masterElmar/AWS-CCP-Notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

clous computing and iam doc added

Browse Source
This commit is contained in:
kananinirav
2022-08-07 20:21:14 +09:00
parent 2f40ad13b9
commit ba7abae8d5
3 changed files with 356 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
README.md
View File

@@ -1 +1,14 @@
# AWS-Certified-Cloud-Practitioner-Notes-
# AWS-Certified-Cloud-Practitioner-Notes
## AWS Cloud Practitioner exam
### Table of contents
- AWS Fundamentals
- [What is Cloud Computing?](/cloud_computing.md)
- [IAM: Identity Access & Management](/iam.md)
- [EC2: Virtual Machines](/iam.md)
### Contributors
Please feel free to contribute by making a Pull Request!

168
cloud_computing.md Normal file
View File

@@ -0,0 +1,168 @@
# What is Cloud Computing?
* Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources
* Through a cloud services platform with pay-as-you-go pricing
* You can provision exactly the right type and size of computing resources you need
* You can access as many resources as you need, almost instantly
* Simple way to access servers, storage, databases and a set of application services
* Amazon Web Services owns and maintains the network-connected hardware required for these application services, while you provision and use what you need via a web application.
## The Deployment Models of the Cloud
**Private Cloud:**
* Cloud services used by a single organization, not exposed to the public.
* Complete control
* Security for sensitive applications
* Meet specific business needs
**Public Cloud:**
* Cloud resources owned and operated by a thirdparty cloud service provider delivered over the Internet.
* Six Advantages of Cloud Computing
**Hybrid Cloud:**
* Keep some servers on premises and extend some capabilities to the Cloud
* Control over sensitive assets in your private infrastructure
* Flexibility and costeffectiveness of the public cloud
## The Five Characteristics of Cloud Computing
* **On-demand self service:**
* Users can provision resources and use them without human interaction from the service provider
* **Broad network access:**
* Resources available over the network, and can be accessed by diverse client platforms
* **Multi-tenancy and resource pooling:**
* Multiple customers can share the same infrastructure and applications with security and privacy
* Multiple customers are serviced from the same physical resources
* **Rapid elasticity and scalability:**
* Automatically and quickly acquire and dispose resources when needed
* Quickly and easily scale based on demand
* **Measured service:**
* Usage is measured, users pay correctly for what they have used
## Six Advantages of Cloud Computing
* **Trade capital expense (CAPEX) for operational expense (OPEX)**
* Pay On-Demand: dont own hardware
* Reduced Total Cost of Ownership (TCO) & Operational Expense (OPEX)
* **Benefit from massive economies of scale**
* Prices are reduced as AWS is more efficient due to large scale
* **Stop guessing capacity**
* Scale based on actual measured usage
* **Increase speed and agility**
* **Stop spending money running and maintaining data centers**
* **Go global in minutes:** leverage the AWS global infrastructure
## Problems solved by the Cloud
* **Flexibility:** change resource types when needed
* **Cost-Effectiveness:** pay as you go, for what you use
* **Scalability:** accommodate larger loads by making hardware stronger or adding additional nodes
* **Elasticity:** ability to scale out and scale-in when needed
* **High-availability and fault-tolerance:** build across data centers
