AWS - SAA Flashcards
https://www.youtube.com/watch?v=Ia-UEYYR44s
Introduction to S3
What is Object Storage (Object-based Storage)?
A data storage architecture that manages data as objects, as opposed to other storage architectures:
- file systems, which manage data as files in a file hierarchy, and
- block storage, which manages data as blocks within sectors and tracks.
S3 provides unlimited storage. No concern about underlying infrastructure. S3 console provides an interface for you to upload and access your data.
1. S3 Object: Objects contain your data. They are like files. Objects consist of: Key (name of the object), Value (sequence of bytes), Version ID (the version of the object), Metadata (additional info attached to the object). S3 permits object sizes of 0 bytes - 5 Terabytes.
2. S3 Bucket: Buckets hold objects. Buckets can also have folders which in turn hold objects. S3 is a universal namespace so bucket names must be unique.
S3 - Storage Classes
Trade Retrieval Time, Accessibility and Durability for Cheaper Storage
Cheaper storage as you go down the list…
1. Standard (default): Fast! 99.99% Availability, 11 9's Durability, Replicated across at least three AZs
2. Standard Infrequently Accessed (IA): Still Fast! Cheaper if you access files less than once a month. Additional retrieval fee is applied. 50% less than Standard (reduced availability)
3. One Zone IA: Still Fast! Objects only exist in one AZ. Availability (99.5%), but 20% cheaper than Standard IA (reduced durability). Data could be destroyed. A retrieval fee is applied.
4. Glacier: For long-term cold storage. Retrieval of data can take minutes to hours, but the trade-off is very cheap storage.
5. Glacier Deep Archive: The lowest cost storage class. Data retrieval time is 12 hours.
S3 Guarantees: The platform is built for 99.99% availability. Amazon guarantees 99.9% availability. Amazon guarantees 11 9's of durability.
S3 - Security
All new buckets are PRIVATE by default
Logging per request can be turned on for a bucket. Log files are generated and saved in a different bucket (even a bucket in a different AWS account if desired).
Access control is configured using:
1. Bucket Policies - Use a policy to define complex access rules.
2. Access Control Lists - Legacy feature (but not deprecated) for controlling access to buckets and objects. A simple way of granting access.
S3 - Encryption
Types of Encryption
Encryption In Transit: Traffic between your local host and S3 is achieved via SSL/TLS
Server Side Encryption (SSE) - Encryption At Rest: Amazon helps you encrypt the object data:
S3 Managed Keys: (Amazon manages all the keys)
SSE-AES: S3 handles the key, uses the AES-256 algorithm
SSE-KMS: Envelope encryption, AWS KMS and you manage the keys.
SSE-C: Customer provided key (you manage the keys)
Client-Side Encryption: You encrypt your files before uploading them to S3.
S3 - Data Consistency
New Objects vs Overwrite
New Objects (PUTS): Read After Write Consistency. When you upload a new S3 object you are able to read immediately after writing.
Overwrite (PUTS) or Delete Objects (DELETES): Eventual Consistency. When you overwrite or delete an object, it takes time for S3 to replicate versions to AZs. If you were to read immediately, S3 may return an old copy. You generally need to wait a few seconds before reading.
S3 - Cross Region Replication (CRR)
Cross Region Replication: When enabled, any object that is uploaded will be automatically replicated to another region(s). Provides higher durability and potential disaster recovery for objects.
Versioning must be turned on for both the source and destination buckets for CRR to function.
CRR can replicate to another AWS account.
S3 Versioning
- Store all versions of an object in S3
- Once enabled, it cannot be disabled. Only suspended on the bucket.
- Fully integrates with S3 Lifecycle rules
- MFA Delete feature provides extra protection against deletion of your data
S3 Lifecycle Management
S3 Lifecycle Management: Automate the process of moving objects to different storage classes or deleting objects altogether
Can be used together with versioning
Can be applied to both current and previous versions
S3 - Transfer Acceleration
S3 - Transfer Acceleration: Fast and secure transfer of files over long distances between your end users and an S3 bucket.
