DEV Community: warris oladipupo

IAM

warris oladipupo — Sat, 29 Jun 2024 16:44:26 +0000

What can iam(identity access management) do to you as an organization or individuals?. let me help you to get the basic knowledge about it.

IAM is a service that allows you to manage users and their access to the AWS console. With IAM, you can create users, grant permissions, and manage access to your AWS resources. It also enables you to create groups and roles , let say you have a company called "TechGuru" , your company will have software developer , HR manager, E.T.C, now these people will need resources of the company to work with thereby, you need to create users for each of your workers right?, yes IAM can help you to do that and your company might have various department which this department are groups and they will also need resources to work with , IAM can also help you to do that.

Now let learn how to create users for your workers and also adding then to groups if needed

search for IAM and click on the IAM

Now click on create user

now input the name of the user and the user can generate his/her passwords but in this case i will allow aws to generate a password for me

We can learn that a user can only change his/her password and username but can not access the company resources unless he/she is given permission. Before we give the permissions , let imagine the user we just created is part of IT department , let create a group for IT department because any permission we assign to the group, any user within that group can have this permission ,so we don’t need to give each user permission, they will just inherit it from the group.
if you look at the picture down here 👇 you will see "add user to the group " since we don’t have a group, let create a group by clicking on create group

looking at the image below , i have given the group name "IT DEPARTMENT"

Now before we click on create user , we need to give it permission
what are permission ? Permissions in AWS are controlled using IAM policy documents, which are written in JSON (JavaScript Object Notation). These documents specify what actions are allowed or denied for a particular user, group, or role.

Here’s a basic example of a JSON policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

now if you don't understand what this code above is , don't worry , we will cover that in the later lesson
Now let give our group permission

From the picture above we have given the group some permission, now let create the group

Now we can see that our group is created and i have clicked on the group and now we can create user by clicking on the next button

looking at the picture above this is just the review section , so let check if everything is okay and correct, let click on create user

looking at the picture above we can see that we have create a user
you can download load the .cv file to see the user credential , now let return to our user list to see our user

Now our user is created.
Join me next week as we dive into s3(Simple Storage Services)
Thank you.

Pricing and Cost Management

warris oladipupo — Wed, 19 Jun 2024 21:53:50 +0000

Budgets

Budgets allow you to set custom thresholds for your AWS spending and usage, alerting you when you exceed these thresholds.
Scenario: You set a budget of $500 per month for your development environment. If your costs approach this limit, AWS Budgets sends you an alert, allowing you to investigate and take action before overspending.

Cost and Usage Reports

The Cost and Usage Report provides detailed information about your AWS usage and costs.
Scenario: You need to analyze the cost trends of your AWS resources over the past year. The Cost and Usage Report gives you a comprehensive view of your spending.

Cost Explorer

Cost Explorer helps you visualize and forecast your AWS costs and usage over time.
Scenario: You want to predict next month's AWS costs based on historical usage. Cost Explorer helps you visualize past trends and forecast future expenses.

Management and Governance
Organizations

Organizations allow you to centrally manage multiple AWS accounts under one organization.
Scenario: Your company has different departments using separate AWS accounts. Using AWS Organizations, you can manage billing and policies centrally.

Control Tower

Control Tower helps you set up and govern a secure, multi-account AWS environment based on AWS best practices.
Scenario: You need to ensure all AWS accounts within your organization comply with company policies. Control Tower sets up a landing zone with guardrails to enforce these policies.

Systems Manager

Systems Manager provides operational insights and management of AWS resources.
Scenario: You manage multiple EC2 instances and need to automate routine tasks. Systems Manager allows you to run commands, manage patches, and monitor performance from a single console.

Support Plans
Trusted Advisor

Trusted Advisor provides real-time guidance on following AWS best practices in terms of cost optimization, performance, security, and fault tolerance.
Scenario: Trusted Advisor alerts you to security gaps, such as open ports on EC2 instances, allowing you to quickly address these issues.

Basic Support

Basic Support is free for all AWS accounts and includes access to customer service and certain AWS Trusted Advisor checks.
Scenario: You’re a new AWS user and need help with account setup. Basic Support provides access to documentation and AWS support forums.

