Unit III Notes
• The AWS shared responsibility model defines what you (as an AWS account holder/user) and
AWS are responsible for when it comes to security and compliance.
• Security and Compliance is a shared responsibility between AWS and the customer. This
shared model can help relieve customer’s operational burdens as AWS operates, manages,
and controls the components from the host operating system and virtualization layer down
to the physical security of the facilities in which the service operates.
The customer assumes responsibility for and management of the guest operating system (including
updates and security patches), other associated application software, and the configuration of the
AWS-provided security group firewall.
AWS is responsible for “Security of the Cloud”.
• AWS is responsible for protecting the infrastructure that runs all the services offered in the
AWS Cloud.
• This infrastructure is composed of the hardware, software, networking, and facilities that
run AWS Cloud services.
• For EC2, the customer's side of the model (“security in the cloud”) includes network-level
security (NACLs, security groups), guest operating system patches and updates, IAM user access
management, and client- and server-side data encryption.
IAM allows you to manage users and their level of access to the AWS console. It is used to set up
users, permissions and roles, and to grant access to the different parts of the AWS platform. AWS
Identity and Access Management is a web service that enables Amazon Web Services (AWS)
customers to manage users and user permissions in AWS. With IAM, organizations can centrally
manage users, security credentials such as access keys, and permissions that control which AWS
resources users can access. Without IAM, organizations with multiple users must either create
multiple AWS accounts, each with its own billing and subscriptions to AWS products, or share one
account with a single security credential; they also have no control over the tasks that users can
perform. IAM enables an organization to create multiple users, each with its own security
credentials, controlled by and billed to a single AWS account, and lets each user do only what
their job requires.
IAM Features
Shared access to your account: A team working on a project can easily share resources with the
help of the shared access feature.
Free of cost: The IAM feature of an AWS account is free to use; charges are added only when you
access other Amazon Web Services using IAM users.
Centralized control over your AWS account: Any creation of users or groups, or any form of
cancellation, that takes place in the AWS account is controlled by you, and you control what data
can be accessed by each user and how.
Grant permission to the user: As the root account holds administrative rights, users are granted
permission to access certain services through IAM.
IAM Identities
IAM identities are created to provide authentication for people and processes in your AWS account.
IAM Users
• Individual Accounts: These are individual user accounts created within your AWS account.
Each user has its own credentials (username and password or access keys).
• Permissions: You can assign specific permissions to IAM users, allowing them to access and
manage only the AWS resources they need to do their jobs.
• Multi-Factor Authentication (MFA): It's highly recommended to enable MFA for IAM users
to add an extra layer of security.
Root User
• Master Account: The root user is the account that was created when you first signed up for
AWS. It has full administrative privileges over your entire AWS account.
• High security risk: Due to its extensive permissions, the root user is considered a high
security risk. It's generally recommended to avoid using it for day-to-day operations.
• Best Practices: To enhance security, you should create IAM users with appropriate
permissions and limit the use of the root user. Consider using the root user only for
administrative tasks that require full privileges.
IAM Groups
• A group is a collection of users, and a single person can be a member of several groups. With
the aid of groups, we can manage permissions for many users quickly and efficiently.
Example
• Consider two users named user-1 and user-2. If we want to grant user-1 specific
permissions, such as the ability to delete, create, and update the auto-scaling group only,
and we want to grant user-2 all the permissions needed to maintain the auto-scaling
group as well as EC2, we can create groups and add these users to them. If a new user is
added, we can add that user to the required group with the necessary permissions.
IAM Roles
• IAM roles are a powerful feature in AWS that allow you to grant temporary security
credentials to entities like AWS services, EC2 instances, or code. These credentials give
the entity specific permissions to access AWS resources without requiring long-term
credentials like access keys.
Policies
An IAM policy sets permissions and controls access to AWS resources. Policies are stored in AWS as
JSON documents. Permissions specify who has access to the resources and what actions they can
perform. For example, a policy could allow an IAM user to access one of the buckets in Amazon S3.
The policy would contain the following information:
3) Explain the steps involved in securing a new AWS account, with best practices.
4) In securing accounts, explain the following: a) AWS Organizations b) AWS KMS c) AWS Shield
a) AWS Organizations is a free governance tool that lets users create and manage multiple AWS
accounts. It helps in managing multiple accounts from a single location, rather than switching
from one account to another every time. It is a tool for the centralization and governance of all
of a user's AWS accounts. With the help of AWS Organizations, users can create new AWS accounts,
link existing accounts, and share resources among the accounts. Users can also centralize their
logs and set policies on how their AWS accounts will be managed.
• Management/Master account – This is the master account in AWS Organizations, with all the
administrative rights for every account under that particular organization. It is used to
centrally manage all accounts and to handle the billing and logs of all accounts in the
organization.
• Member account – The accounts in an organization other than the management account are
called member accounts. These can be existing accounts or new accounts added to the
organization.
• Organizational Units (OUs) – The units in which accounts are grouped are called
Organizational Units (OUs). Multiple OUs can be created in an organization, and they can be
nested within each other.
• Policies – AWS Organizations provides various policies that help in restricting or setting
boundaries for each account. The most important policy type is the Service Control Policy
(SCP). We’ll discuss this in a little more detail ahead.
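The following is an added example, not part of these notes and not AWS's own tooling: a small Python model of how an identity policy like the S3 bucket policy described under Policies above is evaluated (explicit Deny over Allow over implicit deny), and how an SCP from AWS Organizations acts as a boundary on top of it. Both policy documents are constructed for illustration, and the evaluator ignores the Condition element.

```python
import fnmatch
import json

# Constructed identity-based policy (illustration only): read/write access
# to one S3 bucket, with object deletion explicitly denied.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

# Constructed service control policy attached to the member account's OU:
# everything is allowed except S3 writes and deletes (a read-only guardrail).
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:Put*", "s3:Delete*"], "Resource": "*"}
  ]
}""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Decision for one policy document: 'Deny', 'Allow' or 'ImplicitDeny'.
    An explicit Deny in any matching statement wins; otherwise a matching
    Allow grants; with no matching statement the request is implicitly
    denied.  Action names are case-insensitive, resource ARNs are not, and
    '*' / '?' are wildcards.  The Condition element is ignored here."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def effective_decision(scp, identity_policy, action, resource):
    """Request by a principal in a member account: the SCP is only a
    boundary, so the action must be allowed by both the SCP and the
    identity policy (the management account is exempt from SCPs)."""
    if evaluate(scp, action, resource) != "Allow":
        return "Deny"
    return evaluate(identity_policy, action, resource)
```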
AWS KMS is a secure and resilient service that uses hardware security modules (HSMs), validated or
in the process of being validated, to protect your keys. AWS Key Management Service provides a highly
available key storage, management, and auditing solution for you to encrypt data within your own
applications and control the encryption of stored data across AWS services.
• It is an easy way to control and access your data using managed encryption.
• With AWS Key Management Service, the process of key management is reduced to a few
simple clicks.
• It is also integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon
Redshift to simplify the encryption of your data within these services.
• AWS KMS enables you to create, rotate, disable, enable, and define usage policies for master
keys and audit their usage.
AWS Shield provides protection for web applications against DDoS attacks. It comes in two versions,
Standard and Advanced. AWS Shield Standard is applied by default when you start using AWS, whereas
AWS Shield Advanced is a paid version.
• AWS Shield Standard protects your websites and applications against common, frequently
occurring network-layer DDoS attacks at no additional cost.
• For applications running on Amazon EC2, ELB, and Amazon Route 53, AWS Shield Advanced can
be used for additional, more advanced protection against DDoS attacks.
5) What is a network? Explain addressing and the OSI model.
Computer networking refers to interconnected computing devices that can exchange data and share
resources with each other. These networked devices use a system of rules, called communications
protocols, to transmit information over physical or wireless technologies.
An IP address (Internet Protocol address) is a unique address that identifies a device on a
network. The Internet Protocol itself is the set of rules governing the structure of data sent over
the Internet or through a local network. An IP address helps the Internet to distinguish between
different routers, computers, and websites. It serves as the identifier of a specific machine on a
specific network and makes communication between source and destination possible.
IP address structure: An IPv4 address is written as a set of four numbers separated by dots, for
example 192.158.1.38. Each number in the set may range from 0 to 255. Therefore, the total IP
address range runs from 0.0.0.0 to 255.255.255.255.
Network ID
It is the left-hand part of the IP address that identifies the specific network on which the device
is located. In a normal home network, where a device has the IP address 192.168.1.32, the
192.168.1 part of the address is the network ID. It is customary to write the remaining (host) part
as zero, so we can say that the device’s network ID is 192.168.1.0.
Host ID
The host ID is the part of the IP address not taken by the network ID. It identifies a specific
device (in the TCP/IP world, devices are called “hosts”) on that network. Continuing with our
example of the IP address 192.168.1.32, the host ID is 32, the unique host ID on the 192.168.1.0
network.
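Added example, not from these notes: a Python helper that performs the network ID / host ID split described above for any prefix length (the home-network example is implicitly a /24), tells whether two addresses share a network, and classifies an address as private or public. It uses the notes' addresses plus constructed ones.

```python
import ipaddress


def split_address(address, prefix_len):
    """Split an IP address into (network ID, host ID, usable host count).
    The prefix length says how many leading bits form the network ID; the
    remaining bits form the host ID.  Works for IPv4 and IPv6 addresses."""
    iface = ipaddress.ip_interface(f"{address}/{prefix_len}")
    net = iface.network
    host_id = int(iface.ip) - int(net.network_address)
    if net.version == 4 and net.prefixlen < 31:
        usable = net.num_addresses - 2   # minus network and broadcast addresses
    else:
        usable = net.num_addresses       # IPv6 has no broadcast address
    return str(net.network_address), host_id, usable


def same_network(addr_a, addr_b, prefix_len):
    """True if both addresses share a network ID under the given prefix,
    i.e. they can talk to each other without going through a router."""
    net_a = ipaddress.ip_interface(f"{addr_a}/{prefix_len}").network
    net_b = ipaddress.ip_interface(f"{addr_b}/{prefix_len}").network
    return net_a == net_b


def address_kind(address):
    """Classify an address as 'loopback', 'link-local', 'private' (such as
    the 192.168.0.0/16 home range) or 'public'; handy when checking which
    source addresses should never arrive on an Internet-facing interface."""
    addr = ipaddress.ip_address(address)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    return "public"
```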
Versions of IP address: IPv4 addresses and IPv6 addresses.
6) Explain VPC, its use cases, and its components with its architecture.
Amazon VPC
Amazon VPC can be thought of as a private cloud inside the cloud. It is a logical grouping of
servers in a specified network. The servers that you deploy in the Virtual Private Cloud (VPC) are
completely isolated from other servers deployed in Amazon Web Services. You have complete control
over the IP addresses of the virtual machines and over the route tables and gateways of the VPC.
With the help of security groups and network access control lists, you can protect your application
further.
The basic architecture of a properly functioning VPC consists of many distinct services such as
Gateway, Load Balancer, Subnets, etc. Altogether, these resources are clubbed under a VPC to
create an isolated virtual environment. Along with these services, there are also security checks on
multiple levels. It is initially divided into subnets, connected with each other via route tables along
with a load balancer.
VPC
You can launch AWS resources into a defined virtual network using Amazon Virtual Private Cloud
(Amazon VPC). With the advantages of utilizing the scalable infrastructure of AWS, this virtual
network closely mimics a conventional network that you would operate in your own data center. The
user-defined address space is at most a /16 (65,536 addresses).
Subnets
To reduce traffic, subnets divide the big network into smaller, connected networks. A subnet can be
as large as /16, and a VPC can have up to 200 user-defined subnets.
Route Tables
Route tables are mainly used to define the rules for routing traffic between the subnets.
Network Access Control Lists
Network Access Control Lists (NACLs) for a VPC serve as a firewall by managing both inbound and
outbound rules. Each VPC has a default NACL that cannot be deleted.
Internet Gateway (IGW)
The Internet Gateway (IGW) makes it possible to link the resources in the VPC to the Internet.
Network Address Translation (NAT) enables the connection between a private subnet and the
Internet.
• Using a VPC, you can host a public-facing website, a single-tier basic web application, or just
a plain old website.
• The connectivity between our web servers, application servers, and database can be limited by
the VPC, with the help of VPC peering.
• By managing the inbound and outbound connections, we can restrict the incoming and outgoing
traffic of our application.
Subnet: A subnet in a VPC is a range of IP addresses. It is a section of the VPC that can contain
resources such as Amazon EC2 instances and that shares a common address component. A public subnet
is one whose resources are exposed to the Internet through an Internet Gateway; a private subnet is
one whose resources are not exposed to the outside world.
Route Table: A route table is a set of rules used to decide where network traffic is directed. Each
rule specifies a destination (an IP address range) and a target. The target can be an Internet
gateway, a NAT gateway, a virtual private gateway, etc. With route tables, users can determine where
network traffic from a subnet or gateway will be directed.
Virtual Private Gateway: It is the VPN (Virtual Private Network) hub on the Amazon side of the VPN
connection, used for secure transactions. Users attach it to the VPC from which they want to
create the VPN connection.
NAT Gateway: A Network Address Translation (NAT) Gateway is used when higher bandwidth and
availability with less management effort are required. The route table of the private subnet is
updated so that it sends Internet-bound traffic to the NAT gateway. It supports only the UDP, TCP,
and ICMP protocols.
VPC Peering: A VPC peering connection allows you to route traffic between two Virtual Private
Clouds using IPv4 or IPv6 private addresses. Users can create a VPC peering connection between
their own VPC and a VPC in another AWS account. This connection helps you transfer data smoothly.
Security Groups: A security group consists of a set of firewall rules that control the traffic for
your instance. A single security group can be associated with multiple instances.
Elastic IP: A static, reserved public IP address that can be assigned to any instance in a
particular region and never changes.
Network Access Control Lists (NACL): An optional layer of security for your VPC that acts as a
firewall for controlling traffic in and out of one or more subnets. It adds an additional layer of
security to your VPC.
Customer Gateway: A VPN connection links your network (or data center) to your Amazon VPC (virtual
private cloud). A customer gateway is the device on your side of that connection. It can be a
physical or software appliance.
Network Interface: A virtual network interface attached to an instance. If you move it from one
instance to another, network traffic is automatically shifted to the new instance.
VPC Endpoints: They allow a VPC to connect to other AWS services without using the Internet. They
are of two types, interface endpoints and gateway endpoints. They are scaled, redundant, and highly
available VPC components.
IP addressing: You can assign IPv4 addresses and IPv6 addresses to your VPCs and subnets.
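Added example, not from these notes, for the NACL and security group entries above: a Python model of how a network ACL evaluates rules in ascending rule-number order with the first match winning, and why a stateless NACL needs an outbound rule for reply traffic that a stateful security group would allow on its own. The rule sets and client addresses are constructed.

```python
import ipaddress

# Constructed NACL rule sets for a public web subnet (illustrative values).
# Fields mirror the console columns: rule number, protocol, port range,
# remote CIDR and action.  AWS ends every NACL with a catch-all '*' rule
# that denies whatever earlier rules did not match; it is written here as
# rule 32767 so that it sorts last (it is not a user-editable rule).
CATCH_ALL = {"rule": 32767, "proto": "all", "ports": (0, 65535),
             "cidr": "0.0.0.0/0", "action": "deny"}

INBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (443, 443),
     "cidr": "0.0.0.0/0", "action": "allow"},       # HTTPS from anywhere
    {"rule": 110, "proto": "tcp", "ports": (22, 22),
     "cidr": "203.0.113.0/24", "action": "allow"},  # SSH from the admin range only
    {"rule": 120, "proto": "tcp", "ports": (1024, 65535),
     "cidr": "0.0.0.0/0", "action": "allow"},       # replies to our outbound calls
    CATCH_ALL,
]

# Outbound rules that forget the reply traffic of inbound HTTPS sessions ...
OUTBOUND_BROKEN = [
    {"rule": 100, "proto": "tcp", "ports": (443, 443),
     "cidr": "0.0.0.0/0", "action": "allow"},       # our own outbound HTTPS calls
    CATCH_ALL,
]

# ... and the corrected set with an ephemeral-port rule for those replies.
OUTBOUND_FIXED = OUTBOUND_BROKEN[:1] + [
    {"rule": 110, "proto": "tcp", "ports": (1024, 65535),
     "cidr": "0.0.0.0/0", "action": "allow"},
    CATCH_ALL,
]


def nacl_decision(rules, proto, port, remote_ip):
    """Return (action, rule number) of the first rule that matches, checking
    rules in ascending rule-number order; the catch-all guarantees a match."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r["rule"]):
        low, high = rule["ports"]
        if rule["proto"] not in ("all", proto):
            continue
        if not low <= port <= high:
            continue
        if addr not in ipaddress.ip_network(rule["cidr"]):
            continue
        return rule["action"], rule["rule"]
    raise ValueError("rule set has no catch-all rule")


def https_session_allowed(outbound_rules, client_ip, client_port):
    """A NACL is stateless: the request (inbound to port 443) and the reply
    (outbound to the client's ephemeral port) are filtered independently, so
    both must be allowed for the session to work.  A stateful security group
    would let the reply through automatically."""
    request_ok = nacl_decision(INBOUND, "tcp", 443, client_ip)[0] == "allow"
    reply_ok = nacl_decision(outbound_rules, "tcp", client_port,
                             client_ip)[0] == "allow"
    return request_ok and reply_ok
```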
AWS direct connect facilitates the installation of dedicated network connections from your premises
to your Amazon VPC or between Amazon VPCs. It provides users with an efficient method of
connecting. Its use can efficiently cut network costs. It can give a more consistent network
experience and boost bandwidth throughput than other VPC-to-VPC connecting methods. Because
traffic can take advantage of 1 Gbps or 10 Gbps fiber links physically connecting to the AWS network
in each area, AWS Direct Connect can enable exceptionally efficient routing. Furthermore, this
solution provides the most control and management options for routing on your local and remote
networks, as well as the capability to reuse AWS Direct Connect connections. A physical AWS Direct
Connect connection can be divided into many logical connections, one for each VPC. As shown in the
diagram below, you can then use these logical connections to route traffic between VPCs. In addition
to intra-region routing, you can use your current WAN providers to connect AWS Direct Connect
locations in other regions and use AWS Direct Connect to route traffic across regions through your
WAN backbone network.
What Is AWS VPC Peering Connection?
Virtual Private Cloud Peering, known as VPC Peering, is an AWS networking feature that provides
safe and direct communication between different VPCs. By using the VPC peering feature,
organizations can establish private connections that facilitate the secure and smooth transfer of
resources and data across various VPCs in the AWS Cloud. By establishing communication between
different environments while maintaining the integrity of each VPC's settings, VPC peering makes
network management easier. In the AWS ecosystem, VPC peering is an essential service for creating
scalable, networked infrastructure.
The following architecture diagram illustrates the use of VPC peering connections to connect VPCs
in your account with a VPC in a third-party account.
9) What is AWS Route 53? Explain its working and types.
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It
is designed for developers and corporations to route the end users to Internet applications by
translating human-readable names like www.geeksforgeeks.org into the numeric IP addresses like
192.0.1.1 that computers use to connect. You cannot use Amazon Route 53 to connect your on-
premises network with AWS Cloud.
Amazon Route 53 is an AWS service that offers a scalable and highly available DNS (Domain Name
System) web service. It is essential for converting user-friendly domain names into IP addresses so
that Internet communication can proceed without difficulty. The following are some of the main
features explaining how Amazon Route 53 works:
Domain Registration and Management: Amazon Route 53 allows users to register and maintain domain
names through its user-friendly interface. Users can transfer an existing domain to Route 53 or
register a new one. Once registered, users may freely configure the DNS settings, including mail
server setups (MX records), domain name aliases, and more.
Global DNS Resolution: Route 53 uses a worldwide anycast network made up of many DNS servers placed
strategically all over the world. Route 53’s DNS servers send back the IP address that matches the
domain name a user entered in their web browser. Users can access websites and services quickly
from anywhere in the globe because of the low-latency, high-performance DNS resolution provided by
this global network.
Traffic Routing and Load Balancing: Users can set up load balancing and failover configurations for
their applications with Route 53’s traffic routing capabilities. Users may distribute incoming
traffic among several endpoints, such as Amazon EC2 instances, Elastic Load Balancers, or external
resources, by utilizing capabilities like DNS-based latency routing and weighted round-robin routing.
10) Explain AWS CloudFront. Explain the working of CloudFront in detail.