DEV Community: Madhumitha

Day 2.3: AWS IAM Security Best Practices

Madhumitha — Tue, 09 Jan 2024 19:34:43 +0000

To help secure your AWS resources, follow these best practices for AWS Identity and Access Management (IAM)

!.Requires Federation for human users:
Enable human users to access aws using temporary credentials obtained through federation with an identity provider.
2.Use temporary Credentials with IAM roles:
Ensure workloads utilize temporary credentials obtained through IAM roles to access AWS resources.
3.Implement MFA(Multifactor authentication)
Apply the use of MFA to add an extra layer of security for user authentication.
4.Update Access keys when needed:
Regularly refresh access keys, especially for use cases requiring long-term credentials, to minimize security risks.
5.Secure Root user credentials:
Follow best practices to protect the credentials of the root user, including enabling MFA for the root account.
6.Apply Least-Privilege Permissions:
Grant users and processes the minimum permissions necessary to perform their tasks, reducing the risk of misuse.
7.Start with AWS Managed Policies:
Begin with AWS managed policies and progressively move towards implementing least-privilege permissions.
8.Utilize IAM Access Analyzer:
Utilize IAM Access Analyzer to generate least-privilege policies based on access activity and ensure secure permissions.
9.Regularly review and remove unused resources:
Conduct regular reviews to identify and remove unused users, roles, permissions, policies and credentials.
10.Use conditions in IAM Policies:
Improve access control by incorporating conditions in IAM policies to further restrict user access.
11.Verify public and cross-account access:
Use IAM Access Analyzer to validate public and cross-account access to resources, ensuring security and compliance.
12.Establish permissions guardrails:
Implement security policies across multiple AWS accounts to enforce consistent access controls.
13.Delegate permissions boundaries:
Manage permissions within an account by setting up defined boundaries.

By following these IAM best practices, you can greatly strengthen the security of your AWS environment, ensuring both secure and efficient access to resources.

Day 2.2: SCPs (service control policies)

Madhumitha — Mon, 08 Jan 2024 18:23:01 +0000

What is Service Control Policies?
=> This is another type of policy that we can apply in AWS. It allow you to control what aws services and actions are accessible for aws accounts within your organization.
=> SCPs operate on a "deny by default" principle, where you explicitly define permissions to deny or allow. They act as an additional layer of control on top of IAM policies.
=> In simple terms, SCPs help you say who gets to use what.

Service Control Policies:
Service Control Policies are associated with a service called AWS organization.
AWS organization: It is a service that enable you to combine multiple AWS accounts into an organization that you create and centrally manage. It simplifies billing and cost allocation, applies policies across your accounts, and allow you to create a hierarchical structure with organizational units(OUs).

Root: Root is the top-level entity in your AWS Organizations hierarchy. The purpose of root is where you initially set up your organization-wide controls, such as SCPs that apply to all accounts.
AWS Organizations supports a hierarchical structure with the root at the top and OUs beneath it.
Lets understand this with an analogy:
Imagine AWS as a large corporate building. Each floor represents a different department or team (organizational unit or OUs). The CEO's office on the top floor(Root) makes high-level decisions for the entire company. Each department floor has specific rules(Service control policies or SCP's) at its entrance stating what that department can or cannot access.
So, AWS Organizations is like a well organized corporate building where the CEO's office(Root) sets the main rules, and each department(OU) has its own rules posted at the entrance, ensuring a structured and controlled environment.

Day 2.1: AWS IAM

Madhumitha — Mon, 08 Jan 2024 08:21:42 +0000

> The AWS IAM service is a global service which means you create your users, groups, roles and policies in one place.

What is AWS IAM?

AWS IAM is a web service that helps you securely control access to AWS resources. It allows you to manage users and their level of access to the AWS resources.

To understand this, lets use an analogy,

Lets consider a theme park(cloud infrastructure). The ticket seller(IAM) decides who gets tickets(Access) to which rides(AWS resources). Users are visitors, Groups are like friend categories, and Permissions are types of rides you are allowed on.

Key terms in IAM Definition Example to understand

IAM User: A unique identity in AWS associated with specific security credentials. Alex, who has a set of credentials(username and password) to access AWS services.

IAM Group: A collection of IAM users, simplifying the management of permissions. Example: The "Developers" group includes Sarah, Mike, and Emily, who share similar access needs.