- Utilizes CloudFront’s distributed Edge Locations
- Instead of uploading to your bucket, users use a distinct URL for an Edge Location
- As data arrives at the Edge Location, it is automatically routed to S3 over a specifically optimized network path (Amazon's backbone network)
S3 - Presigned URLs
Presigned URLs: Generate a URL which provides temporary access to an object to either upload or download object data. Presigned URLs are commonly used to provide access to private objects. The AWS CLI or AWS SDK is used to generate presigned URLs.
For example:
One has a web application that needs to allow users to download files from a password-protected part of the web app. The web app generates a presigned URL which expires after 5 seconds. The user downloads the file.
S3 - MFA Delete
MFA Delete: ensures users cannot delete objects unless they provide their MFA code.
MFA Delete can only be enabled under these conditions:
1. The AWS CLI must be used to turn on MFA
2. The bucket must have versioning turned on
3. Only the bucket owner logged in as Root User can DELETE objects from bucket
S3 CheatSheet
- Simple Storage Service (S3) is object-based storage: Store an unlimited amount of data without worrying about the underlying storage infrastructure
- S3 replicates data across at least 3 AZs to ensure 99.99% Availability and 11 9's of durability
- Objects contain your data
- Objects can be any size from 0 Bytes up to 5 Terabytes
- Buckets contain objects. Buckets can also contain folders which in turn can contain objects.
- Bucket names are unique across all AWS accounts. Like a domain name.
- When you upload a file to S3 successfully you'll receive an HTTP 200 code
- Lifecycle Management: Objects can be moved between storage classes or objects can be deleted automatically based on a schedule
- Versioning: Objects are given a Version ID. When new objects are uploaded, the old objects are kept. You can access any object version. When you delete an object, the previous object is restored. Once versioning is turned on, it cannot be turned off, only suspended.
- MFA Delete: Enforces that DELETE operations require an MFA token in order to delete an object. Must have versioning turned on to use. Can only turn on MFA Delete from the AWS CLI. Only the Root Account is allowed to delete objects
- All new buckets are private by default
- Logging can be turned on a bucket to track operations performed on objects
- Access control is configured using Bucket Policies and Access Control Lists (ACL)
- Bucket Policies are JSON documents which let you write complex access control
- ACLs are the legacy method (not deprecated) where you grant access to objects and buckets with simple actions.
S3 CheatSheet
- Security in Transit: Uploading files is done over SSL
- SSE: Stands for Server Side Encryption. S3 has 3 options for SSE.
1. SSE-AES: S3 handles the key, uses the AES-256 algorithm
2. SSE-KMS: Envelope encryption via AWS KMS and you manage the keys.
3. SSE-C: Customer provided key (you manage the keys)
- Client-Side Encryption: You must encrypt your own files before uploading them to S3
S3 CheatSheet
- Cross Region Replication (CRR): Allows replication of files across regions for greater durability. Versioning must be turned on in the source and destination bucket. CRR can replicate to a bucket in another AWS Account.
- Transfer Acceleration: Provides faster and secure uploads from anywhere in the world. Data is uploaded via a distinct URL at an Edge Location. Data is then transported to the S3 bucket via the AWS backbone network.
- Presigned URLs: a URL generated via the AWS CLI or SDK. It provides temporary access to write or download object data. Presigned URLs are commonly used to access private objects.
S3 has 6 different Storage Classes:
* Standard: Fast! 99.9% Availability, 11 9’s durability, replicated across at least three AZs
* Intelligent Tiering: Uses ML to analyze object usage and determine the appropriate storage class. Data is moved to the most cost-effective access tier, without any performance impact or added overhead.
* Standard Infrequently Accessed (IA): Still Fast! Cheaper if you access files less than once a month. Additional retrieval fee is applied. 50% less than Standard (reduced availability)
* One Zone IA: Still Fast! Objects only exist in one AZ. Availability (99.5%), but 20% cheaper than Standard IA (reduced durability). Data could get destroyed. A retrieval fee is applied.
* Glacier: For long-term cold storage. Retrieval of data can take minutes to hours but the trade-off is very cheap storage.
* Glacier Deep Archive: The lowest cost storage class. Data retrieval time is 12 hours.
AWS Snowball: Petabyte-scale transfer service
Snowball:
Low Cost: Transferring 100TB over high speed internet costs thousands of dollars. Snowball can reduce that cost to 1/5th.
Speed: Transferring 100TB over high speed internet can take over 100 days. Snowball can reduce that transfer time, completing the task in less than a week.
