Udemy AWS SAA - Intro and IAM

How to choose an AWS Region if you need to launch a new app

  1. Compliance: data governance and legal requirements; data never leaves a region without your explicit permission
  2. Proximity: to customers, to reduce latency
  3. Available services: some regions don't have all services
  4. Pricing: varies from region to region

Availability Zones:
each region has many availability zones, usually 3, min is 2, max is 6
each AZ is one or more discrete data centers with redundant power, networking and connectivity; the AZs are separate from each other but connected with high-bandwidth, ultra-low-latency links

AWS Points of Presence (Edge Locations): the network of edge sites

AWS has Global Services

  • Identity and Access Management (IAM)
  • Route 53 (DNS service)
  • CloudFront (Content Delivery Network)
  • WAF (Web Application Firewall)

Most AWS services are Region-scoped

  • Amazon EC2 (Infrastructure as a Service)
  • Elastic Beanstalk (Platform as a Service)
  • Lambda (Function as a Service)
  • Rekognition (Software as a Service)

Identity and Access Management (IAM)

  • Root account created by default; it shouldn't be used or shared
  • Users are people in your org, and can be grouped. After getting a root user, we create an Admin account, then create user accounts
  • Groups only contain users, not other groups
  • A user can belong to multiple groups
  • We want each user to use their own account
  • Permissions: users or groups can be assigned JSON documents called policies, which grant their permissions to AWS services. Apply the principle of least privilege: don't give a user more permissions than they need

Inline policy: a policy attached directly to a single user

IAM Policies Structure

An example permission JSON
In the example, "*" means any: it permits any action on any resource

Two Ways to Protect Your AWS Account

Password Policy

  • Strong passwords = higher security for your account
  • In AWS, you can set up a password policy:
    • Set a minimum password length
    • Require specific character types: uppercase letters, lowercase letters, numbers, non-alphanumeric characters
    • Allow all IAM users to change their own passwords
    • Require users to change their password after some time (password expiration)
    • Prevent password re-use

Multi Factor Authentication - MFA

  • Users have access to your account and can possibly change configurations or delete resources in your AWS account
  • You want to protect your Root Accounts and IAM users
  • MFA = password you know + security device you own
  • You can use:
    • Virtual MFA device: Google Authenticator (Phone only), Authy (multi-device);
    • Universal 2nd Factor (U2F) Security Key, ex. YubiKey
    • Hardware Key Fob: Gemalto
    • Hardware Key Fob for AWS GovCloud(US): SurePassID

How can users access AWS?

  • AWS Management Console (protected by password + MFA)
  • AWS Command Line Interface (CLI): protected by access keys; interact with AWS services from your command-line shell
  • AWS Software Development Kit (SDK), for code: protected by access keys; language-specific APIs that let you access and manage AWS services programmatically

Access key ID = username, Secret Access Key = password. So DO NOT SHARE YOUR ACCESS KEYS

CloudShell: it's not global. It is a terminal in the browser that can substitute for the CLI, and it has upload and download functions

IAM Roles: some AWS services need to perform actions on your behalf; to allow this, we assign permissions to AWS services with IAM Roles, e.g. EC2 Instance Roles, Lambda Function Roles, Roles for CloudFormation

IAM Security Tools

  • IAM Credentials Report (account-level): a report that lists all your account's users and the status of their various credentials, including all accounts' password status and permissions
  • IAM Access Advisor (user-level): shows the service permissions granted to a user and when those services were last accessed. You can use this info to revise your policies: if a user never uses a service, that permission can be removed

IAM Guidelines & Best Practices

  1. Don't use the root account except for AWS account setup
  2. One physical user = One AWS user
  3. Assign users to groups and assign permissions to groups
  4. Create a strong password policy
  5. Use and enforce the use of Multi Factor Authentication (MFA)
  6. Create and use Roles for giving permissions to AWS services
  7. Use Access Keys for Programmatic Access (CLI / SDK)
  8. Audit permissions of your account with the IAM Credentials Report

AWS Budget Setup

Posted by MiraMira