* **Agility:** rapidly develop, test and launch software applications
## Types of Cloud Computing
* **Infrastructure as a Service (IaaS)**
* Provide building blocks for cloud IT
* Provides networking, computers, data storage space
* Highest level of flexibility
* Easy parallel with traditional on-premises IT
* **Platform as a Service (PaaS)**
* Removes the need for your organization to manage the underlying infrastructure
* Focus on the deployment and management of your applications
* **Software as a Service (SaaS)**
* Completed product that is run and managed by the service provider
## Example of Cloud Computing Types
* **Infrastructure as a Service:**
* Amazon EC2 (on AWS)
* GCP, Azure, Rackspace, Digital Ocean, Linode
* Platform as a Service:
* Elastic Beanstalk (on AWS)
* Heroku, Google App Engine (GCP), Windows Azure (Microsoft)
* Software as a Service:
* Many AWS services (ex: Rekognition for Machine Learning)
* Google Apps (Gmail), Dropbox, Zoom
## Pricing of the Cloud Quick Overview
* AWS has 3 pricing fundamentals, following the pay-as-you-go pricing model
* **Compute:**
* Pay for compute time
* **Storage:**
* Pay for data stored in the Cloud
* **Data transfer OUT of the Cloud:**
* Data transfer IN is free
* Solves the expensive issue of traditional IT
## AWS Cloud Use Cases
* AWS enables you to build sophisticated, scalable applications
* Applicable to a diverse set of industries
* Use cases include
* Enterprise IT, Backup & Storage, Big Data analytics
* Website hosting, Mobile & Social Apps
* Gaming
## AWS Global Infrastructure
* AWS Regions
* AWS Availability Zones
* AWS Data Centers
* AWS Edge Locations / Points of Presence
* <https://infrastructure.aws/>
## AWS Regions
* AWS has Regions all around the world
* Names can be us-east-1, eu-west-3…
* A region is a **cluster of data centers**
* **Most AWS services are region-scoped**
## How to choose an AWS Region?
If you need to launch a new application, where should you do it?
* **Compliance with data governance and legal requirements:** data never leaves a region without your explicit permission
* **Proximity to customers:** reduced latency
* **Available services within a Region:** new services and new features arent available in every Region
* **Pricing:** pricing varies region to region and is transparent in the service pricing page
## AWS Availability Zones
* Each region has many availability zones (usually 3, min is 2, max is 6). Example:
* ap-southeast-2a
* ap-southeast-2b
* ap-southeast-2c
* Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
* Theyre separate from each other, so that theyre isolated from disasters
* Theyre connected with high bandwidth, ultra-low latency networking
## AWS Points of Presence (Edge Locations)
* Amazon has 216 Points of Presence (205 Edge Locations & 11 Regional Caches) in 84 cities across 42 countries
* Content is delivered to end users with lower latency
## Tour of the AWS Console
* **AWS has Global Services:**
* Identity and Access Management (IAM)
* Route 53 (DNS service)
* CloudFront (Content Delivery Network)
* WAF (Web Application Firewall)
* **Most AWS services are Region-scoped:**
* Amazon EC2 (Infrastructure as a Service)
* Elastic Beanstalk (Platform as a Service)
* Lambda (Function as a Service)
* Rekognition (Software as a Service)
* **Region Table:** <https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services>
## Shared Responsibility Model diagram
* CUSTOMER = RESPONSIBILITY FOR THE SECURITY **IN** THE CLOUD
* AWS = RESPONSIBILITY FOR THE SECURITY **OF** THE CLOUD

