Tuesday, November 27, 2018

AWS IAM Roles



AWS provides IAM (Identity and Access Management) as a service.

https://www.youtube.com/watch?v=UqKWHZ36yEM

This service helps us keep our account secure.

This is important because our account is very valuable: our credit card is attached to it and lots of services run inside it.
How does AWS handle security?

IAM is not about application security. Our apps and systems still need to be secured by us.

AWS does help us automatically against basic DDoS attacks.

Here we are talking about giving the right permissions to the right people or the right services.

People: more than one person can use the account.
In an organization, multiple people use this account, and there will be different teams that use these services.
We can give each user the access they need.


We get

 1) Groups
 2) Users
 3) Roles
 4) Policies


We can add multiple users and put these users into groups.

We can create an Admin group that has full admin access, and we can create one that has access to only S3 and Filestore.

We can be more granular than that and only allow a certain group to access a certain bucket (like a folder) in S3, or only give read-only access.






Give read-only access to a particular group.






Even though we create the Admin group, this group is not the same as the root account.
There are some restrictions on this group: it does not have access to billing information.

Why do I create a group with admin rights if I am already the admin? See the answer above.


We have attached a policy to the group.

If we want to give more people admin rights, we use IAM.

We create users and don't use our root account, except for maybe accessing our expense report.

Don't use the root account for day-to-day business; we should create a user for ourselves.

While adding a user, the type of access given to the user is important.




We can also add more users in one step.

The access type depends on how the user needs to use AWS.

The next step is the type of permissions that you want to give to the user.
The best approach is to add the user to a group and assign the permissions at the group level.

We can also attach policies directly to the user.

After creating the user, we will see the following details.





The user will now need the sign-in link provided above to log in, along with the username and the password.


Now our security status has improved.

It is strongly recommended to enable MFA.

We also enable a password policy (which types of characters must go into a password, and so on).




What about roles and policies?

We saw that we attached an Admin policy to the user. What about roles?

We can look through and choose the existing policies, or we can create our own policy.





A policy is something that defines a set of rules.

It is a JSON document and looks as follows.




This is what the summary of the policy looks like.

We define the version of the policy language here.

Example Elastic Beanstalk service:





This says which Actions the policy allows and the type of Resource those actions can be performed on.

We can either use an existing policy or create our own policy.
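As an added illustration (not code from the page or from AWS), here is a policy in the JSON policy language that gives a group read-only access to one S3 bucket, plus a small evaluator that applies IAM's decision rule: everything is denied by default, an explicit Deny beats every Allow, and otherwise a matching Allow grants the action. The policies, the bucket name and the function names are constructed for the example.

```python
import fnmatch
import json

# Constructed example policies (not from the page). The first gives read-only
# access to one S3 bucket; the second is the kind of full-access policy an
# Admin group would get; the third explicitly denies deleting from the bucket.
READ_ONLY_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-reports"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}
""")
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_DELETE_POLICY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                                     "Resource": "arn:aws:s3:::example-reports/*"}]}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, fold_case=False):
    # Action names are case-insensitive in IAM; ARNs are matched case-sensitively.
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Simplified IAM decision logic: denied by default, an explicit Deny in
    any attached policy wins over every Allow, otherwise one matching Allow
    grants the action on the resource."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(action, stmt["Action"], fold_case=True)
                    and _matches(resource, stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Conditions, NotAction/NotResource and the other policy types (resource policies, permission boundaries) are left out; the point is the default-deny and explicit-deny-wins ordering.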



So far so good.

We have users, groups and policies; policies can be attached to groups or to users.


By default in AWS, no service has permission to access our other services.

We might wonder: why would a service need to access our services?

Example: we use Elastic Beanstalk. Beanstalk is just a simplification.

In the background Beanstalk runs on EC2: it started an EC2 instance (a VM) in the background.
It could do so because it had the permissions to do so.
We gave it those permissions when we started using it from the console.

By default though, no service has any permission to access our services.

If we have code on EC2 that reaches out to S3 to store our files there, our EC2 instance needs the permissions to do so.

So that is the last step.

The Roles allow services to reach out to



Roles can be attached to services, so our services can have certain roles that allow them to interact with our other services.

That is how IAM works.

We define who accesses what.


The best practice is to be as granular and strict as possible.

Don't give more permissions than a user or role needs.

AWS Essentials: What is IAM (Linux Academy)

https://www.youtube.com/watch?v=4ngYrnJb7F8&index=8&list=PLv2a_5pNAko0Mijc6mnv04xeOut443Wnk



Under Security and Identity, we see the IAM web service.

1) IAM is where we manage the AWS users and their access to AWS accounts and AWS services.
2) Common use cases of IAM are managing users, groups, IAM access policies and roles.
3) We are going to dive into deeper usage in the following lessons.
4) The user created when we created the AWS account is called the AWS root user.
5) Best practice is to protect your root account with MFA, which is a service provided by a third party.










Saturday, November 17, 2018


AWS 6 NACL, Security Groups and Endpoints

NACL (network ACL) is stateless.
SG (security group) is stateful.



The total port range is 0-65000.


Dynamic ports are from 49152 to 65535.

If we do not open the outbound ports, traffic initiated from the server cannot go out of the server; the packet gets dropped.




The protocol used is TCP or UDP.

If we want to open outbound traffic for ping, we have to open ICMP as well.




As a NACL is STATELESS, we have to open both inbound and outbound rules.

Security groups are assigned to the INSTANCES - very important.

Subnet security:
NACLs are assigned to the SUBNETS - very important.

Dynamic ports are from 49152 to 65535.
This is the port range that needs to be opened in the NACL outbound rules.

There are inbound rules and outbound rules.
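The stateless-versus-stateful difference above, as an added example that is not from the page: a small simulator that evaluates constructed NACL rules in rule-number order with the implicit final deny, runs an SSH session's request and reply through it, and contrasts it with a security group that tracks the connection. The rule sets, the client address and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed NACL rule sets (not from the page), in the shape the console shows:
# (rule number, protocol, (from port, to port), CIDR, action). Rules are evaluated
# in rule-number order, the first match wins, and the implicit final rule "*"
# denies everything that nothing else matched.
INBOUND = [(100, "tcp", (22, 22), "0.0.0.0/0", "allow")]
OUTBOUND_NO_EPHEMERAL = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
# The page's dynamic port range, opened so replies to inbound connections can leave.
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [
    (110, "tcp", (49152, 65535), "0.0.0.0/0", "allow")]


def nacl_decision(rules, proto, port, remote_ip):
    """Stateless check of one packet direction against an ordered NACL."""
    remote = ipaddress.ip_address(remote_ip)
    for _num, r_proto, (lo, hi), cidr, action in sorted(rules):
        if r_proto not in (proto, "all") or not lo <= port <= hi:
            continue
        if remote not in ipaddress.ip_network(cidr):
            continue
        return action == "allow"
    return False  # the implicit "*" deny rule


def nacl_ssh_session(inbound, outbound, client_ip, client_port):
    """SSH from client_ip:client_port to the server's port 22. Because the NACL
    keeps no state, the request is checked on inbound (dst port 22) and the
    reply separately on outbound (dst port = the client's ephemeral port)."""
    request_ok = nacl_decision(inbound, "tcp", 22, client_ip)
    reply_ok = nacl_decision(outbound, "tcp", client_port, client_ip)
    return request_ok and reply_ok


def sg_ssh_session(inbound, client_ip, client_port):
    """Same session through a security group: it is stateful, so once the
    inbound request is allowed the reply is tracked and passes without any
    outbound rule being consulted."""
    tracked = set()
    if nacl_decision(inbound, "tcp", 22, client_ip):
        tracked.add((client_ip, client_port))
    return (client_ip, client_port) in tracked
```

A client whose ephemeral port falls below 49152 (Linux defaults to 32768 and up) still gets its reply dropped by the NACL above, which is why the AWS documentation suggests opening 1024-65535 outbound.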


VPC flow logs and Elastic IPs

If we want to retain the public IP, we first create an EIP and then assign the EIP to the EC2 instance.

If we do not assign the EIP to an instance, we will be charged for it.






AWS 21 Database - RDS

There are 5 types of databases.

Overview:

1) RDS - Regular Relational Database System
   Structured DB.
   SQL, Oracle, MySQL, Postgres, AWS Aurora (MySQL flavor), MariaDB
2) DynamoDB - a NoSQL database (similar to Cassandra and Mongo)
3) ElastiCache - in-memory DB used for caching by websites (Redis and Memcached)
4) Neptune - graph database (very new)
5) Amazon Redshift - used for data warehousing


The heavily used databases are RDS, DynamoDB and Amazon Redshift.

RDS is platform as a service (PaaS).
AWS takes care of the database:
   They are responsible for maintaining it.
   It is a ready-made service.
   PaaS is a furnished house; we do not have control over it.

There is no chance for customization as needed.




Friday, November 2, 2018

AWS 5 VPC Peering

We create 3 VPCs in the same region but in different availability zones.



VPC peering is not transitive.
It is only one-to-one.




If we want communication from Yellow to Red, we need to enable VPC peering between those two.








After we create the VPC peering connections, we need to modify the route tables.
We can restrict the address space in the route table by specifying the address range that needs to be reachable.

The route tables of both VPCs should be edited to show the route.

The entry in the route table is nothing but the VPC peering connection name, which identifies both VPCs that participate in the connection.















We use VPC peering to manage multiple VPCs instead of having a jump host in each VPC.
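Added example, not from the page: a route-table lookup over a constructed three-VPC topology (Yellow peered to Red, Red peered to Blue) that shows why a route must exist on both sides and why Yellow still cannot reach Blue through Red. The VPC names, CIDRs, peering IDs and function names are assumptions made for the example.

```python
import ipaddress

# Constructed topology (not from the page): three VPCs, with Yellow peered to
# Red and Red peered to Blue. Peering connections are one-to-one, so each one
# lists exactly the two VPCs it joins.
VPCS = {"yellow": "10.0.0.0/16", "red": "10.1.0.0/16", "blue": "10.2.0.0/16"}
PEERINGS = {"pcx-yellow-red": {"yellow", "red"}, "pcx-red-blue": {"red", "blue"}}

# Route tables: destination CIDR -> target. "local" is the VPC's own route;
# a peering route names the peering connection, as the notes describe.
ROUTE_TABLES = {
    "yellow": {"10.0.0.0/16": "local", "10.1.0.0/16": "pcx-yellow-red"},
    "red": {"10.1.0.0/16": "local", "10.0.0.0/16": "pcx-yellow-red",
            "10.2.0.0/16": "pcx-red-blue"},
    "blue": {"10.2.0.0/16": "local", "10.1.0.0/16": "pcx-red-blue"},
}


def vpc_of(ip):
    """Name of the VPC whose CIDR contains ip."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in VPCS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not in any VPC")


def lookup(route_table, dst_ip):
    """Longest-prefix match over one route table; None means no route."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def can_reach(src_ip, dst_ip, route_tables=ROUTE_TABLES):
    """True only if the forward route and the return route both point at a
    peering connection that actually joins the two VPCs involved."""
    src, dst = vpc_of(src_ip), vpc_of(dst_ip)
    if src == dst:
        return True
    forward = lookup(route_tables[src], dst_ip)
    if PEERINGS.get(forward) != {src, dst}:
        return False  # no route, or a peering that does not join src and dst
    return lookup(route_tables[dst], src_ip) == forward
```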






We control the traffic by editing the security groups to allow only particular ports:

Windows: we limit to TCP 3389
Linux: we limit to TCP 22








netstat

A copy from there - TCP Connection States 
 Following is a brief explanation of this handshake. In this context the "client" is ...