Udemy AWS SAA - Intro and IAM

MiraMira發表於2024-04-01

How to choose an AWS Region if you need to launch a new app

  1. Compliance: with data governance and legal requirement, data never leaves a region w/o your explicit permission
  2. Proximity: to customers, to reduce latency
  3. Available services: some region doesn't have all services
  4. Pricing: varies region to region

Availability Zones:
each region has many availability zones, usually 3, min is 2, max is 6
each AZ is 1+ discrete data centers with redundant power, networking and connectivity, they are separate from each other, but connected with high bandwidth, ultra-low latency

AWS Points of Presence (Edge Locations)網點

AWS has Global Services

  • ldentity and Access Management (lAM)
  • Route 53 (DNS service)
  • CloudFront (Content Delivery Network)
  • WAF (Web Application Firewall)

Most AWS services are Region-scoped

  • Amazon EC2 (Infrastructure as a Service)
  • Elastic Beanstalk (Platform as a Service)
  • Lambda (Function as a Service)
  • Rekognition (Software as a Service)

ldentity and Access Management (lAM)

  • Root account created by default, shouldn't be used or shared
  • Users are ppl in your org, and can be grouped. After getting a root user, we can create an Admin account, then create users account
  • Groups only contain users, not other groups
  • An user can belong to multiple groups
  • We want the users to use their AWS account
  • Permissions: users or groups can be assigned JSON documents called policies to grant their permissions to the AWS services. Please do Least Privilege Principle : don't give more permission than a user needs

Inline policy: a policy only assigned to one person

IAM Policies Structure

An Example for Permission JSON
The "*" below means any, it permits any action and any resource

Two Ways to Protect Your AWS Account
Password Policy

  • Strong passwords = higher security for your accountIn AWS, you can setup a password policy:
    • Set a minimum password lengthRequire specific character types.including uppercase letters
    • lowercase letters
    • numbers
    • non-alphanumeric charactersAllow all lAM users to change their own passwords
    • Require users to change their password after some time (password expiration)
    • Prevent password re-use

Multi Factor Authentication - MFA

  • Users have access to your account and can possibly change configurations or delete resources in your AWS account
  • You want to protect your Root Accounts and lAM users
  • MFA = password you know + security device you own
  • You can use:
    • Virtual MFA device: Google Authenticator (Phone only), Authy (multi-device);
    • Universal 2nd Factor (U2F) Security Key, ex. YubiKey
    • Hardware Key Fob: Gemalto
    • Hardware Key Fob for AWS GovCloud(US): SurePassID

相關文章