Developer Support

Developer Support starts at $29 per month and is intended for testing and development environments.
Scenario: You're developing a new application and need technical support for troubleshooting. Developer Support provides resources and technical guidance.

Business Support

Business Support starts at $100 per month and is recommended for production workloads.
Scenario: Your application is in production, and you need 24/7 access to AWS technical support. Business Support ensures you have the necessary support.

Enterprise Support

Enterprise Support starts at $15,000 per month and is recommended for business-critical applications.
Scenario: Your business relies on AWS for mission-critical services and requires a dedicated Technical Account Manager (TAM) and 24/7 support. Enterprise Support provides this high level of service.

Additional Services

Marketplace

Marketplace is a digital catalog where you can purchase or license prebuilt software solutions.
Scenario: You need a specialized analytics tool for your project. AWS Marketplace offers a variety of third-party solutions that you can quickly deploy.

AWS Partner Network (APN)

APN is a global community of partners offering software solutions and consulting services for AWS.
Scenario: Your company needs help with a complex migration to AWS. APN partners can provide the expertise and tools required for a smooth transition.

Managed Services

Managed Services help you operate your AWS infrastructure efficiently, ensuring best practices.
Scenario: You lack the internal resources to manage your AWS environment. AWS Managed Services take over the operational management, allowing you to focus on your core business.

Professional Services

Professional Services assist enterprises in transitioning to cloud-based operations.
Scenario: Your organization needs to migrate a legacy system to AWS. Professional Services provide the strategy and execution support needed for this migration.

AWS License Manager

License Manager helps manage software licenses for your AWS resources.
Scenario: You use various software licenses for your applications. License Manager tracks these licenses, ensuring compliance and optimizing usage.

AWS Certificate Manager

Certificate Manager helps provision and manage SSL/TLS certificates for your AWS resources.
Scenario: You need to secure your website with HTTPS. AWS Certificate Manager provisions and renews SSL/TLS certificates automatically.

Security and Compliance

warris oladipupo — Thu, 06 Jun 2024 13:39:32 +0000

Shared Responsibility Model: This model defines what security responsibilities are handled by AWS and what is handled by the customer/you.
_Scenario:_You’re hosting an application on AWS. AWS is responsible for the physical security of the servers, while you are responsible for managing your data and access controls.

Well-Architected Framework: This framework consists of five pillars (Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization) that provide best practices for designing reliable, secure, efficient, and cost-effective systems in the cloud.
Scenario: You’re designing a scalable e-commerce platform. The Well-Architected Framework helps ensure it remains secure, reliable, and cost-efficient even as traffic grows.

Security Basics

1.Identity and Access Management (IAM): IAM enables you to manage users and their access to AWS services and resources securely.
•Scenario: You’re setting up a team project on AWS. You create IAM users for each team member and assign roles with specific permissions to ensure they only access what they need.
2.Web Application Firewall (WAF): WAF helps protect your web applications by filtering and monitoring HTTP and HTTPS requests.
•Scenario: Your website is getting attacked by bots trying to exploit vulnerabilities. WAF blocks these malicious requests, keeping your site secure.

Threat Protection

1.Shield:
Shield is a managed DDoS protection service that safeguards applications from DDoS attacks.
Scenario: Your online service experiences a massive influx of traffic due to a DDoS attack. Shield mitigates the attack, ensuring your service remains available.
2.Macie:
Macie uses machine learning to discover, classify, and protect sensitive data.
•Scenario: You store customer information in S3 buckets. Macie scans these buckets, identifies sensitive data like credit card numbers, and helps you secure it.

Configuration and Monitoring

1.Config:
AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources.
•Scenario: You need to ensure your resources comply with company policies. Config tracks changes and assesses compliance automatically.
2.GuardDuty:
GuardDuty is an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior.
•Scenario: GuardDuty detects unusual API calls indicating a potential breach. You investigate and mitigate the threat promptly.

