marc:linux:aws:solutionsarchitect
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| marc:linux:aws:solutionsarchitect [2023/02/21 10:13] – [IAM Exam tips] marcv | marc:linux:aws:solutionsarchitect [2023/03/02 11:20] (current) – [S3 Characteristics] marcv | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | --- // | ||
| ====== AWS Certified Solutions Architect ====== | ====== AWS Certified Solutions Architect ====== | ||
| Line 187: | Line 188: | ||
| {{: | {{: | ||
| + | |||
| + | :!: An explicit deny will always override an allow! Reference Documentation: | ||
| ==== IAM Building Blocks ==== | ==== IAM Building Blocks ==== | ||
| - | - Users: a physical person | + | - **Users**: a physical person |
| - | - Groups: Functions, such as administrators, | + | - **Groups**: Functions, such as administrators, |
| - | - Roles: Internal usage within AWS, allows 1 part of AWS to access another part of AWS (i.e. an S3 bucket that needs to be available to an EC2 instance) | + | - **Roles**: Internal usage within AWS, allows 1 part of AWS to access another part of AWS (i.e. an S3 bucket that needs to be available to an EC2 instance) |
| ==== Creating a User ==== | ==== Creating a User ==== | ||
| Line 228: | Line 231: | ||
| - SAML; your Windows AD (Active Directory) server. You need to create a trust between your AWS account and Active Directory Federation Services or | - SAML; your Windows AD (Active Directory) server. You need to create a trust between your AWS account and Active Directory Federation Services or | ||
| - OpenID Connect | - OpenID Connect | ||
| + | |||
| + | |||
| + | ==== Steps to secure your AWS root account ==== | ||
| + | |||
| + | - Enable multi-factor authentication (MFA)on the root account | ||
| + | - Create an admin group for you administrators and assign the appropriate permissions to this group | ||
| + | - Create user accounts for your administrators (and power users) | ||
| + | - Add your users to the admin (and power user) group. | ||
| + | |||
| + | :!: The reason I mention power users here is that they can anything accept IAM. They might be called functional admins. | ||
| + | |||
| ==== IAM Exam tips ==== | ==== IAM Exam tips ==== | ||
| + | * IAM is Universal; it does not apply to regions. | ||
| + | * The root account is created on first setting up AWS and it has complete admin access. Secure it as soon as possible and **do not** use it to log in day to day. | ||
| + | * New Users: no permissions when created | ||
| * Assign permission using IAM Policy Documents consisting of JSON (JavaScript Object Notation) | * Assign permission using IAM Policy Documents consisting of JSON (JavaScript Object Notation) | ||
| * Assign policy documents to groups when possible | * Assign policy documents to groups when possible | ||
| Line 235: | Line 252: | ||
| * Following the principle of least privilege, a newly created user does **NOT** have **ANY permissions** if not assigned by an administrator | * Following the principle of least privilege, a newly created user does **NOT** have **ANY permissions** if not assigned by an administrator | ||
| * **Access Key ID** and **Secret Access Key** can only be viewed **upon creation** so be sure to store them in a safe place | * **Access Key ID** and **Secret Access Key** can only be viewed **upon creation** so be sure to store them in a safe place | ||
| + | * Do **not** use the root account for anything other than managing permissions. Create a user within a admin group to assign permission etc | ||
| + | * The only difference between root user and a user with full admin permissions is that an admin user cannot delete a root user. The root user can delete all users. | ||
| + | * Access key ID and secret keys are not the same as usernames and passwords. They are used for programmatic and API access | ||
| + | * You only get to view keys once! | ||
| + | * Set up password rotations. You can create your own policies | ||
| + | * IAM Federation: Combine existing account with AWS using SAML with Active Directory setting up a trust, or use OpenID | ||
| + | * An explicit deny will always override an allow! Reference Documentation: | ||
| + | |||
| + | ===== S3 (Simple Storage Service) ===== | ||
| + | |||
| + | * S3 provides **Object** storage in a secure, durable, highly scalable way. | ||
| + | * Upload any file type you can think of to S3 | ||
| + | * Examples include photos, videos, code, documents etc | ||
| + | * Can **NOT** be used to run operating systems or databases | ||
