AWS TECHNICAL ESSENTIALS

AWS provides cloud computing services. The IT resources mentioned in the cloud
computing definition are AWS services. For the course's corporate directory
application, you will use AWS services to architect a scalable, highly available, and
cost-effective infrastructure to host the corporate directory application. That way, you
can get the app out into the world quickly, without managing heavy-duty physical
hardware. 

Six advantages of cloud computing

Pay as you go
–
Instead of investing in data centers and hardware before you know how you are going to use
them, you pay only when you use computing resources, and pay only for how much you use.

Benefit from massive economies of scale

–
By using cloud computing, you can achieve a lower cost than you can get on your own.
Because usage from hundreds of thousands of customers is aggregated in the cloud, AWS can
achieve higher economies of scale, which translates into lower pay as-you-go prices.

Stop guessing capacity

–
Eliminate guessing on your infrastructure capacity needs. When you make a capacity
decision prior to deploying an application, you often end up either sitting on expensive idle
resources or dealing with limited capacity. With cloud computing, these problems go away.
You can access as much or as little capacity as you need, and scale up and down as required
with only a few minutes notice.

Increase speed and agility

–
IT resources are only a click away, which means that you reduce the time to make resources
available to your developers from weeks to minutes. This results in a dramatic increase in
agility for the organization, since the cost and time it takes to experiment and develop is
significantly lower.

Realize cost savings

–
Companies can focus on projects that differentiate their business instead of maintaining data
centers. Cloud computing lets you focus on your customers, rather than on the heavy lifting
of racking, stacking, and powering physical infrastructure. This is often referred to as
undifferentiated heavy lifting.

Go global in minutes
–
Applications can be deployed in multiple Regions around the world with a few clicks. This
means that you can provide lower latency and a better experience for your customers at a
minimal cost.

Infrastructure, like data centers and networking connectivity, still exists as the
foundation of every cloud application. In AWS, this physical infrastructure makes up
the AWS Global Infrastructure, in the form of Regions and Availability Zones.

Regions are geographic locations worldwide where AWS hosts its data centers. AWS
Regions are named after the location where they reside. For example, in the United
States, the Region in Northern Virginia is called the Northern Virginia Region, and
the Region in Oregon is called the Oregon Region. AWS has Regions in Asia Pacific,
Canada, Europe, the Middle East, and South America, and we continue to expand to
meet our customers' needs.

Each AWS Region is associated with a geographical name and a Region code.
Here are examples of Region codes:

 us-east-1: The first Region created in the eastern US area. The geographical

name for this Region is N. Virginia.
 ap-northeast-1: The first Region created in the northeast Asia Pacific area.
The geographical name for this Region is Tokyo.

AWS Regions are independent from one another. Data is not replicated from one
Region to another, without explicit customer consent and authorization.

Choose the Right AWS Region

When you decide which AWS Region to host your applications and workloads,
consider four main aspects – latency, price, service availability, and compliance.

COMPLIANCE: Enterprise companies often must comply with regulations that require
customer data to be stored in a specific geographic territory. If applicable, choose a Region
that meets your compliance requirements.

LATENCY: If your application is sensitive to latency (the delay between a request for data
and the response), choose a Region that is close to your user base. This helps prevent long
wait times for your customers. Synchronous applications such as gaming, telephony,
WebSockets, and Internet of Things (IoT) are significantly affected by high latency.
Asynchronous workloads, such as ecommerce applications, can also suffer from user
connectivity delays.

PRICING: Due to the local economy and the physical nature of operating data centers, prices vary
from one Region to another. Internet connectivity, imported equipment costs, customs, real estate, and
other factors impact a Region's pricing. Instead of charging a flat rate worldwide, AWS charges based
on the financial factors specific to each Region.

SERVICE: Some services might not be available in some Regions. The AWS documentation provides
a table that shows the services available in each Region.

Availability Zones
Inside every Region is a cluster of Availability Zones (AZs). An AZ consists of one or
more data centers with redundant power, networking, and connectivity. These data
centers operate in discrete facilities in undisclosed locations. They are connected using
redundant high-speed and low-latency links.

