Slide-5 (AWS - IAM)

AWS Cloud History
• 2002: Internally launched
• 2003: Amazon infrastructure is one of their core strengths; idea to market
• 2004: Launched publicly with SQS
• 2006: Re-launched publicly with SQS, S3 & EC2
• 2007: Launched in Europe
AWS Cloud Number Facts
• In 2019, AWS had $35.02 billion in annual revenue
• AWS accounts for 47% of the market in 2019 (Microsoft is 2nd with 22%)
• Pioneer and Leader of the AWS Cloud Market for the 9th consecutive year
• Over 1,000,000 active users
Gartner Magic Quadrant
AWS Cloud Use Cases
• AWS enables you to build sophisticated, scalable applications
• Applicable to a diverse set of industries
• Use cases include
• Enterprise IT, Backup & Storage, Big Data analytics
• Website hosting, Mobile & Social Apps
• Gaming
AWS Global Infrastructure
• AWS Regions
• AWS Availability Zones
• AWS Data Centers
• AWS Edge Locations / Points of Presence
AWS Regions
• AWS has Regions all around the world
• Names can be us-east-1, eu-west-3 …
• A region is a cluster of data centers

• Most AWS services are region-scoped


How to choose an AWS Region?
If you need to launch a new application, where should you do it?
• Compliance with data governance and legal requirements: data never leaves a region without your explicit permission
• Proximity to customers: reduced latency
• Available services within a Region: new services and new features aren't available in every Region
• Pricing: pricing varies region to region and is transparent in the service pricing page
AWS Availability Zones
• Each region has many availability zones (usually 3, min is 2, max is 6). Example: AWS Region Sydney, ap-southeast-2:
• ap-southeast-2a
• ap-southeast-2b
• ap-southeast-2c
• Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
• They're separate from each other, so that they're isolated from disasters
• They're connected with high bandwidth, ultra-low latency networking
AWS Points of Presence (Edge Locations)
• Amazon has 216 Points of Presence (205 Edge Locations & 11 Regional Caches) in 84 cities across 42 countries
• Content is delivered to end users with lower latency
• AWS has Global Services:
• Identity and Access Management (IAM)
• Route 53 (DNS service)
• CloudFront (Content Delivery Network)
• WAF (Web Application Firewall)
• Most AWS services are Region-scoped:
• Amazon EC2 (Infrastructure as a Service)
• Elastic Beanstalk (Platform as a Service)
• Lambda (Function as a Service)
• Rekognition (Software as a Service)
• Region Table:
IAM Section
• Authentication:
• Authorization:

Authentication vs Authorization

Authentication: In the authentication process, the identity of users is checked before granting access to the system.
Authorization: In the authorization process, the person's or user's authorities are checked for accessing the resources.

Authentication: In the authentication process, users or persons are verified.
Authorization: In this process, users or persons are validated.

Authentication: It is done before the authorization process.
Authorization: This process is done after the authentication process.

Authentication: It usually needs the user's login details.
Authorization: It needs the user's privilege or security levels.

Authentication: Authentication determines whether the person is a user or not.
Authorization: It determines what permissions the user has.

Popular Authentication Techniques: Password-Based Authentication; Passwordless Authentication; 2FA/MFA (Two-Factor Authentication / Multi-Factor Authentication)
Popular Authorization Techniques: Role-Based Access Controls (RBAC); JSON Web Token (JWT) Authorization; SAML Authorization

Authentication: The authentication credentials can be changed in part as and when required by the user.
Authorization: The authorization permissions cannot be changed by the user, as these are granted by the owner of the system and only he/she has the access to change them.

Authentication: The user authentication is identified with username, password, face recognition, retina scan, fingerprints, etc.
Authorization: The user authorization is carried out through the access rights to resources by using roles that have been pre-defined.

Example (Authentication): Employees in a company are required to authenticate through the network before accessing their company email.
Example (Authorization): After an employee successfully authenticates, the system determines what information the employees are allowed to access.
IAM: Users & Groups
• IAM = Identity and Access Management, Global service
• Root account created by default, shouldn't be used or shared
• Users are people within your organization, and can be grouped
• Groups only contain users, not other groups
• Users don't have to belong to a group, and a user can belong to multiple groups
Diagram: Group Developers, Group Operations, Group Audit Team; users Alice, Bob, Charles, David, Edward, Fred


IAM: Permissions
• Users or Groups can be assigned JSON documents called policies
• These policies define the permissions of the users
• In AWS you apply the least privilege principle: don't give more permissions than a user needs
Example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
IAM Policies inheritance
Diagram: groups Audit Team, Developers, Operations with their policies; an inline policy on one user; users Alice, Bob, Charles, David, Edward, Fred

IAM Policies Structure
• Consists of
• Version: policy language version, always include "2012-10-17"
• Id: an identifier for the policy (optional)
• Statement: one or more individual statements (required)
• Statements consist of
• Sid: an identifier for the statement (optional)
• Effect: whether the statement allows or denies access (Allow, Deny)
• Principal: account/user/role to which this policy applies
• Action: list of actions this policy allows or denies
• Resource: list of resources to which the actions apply
• Condition: conditions for when this policy is in effect (optional)
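As an added example (not from the slides), a Python check that applies the structure rules above to a policy document and flags Allow statements that break the least-privilege principle from the Permissions slide. The read-only heuristic (Describe/Get/List verbs) and the over-broad counter-example policy are constructed assumptions, not AWS rules.

```python
import json

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# The read-only policy from the IAM Permissions slide above.
SLIDE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudwatch:ListMetrics",
     "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"], "Resource": "*"}]})

# Constructed counter-example: a wildcard and a mutating action on every resource.
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": ["s3:*", "ec2:TerminateInstances"], "Resource": "*"}]})

def _as_list(value):
    # Action and Resource may each be a single string or a list of strings.
    return [] if value is None else ([value] if isinstance(value, str) else list(value))

def _is_read_only(action):
    # "service:Verb*" counts as read-only when the verb starts with Describe/Get/List.
    return ":" in action and action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)

def lint_policy(policy_json):
    """Return structural and least-privilege findings for one IAM policy document."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be '2012-10-17'")
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    if not statements:
        findings.append("Statement is required")
    for i, st in enumerate(statements):
        sid = st.get("Sid", f"Statement[{i}]")
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        if not actions or not resources:
            findings.append(f"{sid}: Action and Resource are required")
        for action in actions if effect == "Allow" else []:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action '{action}' grants every API of the service")
            elif not _is_read_only(action) and "*" in resources:
                findings.append(f"{sid}: mutating action '{action}' on Resource '*' breaks least privilege")
    return findings
```

Running lint_policy(SLIDE_POLICY) returns no findings, while the constructed over-broad policy produces one finding per offending action.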
IAM – Password Policy
• Strong passwords = higher security for your account
• In AWS, you can set up a password policy:
• Set a minimum password length
• Require specific character types:
• including uppercase letters
• lowercase letters
• numbers
• non-alphanumeric characters
• Allow all IAM users to change their own passwords
• Require users to change their password after some time (password expiration)
• Prevent password re-use
Multi Factor Authentication - MFA
• Users have access to your account and can possibly change configurations or delete resources in your AWS account
• You want to protect your Root Accounts and IAM users
• MFA = password you know + security device you own
Diagram: Alice: Password + MFA device => Successful login
• Main benefit of MFA: if a password is stolen or hacked, the account is not compromised
MFA devices options in AWS
• Virtual MFA device: Google Authenticator (phone only), Authy (multi-device). Support for multiple tokens on a single device.
• Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party). Support for multiple root and IAM users using a single security key.
• Hardware Key Fob MFA Device: provided by Gemalto (3rd party)
• Hardware Key Fob MFA Device for AWS GovCloud (US): provided by SurePassID (3rd party)

How can users access AWS ?
• To access AWS, you have three options:
• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys
• AWS Software Developer Kit (SDK) - for code: protected by access keys
• Access Keys are generated through the AWS Console
• Users manage their own access keys
• Access Keys are secret, just like a password. Don’t share them
• Access Key ID ~= username
• Secret Access Key ~= password
Example (Fake) Access Keys
• Access key ID: AKIASK4E37PV4983d6C
• Secret Access Key: AZPN3zojWozWCndIjhB0Unh8239a1bzbzO5fqqkZq
• Remember: don't share your access keys
What’s the AWS CLI?
• A tool that enables you to interact with AWS services using commands
in your command-line shell
• Direct access to the public APIs of AWS services
• You can develop scripts to manage your resources
• It’s open-source https://github.com/aws/aws-cli
• Alternative to using AWS Management Console
What's the AWS SDK?
• AWS Software Development Kit (AWS SDK)
• Language-specific APIs (set of libraries)
• Enables you to access and manage AWS services programmatically
• Embedded within your application
• Supports
• SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
• Mobile SDKs (Android, iOS, … )
• IoT Device SDKs (Embedded C, Arduino, … )
• Example: AWS CLI is built on AWS SDK for Python
Diagram: the AWS SDK embedded within Your Application
IAM Roles for Services
• Some AWS services will need to perform actions on your behalf
• To do so, we will assign permissions to AWS services with IAM Roles
• Common roles:
• EC2 Instance Roles
• Lambda Function Roles
• Roles for CloudFormation
Diagram: an IAM Role attached to an EC2 Instance (virtual server), which uses it to access AWS
IAM Security Tools
• IAM Credentials Report (account-level)
• a report that lists all your account's users and the status of their various credentials
• IAM Access Advisor (user-level)
• Access advisor shows the service permissions granted to a user and when those services were last accessed.
• You can use this information to revise your policies.
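As an added example (not from the slides), Python that audits a credential report CSV for the weaknesses the slides warn about: an active root access key, console users without MFA, and stale or doubled access keys. The CSV is a constructed sample using a subset of the report's column names, and the 90-day rotation threshold is an assumed baseline.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of an IAM credential report (a subset of its columns;
# real reports also carry arn, last-used and key-2 rotation fields). Root is <root_account>.
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active
<root_account>,not_supported,true,true,2021-03-01T09:00:00+00:00,false
alice,true,true,false,N/A,false
bob,true,false,true,2024-05-20T12:00:00+00:00,false
deploy-bot,false,false,true,2022-11-02T08:30:00+00:00,true
"""

def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return one finding string per weakness; `now` must be timezone-aware."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key1, key2 = row["access_key_1_active"] == "true", row["access_key_2_active"] == "true"
        if user == "<root_account>":
            # Root should hold no access keys and must have MFA (Guidelines slide).
            if key1 or key2:
                findings.append(f"{user}: root has active access keys")
            if row["mfa_active"] != "true":
                findings.append(f"{user}: root without MFA")
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
        if key1:
            # Rotation timestamps in the report are ISO 8601 with a UTC offset.
            age = (now - datetime.fromisoformat(row["access_key_1_last_rotated"])).days
            if age > max_key_age_days:
                findings.append(f"{user}: access key 1 not rotated for {age} days")
        if key1 and key2:
            findings.append(f"{user}: two active access keys (rotation left unfinished)")
    return findings

def audit_sample():
    # Fixed clock so the sample audit is reproducible.
    return audit_credential_report(SAMPLE_REPORT, datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc))
```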
IAM Guidelines & Best Practices
• Don't use the root account except for AWS account setup
• One physical user = One AWS user
• Assign users to groups and assign permissions to groups
• Create a strong password policy
• Use and enforce the use of Multi Factor Authentication (MFA)
• Create and use Roles for giving permissions to AWS services
• Use Access Keys for Programmatic Access (CLI / SDK)
• Audit permissions of your account with the IAM Credentials Report
IAM – Summary
• Users: mapped to a physical user, has a password for AWS Console
• Groups: contains users only
• Policies: JSON document that outlines permissions for users or groups
• Roles: for EC2 instances or AWS services
• Security: MFA + Password Policy
• Access Keys: access AWS using the CLI or SDK
• Audit: IAM Credential Reports & IAM Access Advisor