002-IAM and Compute
Cloud
● IAM Intro
● AWS Tenancy Models
● IAM User & Group
● Identify different Amazon EC2 Instance Types
● IAM Role
● Instance Types and billing
● IAM Policy options
● IAM Best Practices
● Revision Questions
Identity and Access Management - IAM
● IAM enables you to manage access to AWS services and resources securely.
● Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
● IAM is offered at no additional charge.
● IAM is a Global Service.
IAM – IAM Users
● IAM User: an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user consists of a name and credentials.
● An IAM user is used for control: (i) authentication and (ii) authorization.
● IAM users have permanent (long-lived) keys.
● Users and Credentials
Console Password: A password that the user can type to sign in to interactive sessions such as the AWS Management Console.
Access Keys: A combination of an access key ID and a secret access key. You can assign two to a user at a time. These can be used to make programmatic calls to AWS.
IAM – Groups
An IAM group is:
● A collection of IAM users.
● A user group can contain many users.
● A user can belong to multiple user groups.
● User groups can't be nested; they can contain only users, not other user groups.
● There is no default user group that automatically includes all users in the AWS account.
● User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. Groups simplify security.
IAM – Users and Groups
(Diagram: the WirfonCloud AWS Account containing a User Group, a Policy and a User.)
Identity and Access Management
Example IAM policy (JSON): all S3 actions are allowed on every resource, but the "customer" bucket and its objects are explicitly denied.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccess",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "DenyCustomerBucket",
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]
    }
  ]
}
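The policy above evaluated offline with a small Python script added here (example code, not from the original slides or from AWS): it applies IAM's rule that an explicit Deny in any matching statement overrides an Allow, and that a request no statement matches is implicitly denied. The sample requests at the bottom are constructed.

```python
"""Offline evaluator for the S3 policy shown above (added example)."""
import fnmatch
import json

# The policy document from the slide: broad S3 allow plus an explicit
# deny on the "customer" bucket and every object inside it.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAccess", "Effect": "Allow",
     "Action": ["s3:*"], "Resource": ["*"]},
    {"Sid": "DenyCustomerBucket", "Action": ["s3:*"], "Effect": "Deny",
     "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]}
  ]
}
""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, fold_case):
    # Action and Resource values accept "*" and "?" wildcards. Action names
    # are compared case-insensitively, resource ARNs case-sensitively.
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return "Allow" or "Deny" for one request against one policy.

    Order of evaluation: an explicit Deny in any matching statement wins
    immediately; otherwise a matching Allow grants; otherwise the request
    is implicitly denied (no statement mentioned it at all).
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(_as_list(stmt["Action"]), action, True)
                and _matches(_as_list(stmt["Resource"]), resource, False)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit deny: nothing can override it
        allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny


if __name__ == "__main__":
    # Constructed sample requests; bucket and key names are made up.
    for act, res in [("s3:GetObject", "arn:aws:s3:::reports/q1.csv"),
                     ("s3:GetObject", "arn:aws:s3:::customer/secret.txt"),
                     ("s3:ListBucket", "arn:aws:s3:::customer"),
                     ("ec2:StartInstances", "arn:aws:ec2:*:*:instance/*")]:
        print(f"{act:20} {res:40} -> {evaluate(POLICY, act, res)}")
```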
IAM – Best Practices
● Multi-factor Authentication - Provides additional security with either a physical or virtual device that generates a token for login.
● Least Privilege Access - Users should only be granted access to AWS resources that are required for their current tasks.
● Use roles for applications - assign a role to a resource (eg: EC2 instance) rather than hard-coding or configuring direct credentials into the application.
● Rotate credentials regularly.
● Remove unnecessary users and credentials.
IAM – Best Practice
● Monitor activity in your AWS account via the various monitoring services.
● Delete root user access keys.
● Create a new user account for yourself and assign it administrative access.
● Group users with the same security requirements into a group and assign policies to the group.
● NB: Root Account - You log on to your Root user account using the email address you registered with.
Interacting with AWS
AWS provides 3 different ways to interact with its services:
1) AWS Management Console: This is a graphical user interface (GUI). You require a username and a password.
2) AWS Command Line (CLI): You use a terminal and not a GUI. You require access keys that are associated to a specific IAM User. Offers more possibilities for automation than clicking around.
3) AWS Software Development Kits (SDKs): This is a programmatic way of interacting with AWS account or services. You also require access keys that are associated to a specific IAM User. Offers more possibility for programmability.
Interacting with AWS
(Diagram: AWS SDKs - using code with Access Keys.)
Compute Fundamentals 101
(Diagram: several guest operating systems (Linux, Windows), each running applications, on top of a hypervisor; the instance store is ephemeral (temporary) storage.)
AWS Tenancy – Dedicated Tenancy
Ensures that your EC2 instances are run on hardware specific to your account, but comes at a price.
Use case: Due to licensing restrictions, some software isn’t allowed to be run on a shared tenancy model, for instance if you’re trying to use Bring Your Own License (BYOL) to AWS.
In other circumstances, regulatory compliance may dictate that you can’t use the shared model.
There are two different options for dedicated tenancy with AWS: Dedicated Hosts and Dedicated Instances.
AWS Tenancy – Dedicated Hosts
You purchase an entire physical host from AWS and that host is billed to you on an hourly basis.
This might seem a lot like how you would manage an on-premises solution: you control the hardware where your instances are hosted.
Allows you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon with no additional charge.
It is integrated with AWS License Manager, a service which helps you manage your software licenses, including Microsoft Windows Server and Microsoft SQL Server licenses.
You may not mix EC2 instance types on the same dedicated host.
AWS Tenancy – Dedicated Hosts
(Diagram: a dedicated host in AZ-1 and another in AZ-2, each with its own CPUs, hypervisor, guest OS and applications.)
Def: An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
What is EC2?
What is EC2 good for?
● Traditional OS + Applications
● Long running compute
● Server style applications
● Monolithic application starts
● Migrated application workloads or disaster recovery
Amazon Machine Images (AMI)
The precise definition of an AMI is a:
● Template that contains the desired software configuration for an instance:
➢ Operating system
➢ Optionally an application
➢ Additional supporting software
➢ Root device boot volume
● After selecting an AMI, you then choose the instance type where the AMI will be installed.
AMI Components
● Boot Volume: describes what will be used as the boot volume for the instance – either an EBS boot volume or a local instance storage volume.
● Operating system – Linux or Windows.
EC2 Instance Types
EC2 Instance Types (I)
Purchasing options
2) Spot Instances – Request unused EC2 instances, which can reduce your
4) Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs.
5) Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware.
7) Savings Plan – Reduce your Amazon EC2 costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years.
3) Savings Plan
You can purchase Savings Plans to lower your spend on Dedicated Hosts.
Savings Plans is a flexible pricing model that provides savings of up to 72% on your AWS compute usage. This pricing model offers lower prices on Amazon EC2 instance usage, regardless of instance family, size, OS, tenancy or AWS Region.
EC2 usage is billed in one-second increments, with a minimum of 60 seconds. Similarly, provisioned storage for EBS volumes is billed in per-second increments, with a 60 second minimum. Per-second billing is available for instances launched in: