AWS Certified Cloud Practitioner Exam Guide - cloudsecuritylabs/AWS_Certified_Cloud_Practitioner_Exam_Guide GitHub Wiki
Cloud Computing
- On-demand
- metered
- compute, networking, storage
- available over public internet
- Pay as you go
- OpEx
- Elastic, scalable, fault-tolerant, highly available
Advantages of Cloud computing as per AWS
- https://docs.aws.amazon.com/whitepapers/latest/aws-overview/six-advantages-of-cloud-computing.html
- Trade fixed expense for variable expense
- Benefit from massive economies of scale
- Stop guessing capacity
- Increase speed and agility
- Stop spending money running and maintaining data centers
- Go global in minutes
Virtualization
Hypervisors
- type I
- type II
Cloud Computing Models
IaaS
- EC2, EBS, EFS, VM
PaaS
- Elastic Beanstalk, Azure Functions, App Service, DynamoDB
SaaS
- Gmail, Salesforce, Qualys
Cloud deployment models
- Public cloud (AWS, Azure, GCP)
- Private cloud
- Hybrid cloud
AWS
- Largest market share for public cloud
- nearly 200 services and growing
- Gartner Vendor Rating for AWS - https://www.gartner.com/doc/reprints?id=1-29YJX2Y2&ct=220505&st=sb
- Gartner Magic Quad: 2021 Magic Quadrant for Cloud Infrastructure & Platform Services
AWS Global Infrastructure
- The AWS Global Cloud Infrastructure is the most secure, extensive, and reliable cloud platform, offering over 200 fully featured services from data centers globally
- Visit: https://aws.amazon.com/about-aws/global-infrastructure/
Region:
- a physical location where AWS hosts a cluster of data centers
- has a minimum of 2 AZs
Availability Zones:
- part of a region
- logically and physically separated from each other, within 60 miles
- one or more data centers per AZ
- Synchronous replication is possible between AZs
- AZs are connected by high-bandwidth, low latency metro fiber links.
Edge locations (AWS CloudFront)
- With edge locations, we can cache frequently accessed files on servers located closer to the users
- https://aws.amazon.com/cloudfront/features/?whats-new-cloudfront.sort-by=item.additionalFields.postDateTime&whats-new-cloudfront.sort-order=desc
Regional vs. Global Services vs. On-prem!
- Most AWS services are regional (EC2, RDS, etc.)
- Global services - IAM, CloudFront, Route 53
- On-prem:
- AWS Snow Family (SSDs, compute and networking)
- AWS Storage Gateway
- AWS Outposts (can scale from 1 rack to 96 racks)
Support plans
- Basic
- Developer
- Business
- Enterprise support plan - $15,000 a month; dedicated TAM (Technical Account Manager)
Service Health Dashboards
Trusted Advisor
Personal Health Dashboard (PHD)
AWS AUP (Acceptable Use Policy)
AWS Account
- multiple accounts - dev, UAT, prod, etc.
AWS Organizations
- free service
- similar accounts can be grouped under Organizational Units (OUs)
- Service Control Policies (SCPs) can be applied to OUs
- Consolidated billing (All features or just Consolidated Billing feature)
Consolidated Billing benefit
- single bill for all accounts
- simplified tracking
- volume discount
- consolidated billing is a free service
Core OU recommendations
AWS guide on OUs: https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/recommended-ous.html
- separate into at least two OUs:
- Infrastructure service account
- Security service account
AWS Landing Zones (old) >> AWS Control Tower (new)
- Create AWS Org and multiple AWS accounts
- SSO for IAM
- Federation
- Pre-configured AWS CloudTrail and AWS Config
- Pre-configured recommended guardrails and policies
FREE TIER Benefits
- up to 5 GB of S3 storage for 12 months
- EC2 free - 750 hours a month
- RDS - 750 hours a month
- always free: CloudFormation
Amazon WorkSpaces
- Virtual desktops - Linux or Windows
Amazon Detective
- Analyze and visualize security issues
Redshift
- enterprise grade data warehouse
Billing
AWS Technologies
MFA for root account
- https://aws.amazon.com/iam/features/mfa/
- Add MFA for root user (Warning)
IAM password policies
- password policies can be used to enforce password complexity.
- can be configured from the account setting; you can update the default policy
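As an added example (it is not from this wiki or from AWS), the following Python check reads the shapes returned by `aws iam get-account-summary` (the `SummaryMap`, where `AccountMFAEnabled` is 1 once the root user has an MFA device) and `aws iam get-account-password-policy` (the `PasswordPolicy` map) and reports where root MFA or the password policy falls short of a baseline. The sample responses and the threshold values are constructed assumptions for the illustration, not an AWS rule.

```python
"""Audit root MFA and the IAM password policy against a baseline.

Added example for the MFA and password-policy notes above, not AWS code.
It consumes the SummaryMap from `aws iam get-account-summary` and the
PasswordPolicy map from `aws iam get-account-password-policy` (same shapes
as boto3's get_account_summary / get_account_password_policy).  The sample
responses below are constructed and the thresholds are assumptions.
"""
from typing import Optional

# Baseline thresholds (assumed values for this example).
MIN_LENGTH = 14
REUSE_HISTORY = 24      # previous passwords that may not be reused
MAX_AGE_DAYS = 90
REQUIRED_FLAGS = (
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
)


def audit_account(summary: dict, password_policy: Optional[dict]) -> list:
    """Return a list of findings; an empty list means the baseline is met.

    `summary` is the SummaryMap; `password_policy` is the PasswordPolicy
    map, or None when no custom policy has been set (the AWS default
    password policy then applies).
    """
    findings = []
    # AccountMFAEnabled is 1 when the root user has an MFA device, else 0.
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device enabled")
    if password_policy is None:
        findings.append("no custom password policy set (AWS default applies)")
        return findings
    pp = password_policy
    if pp.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append(f"minimum password length below {MIN_LENGTH}")
    for flag in REQUIRED_FLAGS:
        if not pp.get(flag, False):
            findings.append(f"{flag} is not enforced")
    # PasswordReusePrevention is absent when reuse prevention is off.
    if pp.get("PasswordReusePrevention", 0) < REUSE_HISTORY:
        findings.append(f"password reuse prevention below {REUSE_HISTORY}")
    # MaxPasswordAge only matters when ExpirePasswords is true.
    if not pp.get("ExpirePasswords", False) or pp.get("MaxPasswordAge", 0) > MAX_AGE_DAYS:
        findings.append(f"passwords do not expire within {MAX_AGE_DAYS} days")
    return findings


# Constructed sample responses: root without MFA and a weak custom policy.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "Users": 12, "Groups": 3}
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 5,
}

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_SUMMARY, SAMPLE_POLICY):
        print("FINDING:", finding)
```

Against the constructed sample the check reports five findings (missing root MFA, short minimum length, uppercase not enforced, weak reuse history, no expiry); feeding it the real API output instead of the sample dicts turns it into a quick account-hygiene check.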
IAM users
- root user vs IAM user
- IAM user - username/password
- CLI access - access key ID / secret access key
- service accounts (IAM users used by applications rather than people)
IAM groups
IAM policies
- can be attached to an IAM user, an IAM group, or an IAM role
- enforce principle of least privilege
Types of policies
- Identity-based policies: attached to IAM users, groups or roles. An identity policy cannot be applied to an identity in a different AWS account. However, roles can be granted to identities in a different AWS account to access resources.
- AWS managed policies
- Customer managed policies
- Inline policies - attached to an IAM identity directly
- Resource based policies: attached to AWS resources
- Permission boundaries: policy can be defined as a permission boundary
- Organization Service Control Policies (SCPs):
- Access Control Lists
- Session policies
ARN - Amazon Resource Name
- arn:partition:service:region:account-id:resource-id
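The policy types listed above are combined in a fixed way, and the ARN format is what a policy's `Resource` element is matched against. The Python below is added here as an illustration (it is not from this wiki or from AWS): it parses ARNs, including the empty region and account fields of global services and the extra colon inside Lambda function ARNs, and evaluates a request against an identity policy, a permission boundary and an SCP using the simplified rule that every layer present must allow the request and any explicit Deny wins. All policy documents, ARNs and the account id are constructed samples, and the evaluator deliberately omits resource-based policies, session policies, `Condition` and `NotAction`.

```python
"""Parse ARNs and evaluate a simplified IAM allow/deny decision.

Added example for the policy-type and ARN notes above; not AWS code.  It
models identity-based policies, permission boundaries and SCPs in a single
account only (no resource-based or session policies, no Condition or
NotAction).  The documents, ARNs and account id below are constructed.
"""
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional


class Arn(NamedTuple):
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account-id:resource.

    The resource part may itself contain ':' (Lambda function ARNs) or '/'
    (IAM users, S3 keys), so split on at most five colons and keep the rest
    intact.  Region and account may be empty for global services (IAM, S3).
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[1] or not parts[2]:
        raise ValueError(f"not a valid ARN: {arn!r}")
    return Arn(*parts[1:])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM-style wildcard match ('*' and '?'); action names are
    case-insensitive, resource ARNs are case-sensitive."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return any(_match(a, action, False) for a in actions) and any(
        _match(r, resource, True) for r in resources)


def policy_decision(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


def is_allowed(action: str, resource: str, identity_policy: dict,
               boundary: Optional[dict] = None, scp: Optional[dict] = None) -> bool:
    """Every layer that is present must return Allow; an explicit Deny or a
    missing Allow in any layer means the request is refused."""
    parse_arn(resource)  # reject malformed resource ARNs up front
    layers = [p for p in (scp, boundary, identity_policy) if p is not None]
    return all(policy_decision(p, action, resource) == "Allow" for p in layers)


# Constructed sample documents; 123456789012 is a placeholder account id.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
    ],
}
BOUNDARY = {  # permission boundary: caps the identity policy to read-only S3
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
SCP = {  # organization-level guardrail: nobody may delete buckets
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(parse_arn("arn:aws:lambda:us-east-1:123456789012:function:my-func"))
    print(is_allowed("s3:GetObject", obj, IDENTITY_POLICY, BOUNDARY, SCP))  # True
    print(is_allowed("s3:PutObject", obj, IDENTITY_POLICY, BOUNDARY, SCP))  # False
```

The sample shows why a boundary is useful for least privilege: the identity policy grants `s3:*` and `iam:CreateUser`, but with the boundary attached only read-only S3 on one bucket is effective, and the SCP blocks bucket deletion regardless of what the account's own policies say.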