Move data onto AWS via a physical briefcase computer
Snowball features and limitations:
* E-ink display (shipping information)
* Tamper-proof and weather-proof
* Data is encrypted end-to-end (256-bit encryption)
* Uses Trusted Platform Module (TPM)
* For security purposes, data transfers must be completed within 90 days of the Snowball being prepared.
* Snowball can import and export from S3.
Comes in two sizes:
* 50 TB (42 TB of usable space)
* 80 TB (72 TB of usable space)
TPM: a specialized chip on an endpoint device that stores RSA encryption keys specific to the host system for hardware authentication.
Snowball Edge: Petabyte-scale data transfer service
Snowball Edge: Similar to Snowball but with more storage and local processing.
Move data onto AWS via physical briefcase computer
More storage and on-site compute capabilities.
Snowball Edge Features and limitations:
* LCD display (shipping information and other functionality)
* Can undertake local processing and edge-computing workloads
* Can be used in a cluster of 5 to 10 devices
* Three options for device configurations:
  * storage optimized (24 CPUs)
  * compute optimized (54 CPUs)
  * GPU optimized (54 CPUs)
Snowball Edge comes in two sizes:
* 100 TB (83 TB of usable space)
* 100 TB Clustered (45 TB per node)
Snowmobile
Snowmobile: a 45-foot long ruggedized shipping container, pulled by a semi-trailer truck. Transfers up to 100PB per Snowmobile.
AWS personnel will help connect the on-premises network to the Snowmobile. When the data transfer is complete, they'll drive it back to AWS to import into S3 or Glacier.
Security Features:
* GPS tracking
* Alarm monitoring
* 24/7 video surveillance
* an escort security vehicle while in transit (optional)
Snowball & Snowball Edge & Snowmobile CheatSheet
- Snowball and Snowball Edge are rugged containers (briefcases) which contain a storage device
- Snowmobile is a 45-foot long ruggedized shipping container, pulled by a semi-trailer truck.
- Snowball and Snowball Edge are for petabyte-scale migration. Snowmobile is for exabyte-scale migration.
- Low cost: It costs thousands of dollars to transfer 100TB over high speed internet. Snowball is 1/5th of that.
- Speed: Transferring 100 TB over high speed internet takes over 100 days. Snowball takes less than a week.
- Snowball comes in two sizes: 50 TB (42 TB of usable space) and 80 TB (72 TB of usable space)
- Snowball Edge comes in two sizes: 100 TB (83 TB of usable space) and 100 TB Clustered (45 TB per node)
- Snowmobile comes in one size: 100PB
- One can both export and import data using Snowball and Snowmobile
- One can import into S3 and Glacier
- Snowball Edge can undertake local processing and edge-computing workloads
- Snowball Edge can be clustered in groups of 5 to 10 devices
- Snowball Edge provides three options for device configurations: storage optimized (24 vCPUs), compute optimized (54 vCPUs) and GPU optimized (54 vCPUs)
VPC
Virtual Private Cloud
Provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
Introduction to VPC
Think of an AWS VPC as your own personal data center. It gives you control over your virtual networking environment.
From the outside to inside:
- The internet
- Internet Gateway (IGW)
- Router
- Route Table
- NACL
- Public subnet
- Security group
- EC2 Instance
- NAT
- Private Subnet
- RDS DB
- VPC
- Region
Core Components
Core components: Combining these components and services makes up a VPC
- Internet Gateway (IGW)
- Virtual Private Gateway (VPN Gateway)
- Routing Tables
- Network Access Control Lists (NACLs) - stateless
- Security Groups (SG) - Stateful
- Public Subnets
- Private Subnets
- NAT Gateway
- Customer Gateway
- VPC Endpoints
- VPC Peering
VPC Key Features
- VPCs are Region Specific, they do not span regions
- Can create up to 5 VPCs per region
- Every region comes with a default VPC
- Can have 200 subnets per VPC
- Can use an IPv4 CIDR Block and, in addition, IPv6 CIDR Blocks (the address of the VPC)
- Cost nothing: VPCs, route tables, NACLs, Internet Gateways, Security Groups, Subnets, VPC Peering
- Some things cost money: NAT Gateway, VPC Endpoints, VPN Gateway, Customer Gateway
- DNS hostnames (whether your instances should have domain name addresses)
Default VPC
AWS has a default VPC in every region so one can immediately deploy instances
- Create a VPC with a size /16 IPv4 CIDR block (172.31.0.0/16)
- Create a size /20 default subnet in each availability zone
- Create an Internet Gateway and connect it to your default VPC
- Create a default security group and associate it with your default VPC
- Create a default network access control list (NACL) and associate it with your default VPC.