Vulnerability and Compliance Management

1.Inspector:
Inspector assesses your EC2 instances for vulnerabilities and deviations from best practices.
•Scenario: You launch a new EC2 instance. Inspector runs a security assessment and provides a report highlighting potential vulnerabilities for you to address.
2.Artifact:
Artifact provides on-demand access to AWS’s compliance and security reports.
•Scenario: Your company needs proof of AWS compliance for an audit. Artifact supplies the necessary compliance reports.

1.Cognito:
Cognito helps you add user sign-up, sign-in, and access control to your web and mobile applications.
•Scenario: You’re developing a mobile app and need user authentication. Cognito provides a user pool for registration and sign-in functionalities.

Encryption

Encryption is the process of converting data into a code to prevent unauthorized access. It is a critical component of data security in the cloud.

Scenario: You need to ensure that sensitive customer data stored in an S3 bucket is protected from unauthorized access. By encrypting the data, you can ensure it remains secure even if someone gains unauthorized access to the storage.

Key Management Service (KMS)

KMS is a managed service that allows you to create and manage encryption keys. It simplifies the process of encrypting your data and managing keys securely.

Scenario: You have an application that processes sensitive information. You use KMS to generate and store encryption keys, ensuring that your data is encrypted both at rest and in transit.

CloudHSM

CloudHSM is a hardware security module that allows you to generate and use your encryption keys within dedicated hardware. It provides a higher level of security by managing encryption keys in hardware security modules.

Scenario: Your organization has strict regulatory requirements for encryption key management. Using CloudHSM, you generate and store encryption keys in a dedicated hardware security module, ensuring compliance with regulatory standards.

Secrets Management

Secrets management involves securely storing, managing, and retrieving sensitive information such as passwords, API keys, and other credentials. AWS Secrets Manager helps you do this effectively.

Scenario: You have a web application that requires access to a database. Instead of hardcoding the database credentials in your application code, you store them in AWS Secrets Manager. Your application retrieves these credentials securely at runtime, reducing the risk of exposing sensitive information.

EXPLORING APPLICATION SECURITY SERVICES ON AWS

warris oladipupo — Sun, 21 Apr 2024 08:43:43 +0000

One of the services is WAF(WEB APPLICATION FIREWALLS)
Firewall Basics:

Purpose: Prevent unauthorized access to networks by inspecting incoming and outgoing traffic against defined security rules.

Web Application Firewall (WAF):

Purpose: Protect web applications against common web attacks.
Key Protections: Defense against SQL injection and cross-site scripting (XSS).
Real-World Application: Deployed on EC2 instances or CloudFront to block XSS attacks directly.

Another services is DDOS(DISTRIBUTED DENIAL OF SERVICES)
a DDOS attack causes a traffic jam on a website or web application in an attempt to cause it to crash

Distributed Denial of Service (DDOS) Protection:

Service: AWS Shield.
Features: Always-on detection for DDOS attacks.
Types: Shield Standard (free) and Shield Advanced (paid).
Supported Services: CloudFront, Route 53, ELB, AWS Global Accelerator.
Real-World Application: Real-time notifications and assistance during DDOS attacks.

We also have MACIE

MACIE (Data Discovery and Protection):
Purpose: Discover and protect sensitive data using machine learning.
Key Features: Evaluates S3 environments and uncovers personally identifiable information (PII).
Real-World Application: Identifying and securing sensitive data like passport numbers stored on S3.

Each of these services plays a crucial role in securing different aspects of web applications and infrastructure. Firewalls like WAF protect against specific attacks, DDOS protection services like AWS Shield defend against large-scale attacks, and data discovery tools like MACIE help identify and protect sensitive information within cloud environments. These tools are vital components in maintaining the security and integrity of online applications and data.

Importance of Managing Access to your AWS services and resources.

warris oladipupo — Fri, 12 Apr 2024 17:07:22 +0000

First let discuss about IAM(identity access management )
IAM add security to the your resources by allowing you to control who can access your aws services and what resources they can access.
IAM plays a crucial role in enhancing the security of your cloud resources.
You define who has
access.
You define what they can do.

Secondly let talk about identity and access
identities and access within AWS IAM, focusing on who can access your resources and what resources they can access, comparing the different types of entities involved:

Identities:

Root User:

The root user is the initial account owner created when signing up for AWS services.
This user has full administrative access to all resources in the AWS account.
It is recommended to avoid using the root user for routine tasks to minimize security risks.

