (via the AWS CLI);
Not available in all regions

alternative to using the AWS CLI via your local terminal