IAM Role: Similar to a user but doesn't have long-term credentials. Roles are often assumed by users, services, or AWS resources for temporary permissions. Example: A role allowing an EC2 instance to access an S3 bucket without using permanent credentials

IAM Policy: Defines permissions in JSON format. It specifies what actions are allowed or denied on which AWS resources. Policies can be attached to users, groups, or roles. Example: A policy allowing read-only access to an S3 bucket.

IAM Permissions: Actions that are allowed or denied on AWS resources. Permissions are granted through policies and determine the level of access for users or groups. Example: Permission to launch and terminate EC2 instances or read/write objects in an S3 bucket.

IAM Access key: Consists of an access key ID and a secret access key. Used to interact with AWS programmatically, like making API requests or using AWS CLI. Access key ID: AKIAYOURACCESSKEY, Secret access key: YOURSECRETACCESSKEY.

Multifactor Authentication: Adds an extra layer of security by requiring users to provide a second authentication factor (e.g., a temporary code from a hardware token or a mobile app). Using a mobile app to generate a temporary code along with a password for AWS login.

Principal: In the context of IAM, a principal is an entity that can take actions and make requests. This can be an IAM user, an IAM role, or an AWS service. Example: Alex (IAM user), an EC2 instance (IAM role), or an AWS service

Policy Document: A JSON document that defines the permissions in an IAM policy. Specifies what actions are allowed or denied and on which AWS resources. Example: JSON specifying permissions for an IAM user to list EC2 instances

Resource: In IAM policies, a resource is an AWS entity that the policy applies to, such as an S3 bucket, an EC2 instance, or an IAM user. Example: An S3 bucket (arn:aws:s3:::example-bucket) or an EC2 instance (arn:aws:ec2:region:account-id:instance/instance-id).

Condition: Part of an IAM policy that sets additional restrictions on when a policy should be applied. Conditions are based on key-value pairs, such as time of day or IP address. Example: A condition specifying access only during certain hours or from specific IP addresses.

There are different ways to access IAM, like using console or CLI or API's. After entering into IAM you can see the users, roles, apps and federated users.

IAM role: If I have a full access to my AWS account and I assume a role and that role only has read only access to S3. so now I don't have access to the AWS account as long as I am in that role.

What is IAM Password Policy?

IAM password policy is a set of rules dictating how user passwords must be structured and managed, including length, complexity, expiration, history, and lockout settings for improved security.

What is AWS IAM?
AWS IAM is a web service that helps you securely control access to AWS resources. It allows you to manage users and their level of access to the AWS resources.
To understand this, lets use an analogy,
Lets consider a theme park(cloud infrastructure). The ticket seller(IAM) decides who gets tickets(Access) to which rides(AWS resources). Users are visitors, Groups are like friend categories, and Permissions are types of rides you are allowed on.

Key terms in IAM	Definition	Example to understand
*IAM User:*	A unique identity in AWS associated with specific security credentials.	Alex, who has a set of credentials(username and password) to access AWS services.
*IAM Group:*	A collection of IAM users, simplifying the management of permissions.	Example: The "Developers" group includes Sarah, Mike, and Emily, who share similar access needs.
*IAM Role:*	Similar to a user but doesn't have long-term credentials. Roles are often assumed by users, services, or AWS resources for temporary permissions.	Example: A role allowing an EC2 instance to access an S3 bucket without using permanent credentials
*IAM Policy:*	Defines permissions in JSON format. It specifies what actions are allowed or denied on which AWS resources. Policies can be attached to users, groups, or roles.	Example: A policy allowing read-only access to an S3 bucket.
*IAM Permissions:*	Actions that are allowed or denied on AWS resources. Permissions are granted through policies and determine the level of access for users or groups.	Example: Permission to launch and terminate EC2 instances or read/write objects in an S3 bucket.
*IAM Access key:*	Consists of an access key ID and a secret access key. Used to interact with AWS programmatically, like making API requests or using AWS CLI.	Access key ID: AKIAYOURACCESSKEY, Secret access key: YOURSECRETACCESSKEY.
*Multifactor Authentication:*	Adds an extra layer of security by requiring users to provide a second authentication factor (e.g., a temporary code from a hardware token or a mobile app).	Using a mobile app to generate a temporary code along with a password for AWS login.
*Principal:*	In the context of IAM, a principal is an entity that can take actions and make requests. This can be an IAM user, an IAM role, or an AWS service.	Example: Alex (IAM user), an EC2 instance (IAM role), or an AWS service
*Policy Document:*	A JSON document that defines the permissions in an IAM policy. Specifies what actions are allowed or denied and on which AWS resources.	Example: JSON specifying permissions for an IAM user to list EC2 instances
*Resource:*	In IAM policies, a resource is an AWS entity that the policy applies to, such as an S3 bucket, an EC2 instance, or an IAM user.	Example: An S3 bucket (arn:aws:s3:::example-bucket) or an EC2 instance (arn:aws:ec2:region:account-id:instance/instance-id).
*Condition:*	Part of an IAM policy that sets additional restrictions on when a policy should be applied. Conditions are based on key-value pairs, such as time of day or IP address.	Example: A condition specifying access only during certain hours or from specific IP addresses.