Individual Users:

These are AWS accounts created under your AWS organization.
Each individual user has a unique set of credentials (username and password) or can authenticate via federated login (such as through Active Directory).
You can grant specific permissions to individual users based on their roles or responsibilities within your organization.

Groups:

Groups are collections of individual users who have similar roles or permissions requirements.
Instead of assigning permissions to each user individually, you can assign permissions to groups.
This simplifies management by allowing you to add or remove users from groups to automatically adjust their permissions.

Roles:

Roles are used to delegate access to AWS services or resources to entities within or outside your AWS account.
They are not associated with a specific user or group but are assumed by users, applications, or AWS services as needed.
Roles are often used for cross-account access, allowing different AWS accounts to interact with resources in a controlled manner.

Access:

Who Can Access Your Resources:

IAM allows you to control access based on identities (root user, individual users, groups, or roles) and define specific permissions for each identity.
By assigning permissions to identities, you determine who can perform actions on AWS resources.

What Resources They Can Access:

Permissions in IAM are defined using policies that specify actions (e.g., ec2:StartInstances) and resources (e.g., arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0) that can be accessed.
Policies can be attached directly to individual users, groups, or roles to grant or restrict access to specific resources or services.

Comparison:
Root User: Has full administrative access to all resources by default. Should be used only for initial setup and emergency situations.

Individual Users: Represent specific users within your AWS account, each with unique credentials and assigned permissions based on their roles or responsibilities.

Groups: Used to manage permissions collectively for a set of users who share similar access requirements. Permissions are assigned to groups, and users inherit these permissions by being members of the group.

Roles: Provide temporary access to AWS resources for users, applications, or services without the need to share long-term credentials. Roles are assumed by entities, allowing them to perform actions based on the assigned permissions.

thirdly, let talk about authentication and authorization.

Authentication:

Authentication is the process of verifying the identity of a user, application, or entity attempting to access a system or resource. In AWS IAM:

What it is: Authentication involves presenting your identity (e.g., username, AWS access key ID) and providing verification (e.g., password, AWS secret access key) to prove that you are who you claim to be.
Purpose: The goal of authentication is to ensure that the entity requesting access is a legitimate user or system with the proper credentials.

Authorization:

Authorization is the process of determining what actions and resources an authenticated identity is allowed to access within a system or service. In AWS IAM:

What it is: Authorization determines which AWS services and resources an authenticated identity (user, application, role) can interact with based on their assigned permissions.
Purpose: The purpose of authorization is to enforce security policies that control access to specific actions (e.g., read, write) on designated resources (e.g., S3 buckets, DynamoDB tables) within the AWS environment.
Key Points:
Authentication: Verifies the identity of users or systems trying to access AWS resources by presenting credentials (e.g., username/password, access keys).

Authorization: Controls what actions (e.g., read, write, delete) an authenticated identity can perform on specific AWS resources (e.g., S3 objects, DynamoDB tables) based on assigned permissions.

Example in AWS IAM:
In an IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "dynamodb:Scan"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/*",
        "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
      ]
    }
  ]
}

Authentication: Before applying this policy, a user must authenticate (e.g., provide their IAM user credentials).

Authorization: If the authentication is successful, AWS then evaluates the policy to determine whether the authenticated user is authorized to perform s3:GetObject on objects within the example-bucket and dynamodb:Scan operations on the MyTable DynamoDB table.

please stay tune for the next lesson
thank you

how to create an iam user using terraform

warris oladipupo — Wed, 28 Jun 2023 09:03:14 +0000

hello! click on the link below and watch the full video https://youtu.be/mO43fdMwvHw

Creating internet gateway and public subnet and we will attach it to the VPC

warris oladipupo — Mon, 06 Mar 2023 13:24:15 +0000

Before we can attach the internet gateway and public subnet to the VPC , we need to create the VPC(VIRTUAL PRIVATE CLOUD ) modules.