- Associate the default DHCP options set for your AWS account with your default VPC
- When you create a VPC, it automatically has a main route table
VPC: Default Everywhere IP
0.0.0.0/0 is known as the default. It represents all possible IP addresses
- When we specify 0.0.0.0/0 in our route table for the IGW, we allow internet access
- When we specify 0.0.0.0/0 in our security group's inbound rules, we are allowing all traffic from the internet to access our public resources
When you see 0.0.0.0/0, just think of giving access from anywhere or the internet.
VPC Peering
VPC Peering allows a connection between one VPC and another over a direct network route using private IP addresses
- Instances on peered VPCs behave just like they are on the same network
- Connect VPCs across same or different AWS accounts and regions
- Peering uses a star configuration: 1 central VPC, 4 other VPCs
- No Transitive Peering (peering must take place directly between VPCs). Needs a one-to-one connection to the immediate VPC
- No overlapping CIDR Blocks
Route Tables
Route tables are used to determine where network traffic is directed.
Each subnet of a VPC must be associated with a route table.
A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
Internet Gateway (IGW)
The Internet Gateway allows a VPC access to the internet.
An IGW does 2 things:
1. Provides a target in VPC route tables for internet-routable traffic
2. Performs network address translation (NAT) for instances that have been assigned public IPv4 addresses.
To route out to the internet, you need to add a route in your route tables. Add the Internet Gateway as the target and set the destination to be 0.0.0.0/0
Bastion/ Jumpbox
Bastions are EC2 instances which are security-hardened. They're designed to help you gain access via SSH or RDP to your EC2 instances that are in a private subnet.
Bastions are also known as Jump boxes because you're jumping from one box to access another.
NAT Gateways/Instances are only intended for EC2 instances to gain outbound access to the internet for things such as security updates.
NATs cannot/should not be used as Bastions
Systems Manager's Session Manager replaces the need for Bastions.
Direct Connect
AWS Direct Connect: For establishing dedicated network connections from on-premises locations to AWS. Very fast network. Lower bandwidth 50M-500M, or higher bandwidth 1GB or 10GB.
- Helps reduce network costs and increase bandwidth throughput (great for high traffic networks)
- Provides a more consistent network experience than a typical internet-based connection. (reliable and secure)
VPC Endpoints
VPC Endpoints allow private connection of VPC to other AWS services & VPC endpoint services. Two types: interface and gateway endpoints
- Eliminates the need for an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect connection.
- Instances in the VPC do not require a public address to communicate with service resources.
- Traffic between your VPC and other services does not leave the AWS network.
- Horizontally scaled, redundant, and highly available VPC component.
- Allows secure communication between instances and services - without adding availability risks or bandwidth constraints on your traffic.
Interface Endpoints
Interface Endpoints are elastic network interfaces (ENIs) with a private IP address.
They are the entry point for traffic going to a supported service.
Interface Endpoints are powered by AWS PrivateLink. Access services hosted on AWS easily and securely by keeping your network traffic within the AWS network. Paid service.
Interface Endpoints support the following AWS Services:
API Gateway, CloudFormation, CloudWatch, Kinesis, Sagemaker, Codebuild, AWS Config, EC2 API, ELB API, AWS KMS, Secrets Manager, Security Token Service, Service Catalog, SNS, SQS, Systems Manager, Marketplace Partner Services, Endpoint Services in other AWS accounts.
Gateway Endpoints
A Gateway Endpoint is a gateway that is a target for a specific route in a route table, used for traffic destined for a supported AWS service. Free.
AWS Gateway Endpoints currently only support 2 services: Amazon S3 and DynamoDB
VPC Flow Logs
VPC Flow Logs: Allows the capture of IP traffic information in-and-out of Network Interfaces within a VPC.