What is IAM Password Policy?
IAM password policy is a set of rules dictating how user passwords must be structured and managed, including length, complexity, expiration, history, and lockout settings for improved security.

Day 1: Recap

Madhumitha — Mon, 08 Jan 2024 08:17:25 +0000

The AWS Acceptable Use Policy describes the prohibited uses of AWS

Day 1.5: Ways to launch Cloud Services

Madhumitha — Sun, 07 Jan 2024 20:52:17 +0000

Methods	Description	Use Case
*AWS Management Console:*	Web-based interface that allows users to access and manage AWS services through GUI.	Simply log in to the AWS management console, navigate to the desired service and configure settings visually.
*AWS Command Line Interface(CLI):*	A command-line tool that enables to interact with AWS services using commands in a terminal or command prompt.	Users can script and automate the repetitive tasks using AWS CLI commands.
*AWS Software Development Kits(SDKs):*	Provides libraries for various programming languages, allowing developers to integrate AWS services directly into their apps.	SDKs are available for popular programming languages like Java, Python, JavaScript, and more.
*AWS Elastic Beanstalk:*	fully managed service that simplifies the deployment and management of applications in various languages.	Users just upload their app's code, and Elastic beanstalk handles the deployment and scaling.
*AWS Marketplace:*	online store that allows users to find, buy and immediately start using software and services.	users can discover and launch pre-configured solutions from third party vendors directly form the AWS marketplace.

Day 1.4: Understanding API with an analogy.

Madhumitha — Sun, 07 Jan 2024 19:50:06 +0000

What is API(Application Programming Interfaces) in cloud?
APIs are like instruction manuals that enable developers to interact with and utilize AWS services in their applications by defining how software components communicate.
Simple analogy for easy understanding:
APIs are like a menu at a restaurant. The menu lists dishes (services), and each dish has a description(API documentation) detailing how it's prepared. Customers(developers) use the menu to place orders(make API calls) and the kitchen(AWS services) follows the instructions to prepare and serve the requested dish(perform actions in the cloud). The menu simplifies the process, allowing customers to interact with the restaurant without needing to know the recipes or cooking details. Similarly, APIs provide a simplified way for developers to interact(making requests and receiving responses) with AWS services programmatically without needing to know the internal complexities.
Real life examples:
(1) *Weather API*: A travel app uses weather API to display current conditions and forecasts for destinations, helping users plan their trips.
(2) *Social media API(like Twitter API)*: A news website integrates the twitter API to display live tweets related to specific topics or events on their homepage.
(3) *Flight aggregator API*: A travel booking platform uses a flight aggregator API to provide users with a full view of available flights, prices, and schedules across multiple airlines.
(4) *Maps and Location API(google maps API)*: A food delivery app uses a maps API to show the real time location of delivery drivers and track their routes for efficient deliveries.

Day 1.3: AWS Shared Responsibility Model

Madhumitha — Sun, 07 Jan 2024 19:03:02 +0000

What is AWS Shared Responsibility Model?
The AWS shared responsibility model defines the security responsibilities between AWS and its customers. AWS is responsible for the security "of" the cloud infrastructure, while customers are responsible for security "in" the cloud, focusing on configurations, data protection, and access controls.
*AWS Responsibility ("of" the cloud)* :
(1)Physical security: AWS ensures security of data centers. (2)Network infrastructure: AWS manages the global network infrastructure including protection against Distributed Denial of service(DDoS) attacks.
*Customer Responsibility ("in" the cloud)* :
(1)Encrypting sensitive data: Customers are responsible for implementing encryption to protect their data. (2)Managing access through IAM(Identity access management): Customers control who has access to their resources.

If you haven't understand, lets consider a real life analogy,

Consider Hotel owner as AWS and Guests as customers. AWS is like Hotel owner who takes care of the overall security and infrastructure, ensuring the physical and operational aspects are well-maintained. Customers are like hotel guests who are responsible for securing their individual spaces managing access to their data and using additional security measures within their control.