Here is an example of a vpc modules,

this particular module will creates a Virtual Private Cloud (VPC) resource in AWS. The "vpc_cidr_block" is the IP address range that the VPC will use, and "vpc_name" is a name that will be assigned to the VPC as a tag. The "aws_vpc" resource block is where the VPC will actually be created.

next we need to create an internet gateway modules and here is an examples of an internet gateway modules,

This Terraform module creates an Internet Gateway resource in AWS. In this module, the aws_internet_gateway resource is created, and it is associated with a VPC specified by the vpc_id attribute.
Remember internet gateway allow communication between instances in your VPC and the internet, so to associate your internet gateway to your vpc , you always need the vpc_id in your internet gateway modules. Overall, this module creates an Internet Gateway resource and associates it with a VPC, which is necessary for enabling internet access to resources in the VPC.

Next we need to create a public subnet, we can also have a private subnet which will be my next post with route tables but we are creating public subnet in this lecture and here is an example

Before explanation, what is subnet? A subnet, short for "subnetwork," is a portion of a larger network that has been divided into smaller, more manageable sections. In this case, the subnet is created in a public VPC, which means that it has access to the internet via an internet gateway.

The aws_subnet resource is used to create the subnet. It requires the VPC ID (which is specified in a separate resource called aws_vpc.main), the CIDR block (which is specified in a variable called var.public_subnet_cidr_block), and the availability zone (which is specified in a variable called var.availability_zones[0]). The tags block is used to assign a name to the subnet for easier identification.

Overall, this module is a simple way to create a public subnet in an AWS VPC, which can be useful for hosting public-facing resources like web servers or load balancers.

Deploying VPC after creating your EC2 instances

warris oladipupo — Sat, 04 Mar 2023 20:08:12 +0000

After creating your ec2 instance which was my last post, we need to deploy VPC and in this course we are talking about aws vpc, and you can copy vpc resources on terraform website. To create your VPC,

We need to create a new new .tf file which I named main.tf, this file will contain your VPC resources

NOTE : all file created will work as one file.

after you've provided your resources , you need to apply the resources by typing terraform plan on your VScode terminal.

after that, you need the apply phase by typing terraform apply on your terminal.

your VScode will ask for confirmation to apply , type yes to confirmed and your VPC is created .

my next post will be creating internet gateways because we are going to be building developers environment together;

How to lunch AWS EC2 instance using Terraform

warris oladipupo — Sun, 19 Feb 2023 16:16:21 +0000

step 1 : install terraform on your machine or computer
step 2 : check the version of your terrform from either the command prompt or your VScode terminal;
step 3: set up your region, aws access key and secret access key from your aws
step 4: after you've done that , the first thing you need for your terraform is a provider( which is aws in this course) there are many providers but we are choosing AWS. on your Vscode , create a provider.tf file.

step 5: provide the access keys and secret keys in your provider.tf file.

step 6: then initialize your terraform by typing "terraform init" in your VScode terminal

step 7: to check if your terraform is valid type "terraform validate"

step 8:now creating an EC2 instance, you need to create an EC2.tf file on your VScode.

step 9: put your resources inside the EC2.tf file

step 10: provide the ami and the region you are using from AWS

the first picture is to show the ami i am using while the second is to show the region i am using.

step 11: after that , the next thing is to plan by typing "terraform plan" in your VScode terminal.

step 12: to activate the plan and get terraform running , type "terraform apply" and your aws will start creating.

step 13: then go back to your AWS and check the instance state if it's running

LAMBDA

warris oladipupo — Sat, 21 Jan 2023 19:21:03 +0000

Lambda is a serverless compute service which can help you to run a code without managing servers.

The code you run on lambda is called **Functions**
*Lambda scale automatically.
*Lambda is serverless which means you don't have to worry about
managing servers like EC2.

In a bigger picture,
*Lambda allow developers to focus on core business logic for the app they are developing instead of worrying about managing servers.

*Lambda is a building block for many serversless applications.

In lambda, serverless simply means AWS manages the servers for you and you cannot access them.

In the real world, lambda is used for

*Real-time file processing
*Sending email notifications
*Backend business logic.

Features of lambda.

*It support popular programming languages like java,node.js, python and ruby.
*Lambda can execute your code in response to events.
*You author code using your favorite development environment or via the console.