AZs also have a code name. Since they are located inside Regions, they can be
addressed by appending a letter to the end of the Region code name. For example:

 us-east-1a: An AZ in us-east-1 (N. Virginia Region)

 sa-east-1b: An AZ in sa-east-1 (São Paulo Region)

Therefore, if you see that a resource exists in us-east-1c, you can infer that the
resource is located in AZ c of the us-east-1 Region.

Scope AWS services

Depending on the AWS service you use, your resources are either deployed at the AZ,
Region, or Global level. Each service is different, so you must understand how the
scope of a service might affect your application architecture.

When you operate a Region-scoped service, you only need to select the Region you
want to use. If you are not asked to specify an individual AZ to deploy the service in,
this is an indicator that the service operates on a Region-scope level. For Region-
scoped services, AWS automatically performs actions to increase data durability and
availability.

On the other hand, some services ask you to specify an AZ. With these services, you
are often responsible for increasing the data durability and high availability of these
resources.

Maintain resiliency
To keep your application available, you must maintain high availability and resiliency.
A well-known best practice for cloud architecture is to use Region-scoped, managed
services. These services come with availability and resiliency built in. When that is
not possible, make sure your workload is replicated across multiple AZs. At a
minimum, you should use two AZs. That way, if an AZ fails, your application will
have infrastructure up and running in a second AZ to take over the traffic.

https://explore.skillbuilder.aws/learn/course/1851/play/45289/aws-technical-essentials-
104

Every action you make in AWS is an API call that is authenticated and authorized. In
AWS, you can make API calls to services and resources through the AWS
Management Console, AWS Command Line Interface (AWS CLI), or AWS software
development kits (SDKs).

The AWS Management Console

One way to manage cloud resources is through the web-based console, where you log
in and choose the desired service. This can be the easiest way to create and manage
resources when you first begin working with the cloud. Below is a screenshot that
shows the landing page when you first log in to the AWS Management Console. 

The services are placed in categories, such as Compute, Storage, Database, and
Analytics

On the upper-right corner is the Region selector. If you choose it and change the
Region, you will make requests to the services in the chosen Region. The URL
changes, too. Changing the Region setting directs your browser to make requests to a
different AWS Region, represented by a different subdomain.

The AWS Command Line Interface (AWS CLI)

Consider the scenario where you run tens of servers on AWS for your application’s
front end. You want to run a report to collect data from all the servers. You need to do
this programmatically every day because the server details might change. Instead of
manually logging in to the AWS Management Console and then copying and pasting
information, you can schedule an AWS CLI script with an API call to pull this data
for you.

The AWS CLI is a unified tool that you can use to manage AWS services. You can
download and configure one tool that you can use to control multiple AWS services
from the command line and automate them with scripts. The AWS CLI is open-
source, and installers are available for Windows, Linux, and macOS.

For example, if you run the following API call against a service using AWS CLI:

aws ec2 describe-instances

you will get the following response:

AWS SDKs
API calls to AWS can also be performed by running code with programming
languages. You can do this by using AWS software development kits (SDKs). SDKs
are open source and maintained by AWS for the most popular programming
languages, such as C++, Go, Java, JavaScript, .NET, Node.js, PHP, Python, and Ruby.

Developers commonly use AWS SDKs to integrate their application source code with
AWS services. For example, consider an application with a front end that runs in
Python. Every time the application receives a cat photo, it uploads the file to a storage
service. This action can be achieved in the source code by using the AWS SDK for
Python. Here is an example of code you can implement to work with AWS resources
using the Python AWS SDK.

Security and the AWS Shared

Responsibility Model
When you work with the AWS Cloud, managing security and compliance is a shared
responsibility between AWS and you. To depict this shared responsibility, AWS
created the shared responsibility model. The distinction of responsibility is commonly
referred to as security OF the cloud versus security IN the cloud. 
AWS responsibility
AWS is responsible for security of the cloud. This means AWS protects and secures
the infrastructure that runs the services offered in the AWS Cloud. AWS is
responsible for:

 Protecting and securing AWS Regions, Availability Zones, and data

centers, down to the physical security of the buildings
 Managing the hardware, software, and networking components that
run AWS services, such as the physical servers, host operating
systems, virtualization layers, and AWS networking components

The level of responsibility AWS has depends on the service. AWS classifies services
into three categories. The following table provides information about each, including
the AWS responsibility.

