[Modify/Add] Update Cloud Computing and IAM Doc.

This commit is contained in:
Kanani Nirav
2024-10-05 01:01:39 +09:00
parent d0afaf16c9
commit 2c80d9df87
3 changed files with 340 additions and 1 deletions


@@ -9,6 +9,10 @@
- [Mind Map for outlining essential topics](https://kananinirav.com/mind-map-aws-ccp.html) - [Mind Map for outlining essential topics](https://kananinirav.com/mind-map-aws-ccp.html)
- [Study Guide](./study-guide.md) - [Study Guide](./study-guide.md)
- [Cloud Computing](./sections/cloud_computing.md)
- What is Cloud Computing?, AWS Global Infrastructure, Shared Responsibility Model
- [IAM: Identity Access & Management](./sections/iam.md)
- What Is IAM?
## Practice Exams ( dumps ) ## Practice Exams ( dumps )
@@ -19,7 +23,7 @@
- [Microsoft Azure Fundamentals (AZ-900)](https://certification.kananinirav.com/az-900-microsoft-azure-fundamentals/) - [Microsoft Azure Fundamentals (AZ-900)](https://certification.kananinirav.com/az-900-microsoft-azure-fundamentals/)
- [Useful Cheat Sheet For Developers](https://certification.kananinirav.com/cheat-sheets/) - [Useful Cheat Sheet For Developers](https://certification.kananinirav.com/cheat-sheets/)
#### If you find the content of this website interesting and helpful, use the “Buy me a Coffee” link below to buy me a coffee ### If you find the content of this website interesting and helpful, use the “Buy me a Coffee” link below to buy me a coffee
<a href="https://www.buymeacoffee.com/kananinirav" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" alt="Buy Me A Coffee" height="41" width="174"></a> <a href="https://www.buymeacoffee.com/kananinirav" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/default-orange.png" alt="Buy Me A Coffee" height="41" width="174"></a>
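Review bot: The new IAM index entry's sub-bullet names only "What Is IAM?", while the Cloud Computing entry just above it summarises all three top-level sections of its file; list the topics that sections/iam.md actually adds (Users & Groups, Permissions and Policies, Password Policy, Roles for Services, Security Tools, Best Practices) so readers can reach them from the README. The heading-level change on the "Buy me a Coffee" line (`####` to `###`) is unrelated to the commit message; either mention it there or split it into its own commit.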

sections/cloud_computing.md Normal file

@@ -0,0 +1,174 @@
# Cloud Computing
- [Cloud Computing](#cloud-computing)
- [What is Cloud Computing?](#what-is-cloud-computing)
- [The Deployment Models of the Cloud](#the-deployment-models-of-the-cloud)
- [The Five Characteristics of Cloud Computing](#the-five-characteristics-of-cloud-computing)
- [Six Advantages of Cloud Computing](#six-advantages-of-cloud-computing)
- [Problems Solved by the Cloud](#problems-solved-by-the-cloud)
- [Types of Cloud Computing](#types-of-cloud-computing)
- [Example of Cloud Computing Types](#example-of-cloud-computing-types)
- [Pricing of the Cloud Quick Overview](#pricing-of-the-cloud--quick-overview)
- [How Cloud Pricing Solves Traditional IT Cost Issues](#how-cloud-pricing-solves-traditional-it-cost-issues)
- [AWS Cloud Use Cases](#aws-cloud-use-cases)
- [AWS Global Infrastructure](#aws-global-infrastructure)
- [AWS Regions](#aws-regions)
- [How to Choose an AWS Region?](#how-to-choose-an-aws-region)
- [AWS Availability Zones (AZs)](#aws-availability-zones-azs)
- [AWS Points of Presence (Edge Locations)](#aws-points-of-presence-edge-locations)
- [AWS Shared Responsibility Model](#aws-shared-responsibility-model)
- [What is the Shared Responsibility Model?](#what-is-the-shared-responsibility-model)
- [AWS Responsibilities: **Security *of* the Cloud**](#aws-responsibilities-security-of-the-cloud)
- [Customer Responsibilities: **Security *in* the Cloud**](#customer-responsibilities-security-in-the-cloud)
- [Example Responsibilities for Different AWS Services](#example-responsibilities-for-different-aws-services)
- [Summary](#summary)
## What is Cloud Computing?
Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources through a cloud services platform with pay-as-you-go pricing. It provides:
- Provisioning of exactly the right type and size of computing resources.
- Access to as many resources as needed, almost instantly.
- A simple way to access servers, storage, databases, and a set of application services.
- Amazon Web Services (AWS) owns and maintains the network-connected hardware, while you provision and use what you need via a web application.
### The Deployment Models of the Cloud
| **Private Cloud** | **Public Cloud** | **Hybrid Cloud** |
|----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
| Cloud services used by a single organization, not exposed to the public. | Cloud resources owned and operated by a third-party cloud service provider, delivered over the Internet. | Keep some servers on-premises and extend some capabilities to the cloud. |
| Complete control over data, security, and compliance. | Cost-effective as infrastructure is shared among multiple users. | Allows data and applications to be shared between private and public clouds. |
| Security for sensitive applications, ideal for critical workloads. | Suitable for less sensitive workloads that require high scalability and availability. | Offers flexibility, security, and scalability for different use cases. |
| Meet specific business needs and compliance requirements. | No maintenance required as the cloud provider manages the infrastructure. | Provides business continuity, disaster recovery, and data backup solutions. |
### The Five Characteristics of Cloud Computing
1. **On-demand self-service**: Provision computing resources as needed automatically.
2. **Broad network access**: Access cloud resources over the network using standard mechanisms.
3. **Resource pooling**: Providers serve multiple customers using a multi-tenant model.
4. **Rapid elasticity**: Resources can be scaled up or down rapidly.
5. **Measured service**: Resource usage is monitored and billed accordingly.
### Six Advantages of Cloud Computing
1. **Cost Savings**: Pay only for the computing power, storage, and other resources you use.
2. **Speed and Agility**: Quickly deploy services and resources.
3. **Scalability**: Easily scale resources up or down as needed.
4. **High Availability**: Highly available architecture for business continuity.
5. **Global Reach**: Access services from any geographical region.
6. **Security**: AWS provides robust security capabilities to protect your data.
### Problems Solved by the Cloud
- **High upfront costs**: Replaced by a pay-as-you-go model.
- **Scalability limitations**: Dynamic scaling to meet business demands.
- **Limited infrastructure availability**: Global infrastructure to support workloads.
### Types of Cloud Computing
| **Infrastructure as a Service (IaaS)** | **Platform as a Service (PaaS)** | **Software as a Service (SaaS)** |
|-------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|------------------------------------------------------------------------|
| Provides virtualized computing resources over the internet (e.g., AWS EC2). | Provides a platform allowing customers to develop, run, and manage applications (e.g., AWS Elastic Beanstalk). | Provides software applications over the internet on a subscription basis (e.g., AWS Chime). |
| Offers maximum control over the infrastructure. | Focus on deploying applications without managing underlying infrastructure. | Accessible over the internet, usually via a web browser. |
| Suitable for developers needing control over OS, middleware, and runtime. | Ideal for developers who want to focus on application development. | Suitable for users needing access to software without infrastructure management. |
### Example of Cloud Computing Types
- **IaaS**: AWS EC2 (Elastic Compute Cloud)
- GCP, Azure, Rackspace, Digital Ocean, Linode
- **PaaS**: AWS Elastic Beanstalk
- Heroku, Google App Engine (GCP), Windows Azure (Microsoft)
- **SaaS**: AWS Chime
- Google Apps (Gmail), Dropbox, Zoom
### Pricing of the Cloud Quick Overview
AWS follows three fundamental pricing principles based on the pay-as-you-go pricing model:
| **Fundamental** | **Description** |
|---------------------|-------------------------------------------------------------------------------------------------|
| **Compute** | Pay for the compute time you consume. Examples include EC2 instance hours or Lambda invocation duration. |
| **Storage** | Pay for the amount of data stored in the cloud. Examples include S3 storage space and EBS volume usage. |
| **Data Transfer OUT** | Pay for data transfer out of the cloud. Data transfer IN is free. This pricing structure solves the issue of expensive data transfer fees in traditional IT systems. |
### How Cloud Pricing Solves Traditional IT Cost Issues
- Traditional IT requires expensive upfront investments for hardware, maintenance, and upgrades.
- With AWS's pay-as-you-go model, you only pay for what you use, reducing overall costs.
- You can scale up or down based on demand, minimizing under-utilized resources.
### AWS Cloud Use Cases
1. **Web Hosting**: Host websites with elastic scaling and high availability.
2. **Big Data Analytics**: Run analytics on large datasets.
3. **Application Hosting**: Host applications with global accessibility and automated scaling.
4. **Disaster Recovery**: Implement disaster recovery strategies with minimized infrastructure.
5. **Backup and Storage**: Store backups in a highly durable and secure manner.
## AWS Global Infrastructure
### AWS Regions
- Geographically isolated areas where AWS clusters data centers.
- Each region has multiple Availability Zones.
- Used to deploy applications close to customers for lower latency.
### How to Choose an AWS Region?
- **Latency**: Choose a region closest to your customers for lower latency.
- **Compliance**: Ensure the region meets data residency and compliance requirements.
- **Services Available**: Check which AWS services are offered in the region.
- **Pricing**: Prices vary by region, so choose a region that fits your cost requirements.
### AWS Availability Zones (AZs)
- Multiple, isolated data centers within a region.
- Each AZ has independent power, cooling, and networking.
- Provides redundancy and fault tolerance in case of a failure.
- Theyre connected with high bandwidth, ultra-low latency networking
### AWS Points of Presence (Edge Locations)
- Network locations that deliver content closer to end users.
- Used by services like Amazon CloudFront and AWS Global Accelerator.
- Provides low latency and improved performance for content delivery.
## AWS Shared Responsibility Model
### What is the Shared Responsibility Model?
- AWS and the customer share responsibility for security and compliance.
- Divides security tasks based on **AWS as the provider** and **customer as the user** of cloud services.
### AWS Responsibilities: **Security *of* the Cloud**
- AWS is responsible for protecting the infrastructure that runs all services offered in the AWS Cloud.
- Includes hardware, software, networking, and facilities:
- **Physical security** of data centers (e.g., access control, environmental controls).
- **Infrastructure** security, such as maintaining hypervisors, host operating systems, and network infrastructure.
- **Global network** operations, such as DDoS protection and monitoring.
### Customer Responsibilities: **Security *in* the Cloud**
- Customers are responsible for managing and securing what they put in the cloud.
- Includes:
- **Data protection**: Encrypt data in transit and at rest.
- **IAM**: Control access through Identity and Access Management (IAM) roles, users, and policies.
- **OS and application configurations**: Maintain security of guest operating systems, applications, and firewall configurations.
- **Network settings**: Manage security group rules and network access control lists (NACLs).
- **Compliance**: Ensure compliance with regulations and standards based on data storage and usage.
### Example Responsibilities for Different AWS Services
| **Service Type** | **AWS Responsibility** | **Customer Responsibility** |
|--------------------------|----------------------------------------------------------|---------------------------------------------------------------------|
| **IaaS (e.g., EC2)** | Securing physical infrastructure, hypervisor, and network. | Configure and secure OS, patch management, data, and network settings. |
| **PaaS (e.g., RDS)** | Managing the database engine, backups, and patching. | Secure data at rest and in transit, manage DB access, and IAM roles. |
| **SaaS (e.g., S3)** | Protecting the service's underlying infrastructure. | Manage permissions, bucket policies, and data lifecycle rules. |
### Summary
- AWS handles security *of* the cloud, while customers manage security *in* the cloud.
- Understanding your responsibilities helps you implement appropriate security measures for your AWS environment.
![Shared Responsibility Model](../images/Shared_Responsibility_Model.jpg)
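Review bot: The table-of-contents link `#pricing-of-the-cloud--quick-overview` (double hyphen) does not match the heading `### Pricing of the Cloud Quick Overview`, which renders as `#pricing-of-the-cloud-quick-overview`; fix one or the other so the anchor resolves. Under "AWS Availability Zones (AZs)", the bullet `Theyre connected with high bandwidth, ultra-low latency networking` is missing its apostrophe and terminating period: `They're connected with high-bandwidth, ultra-low-latency networking.` In the "Example Responsibilities for Different AWS Services" table, the EC2 row's "patch management" can be read either way; say explicitly that guest OS patching is the customer's job while AWS patches the hypervisor, since that is the split readers most often get wrong.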

sections/iam.md Normal file

@@ -0,0 +1,161 @@
# IAM: Identity Access & Management (IAM)
- [IAM: Identity Access \& Management (IAM)](#iam-identity-access--management-iam)
- [What Is IAM?](#what-is-iam)
- [IAM: Users \& Groups](#iam-users--groups)
- [IAM: Permissions](#iam-permissions)
- [IAM Policies Inheritance](#iam-policies-inheritance)
- [IAM Policies Structure](#iam-policies-structure)
- [Example IAM Policy](#example-iam-policy)
- [IAM Password Policy](#iam--password-policy)
- [Common Password Policy Settings:](#common-password-policy-settings)
- [IAM Roles for Services](#iam-roles-for-services)
- [IAM Security Tools](#iam-security-tools)
- [IAM Guidelines \& Best Practices](#iam-guidelines--best-practices)
- [Shared Responsibility Model for IAM](#shared-responsibility-model-for-iam)
## What Is IAM?
- **Identity and Access Management (IAM)** is a web service for securely controlling access to AWS resources.
- Allows you to manage:
- **Users**: Individual identities who interact with AWS services.
- **Groups**: Collection of IAM users with similar access permissions.
- **Roles**: Set of permissions to be assumed by AWS services or applications.
### IAM: Users & Groups
- **Users**: Represent individual identities that interact with AWS services. Users have unique credentials (username, password, access keys).
- **Groups**: Logical grouping of users to simplify permission management.
- Permissions assigned to a group are automatically inherited by its users.
| **IAM Users** | **IAM Groups** |
|------------------------------------------------------------|----------------------------------------------------------|
| Unique identity for accessing AWS services. | Logical grouping of users to apply common permissions. |
| Each user has individual permissions based on policies. | Adding/removing users from groups automatically changes their permissions. |
### IAM: Permissions
- **Permissions** are defined using policies.
- Policies specify what actions are allowed or denied on specific resources.
- Policies can be attached to:
- **Users**
- **Groups**
- **Roles**
### IAM Policies Inheritance
- Policies are evaluated together for a user, including:
- **Directly attached policies**.
- **Group policies**.
- **Policies attached to roles**.
- If multiple policies apply, IAM combines them to evaluate the final permission set.
| **Policy Type** | **Description** |
|---------------------------------|------------------------------------------------------------------------------------------------|
| **Inline Policies** | Directly attached to a single user, group, or role. |
| **Managed Policies** | Reusable policies created and maintained by AWS (AWS-managed) or the customer (Customer-managed). |
| **Group Inherited Policies** | Policies assigned to groups apply to all users in that group. |
### IAM Policies Structure
- Policies are JSON documents that define permissions.
- Key elements of a policy:
1. **Version**: Policy language version (e.g., `2012-10-17`).
2. **Statement**: Contains one or more permissions (allow or deny).
3. **Action**: Specifies which AWS service actions are allowed or denied.
4. **Resource**: Specifies the AWS resources to which the actions apply.
5. **Effect**: Either `Allow` or `Deny`.
#### Example IAM Policy
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example-bucket"
}
]
}
```
### IAM Password Policy
- AWS allows you to define a **password policy** for IAM users to ensure strong security standards.
- You can enforce specific rules to make sure passwords are complex and secure.
#### Common Password Policy Settings:
1. **Minimum password length**: Set a minimum number of characters (e.g., at least 8 characters).
2. **Require specific character types**:
- Lowercase letters.
- Uppercase letters.
- Numbers.
- Non-alphanumeric characters (special symbols like `!`, `@`, `#`).
3. **Prevent password reuse**: Enforce that new passwords cannot be the same as recently used passwords (e.g., prevent using the last 3 passwords).
4. **Password expiration**: Set the password to expire after a certain period (e.g., 90 days) to prompt users to change their passwords.
5. **Enable Multi-Factor Authentication (MFA)**: Enforce MFA for extra security, requiring both a password and a second authentication factor.
### IAM Roles for Services
- IAM roles are used to grant permissions to AWS services to perform actions on behalf of users or applications.
- Example use cases for IAM roles:
1. An EC2 instance can assume a role to access S3 buckets without the need for storing long-term credentials.
2. Lambda functions can use roles to interact with other AWS services without hardcoding access keys.
### IAM Security Tools
1. **IAM Credential Report**:
- A report that provides details about all IAM users in the AWS account, including the status of their passwords and access keys.
- Useful for auditing and reviewing user credentials.
2. **IAM Access Advisor**:
- Shows service permissions granted to a user and indicates the last time those permissions were used.
- Helps identify unnecessary permissions that can be revoked for least privilege.
3. **IAM Policy Simulator**:
- A tool that lets you test and validate the impact of IAM policies before applying them to users, groups, or roles.
- Helps to understand which actions are allowed or denied based on current policies.
### IAM Guidelines & Best Practices
1. **Follow the Principle of Least Privilege**:
- Grant only the permissions required to perform a specific task.
- Regularly review and adjust permissions as needed.
2. **Enable Multi-Factor Authentication (MFA)**:
- Enforce MFA for privileged IAM users (e.g., admin accounts).
- Adds an additional layer of security by requiring users to provide a code from an MFA device along with their password.
3. **Use IAM Roles Instead of IAM Users for Applications**:
- Assign roles to AWS resources instead of using IAM user credentials in code or configuration files.
- Prevents security issues that could arise from accidental exposure of long-term credentials.
4. **Rotate IAM Credentials Regularly**:
- Regularly rotate IAM access keys and passwords.
- Remove unused credentials to reduce risk.
5. **Use AWS Managed Policies for Common Use Cases**:
- AWS provides a set of predefined managed policies that are regularly updated.
- Managed policies are designed for common use cases and provide a good starting point for granting permissions.
### Shared Responsibility Model for IAM
- **AWS Responsibility**:
- Protect the infrastructure that runs AWS services.
- Provide IAM service availability.
- Offer managed policies for common scenarios.
- **Customer Responsibility**:
- Manage IAM users, groups, and roles.
- Configure IAM policies correctly and apply the principle of least privilege.
- Secure IAM credentials and enable MFA.
- Regularly audit permissions using tools like IAM Credential Report and Access Advisor.
| **AWS Responsibility** | **Customer Responsibility** |
|-----------------------------------------------------------|---------------------------------------------------------------------------------------|
| Protect physical data centers and global infrastructure. | Manage and secure IAM user accounts and access keys. |
| Maintain the availability of IAM service. | Implement strong password policies and enable MFA. |
| Provide IAM managed policies for common scenarios. | Ensure IAM permissions are correctly configured and follow the principle of least privilege. |
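Review bot: The "IAM Policies Inheritance" section says that when multiple policies apply "IAM combines them to evaluate the final permission set", but it omits the rule that actually decides the outcome: every request is implicitly denied by default, an explicit `Deny` in any applicable policy overrides every `Allow`, and a request succeeds only if some policy allows it and none denies it. Add that sentence, since it is the part of policy evaluation that matters for security. In the same list, "Policies attached to roles" do not contribute to a user's own permissions; they apply only after the role is assumed, at which point the role's policies are evaluated instead of the user's. Two smaller points: item 5 under "Common Password Policy Settings" lists MFA, but MFA is not a setting of the IAM account password policy (it is enabled per user and enforced through policy conditions), so it belongs only in the best-practices section where it already appears; and the TOC anchor `#iam--password-policy` (double hyphen) does not match the heading `### IAM Password Policy`, which renders as `#iam-password-policy`.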