Flow Logs can be created for:
1. VPC
2. Subnets
3. Network Interface
All log data is stored using Amazon CloudWatch Logs.
After a Flow Log is created, it can be viewed in detail within CloudWatch Logs. It can only be edited, not deleted.
What main info do VPC Flow Logs contain?
Source and destination IP addresses
VPC Flow Logs Cheatsheet
- VPC Flow Logs monitor the in-and-out traffic of your Network Interfaces within a VPC
- Flow Logs can be turned on at the VPC, subnet or Network Interface level
- VPC Flow Logs cannot be tagged like other AWS resources
- One cannot change the configuration of a flow log after it's created.
- One cannot enable flow logs for VPCs which are peered with another VPC unless they are in the same account
- VPC Flow Logs can be delivered to S3 or CloudWatch Logs
- VPC Flow Logs contain the source and destination IP addresses (not hostnames)
- Some instance traffic is not monitored:
  1. Instance traffic generated by contacting the AWS DNS servers
  2. Windows license activation traffic from instances
  3. Traffic to and from the instance metadata address (169.254.169.254)
  4. DHCP traffic
  5. Any traffic to the reserved IP address of the default VPC router.
NACLs
Network Access Control List: An optional layer of security that acts as a firewall for controlling traffic in and out of subnet(s)
- VPCs automatically get a default NACL
- Each NACL contains a set of rules that can allow or deny traffic into (inbound) and out of (outbound) subnets
- The rule # determines the order of evaluation from lowest to highest. The highest rule # can be 32766 and it's recommended to work in increments of 10 or 100.
- Subnets are associated with NACLs. Subnets can only belong to a single NACL.
- One can allow or deny traffic. One could block a single IP address (cannot be done with security groups)
NACLs- Use Case
We determine there is a malicious actor at a specific IP address trying to access our instances so we block their IP
We never need to SSH into instances, so we add a DENY for these subnets. This is just an additional measure in case our Security Group SSH port was left open.
NACLs CheatSheet
- Network Access Control List is commonly known as NACL
- VPCs are automatically given a default NACL which allows all outbound and inbound traffic
- Each subnet within a VPC must be associated with a NACL
- Subnets can only be associated with one NACL at a time. Associating a subnet with a new NACL will remove the previous association.
- If a NACL is not explicitly associated with a subnet, the subnet will automatically be associated with the default NACL
- NACLs have inbound and outbound rules (just like Security Groups)
- Rules can either allow or deny traffic (unlike security groups which can only allow).
- NACLs are STATELESS (any allowed inbound traffic is allowed outbound)
- When you create a NACL, it will deny all traffic by default.
- NACLs contain a numbered list of rules that get evaluated in order from lowest to highest.
- If one needs to block a single IP address, one can do so via NACLs (security groups cannot deny)
Security Groups
Security Groups: A virtual firewall that controls the traffic to and from EC2 instances.
- Security Groups are associated with EC2 instances.
- Each Security Group contains a set of rules that filter traffic coming into (inbound) and out of (outbound) EC2 instances.
- Provide security at the protocol and port access level.
- There are no “Deny” rules. All traffic is blocked by default unless a rule specifically allows it.
- Multiple instances across multiple subnets can belong to a security group.
Security Groups - Use Case
- One can specify the source to be an IP range or a specific IP (/32 is a specific IP Address)
- One can specify the source to be another security group.
- An instance can belong to multiple security groups, and rules are permissive (instead of restrictive). This means if you have one security group which has no Allow and you add an Allow to another, then it will Allow.
Security Groups - Limits
- One can have up to 10,000 security groups in a region (default)
- One can have 60 inbound rules and 60 outbound rules per security group.
- 16 security groups per Elastic Network Interface (default is 5)
For more capacity beyond these limits, one must contact AWS with a formal request.
Security Groups CheatSheet
- Security Groups act as a firewall at the instance level
- Unless allowed specifically, all inbound traffic is blocked by default
- One can specify the source to be either an IP range, a single IP address or another security group
- Security groups are STATEFUL (if traffic is allowed inbound, it is also allowed outbound)
- Any changes to a security group take effect immediately
- EC2 instances can belong to multiple security groups
- Security groups can contain multiple EC2 instances
- One cannot block specific IP addresses with security groups. For this action, one needs a Network Access Control List (NACL)
- One can have up to 10,000 security groups per region (default is 2,500)
- One can have 60 inbound and 60 outbound rules per security group
- One can have 16 security groups associated with an ENI (default is 5)
Network Address Translation (NAT)
Network Address Translation is the method of re-mapping one IP address space into another.