Note: Container services refer to AWS abstracting application containers behind the

scenes, not Docker container services. This enables AWS to move the responsibility
of managing the platform away from customers.
Customer responsibility
Customers are responsible for security in the cloud. When using any AWS service,
you’re responsible for properly configuring the service and your applications, in
addition to ensuring that your data is secure.

Your level of responsibility depends on the AWS service. Some services require you
to perform all the necessary security configuration and management tasks, while other
more abstracted services require you to only manage the data and control access to
your resources. Using the three categories of AWS services, you can determine your
level of responsibility for each AWS service you use.
Due to the varying levels of effort, customers must consider which AWS services they
use and review the level of responsibility required to secure each service. They must
also review how the shared security model aligns with the security standards in their
IT environment, in addition to any applicable laws and regulations.

A key concept is that customers maintain complete control of their data and are
responsible for managing the security related to their content. For example, you are
responsible for the following:

 Choosing a Region for AWS resources in accordance with data sovereignty

regulations
 Implementing data-protection mechanisms, such as encryption and scheduled
backups
 Using access control to limit who can access to your data and AWS resources

https://aws.amazon.com/compliance/shared-responsibility-model/

AWS root user

When you first create an AWS account, you begin with a single sign-in identity that
has complete access to all AWS services and resources in the account. This identity is
called the AWS root user and is accessed by signing in with the email address and
password that you used to create the account.

AWS root user credentials

The AWS root user has two sets of credentials associated with it. One set of
credentials is the email address and password used to create the account. This allows
you to access the AWS Management Console. The second set of credentials is called
access keys, which allow you to make programmatic requests from the AWS
Command Line Interface (AWS CLI) or AWS API.

Access keys consist of two parts:

 Access key ID, for example, A2lAl5EXAMPLE

 Secret access key, for example, wJalrFE/KbEKxE

Similar to a user name and password combination, you need both the access key ID
and secret access key to authenticate your requests via the AWS CLI or AWS API.
Access keys should be managed with the same security as an email address and
password.
Delete your keys to stay safe
If you don't have an access key for your AWS account root user, don't create one
unless you absolutely need to. If you have an access key for your AWS account root
user and want to delete the keys, follow these steps:

1. In the AWS Management Console, go to the My Security

Credentials page, and sign in with the root user’s email address and
password.
2. Open the Access keys section.
3. Under Actions, choose Delete.
4. Choose Yes.

Multi-factor authentication (MFA)

When you create an AWS account and first log in to the account, you use single-factor
authentication. Single-factor authentication is the simplest and most common form of
authentication. It only requires one authentication method. In this case, you use a user
name and password to authenticate as the AWS root user. Other forms of single-factor
authentication include a security pin or a security token.

MFA on AWS
If you enable MFA on your root user, you must present a piece of identifying
information from both the something you know category and the something you have
category. The first piece of identifying information the user enters is an email and
password combination. The second piece of information is a temporary numeric code
provided by an MFA device.

Enabling MFA adds an additional layer of security because it requires users to use a
supported MFA mechanism in addition to their regular sign-in credentials. Enabling
MFA on the AWS root user account is an AWS best practice.
Supported MFA devices
AWS supports a variety of MFA mechanisms, such as virtual MFA devices, hardware
devices, and Universal 2nd Factor (U2F) security keys. For instructions on how to set
up each method, check out the Resources section. 
IAM
AWS Identity and Access Management (IAM) is an AWS service that helps you
manage access to your AWS account and resources. It also provides a centralized
view of who and what are allowed inside your AWS account (authentication), and
who and what have permissions to use and work with your AWS resources
(authorization).

