Fundamentals: IAM EC Flashcards
region
cluster of data centres.
Most AWS services are region-scoped
you use a service in a specific region. If you use the same service in another region, your data is not replicated or synchronized automatically, so you have to recreate it in that other region
availability zones
each region has several of them, usually 3 (sometimes 2 or 6); 6 is the maximum
ap-southeast-2a
ap-southeast-2b
each is one or more discrete data centres with redundant power, networking and connectivity
they are separate from each other and isolated from disasters, but they are connected with high-bandwidth, ultra-low-latency networking
Anything that ends with a letter is an AZ
EC2 vs IAM
EC2 regional service
IAM global service, no selection of region required
region table
shows which services are available in which region
IAM
Identity and access management: users, groups, roles
root account
the account created when you sign up for AWS; it has the most power, should never be used afterwards and must not be shared
only for initial setup
IAM policies
written in JSON; define what users, groups and roles can or cannot do
a user can belong to one or more groups
users inherit permissions
from groups. Permissions can be attached to both users and groups, but it is better to assign them only to groups; users inherit them anyway
roles are only
for internal usage within AWS resources and services. Roles are given to machines, whereas users are for physical persons
IAM has a global view meaning
users, groups and roles are defined across regions
MFA
multi-factor authentication; recommended for the root account and for users
managed policies
pre-defined policies provided by IAM
least privilege principle
best practice: give users only the minimal permissions they need to perform their jobs
IAM federation
big enterprises usually integrate their own repository of users (e.g. Active Directory) with IAM, so users can log into AWS with their company credentials
uses the SAML standard
one IAM user
per physical person
one IAM role
per application
EC2 capabilities
- launch virtual machines in the cloud
- store data on virtual drives (EBS)
- distribute load across machines (ELB = load balancing)
- scale services using an auto-scaling group (ASG)
AMI
Amazon machine image
Subnet in EC2 config says
if you’ve created your own VPC, you can define your own IP address range, create subnets, configure route tables, and configure network gateways.
If you’ve done this, the dropdown shows a list of configured subnets to choose from (subnet = a range of IP addresses in your VPC that can be used to isolate EC2 resources from each other or from the internet; a network gateway has an IP address through which the subnet is reachable from the outside world)
If you haven’t done that, Amazon has assigned a default VPC to you, and in this list you select the AZ (availability zone) in which the VM will run
Each subnet resides in only one AZ
VPC
virtual private cloud
if you’ve created your own VPC, you can define your own IP address range, create subnets, configure route tables, and configure network gateways.
Storage of EC2 machine is
EBS volume
To ssh into the launched machine
- you need to configure a security group with an SSH rule before launching the machine
- you need to define a key pair just before launching, which you use to access the machine
EC2 instance connect
allows you to connect to your EC2 instance directly from the browser, on any OS