If one has a private network and needs to gain outbound access to the internet, one needs to use a NAT gateway to remap the private IPs.
If one has two networks which have conflicting network addresses, one can use NAT to make addresses more agreeable.
NAT Instance Vs NAT Gateways
NATs have to run within a public subnet
NAT instances (legacy) are individual EC2 instances. Community AMIs exist to launch NAT instances.
NAT Gateways: a managed service which launches redundant instances within the selected AZ. One NAT gateway per AZ. The modern way of providing NAT for instances.
NAT Instance and NAT Gateway CheatSheet
- When creating a NAT instance you must disable source and destination checks on the instance.
- NAT instances must exist in a public subnet.
- Route out of the private subnet to the NAT instance.
- The size of NAT instance determines how much traffic can be handled.
- High availability can be achieved using Autoscaling Groups, multiple subnets in different AZs, and automating failover between them using a script.
- NAT Gateways are redundant inside an Availability Zone (can survive failure of EC2 instance)
- One can only have 1 NAT Gateway inside 1 Availability Zone (cannot span AZs)
- Starts at 5 Gbps and scales all the way up to 45 Gbps.
- NAT Gateways are the preferred setup for enterprise systems.
- There is no requirement to patch NAT Gateways, and there is no need to disable source/destination checks for the NAT Gateway (unlike NAT instances)
- NAT Gateways are automatically assigned a public IP address
- Route Tables for the NAT Gateway must be updated
- Resources in multiple AZs sharing a Gateway will lose internet access if the Gateway goes down, unless you create a Gateway in each AZ and configure route tables accordingly.
Identity Access Management (IAM)
IAM: Identity Access Management
Manages access of AWS users and resources
IAM -Core Components
IAM allows management of access of users and resources
IAM Identities:
IAM Users - End users who log into the console or interact with AWS resources programmatically
IAM Groups - Groups users into permission levels eg. Administrators, Developers, Auditors
IAM Roles - Associate permissions to a Role that’s assigned to users or groups
IAM Policies - JSON documents which grant permissions for a specific user, group, or role to access services. Policies are attached to IAM Identities
IAM - Core Components
Roles
A user can belong to a group. Roles can be applied to groups to quickly add and remove permissions en masse for users.
A user can have a role directly attached.
A policy can be directly attached to a user (Inline Policy)
Roles can have many policies attached
Various AWS resources allow attachment of roles directly to them.
IAM - Managed vs Customer vs Inline Policy
Managed vs Customer vs Inline Policy
Managed Policies: AWS-managed policy which cannot be edited (read only). Labeled with an orange box.
Customer Managed Policies: Customer-created policy that is editable. Not labeled with symbols.
Inline Policies: A policy directly attached to the user.
IAM - Policies
Version: policy language version.
Statement: container for the policy elements; a policy is allowed to have multiple statements
Sid (statement identifier): a way of labeling statements.
Effect: sets whether the policy will Allow or Deny
Principal: the account, user, role or federated user to which access is allowed or denied
Action: list of actions that the policy allows or denies
Resource: the resource to which the action(s) applies
Condition (optional): circumstances under which policy grants permission
IAM - Password Policy
In IAM, one can set a password policy to set minimum password requirements and rotate passwords so users have to update their passwords after X days.
IAM - Access Keys
Allows users to interact with AWS service programmatically via the AWS CLI or AWS SDK
Two Access keys per user allowed
IAM - MFA
Multi-factor authentication (MFA) can be turned on per user.
The user has to turn on MFA themselves. Administrator cannot directly enforce users to have MFA.
The administrator account could create a policy requiring MFA to access certain resources.
IAM CheatSheet
Identity Access Management: used to manage access to users and resources
IAM: universal system (applied to all regions at the same time). Free service.
Root account: account initially created when AWS is set up (full administrator)
New IAM accounts: No permissions by default until granted
New users get assigned an Access Key Id and Secret when first created for programmatic access
Access Keys are only used for CLI and SDK (cannot access console)
Access Keys are only shown once when created. If lost, they must be deleted/recreated again.