With IAM, you can share access to an AWS account and resources without sharing
your set of access keys or password. You can also provide granular access to those
working in your account, so people and services only have permissions to the
resources they need. For example, to provide a user of your AWS account with read-
only access to a particular AWS service, you can granularly select which actions and
which resources in that service they can access.

IAM features
To help control access and manage identities in your AWS account, IAM offers many
features to ensure security.

 IAM is global and not specific to any one Region. You can see and
use your IAM configurations from any Region in the AWS
Management Console.
 IAM is integrated with many AWS services by default.
  You can establish password policies in IAM to specify complexity
requirements and mandatory rotation periods for users.
 IAM supports MFA.
 IAM supports identity federation, which allows users who already
have passwords elsewhere – for example, in your corporate network
or with an internet identity provider – to get temporary access to
your AWS account.
 Any AWS customer can use IAM; the service is offered at no
additional charge.

IAM user
An IAM user represents a person or service that interacts with AWS. You define the
user in your AWS account. Any activity done by that user is billed to your account.
Once you create a user, that user can sign in to gain access to the AWS resources
inside your account.

You can also add more users to your account as needed. For example, for your cat
photo application, you could create individual users in your AWS account that
correspond to the people who are working on your application. Each person should
have their own login credentials. Providing users with their own login credentials
prevents sharing of credentials.

IAM user credentials

An IAM user consists of a name and a set of credentials. When you create a user, you
can provide them with the following types of access:

 Access to the AWS Management Console

 Programmatic access to the AWS Command Line Interface (AWS
CLI) and AWS application programming interface (AWS API)

To access the AWS Management Console, provide the user with a user name and
password. For programmatic access, AWS generates a set of access keys that can be
used with the AWS CLI and AWS API. IAM user credentials are considered
permanent, which means that they stay with the user until there’s a forced rotation by
admins.

When you create an IAM user, you can grant permissions directly at the user level.
This can seem like a good idea if you have only one or a few users. However, as the
number of users increases, keeping up with permissions can become more
complicated. For example, if you have 3,000 users in your AWS account,
administering access and getting a top-level view of who can perform what actions on
which resources can be challenging.

IAM groups
An IAM group is a collection of users. All users in the group inherit the permissions
assigned to the group. This makes it possible to give permissions to multiple users at
once. It’s a more convenient and scalable way of managing permissions for users in
your AWS account. This is why using IAM groups is a best practice.

If you have an application that you’re trying to build and you have multiple users in
one account working on the application, you might organize the users by job function.
For instance, you might organize your IAM groups by developers, security, and
admins. You could then place all your IAM users into their respective groups.

This provides a way to see who has what permissions in your organization. It also
helps you scale when new people join, leave, and change roles in your organization.

Consider the following examples:

 A new developer joins your AWS account to help with your application. You
create a new user and add them to the developer group, without thinking about
which permissions they need.
 A developer changes jobs and becomes a security engineer. Instead of editing
the user’s permissions directly, you remove them from the old group and add
them to the new group that already has the correct level of access.

Keep in mind the following features of groups:

 Groups can have many users.

 Users can belong to many groups.
 Groups cannot belong to groups.

The root user can perform all actions on all resources inside an AWS account by
default. This is in contrast to creating new IAM users, new groups, or new roles. New
IAM identities can perform no actions inside your AWS account by default until you
explicitly grant them permission.

The way you grant permissions in IAM is by using IAM policies.

IAM policies
To manage access and provide permissions to AWS services and resources, you create
IAM policies and attach them to IAM users, groups, and roles. Whenever a user or
role makes a request, AWS evaluates the policies associated with them. For example,
if you have a developer inside the developers group who makes a request to an AWS
service, AWS evaluates any policies attached to the developers group and any policies
attached to the developer user to determine if the request should be allowed or denied.

IAM policy examples

Most policies are stored in AWS as JSON documents with several policy elements.
The following example provides admin access through an IAM identity-based policy.

This policy has four major JSON elements: Version, Effect, Action, and Resource.