| + | * It allows you to store and retrieve **any amount of data from anywhere** on the web at a very low cost. | ||
| + | * Amazon S3 is easy to use with a simple web service interface | ||
| + | |||
| + | |||
| + | ==== S3 Basics ==== | ||
| + | |||
| + | * Unlimited Storage" | ||
| + | * Objects up to 5TB in size | ||
| + | * Objects are stored in S3 Buckets (similar to directories) | ||
| + | * S3 buckets need to be uniquely named: all AWS accounts share the S3 namespace so each S3 Bucket name is **globally unique** | ||
| + | * Example S3 URLS: | ||
| + | - https:// | ||
| + | - https:// | ||
| + | * Uploading files; when you upload a file to an S3 bucket you will receive an **HTTP 200** code if successful | ||
| + | * An S3 Object consists of: | ||
| + | * **Key**; the name of the object (picture.jpg) | ||
| + | * **Value**: The data itself which is made up of a sequence of bytes | ||
| + | * **Version ID**: Important for storing multiple versions of the same object | ||
| + | * **Metadata**: | ||
| + | * S3 is a safe place to store your files; the data is spread across **multiple devices and facilities** to ensure **availability** and ** durability** | ||
| + | * Availability: | ||
| + | * Durability: 99.999999999% (9 decimal places) **durability** for data stored in S3 (meaning data will be stored safely) | ||
| + | |||
| + | ==== S3 Characteristics ==== | ||
| + | |||
| + | * Tiered Storage: S3 offers a range of storage classes designed for different use cases | ||
| + | * Lifecycle Management: Define rules to automatically transition objects to a cheaper storage tier or delete objects that are no longer required after a set period of time | ||
| + | * Versioning: with versioning, all versions of an object are stored and can be retrieved, **including deleted objects** | ||
| + | * Securing your data: | ||
| + | - Server-Side Encryption: You can set default encryption on a bucket to encrypt all **new** objects when they are stored in the bucket | ||
| + | - Access Control Lists (ACLs): define which AWS accounts or groups are granted access **AND** the type of access. You can attach S3 ACLs **only to individual objects within a bucket!** | ||
| + | - Bucket Policies: S3 bucket policies specify what actions are allowed or denied, e.g. allow user Alice to **PUT** but not **DELETE** objects in the bucket. These buckets are (like IAM policies) written in JSON and attached to buckets. They function on the **whole bucket!** For finer grained permissions you use the ACLs | ||
| + | - Strong Read-After-Write Consistency: | ||
| + | - After a successful write of a new object (PUT) or an overwrite of an existing object, any subsequent read request immediately receives the latest version of the object | ||
| + | - Strong consistency for list operations, so after a write you can immediately perform a listing of the objects in a bucket with all changes reflected | ||
| + | |||
| + | |||
| + | ==== Object Policies vs ACLs ==== | ||
| + | |||
| + | Object policies are given on the **bucket level**; all objects in the buckets get the same Object Policy and its permissions | ||
| + | |||
| + | ACLs are given on *individual objects**. Giving an ACL on 1 object in a bucket does not affect the other object in the same bucket. | ||
| + | |||
| + | :!: To make objects publically available, you need to configure both Object Policies and ACL on each object! | ||
| + | |||
| + | ==== S3 Tiers ==== | ||
| + | |||
| + | * S3 Standard: | ||
| + | * High Availability and Durability: | ||
| + | * Data is stored redundantly across multiple devices in multiple facilities (>=3 AZ's) | ||
| + | * 99.99% availability | ||
| + | * 99.999999999% durability (11 9's) | ||
| + | * Designed for Frequent Access; perfect for frequently accessed data | ||
| + | * Suitable for most workloads: | ||
| + | * The default storage class | ||
| + | * Use cases include websites, content distribution, | ||
| + | |||
| + | |||
| + | |||
| + | ==== S3 Exam tips ==== | ||
| - | ===== testing ===== | + | * S3 is object based which allows you to upload files |
| - | test | + | * Files up to 5Tb |
| + | * Not OS or DB storage | ||
| + | * Unlimited storage | ||
| + | * S3 is a Universal Namespace! | ||
| + | * Successful CLI or API uploads generate an HTTP 200 status code | ||
| + | * S3 objects consist of | ||
| + | - KEY (object name) | ||
| + | - VALUE (data itself) | ||
| + | - Version ID | ||
| + | - Meta data | ||
marc/linux/aws/solutionsarchitect.1676970801.txt.gz · Last modified: (external edit)