174
iam.md Normal file
View File

@@ -0,0 +1,174 @@
# IAM: Identity Access & Management
## What Is IAM?
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
## IAM: Users & Groups
* IAM = Identity and Access Management, Global service
* **Root account** created by default, shouldnt be used or shared
* **Users** are people within your organization, and can be grouped
* **Groups** only contain users, not other groups
* Users dont have to belong to a group, and user can belong to multiple groups
## IAM: Permissions
* Users or Groups can be assigned JSON documents called policies
* These policies define the permissions of the users
* In AWS you apply the least privilege principle: dont give more permissions than a user needs
IAM Policies Structure
* Consists of
* Version: policy language version, always include “2012-10-17”
* Id: an identifier for the policy (optional)
* Statement: one or more individual statements (required)
* Statements consists of
* Sid: an identifier for the statement (optional)
* Effect: whether the statement allows or denies access (Allow, Deny)
* Principal: account/user/role to which this policy applied to
* Action: list of actions this policy allows or denies
* Resource: list of resources to which the actions applied to
* Condition: conditions for when this policy is in effect (optional)
Example:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*"
],
"Resource": "*"
}
]
}
```
## IAM Password Policy
* Strong passwords = higher security for your account
* In AWS, you can setup a password policy:
* Set a minimum password length
* Require specific character types:
* including uppercase letters
* lowercase letters
* numbers
* non-alphanumeric characters
* Allow all IAM users to change their own passwords
* Require users to change their password after some time (password expiration)
* Prevent password re-use
## Multi Factor Authentication - MFA
* Users have access to your account and can possibly change configurations or delete resources in your AWS account
* You want to protect your Root Accounts and IAM users
* MFA = password you know + security device you own
* Main benefit of MFA: if a password is stolen or hacked, the account is not compromised
## MFA devices options in AWS
* Virtual MFA device (Support for multiple tokens on a single device.)
* Google Authenticator (phone only)
* Authy (multi-device)
* Universal 2nd Factor (U2F) Security Key (Support for multiple root and IAM users using a single security key)
* YubiKey by Yubico (3rd party)
* Hardware Key Fob MFA Device
* Hardware Key Fob MFA Device for AWS GovCloud (US)
## How can users access AWS ?
* To access AWS, you have three options:
* AWS Management Console (protected by password + MFA)
* AWS Command Line Interface (CLI): protected by access keys
* AWS Software Developer Kit (SDK) - for code: protected by access keys
* Access Keys are generated through the AWS Console
* Users manage their own access keys
* Access Keys are secret, just like a password. Dont share them
* Access Key ID ~= username
* Secret Access Key ~= password
## Whats the AWS CLI?
* A tool that enables you to interact with AWS services using commands in your command-line shell
* Direct access to the public APIs of AWS services
* You can develop scripts to manage your resources
* Its open-source <https://github.com/aws/aws-cli>
* Alternative to using AWS Management Console
## Whats the AWS SDK?
* AWS Software Development Kit (AWS SDK)
* Language-specific APIs (set of libraries)
* Enables you to access and manage AWS services programmatically
* Embedded within your application
* Supports
* SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
* Mobile SDKs (Android, iOS, …)
* IoT Device SDKs (Embedded C, Arduino, …)
* Example: AWS CLI is built on AWS SDK for Python
## IAM Roles for Services
* Some AWS service will need to perform actions on your behalf
* To do so, we will assign permissions to AWS services with IAM Roles
* Common roles:
* EC2 Instance Roles
* Lambda Function Roles
* Roles for CloudFormation
## IAM Security Tools
* IAM Credentials Report (account-level)
* a report that lists all your account's users and the status of their various credentials
* IAM Access Advisor (user-level)
* Access advisor shows the service permissions granted to a user and when those services were last accessed.
* You can use this information to revise your policies.
## IAM Guidelines & Best Practices
* Dont use the root account except for AWS account setup
* One physical user = One AWS user
* **Assign users to groups** and assign permissions to groups
* Create a **strong password policy**
* Use and enforce the use of **Multi Factor Authentication (MFA)**
* Create and use Roles for giving permissions to AWS services
* Use Access Keys for Programmatic Access (CLI / SDK)
* Audit permissions of your account with the IAM Credentials Report
* **Never share IAM users & Access Keys**
## Shared Responsibility Model for IAM
AWS | YOU
---------- | ------------
Infrastructure (global network security) | Users, Groups, Roles, Policies management and monitoring
Configuration and vulnerability analysis | Enable MFA on all accounts
Compliance validation | Rotate all your keys often, Use IAM tools to apply appropriate permissions, Analyze access patterns & review permissions
## IAM Section Summary
* **Users:** mapped to a physical user, has a password for AWS Console
* **Groups:** contains users only
* **Policies:** JSON document that outlines permissions for users or groups
* **Roles:** for EC2 instances or AWS services
* **Security:** MFA + Password Policy
* **AWS CLI:** manage your AWS services using the command-line
* **AWS SDK:** manage your AWS services using a programming language
* **Access Keys:** access AWS using the CLI or SDK
* **Audit:** IAM Credential Reports & IAM Access Advisor