AWS Region
cluster of data centers
π‘ TIP: Most AWS services are region-scoped
How to choose an AWS Region?
- π Compliance with data governance & legal requirements: data never leaves a region without your explicit permission
- π Proximity to customers: reduced latency
- β Available services within a Region: new services & features are NOT available in every region
- π° Pricing: priving varies region to region & transparent on service pricing page
AWS Availability Zone (AZ)
one or more discrete data centers with redundant power, networking, & connectivity
usually 3, min is 3, max is 6
What are some benefits of Availability Zones (AZs)?
- AZs are separate from each others, so that they’re isolated from disasters
- AZs are connected with high bandwidth, ultra-low latency networking
AWS Points of Presence (Edge Locations)
content is delivered to end users with lower latency
Amazon has 400+ Points of Presence in 90+ cities across 40+ countries
IAM
Identity & Access Management;
Global service
Root account
created by default;
should NOT be used or shared
IAM User
IAM Identity to represent people within your organization;
can be grouped
IAM User Group
group of IAM users;
only contain users, NOT other groups
users don’t have to belong to group & user can belong to multiple groups
IAM Policy
JSON documents that define a set of permissions for making requests to AWS services and can be used by IAM Users, User Groups, & IAM Roles
π‘ TIP: Apply the least privilege principle
IAM Policy Structure
- Version: policy language version, always include “2012-10-17”
- Id: identifier for the policy (optional)
- Statement: one or more individual statements
IAM Policy Statement Structure
- Sid: identifier for the statement (optional)
- Effect: whether the statement allows or denies access (i.e. Allow, Deny)
- Principal: account/user/role to which this policy applied to
- Action: list of actions this policy allows or denies (i.e. s3:GetObject)
- Resource: list of resources to which the actions applied to
- Condition: conditions for when this policy is in effect (optional)
AWS Managed Policy
standalone policy that is created and adminstered by AWS
(i.e. IAMReadOnlyAccess)
Inline Policy
policy created for a single IAM identity (a user, group, or role)
π‘ TIP: If a policy could apply to more than one entity, it’s better to use. a managed policy
Multi Factor Authentication (MFA)
password you know + security device you own
β¨ Best Practice: Root Accounts & IAM users (at a minimum) should be protected with MFA
What is the main benefit of MFA?
if a password is stolen or hacked, the account is not compromised
How can users access AWS?
3 ways
- AWS Management Console: protected by password + MFA
- AWS Command Line Interface (CLI):
- AWS Softwarde Developer Kit (SDK): for code; protected by access keys
β¨ Best Practice: Access Keys are secret, just like a password. Don’t share them
Access Key ID ~= username, Secret Access Key ~= password
AWS Command Line Interface (CLI)
tool that enables you to interact with AWS services using commands in your command-line shell (i.e. terminal)
alternative to using AWS Management Console
AWS Software Development Kit (SDK)
language specific APIs (set of librariers) that enable you to access & manage AWS services programatically;
embedded within your application
IAM Role
IAM Identity that defines a set of permissions for making requests to AWS services, and will be used by an AWS service
(i.e. EC2 Instance Roles, Lambda Function Roles)
What IAM Security Tools does AWS provide?
- IAM Credentials Report (account-level)
- IAM Access Advisor (user-level)
IAM Credentials Report
- account-level
- report that lists all your account’s users & status of their various credentials
IAM Access Advisor
- user-level
- shows the service permissions granted to a user & when those services were last accessed
π‘TIP: Helpful information to audit and revise policies (i.e. least priviledge principle)
What are some IAM User & Group best practices?
- Don’t use the root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups & assign permissions to groups
- Create a strong password policy
- Use & enforce the use of Multi Factor Authentication (MFA)