Always MFA for Root Accounts
Users must enable MFA on their own, Administrator cannot turn it on for each user
IAM allows one to set minimum password requirements or rotate passwords.
IAM Identities: Users, Groups, and Roles
IAM Users : End users who log into console or interact with AWS resources programmatically
IAM Groups: Group up users to share permission levels eg. Administrators, Developers, Auditors
IAM Roles: Associate permissions to a Role and then assign to Users or Groups
IAM Policies: JSON documents which grant permissions for a specific user, group, or role to access services. Policies are attached to IAM Identities.
Managed Policies: policies provided by AWS. Cannot be edited.
Customer Managed Policies: policies created by customer. Can be edited.
Inline Policies: policies which are directly attached to a user
Amazon Cognito
Amazon Cognito:
Decentralized managed authentication. Sign-up, sign-in integration for apps. Social identity providers eg. Facebook, Google.
Introduction to Amazon Cognito
Cognito Identity Pools: provide temporary credentials for users to access AWS Services
Cognito Sync: syncs users data and preferences across all devices
Cognito User Pools: user directory with authentication to an IdP to grant access to the app.
Web Identity Federation and IdP
Web Identity Federation: To exchange identity and security information between an identity provider (IdP) and an application
Identity Provider (IdP): a trusted provider of user identity that allows authentication to access other services. Identity Providers: Facebook, Amazon, Google, Twitter, GitHub, LinkedIn
Technology behind the Identity Providers:
SAML : Security Assertion Markup Language
SSO: Single Sign On
OpenID Connect (OIDC) / OAuth: Used for the web
Cognito User Pools
User Pools: are user directories used to manage the actions for web and mobile apps such as: sign-up, sign-in, account recovery, account confirmation.
Allows users to sign-in directly to the User Pool, or using Web Identity Federation.
Uses AWS Cognito as the identity broker between AWS and the identity provider.
Successful user authentication generates a JSON Web Token (JWTs).
User Pools can be thought of as the account used to access the system (ie. email address and password)
Cognito User Pools permit the following:
- Choose which attributes
- Choose password requirements
- Apply MFA
- Restrict whether users are allowed to sign up on their own or require admin verification
- Analytics with Pinpoint for user campaigns
- Trigger custom logic via Lambdas after actions such as sign-up
Cognito Identity Pools
Identity pools: provide temporary AWS credentials to access services eg. S3, DynamoDB. Can be perceived as the actual mechanism authorizing access to AWS resources.
Steps for creating identity pools involve:
- Choose who to provide access to
- Use the SDK to get temporary credentials
Cognito Sync
Cognito Sync: sync user data and preferences across devices with one line of code.
Cognito uses:
- push synchronization to push updates and synchronize data
- Simple Notification Service (SNS) to send notifications to all user devices when data in the cloud changes.
Cognito CheatSheet
Cognito is a decentralized managed authentication system. When one needs to easily add authentication to a mobile or desktop app, think Cognito.
User Pools: user directory, allows users to authenticate using OAuth to an IdP such as Facebook, Google, Amazon to connect to web applications. A Cognito User Pool is in itself an IdP
User Pools use JWTs to persist authentication
Identity Pools: provide temporary AWS credentials to access services eg. S3, DynamoDB
Cognito Sync: can sync user data and preferences across devices with one line of code (powered by SNS)
Web Identity Federation: exchange identity and security information between an identity provider (IdP) and an application
Identity Provider (IdP): a trusted provider for user identity that permits authentication to access other services. eg. Facebook, Twitter, Google, Amazon
OIDC: a type of identity provider that uses OAuth
SAML: a type of identity provider which uses single sign-on
AWS Command Line Interface (CLI)
CLI: Command Line Interface
Control multiple AWS services from the command line and automate them through scripts.
AWS CLI
AWS CLI: Allows interaction with AWS from anywhere by simply using a command line.
With the CLI one can perform actions such as:
- List buckets, upload data to S3
- Launch, stop, start and terminate EC2 instances
- Update security groups, create subnets etc.
Important AWS CLI flags to know:
- Easily switch between AWS accounts using --profile
- Change the --output between json, table and text