AWS Cloud Foundations & IAM

Uploaded by burnerjdr
Module 1
What are availability zones (AZs)?

Availability zones (AZs) are isolated or separated data centers located within specific regions in which public cloud services originate and operate.

Cloud computing businesses typically have multiple worldwide availability zones. This helps ensure cloud customers have a stable connection to a cloud service in the geographic AZ that's closest to them.

Cloud service providers (CSPs) host their resources and data centers in multiple locations worldwide. Locations that are isolated from each other but close enough to have low-latency connections with each other are known as availability zones. AZs are parts of regions, and each AZ includes one or more data centers.
AWS Cloud Availability Zones

• An Availability Zone is a single Data Center or a group of Data Centers in a region.
• In an Availability Zone the Data Centers are located many miles apart from each other.
• Having them apart reduces the risk of them all going down if a disaster happens in the region.
• Simultaneously, the Data Center(s) are close enough to each other to have low latency.

https://aws.amazon.com/about-aws/global-infrastructure/
AWS Shared Responsibility Model

Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
The customer assumes responsibility and management of the guest
operating system (including updates and security patches), other
associated application software as well as the configuration of the
AWS provided security group firewall. Customers should carefully
consider the services they choose as their responsibilities vary
depending on the services used, the integration of those services into
their IT environment, and applicable laws and regulations. The nature
of this shared responsibility also provides the flexibility and customer
control that permits the deployment
AWS responsibility “Security of the Cloud”

AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Customer responsibility “Security in the Cloud”

Customer responsibility will be determined by the AWS Cloud services that a customer selects.
For example, a service such as Amazon Elastic Compute Cloud
(Amazon EC2) is categorized as Infrastructure as a Service (IaaS)
and, as such, requires the customer to perform all of the necessary
security configuration and management tasks. Customers that deploy
an Amazon EC2 instance are responsible for management of the
guest operating system (including updates and security patches), any
application software or utilities installed by the customer on the
instances, and the configuration of the AWS-provided firewall
(called a security group) on each instance.

Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.
AWS Shared Responsibility Model

Inherited Controls – Controls which a customer fully inherits from AWS. Example: Physical and Environmental controls.

Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:

• Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
• Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
Applying the AWS Shared Responsibility Model in Practice

• Determine external and internal security and related compliance requirements and objectives, and consider industry frameworks like the NIST Cybersecurity Framework (CSF) and ISO.
• Consider employing the AWS Cloud Adoption Framework (CAF) and Well-Architected best practices to plan and execute your digital transformation at scale.
• Review the security functionality and configuration options of individual AWS services within the security chapters of AWS service documentation.
• Review third-party audit attestation documents to determine inherited controls.
Identity and Access Management (IAM) in Amazon Web Services (AWS)

IAM manages Amazon Web Services (AWS) users and their access to AWS accounts and services. It controls the level of access a user has over an AWS account: it lets you create users, grant permissions, and allow a user to use different features of an AWS account.

Identity and access management is mainly used to manage users, groups, roles, and access policies.

The account we created to sign in to Amazon Web Services is known as the root account; it holds all the administrative rights and has access to all parts of the account.
How does IAM work?

IAM verifies that a user or service has the necessary authorization to access a particular service in the AWS cloud. We can also use IAM to grant the right level of access to specific users, groups, or services. For example, we can use IAM to enable an EC2 instance to access S3 buckets by granting it fine-grained permissions.
What Does IAM Do?

IAM Identities
IAM identities let us control which users can access which services and resources in the AWS Console, and we can assign policies to users, groups, and roles. IAM identities can be created using the root user.

IAM identities are classified as:

• IAM Users
• IAM Groups
• IAM Roles
What Does IAM Do?

Root user
The root user is created automatically and granted unrestricted rights. We can create an admin user with fewer powers to control the entire Amazon account.

IAM Users
IAM users can sign in to the AWS Console; their permissions differ from those of the root user, and we can keep track of each user's login information.
Example
With the aid of IAM users, we can accomplish our goal of giving a
specific person access to every service available in the Amazon
dashboard with only a limited set of permissions, such as read-only
access. Let’s say user-1 is a user that I want to have read-only
access to the EC2 instance and no additional permissions, such as
create, delete, or update.
What Does IAM Do?

IAM Groups
A group is a collection of users, and a single person can be a member of several groups. With the aid of groups, we can manage permissions for many users quickly and efficiently.

Example
Consider two users named user-1 and user-2. Suppose we want to grant user-1 specific permissions, such as the ability to delete, create, and update the auto-scaling group only, and we want to grant user-2 all the permissions needed to maintain the auto-scaling group as well as the ability to maintain EC2. We can create groups with those permissions and add each user to the appropriate group. If a new user is added, we add that user to the required group and they receive its permissions.
What Does IAM Do?

IAM Roles
Policies cannot be attached directly to the services accessible through the AWS console. IAM roles are similar to IAM users, except that a role is not tied to one person: it can be assumed by whoever needs it. By using roles, we can give one AWS service access rights to other AWS services.

Example
Consider Amazon EKS. In order to maintain an auto-scaling group, EKS needs access to EC2 instances. Since we can't attach policies directly to EKS, we must create a role, attach the necessary policies to that role, and then attach the role to EKS.
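The EKS role described above, written out as its two policy documents. This is an added example, not from the slide deck; the role name and the action list are hypothetical. It separates the trust policy (who may assume the role) from the permissions policy (what the role may do), which is the distinction the example above relies on.

```python
import fnmatch

# Added example, not from the slide deck: the EKS role above as its two policy
# documents. The trust policy says WHO may assume the role; the permissions
# policy says WHAT the role may do. Role name and action list are hypothetical.
EKS_CLUSTER_ROLE = {
    "RoleName": "eks-cluster-role",  # hypothetical
    "AssumeRolePolicyDocument": {    # trust policy: only the EKS service principal
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "eks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
    "PermissionsPolicy": {           # attached to the role, never to "EKS" itself
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "autoscaling:Describe*",
                       "autoscaling:UpdateAutoScalingGroup"],
            "Resource": "*",
        }],
    },
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def can_assume(role, service_principal):
    """True only if an Allow statement in the trust policy names this service."""
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if (stmt["Effect"] == "Allow" and service_principal in services
                and any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in actions)):
            return True
    return False  # no matching statement: implicit deny

def role_permits(role, action):
    """True if the permissions policy has an Allow statement matching the action."""
    return any(stmt["Effect"] == "Allow"
               and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
               for stmt in role["PermissionsPolicy"]["Statement"])
```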
What Does IAM Do?

IAM Policies

IAM policies manage access to AWS when attached to IAM identities or resources. A policy defines the permissions of AWS identities and AWS resources; when a user or any resource makes a request, AWS evaluates these policies and determines whether the request is allowed or denied.

AWS policies are stored in JSON format. The number of policies attached to a particular IAM identity depends on the number of permissions that identity requires.

An IAM identity can have multiple policies attached to it.
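The user-1 / user-2 setup from the IAM Users and IAM Groups examples above, as JSON-style policy documents with a simplified evaluator that applies the rule AWS uses for identity-based policies: an explicit Deny always wins, otherwise a matching Allow permits, otherwise the request is implicitly denied. This is an added example, not from the slide deck; the group names and the ec2:DeleteVpc guardrail statement are hypothetical.

```python
import fnmatch

# Added example, not from the slide deck: user-1 and user-2 from the Users and
# Groups examples, plus a simplified evaluator: explicit Deny wins, then Allow,
# otherwise implicit deny. Group names and the DeleteVpc guardrail are hypothetical.
EC2_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
ASG_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup"]}]}
EC2_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DeleteVpc", "Resource": "*"}]}  # guardrail

GROUPS = {"asg-admins": [ASG_ADMIN], "ec2-admins": [ASG_ADMIN, EC2_ADMIN]}
USERS = {  # user-1: read-only EC2 attached directly, ASG management via group
    "user-1": {"policies": [EC2_READ_ONLY], "groups": ["asg-admins"]},
    "user-2": {"policies": [], "groups": ["ec2-admins"]},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def effective_policies(user):
    """All documents that apply: attached directly plus inherited from groups."""
    docs = list(USERS[user]["policies"])
    for group in USERS[user]["groups"]:
        docs.extend(GROUPS[group])
    return docs

def is_allowed(user, action):
    """Identity-based evaluation only (no resource policies or conditions)."""
    allowed = False
    for doc in effective_policies(user):
        for stmt in doc["Statement"]:
            if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return False  # explicit deny overrides any allow
                allowed = True
    return allowed  # False here is the implicit deny
```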


IAM Features
Free of cost: the IAM feature of the AWS account is free to use; charges are added only when you access other AWS services using IAM users.
Centralized control over your AWS account: any creation of users or groups, or any form of cancellation, that takes place in the AWS account is controlled by you, and you have control over what data can be accessed by the user and how.
Grant permission to the user: as the root account holds administrative rights, users are granted permission to access certain services through IAM.
Multi-factor authentication: an additional layer of security is implemented on your account by a third party: a six-digit number that you have to enter along with your password when you log into your account.
Create a report on the
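How the six-digit MFA code mentioned above is produced. Virtual MFA devices that work with AWS implement time-based one-time passwords (TOTP, RFC 6238): an HMAC-SHA1 over a 30-second time counter, keyed with the secret shared when the device was registered. This is an added example, not from the slide deck; the secret is the RFC 6238 test-vector secret so the output can be checked, never a real one.

```python
import base64, hashlib, hmac, struct

# Added example, not from the slide deck: TOTP (RFC 6238) as used by virtual MFA
# devices. The secret is the RFC 6238 test-vector secret, chosen so the codes
# can be verified against the RFC; a real device secret is never reused like this.
SHARED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=30, digits=6):
    """The code a device shows at a given Unix time (30-second steps)."""
    return hotp(base64.b32decode(secret_b32), int(unix_time) // step, digits)

def verify(secret_b32, submitted, unix_time, window=1):
    """Server-side check: accept the current step or one step either side to
    tolerate clock skew, comparing in constant time. Returns True on a match."""
    candidates = [totp(secret_b32, unix_time + i * 30)
                  for i in range(-window, window + 1)]
    return any(hmac.compare_digest(c, submitted) for c in candidates)
```

Because the code depends only on the shared secret and the clock, a server validating MFA needs the registered secret, a synchronized clock, and a small skew window; it does not need to store or see the user's password.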
IAM best practices
