AWS fundamentals
AWS stands for Amazon Web Services. AWS is Amazon's cloud platform: it uses distributed IT infrastructure to provide IT resources on demand. It offers infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS).
AWS offers around 200 services to its customers. It delivers these services through Regions and Availability Zones.
AWS distributes its regions worldwide, allowing customers to choose a region based on their requirements for low latency, cost and compliance.
AWS Region
An AWS Region is a physical location where AWS provides its services.
For example: North America, South America, Europe/Middle East/Africa, Asia Pacific.
Each region is completely isolated from the others, which allows for fault tolerance.
AWS Availability Zones
A region has multiple isolated locations called "Availability Zones".
An Availability Zone is made up of one or more discrete data centers, each with redundant power and connectivity.
Each availability zone is isolated, but within a region they are connected through low-latency links.
Each region has at least two availability zones.
Visualize Regions and Availability Zones
AWS regularly adds new regions and availability zones.
The complete list of regions and availability zones is provided in the AWS official documentation.
AWS Service Categories
The services that AWS provides to its customers are grouped into categories.
Important categories include:
- Compute
- Storage
- Networking
- Databases
- Identity and Access Management
- Containers
- Developer Tools
- Management and Governance
- Machine Learning
and more...
Most of these categories include multiple products and have flexible pricing options.
Customers planning to migrate their resources to the cloud commonly have two concerns: security and compliance.
(Security) Shared Responsibility Model
For security, AWS uses a Shared Responsibility Model.
AWS manages the security of the cloud, while you are responsible for security in the cloud.
For example:
- AWS manages the physical hardware that runs the cloud services
- we are responsible for the data and applications we host on them.
Compliance
When talking about compliance there are two aspects to consider.
1. Compliance of your resources: AWS offers several tools to monitor configuration and evaluate compliance.
2. Compliance of the cloud provider (AWS): AWS infrastructure is compliant with standards such as
- SOC1, SOC2 and SOC3
- FedRAMP
- PCI DSS Level 1
- ISO 9001
- ISO 27001, and more
Identity and Access Management (IAM)
Introduction to IAM
Identity and Access Management (IAM) allows us to manage access to AWS services and resources.
We do this by creating users and groups and allowing or denying their access to resources.
When we create our AWS account we get access to the root account.
Root Account
- The root account is the single sign-in identity created when we first create our AWS account.
- The root account has unrestricted access to all AWS services and resources.
- The root account should not be used for everyday tasks; instead, use IAM user accounts.
Use of IAM
- With IAM we can enforce MFA (Multi-Factor Authentication) for users. MFA adds an extra layer of authentication and improves the security of the account.
- With IAM we can also define granular permissions, meaning we grant only the permissions a user requires. For example, allow a user to list EC2 instances but not start or stop them.
- With IAM we can share access to our AWS account. This grants other users permission to administer and use resources in our AWS account without sharing our password or access keys.
- With IAM we can configure identity federation, which gives temporary access to users who already have a password elsewhere.
- With IAM we can analyze and identify unintended access. The IAM Access Analyzer tool identifies resources, such as S3 buckets, that users may have unintentionally shared with external entities, posing a security risk to our organization.
IAM is free to use, but we are charged when we or any of our users use other AWS resources. For example: we are not charged if we create a user called "gautam", but we are charged when "gautam" uses resources such as EC2.
IAM Users and Groups
IAM User
An IAM user is an entity we create in our AWS account to represent a person or application.
- A user consists of a name and credentials
- By default, a user has no permissions: the user is not authorized to perform any AWS operations or access any AWS resources
There are two primary methods by which IAM users can access AWS.
- Console password
- Access keys: a combination of an access key ID and a secret access key, used to make programmatic calls
- A user can have both a console password and access keys, or only one of them.
- Each IAM user is associated with only one AWS account
IAM User Group
An IAM user group is a collection of IAM users.
- A user group can contain many users, and a user can belong to multiple user groups
- User groups cannot be nested: they can contain only users, not other groups.
IAM roles
An IAM role is an identity that has specific permissions and can be assumed by a user or service that needs it.
For example: consider two services in your AWS account, Amazon EC2 and Amazon S3. An EC2 instance wants to access the content of an S3 bucket. Even though both services are in the same account, access is not permitted, because by default an AWS service cannot access another service.
To allow this access we can create an IAM role with permissions on the S3 service and attach it to the EC2 instance. The EC2 instance can then access the content of the S3 bucket.
- IAM roles are similar to IAM users
- A role is an identity with permissions that determine what the identity can and cannot do in AWS.
- The role is intended to be assumable by anyone who needs it.
- Unlike IAM users, IAM roles do not have permanent credentials.
IAM policies
An IAM policy is an object that, when associated with an identity or resource, defines its permissions. AWS evaluates these policies when an IAM principal (a user or role) makes a request; the permissions in the policies determine whether the request is allowed or denied.
IAM policies define permissions for actions, regardless of the method used to perform the operation. For example: if a policy allows a user to launch an EC2 instance, the user with that policy can launch an EC2 instance from the AWS Management Console, the AWS CLI or the AWS API.
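The evaluation rules described here (no permissions by default, an explicit Deny overriding any Allow, wildcards in Action and Resource) and the EC2-to-S3 role example above, shown as an added Python example that is not part of the original post: a deliberately simplified evaluator run over constructed sample policies. The bucket name and account id are placeholders, and the real IAM engine also considers conditions, resource-based policies and case-insensitive action matching, which this omits.

```python
import fnmatch

# Constructed sample policies (placeholders, not from any real account).
# 1. The "list EC2 instances but not start or stop them" permission set.
EC2_LIST_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}
# 2. Permissions policy for the EC2-to-S3 role: read one bucket, never its secrets/ prefix.
S3_READ_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}
# 3. Trust policy for that role: only the EC2 service principal may assume it.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' are allowed in Action and Resource values."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policies, action, resource):
    """Simplified IAM evaluation: implicit deny, and an explicit Deny beats any Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny wins, whatever else allowed it
            allowed = True
    return allowed  # no matching Allow at all: default deny

def can_assume(trust_policy, service):
    """True if the trust policy lets the given AWS service principal assume the role."""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {}).get("Service", [])
        if stmt["Effect"] == "Allow" and stmt["Action"] == "sts:AssumeRole" and _matches(principal, service):
            return True
    return False
```

Attaching `S3_READ_ROLE_POLICY` as the role's permissions and `EC2_TRUST_POLICY` as its trust policy is what lets the instance, and nothing else, read the bucket.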
IAM best practices
1. Lock away your root user access keys
- Root user access keys grant full access to all AWS services, including billing information
- Delete them, or secure them and rotate them regularly
- Never share the root user password or access keys
2. Create individual IAM users
- Create and use individual user accounts instead of using root user credentials.
- If we have to do administrative work, we should create an IAM user with administrative permissions
3. Configure a strong password policy
- Require users to create strong passwords and periodically rotate them.
4. Enable MFA (Multi-Factor Authentication)
- Enable MFA on your root user account and for all users
5. Grant Least Privilege
- Determine what your users (or roles) need to do
- Start with a minimum set of permissions
- Grant additional permissions when required
That's it! This is all you must know before actually using AWS services.
About my next blog on AWS: in the next blog I am going to deep dive into an AWS service called Amazon EC2, used for creating virtual machines in the cloud and accessing them from your local system. Be ready for it.
Thank you for reading.