Day 1.2: AWS Global Infrastructure

Madhumitha — Sun, 07 Jan 2024 17:51:54 +0000

what is AWS Global Infrastructure
AWS Global Infrastructure is the interconnected network of data centers, availability zones, and edge locations strategically positioned worldwide. This Infrastructure enables AWS to provide reliable, scalable, and low-latency services to users globally.
Alright, let's break it down: Imagine AWS Global Infrastructure as a massive, well connected system of high-tech buildings(data centers) spread across the globe. In each building, there are backup systems(Availability zones) ready to take over if something goes wrong. This setup ensures that online services, like websites and apps, can handle a lot of users, work reliably and stay fast. It's like having a global safety net for digital operations.

what is AWS Global Infrastructure

AWS Global Infrastructure is the interconnected network of data centers, availability zones, and edge locations strategically positioned worldwide. This Infrastructure enables AWS to provide reliable, scalable, and low-latency services to users globally.

Alright, let's break it down: Imagine AWS Global Infrastructure as a massive, well connected system of high-tech buildings(data centers) spread across the globe. In each building, there are backup systems(Availability zones) ready to take over if something goes wrong. This setup ensures that online services, like websites and apps, can handle a lot of users, work reliably and stay fast. It's like having a global safety net for digital operations.

What are the key components of AWS Global Infrastructure?
1. Regions : AWS regions is a separate geographical area where AWS has established data centers. Each region is isolated and independent, allowing users to deploy resources in specific geographic locations.
2. Availability Zones : Each AWS region consists of multiple availability zones, which are isolated data centers within the region. AZs are connected through high speed, low latency networks. Deploying applications across multiple AZs enhances fault tolerance and availability.
3. Edge Locations : AWS has a global network of edge locations that serve as content delivery points for services like Amazon CloudFront(a content delivery network). These locations improve the performance of applications by caching content(improves content delivery speed) closer to end-users.
*Real life examples*
Netflix: With a global user base, Netflix leverages AWS's global infrastructure to deliver streaming services efficiently. They deploy their applications across multiple regions and availability zones to ensure high availability and low-latency streaming for users worldwide.

Day 1.1: Cloud Concepts

Madhumitha — Sun, 07 Jan 2024 06:34:51 +0000

What is Client-server model?
In computing, Client is web browser and server is any virtual services like Amazon EC2.
Example: You went to coffee shop. There barista is the server and you are the client. You(Client) make a request of you preferred coffee and the barista(server) evaluates the details of your request and fulfills it.

What is cloud computing?
*Def* : The On-demand delivery of IT resources over the internet with pay as-you-go pricing.
"On-demand delivery" : AWS has resources you need when you need them. you don't need to inform the AWS in advance. you can just demand when ever you need by just few clicks and launch.
"IT Resources" : AWS has many products. AWS wants to help you in tasks that are common and often repetitive, time consuming by providing its resources.
"Over the Internet" : You can access the resources using a secure webpage.
"pay as you go pricing" : why pay for developer environments for example on weekends if your developers aren't working! So you can pay only for what you use.
Examples: Gmail, Netflix are some of the daily used cloud services

Deployment models of Cloud Computing :

Public cloud(cloud based)	Private cloud(On-premises)	Hybrid cloud
Operated by third party cloud service provider	Used by single organization	Combines elements of both public and private clouds and allows data to be shared between them
Like using a public library. You access books(services) provided by the library(AWS) that anyone can use.	Like your book collection at home. Your books(services or resources) are exclusive to your use and not shared publicly.	Having both a personal book collection at home and using public library. You mix and match resources using some private and public based on your needs.

*Characteristics of Cloud Computing*
1.On Demand self service: Instant access to resources as-needed. Like ordering pizza when hungry.
2.Broad network access: Access services from anywhere, anytime. Like accessing social media from various devices.
3.Resource pooling: Shared resources for efficient utilization. Like sharing one vehicle for better efficiency(uber, rapido..etc)
4.Multitenancy: Multiple users sharing resources. Like different families sharing a vacation house.
5.Elasticity and measured services: Flexibility and Pay-as-you-go model. Like paying for electricity based on usage.

Cloud Service models:
1.Private cloud: You own secured cloud environment Like a private office space.
2.IaaS(Infrastructure as a service): Basic infrastructure like virtual machines are provided and you manage everything else. Like a renting fully furnished apartment.
3.PaaS(Platform as a service): Platform provided with tools and services to build and deploy applications without managing infrastructure. Like renting a kitchen in a restaurant: focus on cooking not on infrastructure.
4.SaaS(Software as a service): Ready to use software applications. Like Facebook, Emails where you don't need to install software; you are just a consumer.

