Monday, September 24, 2018

AWS - concepts and features

AWS has stood on top among the *aaS (infrastructure, platform and software as a service) cloud providers. It is one of the prime reasons why so many startups can spin up and have an IT system running in no time...

Some AWS concepts are explained below -

IAM - Identity and Access Management - this is the authentication and authorization system for an AWS account. Needed for security, identity and compliance, and for segregation of duties.

Features -
  • Centralized access control over the AWS account
  • Shared access to the AWS account (many users, none of them using the root credentials)
  • Access for a program or for a person (access keys for API/CLI use, a password for console use)
  • Granular access (per action, per resource)
  • Password rotation policy
  • Multifactor authentication - this can be set up in 3 ways - a. virtual device b. hardware device c. SMS. Option c was a preview feature that AWS announced it is withdrawing in 2019, so do not build on it. Option b costs money (a physical token). Option a is free: install a TOTP token-generating mobile app, e.g. Google Authenticator, and add the AWS account there.
  • Identity federation (web identity providers such as Google or Facebook, or a corporate directory such as Active Directory via SAML :))
  • Supports PCI-DSS compliance
  • Integrates with many other AWS services
Terms:
  • Users and User Groups (say an admin group, a dev group, an hr group); a user inherits the policies attached to its groups
  • Roles (assumed by AWS services such as an EC2 instance, by users of another account, or by federated identities; a role has no long-term credentials, callers get temporary ones)
  • Resources (e.g. an EC2 instance, an S3 bucket, an RDS instance), each identified by an ARN
  • Permissions (set of policies attached to a user, group or role)
  • Policy - technical representation (in JSON) of an entitlement telling what actions can be done on what resources.
         Example of a policy (it allows all actions on all resources, i.e. admin-level permission, the same thing the AdministratorAccess managed policy grants):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

AWS comes with a lot of pre-canned (AWS managed) policies for almost all AWS services, so all we need to do is create a user, optionally put him/her in a group, and attach policies to the user or, better, to the group. Pick the narrowest managed policy that does the job (or write a custom one) rather than handing out AdministratorAccess.

Region:

Select a region which is close to you. Some AWS services are not available in every region, so the region may need to change.
  • IAM is universal (global) and not region dependent.
A few more IAM points:
  • The root account has complete admin access and cannot be restricted by a policy, so it should not be used for day-to-day work.
  • A new user has NO permissions to start with (everything is implicitly denied). If programmatic access is enabled, an Access Key ID and Secret Access Key are generated; these are used to access AWS via the command line or the APIs. The secret key is shown only once, at creation, and cannot be retrieved later; if it is lost, deactivate that key and generate a new one.
  • Always set up MFA on the root account.
  • You can create and customize password strength and rotation policies.
  • The PowerUserAccess managed policy allows access to all AWS services except management of users and groups within IAM (it is an Allow with a NotAction that excludes iam:*, organizations:* and account:*).
AWS S3 - Simple Storage Service. It is object storage as a service, not a file system: there is no real directory tree, "folders" are just key prefixes.

  • It is object-based storage. Files and documents are stored as objects. You simply upload them over HTTPS (PUT) and fetch them back (GET).
  • Object size can be from 0 bytes to 5 TB. A single PUT is limited to 5 GB; anything larger goes through multipart upload.
  • Unlimited storage.
  • Objects are stored in buckets. Bucket names live in a universal (global) namespace, so a name must be unique across all AWS accounts. Objects are addressed through the regional endpoint, e.g. https://s3-eu-west-1.amazonaws.com/bucket-name/key
  • Data consistency - read-after-write consistency for PUTs of new objects; eventual consistency for overwrite PUTs and DELETEs. S3 replicates across multiple availability zones, so a read right after an overwrite or delete may return the old data (a stale read) because of replication latency.
  • S3 is an object-based key value store: an object consists of Key, Value (the data), Metadata, Version ID, and sub-resources (ACLs, torrent).
  • Availability: designed for 99.99% availability; the SLA commits to 99.9%.
  • Durability: 11 9s (99.999999999%) durability.
  • Tiered storage classes, lifecycle management, versioning, encryption, and securing using ACLs and bucket policies (bucket policies are the preferred mechanism, ACLs the older one).
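The IAM policy document shown above and the S3 bucket policies mentioned in the last bullet are both evaluated by the same rules: a matching explicit Deny always wins, otherwise a matching Allow grants the request, otherwise the request is implicitly denied (which is why a new user can do nothing). The following is an added example, not AWS code and not from the original post: a small evaluator for that subset of the policy language (Effect, Action, Resource, and a Bool Condition), run over the page's admin policy, a constructed least-privilege developer policy, and a constructed bucket policy that refuses plaintext HTTP. The bucket name, ARNs and policies are made up; Principal, NotAction, NotResource, permission boundaries and the other condition operators are deliberately not modelled.

```python
"""Simplified IAM/S3 policy evaluator (added example, not AWS code).

Models only Effect, Action, Resource and the Bool condition operator.
Principal, NotAction, NotResource, boundaries and SCPs are not modelled;
assume every policy applies to the requesting principal.
"""
import re

# The admin policy from the page: everything on everything.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed least-privilege identity policy for a developer:
# list one bucket, read and write objects in it, nothing else.
DEV_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
    ],
}

# Constructed resource-based bucket policy: deny any S3 call that
# arrives over plaintext HTTP (aws:SecureTransport is "false").
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-app-bucket",
                      "arn:aws:s3:::example-app-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _glob(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Only the Bool operator is modelled; a missing context key never matches.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    # Action names are case-insensitive; ARNs are matched case-sensitively.
    if not any(_glob(p, action, True) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(_glob(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny'.

    IAM order: any matching Deny wins; otherwise any matching Allow wins;
    otherwise the request is implicitly denied.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-bucket/reports/q3.csv"
    tls = {"aws:SecureTransport": "true"}
    print(evaluate([], "s3:GetObject", obj, tls))                                        # implicit_deny
    print(evaluate([DEV_IDENTITY_POLICY, BUCKET_POLICY], "s3:GetObject", obj, tls))      # allow
    print(evaluate([DEV_IDENTITY_POLICY, BUCKET_POLICY], "s3:DeleteObject", obj, tls))   # implicit_deny
    print(evaluate([ADMIN_POLICY, BUCKET_POLICY], "s3:GetObject", obj,
                   {"aws:SecureTransport": "false"}))                                    # explicit_deny
```

The last call is the point of the exercise: even the all-powerful admin policy from the page is overridden by the bucket's explicit Deny, because Deny is checked before any Allow. The developer policy shows the opposite side of the same rule: nothing it does not mention (s3:DeleteObject, another bucket) is reachable, without any Deny statement at all.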
