Adrian Cantrill AWS Solutions Architect Associate Course

Introduction

Site Tools and features

Scenario - Animals4Life

Problems

Ideal Outcomes

AWS Accounts - The Basics

An AWS account is a container for identities and AWS resources

Setting it up


Cost Management

IAM Identity and Access Management

Each AWS account has a root user with full, unrestricted access
IAM lets us give different users restricted access in a least-privilege way
IAM identities start with no permissions and can be granted permissions
Each account comes with its own IAM database.
IAM is a globally resilient service - its data is kept secure across all AWS regions
The IAM you see is your own dedicated IAM, and the account trusts it fully.
Inside IAM you can create different identities.

IAM Basics

IAM lets you create three different types of identity objects:
- IAM users: represent humans or applications that need access to your account
- IAM groups: collections of related users, e.g. dev team, finance, HR
- IAM roles: can be used by AWS services or for granting external access to your account
IAM policies are documents that allow or deny access to AWS services, but only take effect when attached to users, groups, or roles

IAM has three main jobs:

  1. It manages identities - it's an ID provider
  2. It authenticates the identities it manages
  3. It authorizes access based on policies

IAM is free: there are no costs for creating users, groups, or roles
There are limits on the quantities of users etc.

IAM is a global service and is globally resilient

IAM allows or denies its identities on its AWS account
There is no direct control over external accounts or users
IAM lets you make use of identity federation and MFA

Normal practice is to stop using the root user for day-to-day work and use an IAM admin identity instead

IAM Access Keys

Command line access is done via IAM access keys
They are a long-term credential and have to be explicitly changed
An IAM user has 1 username and 1 password
An IAM user can have 0, 1, or 2 access keys, which can be created, deleted, made inactive, or made active (the default is active)

Access keys are made from two parts:

Rotating access keys is when you create a new access key and delete the old ones

IAM users are the only identity that uses access keys

Creating IAM access keys

This is done through the security credentials section of the console
You can deactivate and reactivate keys
The AWS CLI needs credentials configured before it can be used:
aws configure --profile iamadmin-general
Default region used in the course: us-east-1

AWS Fundamentals

AWS Public vs Private Services

AWS services can be categorized into two types:

When thinking of networks, people generally think in two zones:

The AWS public zone runs between the public internet zone and the AWS private zone.

AWS Global Infrastructure

AWS is a collection of individual infrastructure worldwide and consists of AWS regions and AWS edge locations

Regions

Regions don't map directly onto a continent or country. Each region contains a full deployment of AWS infrastructure (all services)
We can use this concept to design systems that are resilient to global disasters

Regions have 3 main benefits:

Regions are usually referred to by the region code or the region name, e.g. ap-southeast-2 vs Asia Pacific (Sydney)

Availability Zone

A lower level component that gives isolated infrastructure within a region
As a solutions architect we can deploy across multiple availability zones


Edge Locations

Edge locations are much smaller than regions and typically only have content distribution services as well as some types of edge computing.
They are more prevalent than regions

How To Define Service Resilience

Service resilience can be described in one of 3 ways:

  1. Globally Resilient: relatively few of these; the service operates globally with a single product replicated across multiple regions. It would take the whole world to fail to experience a full outage. E.g. IAM
  2. Region Resilient: services that operate in a single region with one set of data per region. A DB in Sydney is different from a DB in N. Virginia. They normally replicate to multiple Availability Zones
  3. Availability Zone Resilient: if the AZ fails, the service fails

Virtual Private Cloud Basics (VPC)

(Comes Up A Lot On Exams)
A VPC is a virtual network inside of AWS. When you create a VPC it's created inside 1 account and 1 region. They are regionally resilient

By default, VPCs are private and isolated unless configured otherwise
Services deployed in the VPC can communicate

Two types of VPC:

Every VPC is allocated a range of IP addresses (the VPC CIDR)
The default VPC always has the same CIDR (172.31.0.0/16)
A VPC can be divided into subnets and each subnet is assigned to one availability zone. The default VPC creates one subnet in each availability zone

Each subnet's CIDR also determines its start and end IP addresses

Default VPC facts

EC2 Elastic Compute Cloud Basics

Anything you need to deploy that has compute requirements should be done on EC2

EC2 Key Facts & Features

Instance Lifecycle

An instance has a state attribute
The most important to remember right now are:

An instance is composed of:


Terminating an instance is the only way to fully stop all charges

Amazon Machine Image (AMI)

An AMI is an image of an EC2 instance; it can be used to create an EC2 instance, or be created from an EC2 instance

An AMI is similar to a server image and contains a few important things:

Connecting to EC2

EC2 can run different operating systems and you connect via different methods: for instance, Windows connects via RDP on port 3389, whereas Linux uses SSH on port 22 with an SSH key

S3 Basics

S3 aka Simple Storage Service
S3 is a global storage platform that is region based/resilient and can be accessed from anywhere
Your data doesn't leave the region unless you configure it to
Data is replicated across AZs
You choose the region when you create things in S3
S3 is a public service.
It's good for hosting large amounts of data
It scales from nothing to near unlimited levels
Can be accessed from:

S3 has two main things it delivers:

Objects

You can think of objects like files.
An object is made up of two things:

Objects also have a version ID, metadata, access control, and subresources

Buckets

Buckets are created in a specific AWS region.
Your data in a bucket has a primary home region and it doesn't leave that region unless you configure it to.
By choosing the region a bucket is created in, you control which laws and regulations apply to that data

A bucket is identified by its name, and the bucket name needs to be globally unique
Most AWS resources are unique within a region or within your account. Buckets though are different.

A bucket is infinitely expandable
A bucket has a flat structure: all objects in the bucket are stored at the same level. There are no folders
However, the UI displays it similarly to folders
Inside S3, there is no concept of file type based on the name.

"Folders" in S3 are represented by object keys like /old/koala3.jpg. The UI presents this as a folder called "old" with koala3.jpg inside it.
Folders are often referred to as 'prefixes' in S3

Buckets are the default place to configure the way S3 works

Info

Bucket Names are Globally Unique
3-63 characters, all lower case, no underscores
must start with a lowercase letter or a number
can't be formatted like an IP address
Buckets: 100 soft limit, 1000 hard limit per account
Buckets can be "divided" using prefixes
Unlimited objects in a bucket, each 0-5 TB
key = name, value = data
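Added example (not from the course): a Python model of the bucket naming rules listed above and of how a flat key space gets shown as "folders". The bucket names and object keys are constructed samples, and list_objects mimics the prefix/delimiter grouping the console does; it is not the S3 API itself.

```python
import re

# Bucket naming rules from the notes: 3-63 chars, all lower case, no underscores,
# must start with a lowercase letter or a number, and must not look like an IP.
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def validate_bucket_name(name: str) -> list:
    """Return the list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if name != name.lower():
        problems.append("must be all lower case")
    if "_" in name:
        problems.append("underscores are not allowed")
    if not re.match(r"^[a-z0-9]", name):
        problems.append("must start with a lowercase letter or a number")
    if _IPV4.match(name):
        problems.append("must not be formatted like an IP address")
    return problems

def list_objects(keys, prefix="", delimiter="/"):
    """Mimic a prefix/delimiter listing over a flat key space.

    Keys under `prefix` whose remainder contains `delimiter` are rolled up into
    'CommonPrefixes' (the pseudo-folders the console shows); the rest are returned
    as plain objects. With delimiter="" every matching key is a plain object."""
    objects, common = [], []
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            folder = prefix + rest.split(delimiter, 1)[0] + delimiter
            if folder not in common:
                common.append(folder)
        else:
            objects.append(key)
    return {"Contents": objects, "CommonPrefixes": common}

# Constructed sample keys: the bucket is flat, '/' is just a character in the key.
SAMPLE_KEYS = ["koala1.jpg", "old/koala3.jpg", "old/2022/koala4.jpg", "new/koala5.jpg"]
```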

S3 Patterns and Anti-Patterns

CloudFormation (CFN) Basics

CloudFormation is a tool that lets you create, update, and delete AWS resources based on a template

A CloudFormation template is written in either JSON or YAML
All templates have a list of resources that tells CloudFormation what to do
The description area is used to convey useful information to users. If you have both a description and an AWS template format version, the description must follow the format version

Metadata: can control how things are presented in the UI (groupings, order, labels, etc)
Parameters: you can add fields here that prompt the user for more information, such as "which size of instance to create" or "which region"
Mappings: another optional section; allows you to create lookup tables
Conditions: allow for decision making in the template, such as things that will only occur if a condition is met, i.e. "if the parameter is set to prod, do something specific"
Outputs: presented when a template has finished being applied, such as the instance ID of an instance

How it works

CloudFormation starts with a template.
When you give a template to CloudFormation, it creates a stack out of all of the logical resources in the template.

For every logical resource in the stack, CloudFormation makes a physical resource in your AWS account
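Added example, not part of the course: a Python walk-through of how a template's Parameters, Mappings, Conditions and Outputs decide which logical resources become physical ones. The template is a constructed sample written as a Python dict (the JSON form of a template), and only the Ref, Fn::Equals and Fn::FindInMap intrinsic functions are supported.

```python
# Constructed sample template as a Python dict (the JSON form of a template).
TEMPLATE = {
    "Parameters": {"Environment": {"Type": "String", "AllowedValues": ["dev", "prod"]}},
    "Mappings": {"SizeByEnv": {"dev": {"Instance": "t3.micro"},
                               "prod": {"Instance": "m5.large"}}},
    "Conditions": {"IsProd": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]}},
    "Resources": {
        "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {
            "InstanceType": {"Fn::FindInMap": ["SizeByEnv", {"Ref": "Environment"}, "Instance"]}}},
        # Only created when the IsProd condition evaluates to true.
        "AuditBucket": {"Type": "AWS::S3::Bucket", "Condition": "IsProd", "Properties": {}},
    },
    "Outputs": {"ServerType": {"Value": {"Fn::FindInMap": ["SizeByEnv", {"Ref": "Environment"}, "Instance"]}}},
}

def resolve(node, template, params):
    """Evaluate Ref, Fn::Equals and Fn::FindInMap (the only intrinsics supported
    here) recursively, using the parameter values supplied for this stack."""
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            return params[arg]
        if fn == "Fn::Equals":
            left, right = (resolve(x, template, params) for x in arg)
            return left == right
        if fn == "Fn::FindInMap":
            map_name, top_key, second_key = (resolve(x, template, params) for x in arg)
            return template["Mappings"][map_name][top_key][second_key]
    if isinstance(node, dict):
        return {k: resolve(v, template, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, template, params) for v in node]
    return node

def plan_stack(template, params):
    """Work out which logical resources become physical resources for the given
    parameter values, and compute the Outputs, as CloudFormation does for a stack."""
    for name, spec in template["Parameters"].items():
        if params.get(name) not in spec["AllowedValues"]:
            raise ValueError(f"parameter {name} must be one of {spec['AllowedValues']}")
    conditions = {c: resolve(expr, template, params)
                  for c, expr in template["Conditions"].items()}
    resources = {name: resolve(res.get("Properties", {}), template, params)
                 for name, res in template["Resources"].items()
                 if conditions.get(res.get("Condition"), True)}
    outputs = {name: resolve(out["Value"], template, params)
               for name, out in template["Outputs"].items()}
    return {"Resources": resources, "Outputs": outputs}
```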

CloudWatch Basics

CloudWatch is a core AWS support product that is used by almost all AWS services
CloudWatch collects and manages operational data on your behalf
CloudWatch is 3 main products in one:

CloudWatch Core Concepts

Namespace: think of it like a container for monitoring data

Shared Responsibility Model

(shared responsibility diagram) Most of AWS falls into the IaaS column, where the red area is AWS's responsibility and the blue area is the customer's

AWS is responsible for the security OF the cloud, whereas you are responsible for the security IN the cloud.
AWS: Hardware/Global Infrastructure in regions, Availability Zones, and Edge Locations, compute, storage, DB, networking, and software that assists in these items
Customer: OS Upwards, Client Side data, encryption, network traffic protection. OS Config, firewall, platform, applications, identity, access management and customer data

High-Availability (HA) vs Fault-Tolerance (FT) vs Disaster Recovery

High-Availability

Aims to ensure an agreed level of operational performance, usually uptime, for a higher than normal period.

HA isn't aiming to stop failure. It's just meant to be online as often as possible, and when it fails, its components can be fixed or replaced as quickly as possible. It is about maximizing a system's online time.

Say you have a requirement of 99.9% uptime...this means you can have only 8.77 hours of downtime per year

Think of this like an SUV going into the desert with a spare tire

Fault-Tolerance

Fault tolerance is the property that enables a system to continue operating properly in the event of the failure of some (one or more faults within) of its components

Designed to work through failure

Disaster Recovery

A set of policies, tools, and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster.

DR is designed to keep the crucial parts of your system safe

High-Availability - Minimize Any Outage
Fault-Tolerance - Operate through Faults
Disaster Recovery - Used when the above two don't work

Route53 Fundamentals

Route53 is AWS's managed DNS service
Provides two main services:

Register Domains

Has relationships with all major domain registries

Hosted Zones

Zone files hosted in AWS on four managed name servers. Can be public and accessible from anywhere. Can also be private and only accessible from within a VPC
A hosted zone stores records (recordsets)

DNS Record Types

A & AAAA

Given a DNS zone, these records map host names to IP addresses. A record maps to IPv4, AAAA maps to IPv6

CNAME

Canonical Name records let you create the equivalent of DNS shortcuts: host-to-host records. Let's say we have an A record called server pointing to an IPv4 address. CNAMEs for ftp, mail, and www can all point to that A record (this often shows up as a trick question in exams)

TXT

Text records allow you to add arbitrary information to a domain. This can be something such as proving domain ownership.

MX

MX records are used as part of email services. An MX record has two main parts, a priority and a value. The value can be just a host (relative to the zone), but if it has a trailing '.' it's a fully qualified domain name, which could be inside or outside the zone. The sending mail server looks at the 'to' address and then does an MX query on that domain.
Lower values in the priority field are actually higher priority
The server gets the result of the query back, then connects to the other server via SMTP. MX records facilitate email

NS

Name server records are how delegation to name servers happens: they point from a domain (e.g. www.com) to the name servers that are authoritative for it. This is how delegation works end to end in DNS

TTL (Time to Live)

Measured in seconds
Using TTL we can indicate how long records are cached for

IAM, Accounts, and AWS Organizations

IAM Identity Policies

IAM policies get attached to IAM identities in AWS
Policies allow you to either allow or deny access to AWS resources

Identity Policies are created using JSON
A policy block is just one or more "statements"

AWS knows which resource or resources you are trying to interact with, then works through all the statements and sees which apply to a particular identity

Statements

A statement only applies when both its action and its resource match the request

Statement Priorities

  1. Explicit Deny. Explicit denies always take priority
  2. Explicit Allow
  3. Default - Implicit Deny. With the exception of the account root user, identities have no access unless something allows it
    "If they're not allowed access, they have no access"
    DENY, ALLOW, DENY

There may be multiple policies involved.
When a given identity accesses a resource, AWS gathers all the statements that apply and evaluates them together, and the same rule applies: DENY, ALLOW, DENY.

Inline Policies

Applying JSON to each identity individually, e.g. three users means three separate policies
Generally used in exceptions or special circumstances

Managed Policies

One policy created as its own object, which you then attach to any identity that should gain those access rights.
Managed policies should be used for normal default rights
Benefits:

IAM Users and ARN's

IAM Users are an identity used for anything requiring long-term AWS access. For example, Humans, Applications, or service accounts

IAM starts with a "principal".
A principal is a person or application that makes a request to IAM in order to interact with resources. IAM authenticates the principal against an identity in IAM and then authorizes it

Authentication is done with:

Once a principal has gone through the authentication process, it is now an "Authenticated Identity"

AWS then knows which IAM policies apply to that identity

ARN's - Amazon Resource Names

Uniquely identify resources across all AWS accounts.

(image: two S3 ARNs) The top ARN references the bucket itself; the bottom ARN references anything inside the bucket, but not the bucket itself
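Added example, not course code: a Python evaluator for the DENY, ALLOW, DENY rule from the Statement Priorities section, using wildcard matching on Action and Resource, and it also shows the bucket-vs-objects ARN distinction described for the image above. The bucket ARN is a constructed placeholder, the "/*" suffix for the objects-in-bucket form is an assumption about what the second ARN in the image shows, and Condition blocks and the root user exception are not modelled.

```python
import fnmatch

def _matches(patterns, value, fold_case=False):
    """AWS-style wildcard match ('*' and '?'). Actions are matched case-insensitively,
    resource ARNs case-sensitively, so the caller chooses with fold_case."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Apply the DENY, ALLOW, DENY rule across every statement of every policy.

    Returns 'ExplicitDeny', 'Allow' or 'ImplicitDeny'. All policies are considered
    together; one matching Deny wins no matter how many Allows also match, so
    returning on the first Deny gives the same answer as collecting them all.
    Condition blocks and the root user exception are not modelled."""
    explicit_allow = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            # A statement only applies when BOTH its Action and its Resource match.
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            explicit_allow = True
    return "Allow" if explicit_allow else "ImplicitDeny"

# Constructed sample: BUCKET is a placeholder ARN. Note the two resource forms:
# the bare ARN names the bucket itself, BUCKET + "/*" names every object inside it.
BUCKET = "arn:aws:s3:::example-bucket"
MANAGED_READ = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
]}
INLINE_NO_DELETE = {"Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
]}
```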

Info

You can only ever have 5000 IAM users per account
An IAM user can be a member of a max of 10 groups

Simple Identity Permissions in AWS

IAM Groups

IAM groups are containers for Users
There are no credentials for IAM groups, and you cannot log into an IAM group
They're used solely for organizing users
A user can be a member of multiple groups

Groups can have both managed and inline policies
When thinking about allows/denies for someone with both a group policy and an individual policy, you apply the same deny, allow, deny rule across all of them

There is no limit for number of users in a group
There is no built in all users group in IAM
you cannot nest groups

there is a limit of 300 groups/account but this can be increased via support

Groups are not a true identity, they can't be referenced as a principal in a policy

IAM Roles

A role is one type of identity that exists in an AWS account (the other is the user)
A role is best suited for an unknown number of principals, not just one

Roles are generally used on a temporary basis
IAM users can assume roles
IAM roles have two types of policy attached: trust policies and permissions policies
If someone assumes a role, they are given temporary security credentials
Those credentials are checked against the permissions policies
sts:AssumeRole is the Security Token Service (STS) operation used to assume roles.