AWS Certified Cloud Practitioner Exam Guide - cloudsecuritylabs/AWS_Certified_Cloud_Practitioner_Exam_Guide Wiki

Cloud Computing

  • On-demand
  • metered
  • compute, networking, storage
  • available over public internet
  • Pay as you go
  • OpEx
  • Elastic, scalable, fault tolerant, highly available

Advantages of Cloud computing as per AWS

Virtualization

Hypervisors

  • type I
  • type II

Cloud Computing Models

IaaS

  • EC2, EBS, EFS, VM

PaaS

  • Elastic Beanstalk, Azure Functions, App Service, DynamoDB

SaaS

  • Gmail, Salesforce, Qualys

Cloud deployment models

  • Public cloud (AWS, Azure, GCP)
  • Private cloud
  • Hybrid cloud

AWS

AWS Global Infrastructure

Region:

  • a physical location where AWS hosts a cluster of data centers
  • has a minimum of 2 AZs

Availability Zones:

  • part of a region
  • logically and physically separated from one another, all within 60 miles
  • each AZ has one or more data centers
  • Synchronous replication is possible between AZs
  • AZs are connected by high-bandwidth, low latency metro fiber links.

Edge locations (AWS CloudFront)

Regional vs. Global Services vs. On-prem!

  • Most AWS services are regional (EC2, RDS, etc.)
  • Global service - IAM, CloudFront, Route 53
  • On-prem:
  1. Amazon Snow Family (SSDs, compute and networking)
  2. Amazon Storage Gateway
  3. Amazon Outposts (can scale from 1 rack to 96 racks)

Support plans

  • Basic
  • Developer
  • Business
  • Enterprise support plan - $15,000 a month; dedicated TAM (Technical Account Manager)

Service Health Dashboards

Trusted Advisor

Personal Health Dashboard (PHD)

AWS AUP (Acceptable Use Policy)

AWS Account

  • multiple accounts - dev, UAT, prod, etc.

AWS Organizations

  • free service
  • similar accounts can be grouped under Organizational Units (OUs)
  • Service Control Policies (SCPs) can be applied to OUs
  • Consolidated billing (All features or just Consolidated Billing feature)

Consolidated Billing benefit

  • single bill for all accounts
  • simplified tracking
  • volume discount
  • consolidated billing is a free service

Core OU recommendations

AWS guide on OUs: https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/recommended-ous.html. Separate into at least two OUs:

  1. Infrastructure service account
  2. Security service account

AWS Landing Zones (old) >> AWS Control Tower (new)

  1. Create AWS Org and multiple AWS accounts
  2. SSO for IAM
  3. Federation
  4. Pre-configured AWS CloudTrail and AWS Config
  5. Pre-configured recommended guardrails and policies

FREE TIER Benefits

  • up to 5 GB of S3 storage for 12 months
  • EC2 free - 750 hours a month
  • RDS - 750 hours a month
  • completely free - always: CloudFormation

Amazon WorkSpaces

  • Virtual desktops - Linux or Windows

Amazon Detective

  • Analyze and visualize security issues

Redshift

  • enterprise grade data warehouse

Billing

AWS Technologies

MFA for root account

IAM password policies

  • password policies can be used to enforce password complexity.
  • can be configured from the account settings; you can update the default policy
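The complexity rules an IAM account password policy can enforce, modelled as a checker. This is an added example and not code from the wiki page: the fields of PasswordPolicy mirror the settings IAM exposes (minimum length plus the uppercase, lowercase, number and symbol requirements), the symbol set is taken from the IAM password policy documentation (an assumption, not something the page states), and the policy values and sample passwords are constructed.

```python
"""Check candidate passwords against an IAM-style account password policy.

Added example, not code from the wiki page. The fields of PasswordPolicy
mirror the settings an IAM account password policy exposes (minimum length
and the four character-class requirements); the policy values and the
sample passwords below are constructed.
"""
import string
from dataclasses import dataclass
from typing import List

# Non-alphanumeric characters IAM counts toward the "symbols" requirement
# (assumption: taken from the IAM password policy documentation).
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int = 14       # constructed value; IAM accepts 6 to 128
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_numbers: bool = True
    require_symbols: bool = True


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the rules the password violates; an empty list means compliant."""
    violations = []
    if len(password) < policy.minimum_length:
        violations.append(f"shorter than {policy.minimum_length} characters")
    if policy.require_uppercase and not any(c in string.ascii_uppercase for c in password):
        violations.append("no uppercase letter")
    if policy.require_lowercase and not any(c in string.ascii_lowercase for c in password):
        violations.append("no lowercase letter")
    if policy.require_numbers and not any(c in string.digits for c in password):
        violations.append("no digit")
    if policy.require_symbols and not any(c in IAM_SYMBOLS for c in password):
        violations.append("no symbol")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("summer2024", "Correct-Horse-Battery-9"):   # constructed
        problems = check_password(candidate, policy)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```

The checker returns every violated rule rather than stopping at the first, which is what a user-facing error message needs; the account-level policy itself is set once in the IAM console or API and applies to every IAM user's console password.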

IAM users

  • root user vs IAM user
  • IAM user - username/password
  • CLI access - access key ID / secret access key
  • service accounts (IAM accounts)

IAM groups

IAM policies

  • can be attached to a given IAM user, IAM group, or IAM role
  • enforce principle of least privilege

Types of policies

  1. Identity-based policies: attached to an IAM user, group or role. An identity-based policy cannot be applied to an identity in a different AWS account; however, identities in a different AWS account can be allowed to assume a role in order to access resources.
  • AWS managed policies
  • Customer managed policies
  • Inline policies - embedded directly in a single IAM identity
  2. Resource-based policies: attached to AWS resources
  3. Permissions boundaries: a managed policy can be set as a permissions boundary to cap the maximum permissions of an identity
  4. Organization Service Control Policies (SCPs)
  5. Access Control Lists (ACLs)
  6. Session policies

ARN - Amazon Resource Name

  • arn:partition:service:region:account-id:resource-id
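A parser for the ARN layout above, as an added example that is not code from the wiki page. It goes beyond the single form listed by also handling the `resource-type/resource-id` and `resource-type:resource-id` variants and the empty region (IAM, S3) and account (S3, AWS managed policies) fields of global services; the sample ARNs are constructed, and 123456789012 is the placeholder account id AWS uses in its documentation.

```python
"""Parse Amazon Resource Names (ARNs) into their components.

Added example, not code from the wiki page. It handles the three documented
resource layouts:
    arn:partition:service:region:account-id:resource-id
    arn:partition:service:region:account-id:resource-type/resource-id
    arn:partition:service:region:account-id:resource-type:resource-id
Global services such as IAM leave region empty, and S3 leaves both region
and account-id empty. The sample ARNs are constructed; 123456789012 is the
account id used as a placeholder in AWS documentation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account_id: str
    resource_type: Optional[str]
    resource_id: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields; raise ValueError on malformed input."""
    # The resource segment may itself contain ':' or '/', so split at most 5 times.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if not (partition and service and resource):
        raise ValueError(f"ARN is missing a required field: {arn!r}")
    # Account is empty for S3, the literal 'aws' for AWS managed IAM policies,
    # and a 12-digit account number otherwise.
    if account_id not in ("", "aws") and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")

    # 'type/id' and 'type:id' both occur; cut at whichever separator comes first.
    # For S3 object ARNs the 'type' slot holds the bucket name.
    resource_type: Optional[str] = None
    resource_id = resource
    separators = [i for i in (resource.find("/"), resource.find(":")) if i != -1]
    if separators:
        cut = min(separators)
        resource_type, resource_id = resource[:cut], resource[cut + 1:]
    return Arn(partition, service, region, account_id, resource_type, resource_id)


def is_global_service_arn(arn: Arn) -> bool:
    """Global services (IAM, CloudFront, Route 53, S3) carry no region."""
    return arn.region == ""


if __name__ == "__main__":
    for sample in (  # constructed sample ARNs
        "arn:aws:iam::123456789012:user/alice",
        "arn:aws:iam::aws:policy/ReadOnlyAccess",
        "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
        "arn:aws:lambda:eu-west-1:123456789012:function:audit-exporter",
        "arn:aws:s3:::example-logs/2024/01/trail.json",
    ):
        print(parse_arn(sample))
```

Splitting on at most five colons is the important detail: a Lambda function ARN keeps a colon inside its resource segment, and an S3 object key may contain any number of slashes, so a naive split on every separator would misread both.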

IAM Policy Simulator
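How the policy types listed under "Types of policies" combine when a request is evaluated, written as a small simulator in the spirit of the IAM Policy Simulator. This is an added example, not code from the wiki page and not the AWS policy engine: it implements the documented precedence for a same-account request with no resource-based policy (an explicit Deny in any layer wins, then the SCP, the permissions boundary and at least one identity-based policy must each Allow). The policy documents, bucket name and request values are constructed, and wildcard matching uses Python's fnmatch rather than IAM's matcher.

```python
"""Minimal, simplified model of how IAM evaluates a request across policy types.

Added example, not code from the wiki page and not the AWS policy engine.
It implements the documented precedence for a same-account request with no
resource-based policy: an explicit Deny anywhere wins, then the SCP, the
permissions boundary and an identity-based policy must each Allow.
Policies below are constructed; wildcards are matched with fnmatch.
"""
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional, Tuple


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource patterns cover the request."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(fnmatchcase(action, a) for a in actions) and any(
        fnmatchcase(resource, r) for r in resources)


def _decision(policy: Optional[dict], action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    if policy is None:
        return "Allow"  # no boundary / no SCP attached means no restriction
    result = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement", [])):
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins within a document
            result = "Allow"
    return result


def evaluate(action: str, resource: str, identity_policies: Iterable[dict],
             permissions_boundary: Optional[dict] = None,
             scp: Optional[dict] = None) -> Tuple[bool, str]:
    """Simplified evaluation; returns (allowed, reason)."""
    scp_d = _decision(scp, action, resource)
    boundary_d = _decision(permissions_boundary, action, resource)
    identity_ds: List[str] = [_decision(p, action, resource) for p in identity_policies]

    # 1. Any explicit Deny ends evaluation.
    if scp_d == "Deny":
        return False, "explicit deny in SCP"
    if boundary_d == "Deny":
        return False, "explicit deny in permissions boundary"
    if "Deny" in identity_ds:
        return False, "explicit deny in identity policy"
    # 2. Every restricting layer must allow; the identity policy grants the permission.
    if scp_d != "Allow":
        return False, "not allowed by SCP"
    if boundary_d != "Allow":
        return False, "not allowed by permissions boundary"
    if "Allow" not in identity_ds:
        return False, "implicit deny: no identity policy allows it"
    return True, "allowed"


# Constructed least-privilege identity policy: read one bucket only.
READ_LOGS_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]}],
}

# Constructed identity policy that grants everything, to show the boundary capping it.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed permissions boundary: whatever else is granted, only S3 reads are possible.
S3_READ_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}

# Constructed SCP: allow everything except deleting CloudTrail trails, org-wide.
PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                  {"Effect": "Deny", "Action": "cloudtrail:DeleteTrail", "Resource": "*"}],
}


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-logs/2024/01/trail.json"  # constructed
    print(evaluate("s3:GetObject", obj, [READ_LOGS_BUCKET], S3_READ_ONLY_BOUNDARY, PROTECT_CLOUDTRAIL_SCP))
    print(evaluate("s3:PutObject", obj, [ADMIN], S3_READ_ONLY_BOUNDARY, PROTECT_CLOUDTRAIL_SCP))
    print(evaluate("cloudtrail:DeleteTrail", "*", [ADMIN], None, PROTECT_CLOUDTRAIL_SCP))
```

The three calls under `__main__` show the layering from the notes: the least-privilege identity policy is enough for a read of the intended bucket, an administrator policy still cannot write because the permissions boundary caps it, and no identity-level grant can override the SCP's explicit deny on deleting a trail.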