 The Version element defines the version of the policy language. It specifies the

language syntax rules that are needed by AWS to process a policy. To use all
the available policy features, include "Version": "2012-10-17" before
the "Statement" element in your policies.
 The Effect element specifies whether the statement will allow or deny access.
In this policy, the Effect is "Allow", which means you’re providing access to a
particular resource.
 The Action element describes the type of action that should be allowed or
denied. In the example policy, the action is "*". This is called a wildcard, and
it is used to symbolize every action inside your AWS account.
 The Resource element specifies the object or objects that the policy statement
covers. In the policy example, the resource is the wildcard "*". This represents
all resources inside your AWS console.

Putting this information together, you have a policy that allows you to perform all
actions on all resources in your AWS account. This is what we refer to as an
administrator policy.

The next example shows a more granular IAM policy.

After looking at the JSON, you can see that this policy allows the IAM user to change their
own IAM password (iam:ChangePassword) and get information about their own user
(iam:GetUser). It only permits the user to access their own credentials because the resource
restricts access with the variable substitution ${aws:username}.

Policy structure
When creating a policy, each of the elements shown in the table are required in the policy
statement.

https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/introduction.html

https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/access.html
Lock down the AWS root user
–
The root user is an all-powerful and all-knowing identity in your AWS account. If a
malicious user were to gain control of root-user credentials, they would be able to access
every resource in your account, including personal and billing information. To lock down the
root user, you can do the following:
 Don’t share the credentials associated with the root user
 Consider deleting the root user access keys
 Enable MFA on the root account

Follow the principle of least privilege

–
Least privilege is a standard security principle that advises you to grant only the necessary
permissions to do a particular job and nothing more. To implement least privilege for access
control, start with the minimum set of permissions in an IAM policy and then grant additional
permissions as necessary for a user, group, or role.

Use IAM appropriately

–
IAM is used to secure access to your AWS account and resources. It simply provides a way
to create and manage users, groups, and roles to access resources in a single AWS account.
IAM is not used for website authentication and authorization, such as providing users of a
website with sign-in and sign-up functionality. IAM also does not support security controls
for protecting operating systems and networks.

Use IAM roles when possible

–
Maintaining roles is more efficient than maintaining users. When you assume a role, IAM
dynamically provides temporary credentials that expire after a defined period of time,
between 15 minutes and 36 hours. Users, on the other hand, have long-term credentials in the
form of user name and password combinations or a set of access keys.

User access keys only expire when you or the account admin rotates the keys. User login
credentials expire if you applied a password policy to your account that forces users to rotate
their passwords.

Consider using an identity provider

–
If you decide to make your cat photo application into a business and begin to have more than
a handful of people working on it, consider managing employee identity information through
an identity provider (IdP). Using an IdP, whether it's an AWS service such as AWS Single
Sign-On or a third-party identity provider, provides a single source of truth for all identities in
your organization.
You no longer have to create separate IAM users in AWS. You can instead use IAM roles to
provide permissions to identities that are federated from your IdP. For example, you have an
employee, Martha, who has access to multiple AWS accounts. Instead of creating and
managing multiple IAM users named Martha in each of those AWS accounts, you could
manage Martha in your company’s IdP. If Martha moves in the company or leaves the
company, Martha can be updated in the IdP, rather than in every AWS account in the
company.

Consider AWS Single Sign-On

–
If you have an organization that spans many employees and multiple AWS accounts, you
might want your employees to sign in with a single credential.

AWS SSO is an IdP that lets your users sign in to a user portal with a single set of
credentials. It then provides users access to their assigned accounts and applications in a
central location.

Similar to IAM. AWS SSO offers a directory where you can create users, organize them in
groups, set permissions across the groups, and grant access to AWS resources. However,
AWS SSO has some advantages over IAM. For example, if you’re using a third-party IdP,
you can sync your users and groups to AWS SSO. This removes the burden of having to re-
create users that already exist elsewhere, and it enables you to manage the users from your
IdP. More importantly, AWS SSO separates the duties between your IdP and AWS, ensuring
that your cloud access management is not inside or dependent on your IdP.

https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/