From ba7abae8d53b1e5984995a93069313c2b6f0f325 Mon Sep 17 00:00:00 2001
From: kananinirav <30398499+kananinirav@users.noreply.github.com>
Date: Sun, 7 Aug 2022 20:21:14 +0900
Subject: [PATCH] cloud computing and iam doc added
---
README.md | 15 +++-
cloud_computing.md | 168 +++++++++++++++++++++++++++++++++++++++++++
iam.md | 174 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 356 insertions(+), 1 deletion(-)
create mode 100644 cloud_computing.md
create mode 100644 iam.md
diff --git a/README.md b/README.md
index 167c281..b351f55 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,14 @@
-# AWS-Certified-Cloud-Practitioner-Notes-
\ No newline at end of file
+# AWS-Certified-Cloud-Practitioner-Notes
+
+## AWS Cloud Practitioner exam
+
+### Table of contents
+
+- AWS Fundamentals
+ - [What is Cloud Computing?](/cloud_computing.md)
+ - [IAM: Identity Access & Management](/iam.md)
+ - [EC2: Virtual Machines](/iam.md)
+
+### Contributors
+
+Please feel free to contribute by making a Pull Request!
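Review bot: the `EC2: Virtual Machines` entry in the table of contents links to `/iam.md`, the same target as the IAM entry, and this patch adds no EC2 document; either drop the entry until that file exists or point it at the intended path so the README does not ship a misleading link.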
diff --git a/cloud_computing.md b/cloud_computing.md
new file mode 100644
index 0000000..1ec4853
--- /dev/null
+++ b/cloud_computing.md
@@ -0,0 +1,168 @@
+# What is Cloud Computing?
+
+* Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources
+* Through a cloud services platform with pay-as-you-go pricing
+* You can provision exactly the right type and size of computing resources you need
+* You can access as many resources as you need, almost instantly
+* Simple way to access servers, storage, databases and a set of application services
+* Amazon Web Services owns and maintains the network-connected hardware required for these application services, while you provision and use what you need via a web application.
+
+## The Deployment Models of the Cloud
+
+**Private Cloud:**
+
+* Cloud services used by a single organization, not exposed to the public.
+* Complete control
+* Security for sensitive applications
+* Meet specific business needs
+
+**Public Cloud:**
+
+* Cloud resources owned and operated by a thirdparty cloud service provider delivered over the Internet.
+* Six Advantages of Cloud Computing
+
+**Hybrid Cloud:**
+
+* Keep some servers on premises and extend some capabilities to the Cloud
+* Control over sensitive assets in your private infrastructure
+* Flexibility and costeffectiveness of the public cloud
+
+## The Five Characteristics of Cloud Computing
+
+* **On-demand self service:**
+ * Users can provision resources and use them without human interaction from the service provider
+* **Broad network access:**
+ * Resources available over the network, and can be accessed by diverse client platforms
+* **Multi-tenancy and resource pooling:**
+ * Multiple customers can share the same infrastructure and applications with security and privacy
+ * Multiple customers are serviced from the same physical resources
+* **Rapid elasticity and scalability:**
+ * Automatically and quickly acquire and dispose resources when needed
+ * Quickly and easily scale based on demand
+* **Measured service:**
+ * Usage is measured, users pay correctly for what they have used
+
+## Six Advantages of Cloud Computing
+
+* **Trade capital expense (CAPEX) for operational expense (OPEX)**
+ * Pay On-Demand: don’t own hardware
+ * Reduced Total Cost of Ownership (TCO) & Operational Expense (OPEX)
+* **Benefit from massive economies of scale**
+ * Prices are reduced as AWS is more efficient due to large scale
+* **Stop guessing capacity**
+ * Scale based on actual measured usage
+* **Increase speed and agility**
+* **Stop spending money running and maintaining data centers**
+* **Go global in minutes:** leverage the AWS global infrastructure
+
+## Problems solved by the Cloud
+
+* **Flexibility:** change resource types when needed
+* **Cost-Effectiveness:** pay as you go, for what you use
+* **Scalability:** accommodate larger loads by making hardware stronger or adding additional nodes
+* **Elasticity:** ability to scale out and scale-in when needed
+* **High-availability and fault-tolerance:** build across data centers
+* **Agility:** rapidly develop, test and launch software applications
+
+## Types of Cloud Computing
+
+* **Infrastructure as a Service (IaaS)**
+ * Provide building blocks for cloud IT
+ * Provides networking, computers, data storage space
+ * Highest level of flexibility
+ * Easy parallel with traditional on-premises IT
+* **Platform as a Service (PaaS)**
+ * Removes the need for your organization to manage the underlying infrastructure
+ * Focus on the deployment and management of your applications
+* **Software as a Service (SaaS)**
+ * Completed product that is run and managed by the service provider
+
+## Example of Cloud Computing Types
+
+* **Infrastructure as a Service:**
+ * Amazon EC2 (on AWS)
+ * GCP, Azure, Rackspace, Digital Ocean, Linode
+* Platform as a Service:
+ * Elastic Beanstalk (on AWS)
+ * Heroku, Google App Engine (GCP), Windows Azure (Microsoft)
+* Software as a Service:
+ * Many AWS services (ex: Rekognition for Machine Learning)
+ * Google Apps (Gmail), Dropbox, Zoom
+
+## Pricing of the Cloud – Quick Overview
+
+* AWS has 3 pricing fundamentals, following the pay-as-you-go pricing model
+* **Compute:**
+ * Pay for compute time
+* **Storage:**
+ * Pay for data stored in the Cloud
+* **Data transfer OUT of the Cloud:**
+ * Data transfer IN is free
+* Solves the expensive issue of traditional IT
+
+## AWS Cloud Use Cases
+
+* AWS enables you to build sophisticated, scalable applications
+* Applicable to a diverse set of industries
+* Use cases include
+ * Enterprise IT, Backup & Storage, Big Data analytics
+ * Website hosting, Mobile & Social Apps
+ * Gaming
+
+## AWS Global Infrastructure
+
+* AWS Regions
+* AWS Availability Zones
+* AWS Data Centers
+* AWS Edge Locations / Points of Presence
+*
+
+## AWS Regions
+
+* AWS has Regions all around the world
+* Names can be us-east-1, eu-west-3…
+* A region is a **cluster of data centers**
+* **Most AWS services are region-scoped**
+
+## How to choose an AWS Region?
+
+If you need to launch a new application, where should you do it?
+
+* **Compliance with data governance and legal requirements:** data never leaves a region without your explicit permission
+* **Proximity to customers:** reduced latency
+* **Available services within a Region:** new services and new features aren’t available in every Region
+* **Pricing:** pricing varies region to region and is transparent in the service pricing page
+
+## AWS Availability Zones
+
+* Each region has many availability zones (usually 3, min is 2, max is 6). Example:
+ * ap-southeast-2a
+ * ap-southeast-2b
+ * ap-southeast-2c
+* Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
+* They’re separate from each other, so that they’re isolated from disasters
+* They’re connected with high bandwidth, ultra-low latency networking
+
+## AWS Points of Presence (Edge Locations)
+
+* Amazon has 216 Points of Presence (205 Edge Locations & 11 Regional Caches) in 84 cities across 42 countries
+* Content is delivered to end users with lower latency
+
+## Tour of the AWS Console
+
+* **AWS has Global Services:**
+ * Identity and Access Management (IAM)
+ * Route 53 (DNS service)
+ * CloudFront (Content Delivery Network)
+ * WAF (Web Application Firewall)
+* **Most AWS services are Region-scoped:**
+ * Amazon EC2 (Infrastructure as a Service)
+ * Elastic Beanstalk (Platform as a Service)
+ * Lambda (Function as a Service)
+ * Rekognition (Software as a Service)
+* **Region Table:**
+
+## Shared Responsibility Model diagram
+
+* CUSTOMER = RESPONSIBILITY FOR THE SECURITY **IN** THE CLOUD
+* AWS = RESPONSIBILITY FOR THE SECURITY **OF** THE CLOUD
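Review bot: the `* Six Advantages of Cloud Computing` bullet under **Public Cloud** is a stray cross-reference, not a property of the public cloud; it duplicates the later section heading and should be removed or replaced with the public-cloud traits it was meant to introduce. Two more loose ends in the same file: the empty `*` bullet that closes the AWS Global Infrastructure list, and the `**Region Table:**` bullet under Tour of the AWS Console with nothing after it (link the regional services table or drop the bullet). Minor: `thirdparty` and `costeffectiveness` are missing their hyphens.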
diff --git a/iam.md b/iam.md
new file mode 100644
index 0000000..29b3559
--- /dev/null
+++ b/iam.md
@@ -0,0 +1,174 @@
+# IAM: Identity Access & Management
+
+## What Is IAM?
+
+AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
+
+## IAM: Users & Groups
+
+* IAM = Identity and Access Management, Global service
+* **Root account** created by default, shouldn’t be used or shared
+* **Users** are people within your organization, and can be grouped
+* **Groups** only contain users, not other groups
+* Users don’t have to belong to a group, and user can belong to multiple groups
+
+## IAM: Permissions
+
+* Users or Groups can be assigned JSON documents called policies
+* These policies define the permissions of the users
+* In AWS you apply the least privilege principle: don’t give more permissions than a user needs
+
+IAM Policies Structure
+
+* Consists of
+ * Version: policy language version, always include “2012-10-17”
+ * Id: an identifier for the policy (optional)
+ * Statement: one or more individual statements (required)
+* Statements consists of
+ * Sid: an identifier for the statement (optional)
+ * Effect: whether the statement allows or denies access (Allow, Deny)
+ * Principal: account/user/role to which this policy applied to
+ * Action: list of actions this policy allows or denies
+ * Resource: list of resources to which the actions applied to
+ * Condition: conditions for when this policy is in effect (optional)
+
+Example:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "ec2:Describe*",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "elasticloadbalancing:Describe*",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudwatch:ListMetrics",
+ "cloudwatch:GetMetricStatistics",
+ "cloudwatch:Describe*"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+## IAM – Password Policy
+
+* Strong passwords = higher security for your account
+* In AWS, you can setup a password policy:
+ * Set a minimum password length
+ * Require specific character types:
+ * including uppercase letters
+ * lowercase letters
+ * numbers
+ * non-alphanumeric characters
+* Allow all IAM users to change their own passwords
+* Require users to change their password after some time (password expiration)
+* Prevent password re-use
+
+## Multi Factor Authentication - MFA
+
+* Users have access to your account and can possibly change configurations or delete resources in your AWS account
+* You want to protect your Root Accounts and IAM users
+* MFA = password you know + security device you own
+* Main benefit of MFA: if a password is stolen or hacked, the account is not compromised
+
+## MFA devices options in AWS
+
+* Virtual MFA device (Support for multiple tokens on a single device.)
+ * Google Authenticator (phone only)
+ * Authy (multi-device)
+* Universal 2nd Factor (U2F) Security Key (Support for multiple root and IAM users using a single security key)
+ * YubiKey by Yubico (3rd party)
+* Hardware Key Fob MFA Device
+* Hardware Key Fob MFA Device for AWS GovCloud (US)
+
+## How can users access AWS ?
+
+* To access AWS, you have three options:
+ * AWS Management Console (protected by password + MFA)
+ * AWS Command Line Interface (CLI): protected by access keys
+ * AWS Software Developer Kit (SDK) - for code: protected by access keys
+* Access Keys are generated through the AWS Console
+* Users manage their own access keys
+* Access Keys are secret, just like a password. Don’t share them
+* Access Key ID ~= username
+* Secret Access Key ~= password
+
+## What’s the AWS CLI?
+
+* A tool that enables you to interact with AWS services using commands in your command-line shell
+* Direct access to the public APIs of AWS services
+* You can develop scripts to manage your resources
+* It’s open-source
+* Alternative to using AWS Management Console
+
+## What’s the AWS SDK?
+
+* AWS Software Development Kit (AWS SDK)
+* Language-specific APIs (set of libraries)
+* Enables you to access and manage AWS services programmatically
+* Embedded within your application
+* Supports
+ * SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
+ * Mobile SDKs (Android, iOS, …)
+ * IoT Device SDKs (Embedded C, Arduino, …)
+* Example: AWS CLI is built on AWS SDK for Python
+
+## IAM Roles for Services
+
+* Some AWS service will need to perform actions on your behalf
+* To do so, we will assign permissions to AWS services with IAM Roles
+* Common roles:
+ * EC2 Instance Roles
+ * Lambda Function Roles
+ * Roles for CloudFormation
+
+## IAM Security Tools
+
+* IAM Credentials Report (account-level)
+* a report that lists all your account's users and the status of their various credentials
+* IAM Access Advisor (user-level)
+* Access advisor shows the service permissions granted to a user and when those services were last accessed.
+* You can use this information to revise your policies.
+
+## IAM Guidelines & Best Practices
+
+* Don’t use the root account except for AWS account setup
+* One physical user = One AWS user
+* **Assign users to groups** and assign permissions to groups
+* Create a **strong password policy**
+* Use and enforce the use of **Multi Factor Authentication (MFA)**
+* Create and use Roles for giving permissions to AWS services
+* Use Access Keys for Programmatic Access (CLI / SDK)
+* Audit permissions of your account with the IAM Credentials Report
+* **Never share IAM users & Access Keys**
+
+## Shared Responsibility Model for IAM
+
+AWS | YOU
+---------- | ------------
+Infrastructure (global network security) | Users, Groups, Roles, Policies management and monitoring
+Configuration and vulnerability analysis | Enable MFA on all accounts
+Compliance validation | Rotate all your keys often, Use IAM tools to apply appropriate permissions, Analyze access patterns & review permissions
+
+## IAM Section – Summary
+
+* **Users:** mapped to a physical user, has a password for AWS Console
+* **Groups:** contains users only
+* **Policies:** JSON document that outlines permissions for users or groups
+* **Roles:** for EC2 instances or AWS services
+* **Security:** MFA + Password Policy
+* **AWS CLI:** manage your AWS services using the command-line
+* **AWS SDK:** manage your AWS services using a programming language
+* **Access Keys:** access AWS using the CLI or SDK
+* **Audit:** IAM Credential Reports & IAM Access Advisor
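Review bot: the policy structure list presents `Principal` as a component of every statement, but identity-based policies such as the example that follows (attached to users or groups) must not contain a `Principal` element; it is used in resource-based policies and in role trust policies. Suggest qualifying the bullet, e.g. ` * Principal: account/user/role the statement applies to (resource-based policies only)`. Since the same section states the least-privilege principle, the example with `"Resource": "*"` deserves one sentence explaining that the wildcard is acceptable here only because every action granted is read-only (`Describe*`, `List*`, `Get*`). Formatting: `IAM Policies Structure` should be a heading like the rest of the file, the IAM Security Tools list interleaves tool names and their descriptions as sibling bullets (nest each description under its tool), and `Statements consists of` should read `Statements consist of`.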