
Session 002 IAM & Compute in

Cloud

AWS Cloud Practitioner Challenge


Objectives

IAM Intro
IAM User & Group
IAM Role
IAM Policy options
IAM Best Practices
AWS Tenancy Models
Identify different Amazon EC2 Instance Types
Instance Types and billing
Revision Questions
Identity and Access Management - IAM

IAM enables you to manage access to AWS services
and resources securely.

Using IAM, you can create and manage AWS users
and groups, and use permissions to allow and deny
their access to AWS resources.

IAM is offered at no additional charge

IAM is a Global Service
IAM – IAM Users

IAM User: an entity that you create in AWS to represent the person or
application that uses it to interact with AWS. A user consists of a name
and credentials.

An IAM user is used for two kinds of control: i) authentication (proving who
is making the call) and ii) authorization (what the caller is allowed to do,
via the policies attached to the user or to its groups).

IAM users have long-term credentials: a console password and/or access keys
that never expire on their own. This is why they must be rotated regularly
and removed as soon as they are no longer needed.

Users and Credentials
Console Password: A password that the user can type to sign in to
interactive sessions such as the AWS Management Console.
Access Keys: A combination of an access key ID and a secret access
key. A user can have at most two access keys at a time (so one can be
rotated while the other stays in use). These are used to make programmatic
calls to AWS from the CLI or SDKs.
IAM- Groups
An IAM group is;

A collection of IAM users

A user group can contain many users,

A user can belong to multiple user groups.

User groups can't be nested; they can contain only users, not other user
groups.

There is no default user group that automatically includes all users in the
AWS account.

User groups let you specify permissions for multiple users at once, which
makes it easier to manage (and audit) the permissions for those users.
Groups simplify permission management.
IAM – Users and Groups

[Figure: the WirfonCloud AWS account contains IAM users (IAM User1, User2,
User3, ...) and IAM groups (GroupA, GroupHC, GroupM); each user can be placed
in one or more groups. Example groups: Group A - Accountants and
Group D - HealthCare, each listing the members Kevin, Keri, Bri and Bime.]


IAM - Role

IAM Role: an identity with permission policies that determine what the identity
can and cannot do in AWS. Instead of being uniquely associated with one
person, a role is intended to be assumable by anyone (a user, a service or an
application) who needs it and whom the role's trust policy allows to assume it.

Roles have temporary credentials, not long-term access keys.

Roles are used to hand out temporary credentials (an access key ID, a secret
access key and a session token, issued by AWS STS) to services or users.

By assuming a role, the caller receives credentials that carry the permissions
assigned to the role. While those credentials are valid (they expire after the
role's session duration) the user or service temporarily has the level of
access assigned to the role; once they expire there is nothing left to leak.
When to use IAM Role – Users or Services can assume a role

Example: You're creating an application that runs on an Amazon Elastic
Compute Cloud (Amazon EC2) instance and that application makes requests
to an AWS S3 bucket. Attach a role to the instance instead of embedding an
IAM user's access keys in the application or its configuration.
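How the EC2 example above works in practice, as an added example that is not part of the slides: on an instance with a role attached, the application asks the Instance Metadata Service (IMDS) for the role's temporary credentials rather than reading stored keys. The endpoint, paths and headers are AWS's real IMDSv2 ones; the fetch only succeeds on an EC2 instance, so the inspection helpers are exercised on a constructed credential document (the field names are the real ones, the values are not).

```python
"""Temporary credentials from an EC2 instance role, via IMDSv2.

Added example, not from the slides. The fetch functions need to run on
an EC2 instance with a role attached; the inspection helpers are pure and
are demonstrated on SAMPLE_DOC, a constructed credential document.
"""
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def imds_session_token(ttl_seconds: int = 300) -> str:
    """IMDSv2: obtain a session token with a PUT before reading metadata.
    A server-side request forgery that can only issue GETs cannot do this
    PUT, which is why IMDSv2 should be required on every instance."""
    req = urllib.request.Request(
        IMDS + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def role_credentials(token: str) -> dict:
    """Read the attached role's name, then its credential document."""
    headers = {"X-aws-ec2-metadata-token": token}
    req = urllib.request.Request(IMDS + CREDS_PATH, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        role_name = resp.read().decode().strip()
    req = urllib.request.Request(IMDS + CREDS_PATH + role_name, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.loads(resp.read().decode())


def _utc(iso: str) -> datetime:
    """Parse IMDS timestamps such as 2024-05-01T16:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_temporary_key(access_key_id: str) -> bool:
    """Temporary (STS) access key IDs start with ASIA; long-term IAM user
    keys start with AKIA. An AKIA key in application config is the
    hard-coded-credential anti-pattern the best-practice slide warns about."""
    return access_key_id.startswith("ASIA")


def seconds_until_expiry(doc: dict, now_iso: str) -> int:
    """Seconds left before the credentials in doc stop working."""
    return int((_utc(doc["Expiration"]) - _utc(now_iso)).total_seconds())


def needs_refresh(doc: dict, now_iso: str, margin_minutes: int = 5) -> bool:
    """Refresh ahead of expiry, as the AWS SDKs do, so long-running work
    never fails mid-request with an expired token."""
    return seconds_until_expiry(doc, now_iso) <= margin_minutes * 60


# Constructed sample of an IMDS credential document (real field names,
# placeholder values).
SAMPLE_DOC = {
    "Code": "Success",
    "LastUpdated": "2024-05-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "not-a-real-secret",
    "Token": "not-a-real-session-token",
    "Expiration": "2024-05-01T16:00:00Z",
}

if __name__ == "__main__":
    try:  # only succeeds on an EC2 instance that has a role attached
        doc = role_credentials(imds_session_token())
    except OSError:
        doc = SAMPLE_DOC
    now = datetime.now(timezone.utc).isoformat()
    print("temporary key:", is_temporary_key(doc["AccessKeyId"]),
          "| expires in", seconds_until_expiry(doc, now), "s",
          "| refresh now:", needs_refresh(doc, now))
```

The SDKs perform exactly this dance for you when no explicit credentials are configured, which is why "use roles for applications" costs nothing in code: remove the keys and the credential chain falls through to the instance role.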
Identity and Access Management
Policy: A policy is a JSON document used to set permissions. When attached to
an identity or a resource, it defines their permissions. It can be used to
allow or deny access to resources for services and users. Each statement of an
IAM policy is made up of 1) Effect - Allow or Deny, 2) Action - the API
operation (permission) being controlled and 3) Resource - the entity (ARN)
the statement applies to.
You can attach a policy to a user, a group or a role.

[Figure: a policy attached to a user group applies to every user in that
group; a policy can also be attached directly to a single user.]
Identity and Access Management
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccess",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "DenyCustomerBucket",
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]
    }
  ]
}
This policy grants every S3 action on every resource, except on the bucket
named "customer" and the objects inside it: an explicit Deny always overrides
an Allow, whatever the order of the statements.
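To see how the evaluation rules play out on the policy above, here is an added example (not AWS code and not part of the slides) that simulates IAM's decision logic for a single identity policy: deny by default, Allow where a statement matches, explicit Deny overriding any Allow, with "*" wildcards in Action and Resource. Conditions, NotAction/NotResource, resource policies, SCPs and permission boundaries are out of scope.

```python
"""Simulate IAM policy evaluation for the policy on this slide.

Added example, not AWS code. Only Effect/Action/Resource with '*' and '?'
wildcards are handled.
"""
import fnmatch

# The policy from the slide (an identity policy, so it has no Principal).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": ["*"]},
        {"Sid": "DenyCustomerBucket", "Effect": "Deny",
         "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, case_insensitive=False):
    """Glob match with IAM semantics: action names compare
    case-insensitively, resource ARNs compare exactly apart from wildcards."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return (decision, reason): decision is 'ALLOW' or 'DENY'; reason is
    the Sid of the deciding statement, or 'implicit deny' if none matched."""
    decision, reason = "DENY", "implicit deny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, case_insensitive=True)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            # An explicit Deny ends evaluation: statement order is irrelevant.
            return "DENY", stmt.get("Sid", "explicit deny")
        decision, reason = "ALLOW", stmt.get("Sid", "allow")
    return decision, reason


if __name__ == "__main__":
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::public-site/index.html"),
        ("s3:GetObject", "arn:aws:s3:::customer/report.csv"),
        ("s3:ListBucket", "arn:aws:s3:::customer"),
        ("s3:GetObject", "arn:aws:s3:::customer-archive/2023.zip"),  # not denied!
        ("ec2:DescribeInstances", "*"),
    ]:
        print(f"{act:22} {res:45} -> {evaluate(POLICY, act, res)}")
```

The fourth request is the one worth noticing: the Deny names the bucket "customer" exactly, so a bucket whose name merely starts with "customer" (customer-archive) is still fully allowed by the "s3:*" on "*". Denies must list every resource they are meant to protect; an Allow on "*" covers everything else.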
IAM – Best Practices

Multi-factor Authentication - Provides additional security with either a
physical or virtual device that generates a token for login

Least Privilege Access - Users should only be granted access to AWS
resources that are required for their current tasks

Use roles for applications - assign a role to a resource (eg: EC2
instance) rather than hard-coding or configuring direct credentials into
the application

Rotate credentials regularly

Remove unnecessary users and credentials
IAM – Best Practice

Monitor activity in your AWS account via the various monitoring
services (for example CloudTrail for API activity)

Delete root user access keys; the root user should not have any

Create a new IAM user for yourself and assign it administrative
access; use it, not the root user, for day-to-day work

Group users with the same security requirements into a group and
assign policies to the group

NB: Root Account - You log on to your root user account using the
email address you registered with. It has unrestricted access to the
account, so enable MFA on it and use it only for tasks that require it.
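The best practices on the two slides above can be checked mechanically. The following is an added example, not from the slides: it audits an IAM credential report (the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns; the column names are AWS's) for root access keys, console users without MFA, stale access keys and keys that were never used. The rows are constructed sample data for the WirfonCloud account, and the 90-day thresholds are an assumption.

```python
"""Audit an IAM credential report against the IAM best practices.

Added example, not from the slides. Column names follow the real
credential report; the rows in SAMPLE_REPORT are constructed.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # rotation threshold (assumption; set your own)
MAX_IDLE_DAYS = 90      # unused-credential threshold (assumption)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # frozen for reproducibility

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-01T00:00:00+00:00,not_supported,2024-05-30T09:00:00+00:00,not_supported,not_supported,false,true,2022-01-01T00:00:00+00:00,2024-05-30T09:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
kevin,arn:aws:iam::123456789012:user/kevin,2023-03-10T00:00:00+00:00,true,2024-05-29T12:00:00+00:00,2024-04-01T00:00:00+00:00,2024-06-30T00:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-29T12:00:00+00:00,eu-central-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
keri,arn:aws:iam::123456789012:user/keri,2023-03-10T00:00:00+00:00,true,2023-09-01T08:00:00+00:00,2023-03-10T00:00:00+00:00,2023-06-08T00:00:00+00:00,false,true,2023-03-10T00:00:00+00:00,2024-01-15T00:00:00+00:00,eu-central-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,2023-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _date(value):
    """Cells hold an ISO timestamp or N/A / not_supported / no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv: str, now: datetime = NOW):
    """Return a list of (user, finding) tuples; an empty list means clean."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # MFA matters for anyone who can sign in to the console; root always can.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "no MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # "Delete root user access keys"
                findings.append((user, f"root access key {n} present: delete it"))
            rotated = _date(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated).days > MAX_KEY_AGE_DAYS:  # "Rotate credentials"
                findings.append((user, f"access key {n} is {(now - rotated).days} days old"))
            last_used = _date(row[f"access_key_{n}_last_used_date"])
            if last_used is None:  # "Remove unnecessary credentials"
                findings.append((user, f"access key {n} never used"))
            elif (now - last_used).days > MAX_IDLE_DAYS:
                findings.append((user, f"access key {n} unused for {(now - last_used).days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Run against a real report, the same function will flag the root user the moment a key exists on it, which is the single most important line in this deck's best-practice list; the other findings are the routine hygiene that keeps long-term IAM user credentials from outliving their purpose.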
Interacting with AWS
AWS provides 3 different ways to interact with its services:

1) AWS Management Console
   A graphical user interface (GUI). You sign in with a username and a
   password (plus an MFA code when MFA is enabled).

2) AWS Command Line Interface (CLI)
   You use a terminal rather than a GUI. You need access keys associated
   with a specific IAM user (or temporary credentials from an assumed role).
   Offers more possibilities for automation than clicking around.

3) AWS Software Development Kits (SDKs)
   A programmatic way of interacting with AWS accounts and services from
   your own code. You likewise need access keys associated with a specific
   IAM user (or role credentials). Offers the most possibilities for
   programmability.
Interacting with AWS

[Figure: AWS CLI - used from a terminal - authenticates with access keys;
AWS Console - a GUI - authenticates with username and password;
AWS SDKs - used from code - authenticate with access keys.]
Compute
Fundamentals 101

[Figure: a single machine. Applications run on top of the operating system
(Linux) kernel, which runs directly on the hardware: CPU, network, devices.]

The operating system runs in privileged mode (kernel mode)

Applications run in user mode
Virtualization 101

[Figure: several guest operating systems (Guest OS 1 Linux, Guest OS 2
Windows, Guest OS 3 ...), each running its own applications, sit on top of a
host / hypervisor layer that in turn runs on the hardware: CPU, network,
devices.]

Each guest operating system still runs in privileged mode, but only inside
its own virtual machine

Applications run in user mode
The hypervisor is the brain and is in charge of allocating hardware resources
to the guests and keeping them isolated from each other
Hardware Virtualization for Cloud Computing
1) Hardware virtualization for cloud computing has come a long way
2) The latest AWS virtualization platform, the Nitro System, offloads the
work a traditional hypervisor did in software (networking, storage, security)
to dedicated hardware cards, leaving a lightweight, hardware-assisted
hypervisor that is easy to use and delivers near bare-metal performance
3) AWS Nitro is a combination of dedicated hardware and a lightweight
hypervisor, enabling faster innovation and enhanced security
4) It is the underlying platform for EC2 instances
See the AWS documentation on the Nitro System for more
AWS - Virtualization

[Figure: the AWS view of a virtual machine: applications on top of an
operating system (Linux) kernel, on top of virtualized CPU, network and
devices.]
AWS Tenancy
Tenancy determines whether the physical hardware a resource runs on is
shared with other customers or reserved for you
Think of tenancy in terms of housing

If you have a house to yourself, that is the dedicated tenancy model

If you live in an apartment building, that is the shared tenancy model
AWS Tenancy – Shared Tenancy
Default model when launching an EC2 instance
Multiple customers' instances run on the same pieces of hardware,
even though they don't interact with each other
Remember there is a host/hypervisor running on it to allocate and isolate
CPU, memory, storage etc.
This is the general one that you will use most of the time
This is the cheapest option for running your EC2 instances
AWS Tenancy – Shared Tenancy

[Figure: Host-101 under shared tenancy. Four EC2 instances (virtual machines,
each with its own guest OS and apps) run on one hypervisor and share the
host's CPUs (CPU 1-3), RAM (RAM 1-3) and instance store. Instance store is
ephemeral (temporary) storage local to the host.]
AWS Tenancy – Dedicated Tenancy
Ensures that your EC2 instances run on hardware specific to your
account, but comes at a price
Use case: Due to licensing restrictions some software isn't allowed to be run
on a shared tenancy model
For instance if you're trying to Bring Your Own License (BYOL) to AWS
In other circumstances, regulatory compliance may dictate that you can't
use the shared model
There are two different options for dedicated tenancy with AWS: Dedicated
Hosts and Dedicated Instances.
AWS Tenancy – Dedicated Hosts
You allocate an entire physical host from AWS and that host is billed to you
on an hourly basis
This might seem a lot like how you would manage an on-premises solution.
You control the hardware where your instances are hosted (and can see the
physical cores and sockets, which is what per-socket or per-core licenses need)
Allows you to use your eligible software licenses from vendors such as
Microsoft and Oracle on AWS with no additional charge
It is integrated with AWS License Manager, a service which helps you
manage your software licenses, including Microsoft Windows Server and
Microsoft SQL Server licenses
All instances on a Dedicated Host must belong to the same instance family;
you may not mix instance families on the same host
AWS Tenancy – Dedicated Hosts

[Figure: Host-102 as a Dedicated Host. The entire physical host (hypervisor,
CPU 1-3, RAM 1-3) is allocated to one account; one guest OS with its apps is
shown running on it.]
AWS Tenancy – Dedicated Instance
Amazon EC2 instances that run in a VPC on a host that's
dedicated to a single customer.
Dedicated instances are physically isolated at the host hardware
level from instances that belong to other AWS accounts
Dedicated instances may share hardware with other instances
from the same AWS account that are not Dedicated instances
No control over instance placement (can move host after
stop/start)
AWS Tenancy – Dedicated Instance

[Figure: Host-103 running Dedicated Instances. Several instances (guest OS +
apps) share the host's hypervisor, CPU 1-3 and RAM 1-3, but all belong to the
same account; the host is not shared with other customers.]
Elastic Compute Cloud, EC2 - (i)

- EC2 instances are virtual machines
- EC2 instances run on EC2 hosts
- Hosts are either shared hosts or dedicated hosts
- A host lives in a single Availability Zone
- If the Availability Zone fails, its hosts fail and the instances on them
  fail with it; spread instances across Availability Zones for resilience
Elastic Compute Cloud, EC2 - (ii)

[Figure: AWS Region eu-central-1 with two Availability Zones, AZ-1 and AZ-2.
Each AZ has its own host (hypervisor, CPU 1-3, RAM 1-3) running instances
(guest OS + apps); an instance lives in exactly one AZ.]

Def: An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
What is EC2 good for?

Traditional OS + applications

Long running compute

Server style applications

Monolithic application stacks

Migrated application workloads or disaster recovery
Amazon Machine Images (AMI)
The precise definition of an AMI is a

Template that contains the desired software configuration for an instance:
➢ Operating system
➢ Optionally an application
➢ Additional supporting software
➢ Root device boot volume

After selecting an AMI, you then choose the instance type where the AMI will be
installed.
AMI Components


Boot Volume: describes what will be used as
the boot volume for the instance – either an
EBS boot volume or a local instance storage
volume

Operating system – Linux or Windows
EC2 Instance Types
EC2 Instance Types (I)

[Figure: a range of vehicles, from a small car to a large truck.]

Depending on the type of workload you have, you choose one of the
different vehicles shown. Picking the right truck/machine is crucial for
your load to be carried efficiently.
In the same way we have different types of EC2 instances depending on the
type of compute workload you have.
EC2 Instance Types - II

Amazon EC2 provides a wide selection of instance types
optimized to fit different use cases.

Instance types comprise varying combinations of CPU, memory,
storage, and networking capacity and give you the flexibility to
choose the appropriate mix of resources for your applications.

Each instance type includes one or more instance sizes,
allowing you to scale your resources to the requirements of your
target workload.
(I) EC2 Instance Types – General Purpose

Default and for diverse workloads and equal resource
ratio.

Provide a balance of compute, memory and networking
resources, and can be used for a variety of diverse
workloads.

Ideal for applications that use these resources in equal
proportions such as web servers and code repositories.
(ii) EC2 Instance Types – Compute Optimized

Compute Optimized instances are ideal for
compute bound applications that benefit from
high performance processors.

Media Processing Scientific Modelling, gaming
and Machine Learning
(iii) EC2 Instance Types – Memory Optimized

Memory optimized instances are designed to
deliver fast performance for workloads that
process large data sets in memory and some
database workloads
(iv) EC2 Instance Types –
Accelerated Computing

Accelerated computing instances use hardware
accelerators, or co-processors, to perform
functions, graphics processing, or data pattern
matching, more efficiently than is possible in
software running on CPUs.
(v) EC2 Instance Types – Storage Optimized

Storage optimized instances are designed for
workloads that require high, sequential read and
write access to very large data sets on local
storage.

They are optimized to deliver tens of thousands
of low-latency, random I/O operations per
second (IOPS) to applications.
EC2 Instances: Pricing Options
Purchasing Options --- On-Demand Instances

Pay for what you use

Pricing is per second (with a 60-second minimum) for Linux instances;
Windows instances are billed per hour

No upfront payment, no long term commitment

Recommended for short-term and unpredictable workloads that cannot be
interrupted

Applications being developed or tested on AWS EC2 for the first time
Spot Instances - Pricing

AWS EC2 Spot Instances let you use spare EC2 capacity that is not
currently in use at a discount of up to 90% off the On-Demand price.

You specify the maximum price you are willing to pay (historically called a
bid) and keep the instance as long as the Spot price stays under it

The Spot price fluctuates gradually based on the supply and demand of
unused AWS EC2 capacity; the instance runs until AWS needs the capacity back

Your Spot instance is launched when capacity is available and the Spot
price is lower than the maximum price you specified

Spot instances are reclaimed with a 2-minute interruption notice when the
Spot price rises above your maximum price or AWS reclaims the capacity
Purchasing Options --- Spot Instances
Spot instances are recommended if

You have applications that have flexible start and end times

Applications that are only feasible at very low compute prices

Workloads that are not critical and can be interrupted at any time

For batch jobs, Big Data analysis, or workloads that are resilient
to failures.

Not recommended for critical jobs or databases
Purchasing Options --- Reserved Instances

Provide you with a significant discount (up to 75%) compared to On-
Demand instance pricing.

Reserved instances also provide a capacity reservation, if assigned to a
specific Availability Zone, thereby ensuring your ability to launch instances
when you need them.
Reserved Instances are recommended if:

You have applications with steady state usage.

You have applications that may require reserve capacity.

You are a committed customer for a one year or three year term.
Reserved Instance Pricing (i)
Standard Pricing

Enables you to purchase Reserved Instances for a one-year or three-year
term and offers significant discounts (up to 75%) compared to On-Demand
instances.

You have the flexibility to change the Availability Zone, the instance
size (within the same instance family) and the networking type of your
Standard Reserved Instances during the term.
Reserved Instance Pricing (ii)
Convertible Pricing

This suits best if you need additional flexibility, such as the ability to
exchange for different instance families, operating systems, or tenancies
over the Reserved Instance term.

Convertible Reserved Instances provide you with a significant discount
(up to 45%) compared to On-Demand and can be purchased for a one-year or
three-year term.
Reserved Instance Payment options

No Upfront — discounted hourly rate for every hour within the term,
regardless of usage. No upfront payment is required.
For Standard Reserved Instances, this option is only available as a 1-year
reservation.
For Convertible Reserved Instances, the option is available as a 3-year
reservation.

Partial Upfront — pay a portion of the cost upfront and the remaining hours
in the term are billed at a discounted hourly rate, regardless of usage.

All Upfront — Full payment is made at the start of the term, with no other
costs incurred for the remainder of the term regardless of the number of
hours used. This option provides you with the largest discount compared to
On-Demand instance pricing.
Purchasing options -
Scheduled Reserved Instance

Purchase instances that are always available on the specified
recurring schedule, for a one-year term.

Launch within time window you reserve

When you require a fraction of day/week/month

Pay for the time that the instances are scheduled

Recommended for an application that runs during business
hours or for batch processing that runs at the end of the week.
Dedicated Hosts Pricing

The price for Dedicated Hosts vary based on the
instance family, region, and payment option that you
choose.

You pay only hourly for each active Dedicated Host,
regardless of the quantity or the size of instances that
you choose to launch on a particular Dedicated Host.

You are not billed for the usage of your instances!
On Demand Dedicated Hosts Pricing

You pay for each hour that the Dedicated Host
is active or allocated in your account.

When you release the on-demand Dedicated
Host, you also terminate the billing.

On-Demand gives you the flexibility to scale up
or down without long-term commitments.
Reserved Dedicated Hosts Pricing

Just like the AWS EC2 Reserved Instances, the AWS EC2 Dedicated Hosts
reservations also provide up to a 70% discount compared to the on-demand
price.

There are three payment options for you to choose when you purchase Reserved
Dedicated Hosts.

All Upfront — you pay for the entire Dedicated Host Reservation with one
upfront payment. This option provides you with the largest discount compared to
On-Demand pricing.

Partial Upfront — you make a low upfront payment and are then charged a
discounted hourly rate for the Dedicated Host for the duration of the reservation.

No Upfront — you do not need to make an upfront payment and you get a
discounted hourly rate for the duration of the term.
Dedicated Hosts – Pricing Summary
The price for a Dedicated Host varies by instance family, region, and payment option
Pay for each active Dedicated Host, not for the instances running on it.
1) On-Demand Pricing
When you pay On-Demand for Dedicated Hosts, you pay for each second (minimum of 60
seconds) that the Dedicated Host is active in your account (or allocated).
2) Reservation Pricing
Reservations can provide up to a 70% discount compared to the On-Demand price.
Dedicated Host Reservations can be purchased using the AWS Management Console or
AWS CLI.
3) Savings Plans
You can purchase Savings Plans to lower your spend on Dedicated Hosts. Savings Plans are
a flexible pricing model that provides savings of up to 72% on your AWS compute usage,
regardless of instance family, size, OS, tenancy or AWS Region.

See the AWS documentation on Dedicated Hosts pricing for more


Instance Purchasing Options Summary
1) On-Demand Instances - Pay, by the second, for the instances that you launch.

2) Spot Instances - Request unused EC2 instances, which can reduce your
Amazon EC2 costs significantly.

3) Reserved Instances - Reduce your Amazon EC2 costs by making a commitment to a
consistent instance configuration, including instance type and Region, for a term of 1 or 3 years.

4) Dedicated Hosts - Pay for a physical host that is fully dedicated to running your instances,
and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs.

5) Dedicated Instances - Pay, by the hour, for instances that run on single-tenant hardware.

6) Capacity Reservations - Reserve capacity for your EC2 instances in a
specific Availability Zone for any duration.

7) Savings Plans - Reduce your Amazon EC2 costs by making a commitment to a consistent
amount of usage, in USD per hour, for a term of 1 or 3 years.

See the AWS documentation on instance purchasing options for more



Per Second Billing
With per-second billing, you pay for only what you use.
It takes the cost of unused minutes and seconds in an hour off the bill, so you can focus
on improving your applications instead of maximizing usage to the hour. In particular,
instances running for irregular periods of time, such as dev/testing, data processing,
analytics, batch processing and gaming applications, benefit from it.

EC2 usage is billed in one-second increments, with a minimum of 60 seconds.
Similarly, provisioned storage for EBS volumes is billed in per-second
increments, with a 60-second minimum. Per-second billing is available for instances
launched in:

On-Demand, Reserved and Spot forms

All regions and Availability Zones

Amazon Linux and Ubuntu
See the AWS documentation on Amazon EC2 pricing and per-second billing, and on
Reserved Instance purchase options, for more
Revision
Question 1
Which type of EC2 instance is the most suitable and cost-
effective if the customer will be running mission-critical
workloads continuously for a whole year?
A. Dedicated
B. On-Demand
C. Reserved
D. Spot
Answer 1 - C
Reserved Instances provide you with a significant discount
compared to On-Demand Instance pricing. RIs can provide a
capacity reservation, offering additional confidence in your
ability to launch the number of instances you have reserved
when you need them. You can purchase a Reserved Instance
for a one-year or three-year commitment. With Reserved
Instances (RIs), you can choose the type that best fits your
application needs, such as Standard RIs, Convertible RIs, and
Scheduled RIs.
Question 2
In Amazon EC2, which pricing construct adjusts its
price based on supply and demand of EC2 instances?
A. Spot Instance
B. Standard Reserved Instance
C. Convertible Reserved Instance
D. On-Demand Instance
Answer Question 2 - A
Amazon EC2 simplified the Amazon EC2 Spot
instance pricing by moving to a model that
delivers low, predictable prices that adjust
gradually based on long-term trends in supply and
demand. The Spot instance price fluctuates based
on the supply and demand of available unused
AWS EC2 capacity
Question 3
You have an Amazon Linux EC2 instance running for an hour and thirty
minutes. How will AWS bill you in terms of usage?
A) You will only be billed for an hour according to the hourly billing rule
B) You will be billed for one hour and thirty minutes according to the
hourly billing rule
C) You will be billed for an hour and thirty minutes according to the per-
second billing rule
D) You will be billed for an hour and twenty-nine minutes according to the
per-second billing rule
Answer Question 3 - C
Amazon Linux instances are now billed in a per-second
duration. With per-second billing, you pay for only what you
use. It takes cost of unused minutes and seconds in an hour off
of the bill, so you can focus on improving your applications
instead of maximizing usage to the hour. Especially, if you
manage instances running for irregular periods of time, such as
dev/testing, data processing, analytics, batch processing and
gaming applications, can benefit. EC2 usage is billed on one-
second increments, with a minimum of 60 seconds.
Assignment

How to create an AWS account
Follow the linked guide to create an account
Follow the linked guide to set up MFA on your account
Read about:

Complete the AWS Lab on IAM on www.qwiklabs.com

Amazon Simple Storage Service (Amazon S3)

Amazon Elastic Block Store (Amazon EBS)

Amazon Elastic File System (Amazon EFS)
The End
