From 2c80d9df8764811f9c314923982aeadd5fc2ded5 Mon Sep 17 00:00:00 2001 From: Kanani Nirav Date: Sat, 5 Oct 2024 01:01:39 +0900 Subject: [PATCH] [Modify/Add] Update Cloud Computing and IAM Doc. --- README.md | 6 +- sections/cloud_computing.md | 174 ++++++++++++++++++++++++++++++++++++ sections/iam.md | 161 +++++++++++++++++++++++++++++++++ 3 files changed, 340 insertions(+), 1 deletion(-) create mode 100644 sections/cloud_computing.md create mode 100644 sections/iam.md diff --git a/README.md b/README.md index f68e4f5..6f12d63 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,10 @@ - [Mind Map for outlining essential topics](https://kananinirav.com/mind-map-aws-ccp.html) - [Study Guide](./study-guide.md) +- [Cloud Computing](./sections/cloud_computing.md) + - What is Cloud Computing?, AWS Global Infrastructure, Shared Responsibility Model +- [IAM: Identity Access & Management](./sections/iam.md) + - What Is IAM? ## Practice Exams ( dumps ) @@ -19,7 +23,7 @@ - [Microsoft Azure Fundamentals (AZ-900)](https://certification.kananinirav.com/az-900-microsoft-azure-fundamentals/) - [Useful Cheat Sheet For Developers](https://certification.kananinirav.com/cheat-sheets/) -#### If you find the content of this website interesting and helpful, use the “Buy me a Coffee” link below to buy me a coffee +### If you find the content of this website interesting and helpful, use the “Buy me a Coffee” link below to buy me a coffee Buy Me A Coffee diff --git a/sections/cloud_computing.md b/sections/cloud_computing.md new file mode 100644 index 0000000..08bc7db --- /dev/null +++ b/sections/cloud_computing.md 
@@ -0,0 +1,174 @@ +# Cloud Computing + +- [Cloud Computing](#cloud-computing) + - [What is Cloud Computing?](#what-is-cloud-computing) + - [The Deployment Models of the Cloud](#the-deployment-models-of-the-cloud) + - [The Five Characteristics of Cloud Computing](#the-five-characteristics-of-cloud-computing) + - [Six Advantages of Cloud Computing](#six-advantages-of-cloud-computing) + - [Problems Solved by the Cloud](#problems-solved-by-the-cloud) + - [Types of Cloud Computing](#types-of-cloud-computing) + - [Example of Cloud Computing Types](#example-of-cloud-computing-types) + - [Pricing of the Cloud – Quick Overview](#pricing-of-the-cloud--quick-overview) + - [How Cloud Pricing Solves Traditional IT Cost Issues](#how-cloud-pricing-solves-traditional-it-cost-issues) + - [AWS Cloud Use Cases](#aws-cloud-use-cases) + - [AWS Global Infrastructure](#aws-global-infrastructure) + - [AWS Regions](#aws-regions) + - [How to Choose an AWS Region?](#how-to-choose-an-aws-region) + - [AWS Availability Zones (AZs)](#aws-availability-zones-azs) + - [AWS Points of Presence (Edge Locations)](#aws-points-of-presence-edge-locations) + - [AWS Shared Responsibility Model](#aws-shared-responsibility-model) + - [What is the Shared Responsibility Model?](#what-is-the-shared-responsibility-model) + - [AWS Responsibilities: **Security *of* the Cloud**](#aws-responsibilities-security-of-the-cloud) + - [Customer Responsibilities: **Security *in* the Cloud**](#customer-responsibilities-security-in-the-cloud) + - [Example Responsibilities for Different AWS Services](#example-responsibilities-for-different-aws-services) + - [Summary](#summary) + +## What is Cloud Computing? + +Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources through a cloud services platform with pay-as-you-go pricing. It provides: + +- Provisioning of exactly the right type and size of computing resources. 
+- Access to as many resources as needed, almost instantly. +- A simple way to access servers, storage, databases, and a set of application services. +- Amazon Web Services (AWS) owns and maintains the network-connected hardware, while you provision and use what you need via a web application. + +### The Deployment Models of the Cloud + +| **Private Cloud** | **Public Cloud** | **Hybrid Cloud** | +|----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| Cloud services used by a single organization, not exposed to the public. | Cloud resources owned and operated by a third-party cloud service provider, delivered over the Internet. | Keep some servers on-premises and extend some capabilities to the cloud. | +| Complete control over data, security, and compliance. | Cost-effective as infrastructure is shared among multiple users. | Allows data and applications to be shared between private and public clouds. | +| Security for sensitive applications, ideal for critical workloads. | Suitable for less sensitive workloads that require high scalability and availability. | Offers flexibility, security, and scalability for different use cases. | +| Meet specific business needs and compliance requirements. | No maintenance required as the cloud provider manages the infrastructure. | Provides business continuity, disaster recovery, and data backup solutions. | + +### The Five Characteristics of Cloud Computing + +1. **On-demand self-service**: Provision computing resources as needed automatically. +2. **Broad network access**: Access cloud resources over the network using standard mechanisms. +3. **Resource pooling**: Providers serve multiple customers using a multi-tenant model. +4. **Rapid elasticity**: Resources can be scaled up or down rapidly. +5. 
**Measured service**: Resource usage is monitored and billed accordingly. + +### Six Advantages of Cloud Computing + +1. **Cost Savings**: Pay only for the computing power, storage, and other resources you use. +2. **Speed and Agility**: Quickly deploy services and resources. +3. **Scalability**: Easily scale resources up or down as needed. +4. **High Availability**: Highly available architecture for business continuity. +5. **Global Reach**: Access services from any geographical region. +6. **Security**: AWS provides robust security capabilities to protect your data. + +### Problems Solved by the Cloud + +- **High upfront costs**: Replaced by a pay-as-you-go model. +- **Scalability limitations**: Dynamic scaling to meet business demands. +- **Limited infrastructure availability**: Global infrastructure to support workloads. + +### Types of Cloud Computing + +| **Infrastructure as a Service (IaaS)** | **Platform as a Service (PaaS)** | **Software as a Service (SaaS)** | +|-------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|------------------------------------------------------------------------| +| Provides virtualized computing resources over the internet (e.g., AWS EC2). | Provides a platform allowing customers to develop, run, and manage applications (e.g., AWS Elastic Beanstalk). | Provides software applications over the internet on a subscription basis (e.g., AWS Chime). | +| Offers maximum control over the infrastructure. | Focus on deploying applications without managing underlying infrastructure. | Accessible over the internet, usually via a web browser. | +| Suitable for developers needing control over OS, middleware, and runtime. | Ideal for developers who want to focus on application development. | Suitable for users needing access to software without infrastructure management. 
| + +### Example of Cloud Computing Types + +- **IaaS**: AWS EC2 (Elastic Compute Cloud) + - GCP, Azure, Rackspace, Digital Ocean, Linode +- **PaaS**: AWS Elastic Beanstalk + - Heroku, Google App Engine (GCP), Windows Azure (Microsoft) +- **SaaS**: AWS Chime + - Google Apps (Gmail), Dropbox, Zoom + +### Pricing of the Cloud – Quick Overview + +AWS follows three fundamental pricing principles based on the pay-as-you-go pricing model: + +| **Fundamental** | **Description** | +|---------------------|-------------------------------------------------------------------------------------------------| +| **Compute** | Pay for the compute time you consume. Examples include EC2 instance hours or Lambda invocation duration. | +| **Storage** | Pay for the amount of data stored in the cloud. Examples include S3 storage space and EBS volume usage. | +| **Data Transfer OUT** | Pay for data transfer out of the cloud. Data transfer IN is free. This pricing structure solves the issue of expensive data transfer fees in traditional IT systems. | + +### How Cloud Pricing Solves Traditional IT Cost Issues + +- Traditional IT requires expensive upfront investments for hardware, maintenance, and upgrades. +- With AWS's pay-as-you-go model, you only pay for what you use, reducing overall costs. +- You can scale up or down based on demand, minimizing under-utilized resources. + +### AWS Cloud Use Cases + +1. **Web Hosting**: Host websites with elastic scaling and high availability. +2. **Big Data Analytics**: Run analytics on large datasets. +3. **Application Hosting**: Host applications with global accessibility and automated scaling. +4. **Disaster Recovery**: Implement disaster recovery strategies with minimized infrastructure. +5. **Backup and Storage**: Store backups in a highly durable and secure manner. + +## AWS Global Infrastructure + +### AWS Regions + +- Geographically isolated areas where AWS clusters data centers. +- Each region has multiple Availability Zones. 
+- Used to deploy applications close to customers for lower latency. + +### How to Choose an AWS Region? + +- **Latency**: Choose a region closest to your customers for lower latency. +- **Compliance**: Ensure the region meets data residency and compliance requirements. +- **Services Available**: Check which AWS services are offered in the region. +- **Pricing**: Prices vary by region, so choose a region that fits your cost requirements. + +### AWS Availability Zones (AZs) + +- Multiple, isolated data centers within a region. +- Each AZ has independent power, cooling, and networking. +- Provides redundancy and fault tolerance in case of a failure. +- They’re connected with high bandwidth, ultra-low latency networking + +### AWS Points of Presence (Edge Locations) + +- Network locations that deliver content closer to end users. +- Used by services like Amazon CloudFront and AWS Global Accelerator. +- Provides low latency and improved performance for content delivery. + +## AWS Shared Responsibility Model + +### What is the Shared Responsibility Model? + +- AWS and the customer share responsibility for security and compliance. +- Divides security tasks based on **AWS as the provider** and **customer as the user** of cloud services. + +### AWS Responsibilities: **Security *of* the Cloud** + +- AWS is responsible for protecting the infrastructure that runs all services offered in the AWS Cloud. +- Includes hardware, software, networking, and facilities: + - **Physical security** of data centers (e.g., access control, environmental controls). + - **Infrastructure** security, such as maintaining hypervisors, host operating systems, and network infrastructure. + - **Global network** operations, such as DDoS protection and monitoring. + +### Customer Responsibilities: **Security *in* the Cloud** + +- Customers are responsible for managing and securing what they put in the cloud. +- Includes: + - **Data protection**: Encrypt data in transit and at rest. 
+ - **IAM**: Control access through Identity and Access Management (IAM) roles, users, and policies. + - **OS and application configurations**: Maintain security of guest operating systems, applications, and firewall configurations. + - **Network settings**: Manage security group rules and network access control lists (NACLs). + - **Compliance**: Ensure compliance with regulations and standards based on data storage and usage. + +### Example Responsibilities for Different AWS Services + +| **Service Type** | **AWS Responsibility** | **Customer Responsibility** | +|--------------------------|----------------------------------------------------------|---------------------------------------------------------------------| +| **IaaS (e.g., EC2)** | Securing physical infrastructure, hypervisor, and network. | Configure and secure OS, patch management, data, and network settings. | +| **PaaS (e.g., RDS)** | Managing the database engine, backups, and patching. | Secure data at rest and in transit, manage DB access, and IAM roles. | +| **SaaS (e.g., S3)** | Protecting the service's underlying infrastructure. | Manage permissions, bucket policies, and data lifecycle rules. | + +### Summary + +- AWS handles security *of* the cloud, while customers manage security *in* the cloud. +- Understanding your responsibilities helps you implement appropriate security measures for your AWS environment. + +![Shared Responsibility Model](../images/Shared_Responsibility_Model.jpg) diff --git a/sections/iam.md b/sections/iam.md new file mode 100644 index 0000000..5f9ac55 --- /dev/null +++ b/sections/iam.md 
@@ -0,0 +1,161 @@ +# IAM: Identity Access & Management (IAM) + +- [IAM: Identity Access \& Management (IAM)](#iam-identity-access--management-iam) + - [What Is IAM?](#what-is-iam) + - [IAM: Users \& Groups](#iam-users--groups) + - [IAM: Permissions](#iam-permissions) + - [IAM Policies Inheritance](#iam-policies-inheritance) + - [IAM Policies Structure](#iam-policies-structure) + - [Example IAM Policy](#example-iam-policy) + - [IAM – Password Policy](#iam--password-policy) + - [Common Password Policy Settings:](#common-password-policy-settings) + - [IAM Roles for Services](#iam-roles-for-services) + - [IAM Security Tools](#iam-security-tools) + - [IAM Guidelines \& Best Practices](#iam-guidelines--best-practices) + - [Shared Responsibility Model for IAM](#shared-responsibility-model-for-iam) + +## What Is IAM? + +- **Identity and Access Management (IAM)** is a web service for securely controlling access to AWS resources. +- Allows you to manage: + - **Users**: Individual identities who interact with AWS services. + - **Groups**: Collection of IAM users with similar access permissions. + - **Roles**: Set of permissions to be assumed by AWS services or applications. + +### IAM: Users & Groups + +- **Users**: Represent individual identities that interact with AWS services. Users have unique credentials (username, password, access keys). +- **Groups**: Logical grouping of users to simplify permission management. + - Permissions assigned to a group are automatically inherited by its users. + +| **IAM Users** | **IAM Groups** | +|------------------------------------------------------------|----------------------------------------------------------| +| Unique identity for accessing AWS services. | Logical grouping of users to apply common permissions. | +| Each user has individual permissions based on policies. | Adding/removing users from groups automatically changes their permissions. | + +### IAM: Permissions + +- **Permissions** are defined using policies. 
+- Policies specify what actions are allowed or denied on specific resources. +- Policies can be attached to: + - **Users** + - **Groups** + - **Roles** + +### IAM Policies Inheritance + +- Policies are evaluated together for a user, including: + - **Directly attached policies**. + - **Group policies**. + - **Policies attached to roles**. +- If multiple policies apply, IAM combines them to evaluate the final permission set. + +| **Policy Type** | **Description** | +|---------------------------------|------------------------------------------------------------------------------------------------| +| **Inline Policies** | Directly attached to a single user, group, or role. | +| **Managed Policies** | Reusable policies created and maintained by AWS (AWS-managed) or the customer (Customer-managed). | +| **Group Inherited Policies** | Policies assigned to groups apply to all users in that group. | + +### IAM Policies Structure + +- Policies are JSON documents that define permissions. +- Key elements of a policy: + 1. **Version**: Policy language version (e.g., `2012-10-17`). + 2. **Statement**: Contains one or more permissions (allow or deny). + 3. **Action**: Specifies which AWS service actions are allowed or denied. + 4. **Resource**: Specifies the AWS resources to which the actions apply. + 5. **Effect**: Either `Allow` or `Deny`. + +#### Example IAM Policy + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:ListBucket", + "Resource": "arn:aws:s3:::example-bucket" + } + ] +} +``` + +### IAM – Password Policy + +- AWS allows you to define a **password policy** for IAM users to ensure strong security standards. +- You can enforce specific rules to make sure passwords are complex and secure. + +#### Common Password Policy Settings: + +1. **Minimum password length**: Set a minimum number of characters (e.g., at least 8 characters). +2. **Require specific character types**: + - Lowercase letters. + - Uppercase letters. 
+ - Numbers. + - Non-alphanumeric characters (special symbols like `!`, `@`, `#`). +3. **Prevent password reuse**: Enforce that new passwords cannot be the same as recently used passwords (e.g., prevent using the last 3 passwords). +4. **Password expiration**: Set the password to expire after a certain period (e.g., 90 days) to prompt users to change their passwords. +5. **Enable Multi-Factor Authentication (MFA)**: Enforce MFA for extra security, requiring both a password and a second authentication factor. + +### IAM Roles for Services + +- IAM roles are used to grant permissions to AWS services to perform actions on behalf of users or applications. +- Example use cases for IAM roles: + 1. An EC2 instance can assume a role to access S3 buckets without the need for storing long-term credentials. + 2. Lambda functions can use roles to interact with other AWS services without hardcoding access keys. + +### IAM Security Tools + +1. **IAM Credential Report**: + - A report that provides details about all IAM users in the AWS account, including the status of their passwords and access keys. + - Useful for auditing and reviewing user credentials. + +2. **IAM Access Advisor**: + - Shows service permissions granted to a user and indicates the last time those permissions were used. + - Helps identify unnecessary permissions that can be revoked for least privilege. + +3. **IAM Policy Simulator**: + - A tool that lets you test and validate the impact of IAM policies before applying them to users, groups, or roles. + - Helps to understand which actions are allowed or denied based on current policies. + +### IAM Guidelines & Best Practices + +1. **Follow the Principle of Least Privilege**: + - Grant only the permissions required to perform a specific task. + - Regularly review and adjust permissions as needed. + +2. **Enable Multi-Factor Authentication (MFA)**: + - Enforce MFA for privileged IAM users (e.g., admin accounts). 
+ - Adds an additional layer of security by requiring users to provide a code from an MFA device along with their password. + +3. **Use IAM Roles Instead of IAM Users for Applications**: + - Assign roles to AWS resources instead of using IAM user credentials in code or configuration files. + - Prevents security issues that could arise from accidental exposure of long-term credentials. + +4. **Rotate IAM Credentials Regularly**: + - Regularly rotate IAM access keys and passwords. + - Remove unused credentials to reduce risk. + +5. **Use AWS Managed Policies for Common Use Cases**: + - AWS provides a set of predefined managed policies that are regularly updated. + - Managed policies are designed for common use cases and provide a good starting point for granting permissions. + +### Shared Responsibility Model for IAM + +- **AWS Responsibility**: + - Protect the infrastructure that runs AWS services. + - Provide IAM service availability. + - Offer managed policies for common scenarios. + +- **Customer Responsibility**: + - Manage IAM users, groups, and roles. + - Configure IAM policies correctly and apply the principle of least privilege. + - Secure IAM credentials and enable MFA. + - Regularly audit permissions using tools like IAM Credential Report and Access Advisor. + +| **AWS Responsibility** | **Customer Responsibility** | +|-----------------------------------------------------------|---------------------------------------------------------------------------------------| +| Protect physical data centers and global infrastructure. | Manage and secure IAM user accounts and access keys. | +| Maintain the availability of IAM service. | Implement strong password policies and enable MFA. | +| Provide IAM managed policies for common scenarios. | Ensure IAM permissions are correctly configured and follow the principle of least privilege. |
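Review bot: In the README hunk at `@@ -9,6 +9,10 @@`, the new IAM entry lists only `- What Is IAM?` as its sub-bullet, while the `sections/iam.md` added in the same patch also covers users and groups, permissions and policy structure, the password policy, roles for services, security tools and best practices; mirror the `Cloud Computing` entry directly above it and list the major sections so the README stays a usable index. The link text `[IAM: Identity Access & Management]` should also match the expansion the body itself uses, `Identity and Access Management (IAM)`.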
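Review bot: The README hunk at `@@ -19,7 +23,7 @@` changes the heading level of the "Buy me a Coffee" line from `####` to `###`, which is unrelated to the subject "[Modify/Add] Update Cloud Computing and IAM Doc."; either mention it in the commit message or split it into its own commit so the history stays reviewable.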
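Review bot: In `sections/cloud_computing.md`, the row `| **SaaS (e.g., S3)** |` in the "Example Responsibilities for Different AWS Services" table contradicts the file's own SaaS definition ("Provides software applications over the internet on a subscription basis (e.g., AWS Chime)"); S3 is object storage consumed by builders, and AWS describes it as a managed (abstracted) service in its shared responsibility guidance, so relabel the row, for example `**Managed service (e.g., S3)**`, to avoid teaching an incorrect classification. The file also embeds `../images/Shared_Responsibility_Model.jpg`, but the diffstat lists only `README.md`, `sections/cloud_computing.md` and `sections/iam.md`, so confirm the image already exists in the repository or add it in this patch. Minor: the bullet `- They’re connected with high bandwidth, ultra-low latency networking` is missing its trailing period.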
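Review bot: In `sections/iam.md`, the "IAM Policies Inheritance" section misstates how permissions are evaluated: the line `- **Policies attached to roles**.` under "Policies are evaluated together for a user" is wrong, because a user's own identity policies are not merged with a role's policies; when a user or service assumes a role, the resulting session carries only the role's policies. The next line, `- If multiple policies apply, IAM combines them to evaluate the final permission set.`, should state the rule that matters for security: requests are denied by default, and an explicit `Deny` in any applicable policy overrides every `Allow`. Related, `**Group Inherited Policies**` in the Policy Type table is an attachment path, not a policy type (both inline and managed policies can be attached to a group), so that row belongs in the users/groups text rather than the type table. Under "Common Password Policy Settings:", item 5 `**Enable Multi-Factor Authentication (MFA)**` is not a setting of the account password policy; MFA is enabled per user, and the point is already covered by best practice 2, so drop it from this list to avoid suggesting the password policy can enforce it. Style: the heading `# IAM: Identity Access & Management (IAM)` repeats "IAM" and should read "Identity and Access Management (IAM)" as the body does, and the `#### Common Password Policy Settings:` heading should lose its trailing colon (the TOC anchor is generated from it).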