AWS Public and Private services:

Six Advantages of Cloud computing:
(1). Trade fixed expense for variable expense: Instead of making upfront investments in data centers and servers, cloud computing allows you to pay only for the computing resources you consume.
(2). Benefit from massive economies of scale: Cloud providers like AWS serve a vast number of customers globally. When many customers use the cloud services, the overall cost per unit decreases. This benefits the users who pay for computing resources on a pay-as-you-go basis.
(3). Stop Guessing Capacity: No need for upfront capacity decisions as users can access the required capacity as needed in mintues. So there is no limited capacity.
(4). Increase speed and agility: Cloud computing provides quick access to new IT resources. This increase in speed enhances organizational agility, making it easier and faster to experiment, develop, and deploy applications.
(5). Stop spending money running and maintaining data centers: Allows organizations to focus on customer-centric projects instead of managing the infrastructure.
(6). Go global in minutes: Deployment of applications in multiple global regions with minimal effort.

AWS Cloud Practitioner Certification Exam Outline

Madhumitha — Sat, 06 Jan 2024 08:05:34 +0000

Introduction to AWS Cloud Practitioner Certification

 The AWS Certified Cloud Practitioner certification is designed for individuals with a foundational understanding of AWS Cloud services and their basic architectural principles.

Exam Details

  Exam code: CLF-CO2
  Exam format: - Multiple choice and multiple answers
               - 90 min (1.5 hr) to complete the exam
               - Available in multiple languages

Domains covered

The exam has the following content domains and weightings:

Weightings
Domain 1: Cloud Concepts (24% of scored content)
Domain 2: Security and Compliance (30% of scored content)
Domain 3: Cloud Technology and Services (34% of scored content)
Domain 4: Billing, Pricing, and Support (12% of scored content)

For more info regarding this certification, click here

Courses
AWS cloud practitioner essentials(free on AWS training and certification)
udemy and other online courses and tutorials are helpful

Exam prep tips
1. Practice exams
2. Hands on labs

Achieving the AWS Certified Cloud Practitioner certification validates your foundational knowledge of AWS Cloud services, setting a solid foundation for a career in cloud computing.

you can do it

Study Plan for the week: AWS Cloud Practitioner Certification

Madhumitha — Sat, 06 Jan 2024 07:36:39 +0000

Hey Dev.to community! Excited to share my study plan for the first week of preparing for the AWS cloud practitioner certification. It's a challenging yet thrilling journey, and I'm documenting every step on this platform. Join me as I break down complex AWS concepts and conquer this certification!

Day	Topics	Morning	Afternoon	Evening
1 - 2	"Foundation of AWS"	Intro to AWS, Understanding basic services(EC2,S3)	Deep dive into EC2 Instances and their configurations	Hands-on practice with launching an EC2 instance
3-4	"AWS Storage Services"	Explore Amazon S3 and its use cases	Learn about EBS(Elastic Block Store) and its significance	Practical exercises on setting up S3 buckets and working with EBS volumes
5	"Networking in AWS"	Basics of VPC(Virtual Private Cloud) and subnetting	Understanding security groups and NACLs	Set up a simple VPC and practice network configurations
6	"AWS Security and Identity"	Introduction to IAM(Identity and Access Management)	Hands-on exercises with IAM roles and policies	Explore AWS key management services(KMS)
7	"Review and practice exam"	Review key concepts and notes	Take a practice exam to assess your understanding	Identify areas for improvement and plan further study

Feel free to customize the plan based on your preferences and time constraints. Wish me luck with my AWS cloud practitioner certification journey.

Embarking on my AWS Cloud Practitioner Journey: A Chronicle of Learning

Madhumitha — Sat, 06 Jan 2024 07:05:09 +0000

After completing my graduation, I took a one-year break to focus on personal growth and essential life skills needed. While my friends are achieving their yearly goals, I realized that it was time to bring some positive changes to my life. The year 2023 came to end and monotony of being alone and observing the world from the sidelines motivated me to take action. 

Feeling a bit behind in the career race, I decided it was time to embark on the journey of skill enhancement. I've set my sights on learning AWS to boost my expertise in cloud computing.

The first step? Cracking the AWS Cloud Practitioner Certification. Join me as I share my experiences, challenges, and triumphs in this exciting quest for self-improvement. Let's dive into the world of AWS together!