AWS SAA Student Guide
Printed by: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.

© 2023 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections, feedback, or other questions? Contact us at https://support.aws.amazon.com/#/contacts/aws-training. All trademarks are the property of their owners.

AWS Training and Certification: Architecting on AWS

Contents
Course Introduction 4
Module 1: Architecting Fundamentals 28
Module 2: Account Security
Module 3: Networking 1 114
Module 4: Compute 160
Module 5: Storage 218
Module 6: Database Services 278
Module 7: Monitoring and Scaling 333
Module 8: Automation 396
Module 9: Containers 423
Module 10: Networking 2 459
Module 11: Serverless 498
Module 12: Edge Services 545
Module 13: Backup and Recovery 600
Course Summary 647

Course Introduction
Preparing for class

Logistics
+ Breaks and lunch
+ Security
+ Cell phones
+ Virtual classroom features
+ Audio
+ Chat
+ Raise hand

Prerequisites
We recommend that course attendees complete one of the following prerequisites:
1. AWS Cloud Practitioner Essentials (CPE)
2. AWS Technical Essentials
3. Build a working knowledge of:
+ Distributed systems
+ Networking concepts
+ IP addressing
+ Cloud computing concepts

If you have this working knowledge and have not taken AWS Cloud Practitioner Essentials, familiarize yourself with AWS basic cloud services by visiting "AWS Cloud Practitioner Essentials" in AWS Skill Builder (https://explore.skillbuilder.aws/learn/course/external/view/elearning/134/aws-cloud-practitioner-essentials).
Register for access to guides and lab environments
Make sure you register for AWS Builder Labs.
+ Refer to your welcome email for registration information.

Check your inbox for a welcome email from your instructor. In this email, you will find your unique student registration URL for the class. Use this URL to create an account or log in to your existing AWS Builder Labs account. In AWS Builder Labs, you can access your lab environments, Lab Guide, and Student Guide.

Student and lab guides
At this time, you should be logged into AWS Builder Labs. From here, you can access your Lab Guide and Student Guide, which are located in eVantage Bookshelf (VitalSource). Buttons for the Lab Guide and Student Guide are located at the top corner of your AWS Builder Labs page. The Lab Guide and Student Guide buttons will be greyed out until the start of the class.

Once the class starts, select either button to access your guides. You will be prompted to log in with your existing eVantage Bookshelf (VitalSource) account or to create a new account. Once you log in to eVantage Bookshelf (VitalSource), you will have access to the student and lab guides for the class. You can access your guides online or download them. Use these guides to follow along with the course and as a reference after the training.
Lab requirements
+ Computer running Windows, macOS, or Linux (Ubuntu, SUSE, or Red Hat)
+ Reliable internet connection, able to browse the internet using HTTPS
+ Recommended web browser: Google Chrome, Mozilla Firefox, or Microsoft Edge
+ Register for AWS Builder Labs
+ Turn off ad and script blockers

About you
Tell us the following:
+ First name
+ Organization and role
+ What do you expect of this course?

Course overview
Course objectives (slide text largely illegible; the recoverable fragment reads "... to architect resilient ...")
Day 1 agenda
+ Module 1: Architecting Fundamentals (45 minutes)
+ Lab 1: Explore and interact with the AWS Management Console and AWS Command Line Interface (35 minutes)
+ Module 2: Account Security
+ Module 3: Networking 1
+ Module 4: Compute
+ Lab 2: Build your Amazon VPC infrastructure (45 minutes)

Day 2 agenda (slide text partly illegible)
+ Module 5: Storage
+ Module 6: Database Services
+ Lab 3 (title illegible)
+ Module 7: Monitoring and Scaling
+ Lab 4: Configure high availability in your Amazon VPC
+ Module 8: Automation

Day 3 agenda (slide text partly illegible)
+ Module 10: Networking 2
+ Lab 5 (title illegible)
+ Module 12: Edge Services (50 minutes)
+ Lab 6: Configure an Amazon CloudFront distribution with an Amazon ... (remainder illegible)

Capstone lab
+ Review and analyze architectural solutions based on project data, best practices, and the AWS Well-Architected Framework.
+ Design the architecture in a lab, without specific guidance.

The capstone lab is the final project for this course.
During the lab, you are provided with a scenario that discusses a business need. Review the requirements and use what you have learned in this course to complete the list of tasks. You learn more about the capstone lab at the end of this course.

Capstone architecture
This is the multi-tier architecture you build in the capstone lab. During check-ins, you discuss specific services outlined here and how they interact with each other.

For accessibility: A single AWS Region with one VPC and two Availability Zones. Each Availability Zone contains a public subnet, an app subnet, and a database subnet. An arrow from outside the VPC points to an Application Load Balancer, not in a subnet or Availability Zone. The arrow continues to the Auto Scaling group that has app servers in the app subnets of both Availability Zones. Each app server communicates with an EFS mount target in its own subnet to reach the Amazon EFS file system, which is not inside an Availability Zone. All app servers communicate with an Aurora primary DB instance in one of the database subnets. The other database subnet holds the Aurora replica. A dashed arrow points between the Aurora primary and Aurora replica. Arrows point away from the app servers and travel through each Availability Zone's NAT gateway. The NAT gateways are located in the public subnet of each Availability Zone. The arrows travel through each NAT gateway and through the internet gateway to exit the VPC and Region. End description.
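The routing rules implied by the capstone diagram (public subnets default-route to the internet gateway, app subnets reach the internet only through the NAT gateway in the public subnet of their own Availability Zone, database subnets have no default route at all) can be verified mechanically. The Python below is an added example written for this edit; it is not part of the student guide or of any AWS tool. The Subnet class, subnet names, CIDRs, route tables and NAT gateway identifiers are constructed sample data that follow the diagram, and the checks cover the general three-tier, multi-AZ pattern rather than only this one instance.

```python
"""Added example (not from the AWS student guide): checks a VPC subnet layout
against the three-tier, two-AZ pattern of the capstone diagram.

All subnet names, CIDRs, route targets and NAT gateway ids are constructed
sample data; "igw" and "local" are used as simple stand-ins for route targets.
"""
from dataclasses import dataclass, field


@dataclass
class Subnet:
    name: str
    az: str
    tier: str                                    # "public", "app" or "database"
    routes: dict = field(default_factory=dict)   # destination CIDR -> target


# Constructed layout that matches the diagram: one VPC, two AZs, three tiers each.
GOOD_LAYOUT = [
    Subnet("public-a",   "az-a", "public",   {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"}),
    Subnet("public-b",   "az-b", "public",   {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"}),
    Subnet("app-a",      "az-a", "app",      {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-az-a"}),
    Subnet("app-b",      "az-b", "app",      {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-az-b"}),
    Subnet("database-a", "az-a", "database", {"10.0.0.0/16": "local"}),
    Subnet("database-b", "az-b", "database", {"10.0.0.0/16": "local"}),
]

# Constructed mapping: NAT gateway id -> name of the subnet that hosts it.
NAT_GATEWAYS = {"nat-az-a": "public-a", "nat-az-b": "public-b"}


def check_layout(subnets, nat_gateways):
    """Return a list of findings; an empty list means the layout matches the pattern."""
    findings = []
    by_name = {s.name: s for s in subnets}
    azs = {s.az for s in subnets}

    # The diagram spreads every tier over two Availability Zones.
    if len(azs) < 2:
        findings.append("fewer than two Availability Zones")
    for az in sorted(azs):
        tiers = {s.tier for s in subnets if s.az == az}
        for tier in ("public", "app", "database"):
            if tier not in tiers:
                findings.append(f"{az}: missing {tier} subnet")

    # Per-subnet routing rules for each tier.
    for s in subnets:
        default = s.routes.get("0.0.0.0/0")
        if s.tier == "public" and default != "igw":
            findings.append(f"{s.name}: public subnet must default-route to the internet gateway")
        elif s.tier == "app":
            host = by_name.get(nat_gateways.get(default))
            if host is None:
                findings.append(f"{s.name}: app subnet must default-route to a NAT gateway")
            elif host.tier != "public" or host.az != s.az:
                findings.append(f"{s.name}: NAT gateway {default} must sit in the public subnet of {s.az}")
        elif s.tier == "database" and default is not None:
            findings.append(f"{s.name}: database subnet must have no default route")
    return findings


# Constructed mistake: app-b is pointed straight at the internet gateway instead of
# its NAT gateway, giving those app servers a direct internet path the diagram does
# not allow (and, with public IPs, an inbound one).
BAD_LAYOUT = [Subnet(s.name, s.az, s.tier, dict(s.routes)) for s in GOOD_LAYOUT]
BAD_LAYOUT[3].routes["0.0.0.0/0"] = "igw"


if __name__ == "__main__":
    print("good layout:", check_layout(GOOD_LAYOUT, NAT_GATEWAYS))   # []
    print("bad layout: ", check_layout(BAD_LAYOUT, NAT_GATEWAYS))
```

The per-AZ NAT check matters for resilience as well as routing hygiene: if both app subnets used the NAT gateway in one Availability Zone, losing that zone would also cut outbound access for the surviving app servers. Feeding real route tables into check_layout would need a small adapter from the VPC API output to Subnet objects, which this example does not include.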
Module format
Polls and knowledge checks
+ Questions for the instructor

Each module starts with a check-in poll question. Then you are introduced to a stakeholder at the beginning of each module. They have brought business requests to you. Their questions have informed you of what you should research to support Example Corp. in their cloud journey. Your instructor prepares you to present solutions to the stakeholder by teaching you about services and best practices for building on AWS.

At the end of each module, your instructor asks 2-5 questions to help you review the topics and services covered in the module. In some sections, you also check in on the capstone architecture to see what you have learned that relates to the final capstone lab.

If you are attending virtually, use the live group chat to raise your hand and ask questions.

Business request
The chief technology officer has hired you as a solutions architect to work on a number of projects for Example Corp. Pay attention to what your stakeholder needs to know; it is your job to help them in their journey in the AWS Cloud.

The business request page at the beginning of the module is structured like this. At the end of the module, you review the questions asked by the stakeholder and provide solutions to fit their use case.
Supplemental learning

Online Course Supplement (OCS)
Architecting on AWS Online Course Supplement (OCS)

You can use the Online Course Supplement (OCS) to continue your journey after you complete this course. You can also use it to dive deeper on topics not covered in detail in this course.

AWS documentation resources
As part of their role, solutions architects research topics and find additional information about features and services to make decisions. AWS services are constantly improving and evolving. Use AWS documentation to find user guides, developer guides, API references, tutorials, and more. Documentation is provided in HTML, PDF, and GitHub.

To find user guides, developer guides, API references, tutorials, and more, see "AWS Documentation" (https://docs.aws.amazon.com/).
Module 1: Architecting Fundamentals

Check-in poll
How far is your organization in its journey to the AWS Cloud?
A. We're just getting started.
B. We already have prototypes running.
C. We have production workloads running.
D. We run 100 percent of our operations in the AWS Cloud.

Module overview
+ Business request
+ AWS services
+ AWS infrastructure
+ AWS Well-Architected Framework
+ Present solutions
+ Knowledge check
+ Lab 1: Explore and interact with the AWS Management Console and AWS Command Line Interface

Business request
The chief technology officer (CTO) wants you to explore the following questions:
+ What are the benefits of using AWS services?
+ How is the AWS global infrastructure organized?
+ How can we build our cloud infrastructure according to best practices?

Imagine you are meeting with your CTO as you prepare to build in AWS. As you familiarize yourself with AWS, here are some questions to consider as you navigate this module. During this module, you learn about topics that answer these questions.

AWS services
The CTO asks during the project meeting, "What are the benefits of using AWS services?"

The company is interested in learning about AWS services and tools that would best fit their needs.

Amazon Web Services
+ Global data centers
+ More than 200 services
+ Secure and robust
+ Pay as you go
+ Built for business needs

AWS is the world's most comprehensive and broadly adopted cloud solution. AWS offers services such as compute, database, and storage. The AWS model, and its security practices, have made AWS the preferred cloud solution for businesses and organizations.

AWS has been delivering cloud services to customers around the world running a wide variety of use cases. AWS has the most operational experience of any cloud provider, and at a greater scale. AWS has unmatched experience, reliability, and performance, and an unmatched security record.
AWS is continually accelerating its pace of innovation to invent new technologies you can use to transform your business. Millions of customers, small and large, are using AWS to lower costs, become more agile, and innovate faster.

Why customers move to AWS
Customers move to AWS to increase agility.
+ Accelerate time to market - By spending less time acquiring and managing infrastructure, you can focus on developing features that deliver value to your customers.
+ Increase innovation - You can speed your digital transformation using AWS, which provides tools to more easily access the latest technologies and best practices. For example, you can use AWS to develop automations, adopt containerization, and use machine learning.
+ Scale seamlessly - You can provision additional resources to support new features and scale existing resources up or down to match demand.

Customers also move to AWS to reduce complexity and risk.
+ Optimize costs - You can reduce costs by paying for only what you use. Instead of paying for on-premises hardware, which you might not be using at full capacity, you can pay for compute resources only while you are using them.
+ Minimize security vulnerabilities - Moving to AWS puts your applications and data behind the advanced physical security of the AWS data centers. With AWS, you have many tools to manage access to your resources.
+ Reduce management complexity - Using AWS services can reduce the need to maintain physical data centers, perform hardware maintenance, and manage physical infrastructure.
For more information about the advantages of migrating your business to the cloud, see "The future of business is here" (https://aws.amazon.com/campaigns/migrating-to-the-cloud/).

AWS service categories
AWS offers a broad set of global cloud-based products, including compute, storage, database, analytics, networking, mobile, developer tools, management tools, Internet of Things (IoT), security, and enterprise applications. These services help organizations move faster, scale, and lower IT costs. AWS covers infrastructure, foundation, and application services.

This course focuses on the AWS services highlighted on this slide. For more information, see "Cloud Products" (https://aws.amazon.com/products/).

AWS infrastructure
The CTO asks during the project meeting, "How is AWS global infrastructure organized?"

In this section, you explore the AWS infrastructure.
AWS infrastructure topics

AWS data centers
+ AWS services operate within AWS data centers.
+ Data centers host thousands of servers.
+ Each location uses AWS proprietary network equipment.
+ Data centers are organized into Availability Zones.

AWS pioneered cloud computing in 2006 to provide rapid and secure infrastructure. AWS continuously innovates on the design and systems of data centers to protect them from man-made and natural risks. Today, AWS provides data centers at a large, global scale.

AWS implements controls, builds automated systems, and conducts third-party audits to confirm security and compliance. As a result, the most highly regulated organizations in the world trust AWS every day.

To learn how AWS secures the data centers, see "Our Data Centers" (https://aws.amazon.com/compliance/data-centers/).

Availability Zones (AZs)
Availability Zones are:
+ Data centers in a Region
+ Designed for fault isolation
+ Interconnected using high-speed private links
+ Used to achieve high availability

A group of one or more data centers is called an Availability Zone. An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
When you launch an instance, you can select an Availability Zone or let AWS choose one for you. If you distribute your instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests.

To review Availability Zone information, see "Global Infrastructure" (https://aws.amazon.com/about-aws/global-infrastructure/).

AWS Regions
Each Region:
+ Is completely independent
+ Uses AWS network infrastructure
+ Has multiple Availability Zones

Each AWS Region consists of multiple isolated and physical Availability Zones within a geographic area. This achieves the greatest possible fault tolerance and stability. In your account, you can enable the Regions you need.

When you view your resources, you see only the resources in the Region you selected in the console. This is because Regions are isolated from each other, and AWS does not automatically replicate resources across Regions.

You can run applications and workloads from a Region to reduce latency to end users. You can do this while avoiding the upfront expenses, long-term commitments, and scaling challenges associated with maintaining and operating a global infrastructure.

For more information about AWS Regions, see "Regions and Availability Zones" (https://aws.amazon.com/about-aws/global-infrastructure/regions_az/).
Factors impacting Region selection
Choosing the right Region is important. You must determine the right Region for your services, applications, and data, based on the following factors:
+ Governance and legal requirements - Consider any legal requirements based on data governance, sovereignty, or privacy laws.
+ Latency - Close proximity to customers means better performance.
+ Service availability - Not all AWS services are available in all Regions.
+ Cost - Different Regions have different costs. Research the pricing for the services you plan to use and compare costs to make the best decision for your workloads.

AWS Local Zones
Use cases:
+ Media and entertainment content creation
+ Real-time gaming
+ Machine learning
+ Live video streaming
+ Augmented reality (AR) and virtual reality (VR)

Slide columns (partly illegible): AWS infrastructure at the edge; local compute, storage, and database services; connecting to AWS Regions; delivering new low-latency applications.

You can use AWS Local Zones for highly demanding applications that require single-digit millisecond latency to end users, for example:
+ Media and entertainment content creation - Includes live production, video editing, and graphics-intensive virtual workstations for artists in geographic proximity
+ Real-time multiplayer gaming - Includes real-time multiplayer game sessions, to maintain a reliable gameplay experience
+ Machine learning hosting and training - For high-performance, low-latency inferencing
+ Augmented reality (AR) and virtual reality (VR) - Includes immersive entertainment, data-driven insights, and engaging virtual training experiences

Customers can innovate faster because chip designers and verification engineers solve complex, compute-intensive, and latency-sensitive problems using application and desktop streaming services in AWS Local Zones.

For more information, see "AWS Local Zones" (https://aws.amazon.com/about-aws/global-infrastructure/localzones/).

Edge locations
An edge location is the nearest point to a requester of an AWS service. Edge locations are located in major cities around the world. They receive requests and cache copies of your content for faster delivery.

To deliver content to end users with lower latency, you use a global network of edge locations that support AWS services. CloudFront delivers customer content through a worldwide network of points of presence (PoP) locations, which consists of edge locations and Regional edge cache servers.
Regional edge caches, used by default with CloudFront, are used when you have content that is not accessed frequently enough to remain in an edge location. Regional edge caches absorb this content and provide an alternative to needing to retrieve that content from the origin server.

For more information, see "Amazon CloudFront Key Features" (https://aws.amazon.com/cloudfront/features/).

One common use for edge locations is to serve content closer to your customers. This diagram shows an example of a video file stored in Amazon Simple Storage Service (Amazon S3) in South America. The file is cached to an edge location near the customer to serve the video file faster to a customer in Asia.

AWS Local Zone and edge location features
AWS Local Zones:
+ Low latency
+ Local data processing
+ Consistent AWS experience

Edge locations:
+ Caching of data
+ Fast delivery of content
+ Better user experience

When should you use AWS Local Zones? You should use AWS Local Zones to deploy AWS compute, storage, database, and other services closer to your end users for low-latency requirements. With AWS Local Zones, you can use the same AWS infrastructure, services, APIs, and toolsets that you are familiar with in the cloud.

When should you use edge locations? You should use edge locations for caching the data (content) to provide fast delivery of content for users.
Using edge locations allows for a better user experience, providing faster delivery to users at any location.

AWS Well-Architected

The CTO asks during the project meeting, "How can we build our cloud infrastructure according to best practices?"

The AWS Well-Architected Framework provides consistent guidance for AWS architecting best practices.

AWS architect responsibilities
+ Set technical cloud strategy
+ Investigate cloud services
+ Design the transformation with business leads, including specs and a workload roadmap with milestones

AWS Well-Architected Framework pillars

[Slide: the six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability]

Creating technology solutions is a lot like constructing a physical building.
If the foundation is not solid, it can cause structural problems that undermine the integrity and function of the building. The AWS Well-Architected Framework helps cloud architects build secure, high-performing, resilient, and efficient application infrastructures. It is a consistent approach for customers and partners to evaluate architectures and implement designs that can scale over time.

The AWS Well-Architected Framework started as a whitepaper. It has expanded to include domain-specific lenses, hands-on labs, and the AWS Well-Architected Tool (AWS WA Tool).

The architectural reviews focus on the following:
+ Security - Use AWS security best practices to build policies and processes to protect data and assets. Allow auditing and traceability. Monitor, alert, and audit actions and changes to your environment in real time.
+ Cost optimization - Achieve cost efficiency while considering fluctuating resource needs.
+ Reliability - Meet well-defined operational thresholds for applications. This includes support to recover from failures, handling increased demand, and mitigating disruption.
+ Performance efficiency - Deliver efficient performance for a set of resources like instances, storage, databases, space, and time.
+ Operational excellence - Run and monitor systems that deliver business value. Continually improve supporting processes and procedures.
+ Sustainability - Minimize and understand your environmental impact when running cloud workloads.

With the tool, you can gather data and get recommendations to:
+ Minimize system failures and operational costs.
+ Dive deep into business and infrastructure processes.
+ Provide best practice guidance.
+ Deliver on the cloud computing value proposition.

For more information about related labs, see "AWS Well-Architected Labs" (https://www.wellarchi...).
For more information about the AWS WA Tool, see "AWS Well-Architected Tool" (https://aws.amazon.com/well-architected-tool/). For more information about the console, see AWS Well-Architected Tool in the AWS Management Console (https://console.aws.amazon.com/wellarchitected/).

AWS Well-Architected Tool
+ Based on the AWS Well-Architected Framework
+ Can review your applications and workloads
+ Central place for AWS Well-Architected best practices
+ Used in tens of thousands of workload reviews

[Slide: AWS WA Tool workflow: define and review the workload, then apply best practices]

The AWS WA Tool is a self-service tool you can use to review the state of your workloads and compare them to the latest AWS architectural best practices. It is designed to help architects and their managers review AWS workloads without the need for an AWS solutions architect (SA). This service is based on the AWS Well-Architected Framework.

To complete a Well-Architected review, use the tool in the console. All details are stored securely in your account. You can share results with your SA or partner resource for collaboration on the review or remediation steps.

For more information about AWS WA Tool best practices, see "New - AWS Well-Architected Tool - Review Workloads Against Best Practices" in the AWS News Blog (https://aws.amazon.com/blogs/aws/new-aws-well-...).
For more information about the AWS Well-Architected Framework, see "AWS Well-Architected" (https://aws.amazon.com/architecture/well-architected/).

Present solutions

Consider how you would answer the following questions:
+ What are the benefits of using AWS services?
+ How is the AWS global infrastructure organized?
+ How can we build our cloud infrastructure according to best practices?

Imagine you are now ready to talk to the Chief Technology Officer, discuss what you have learned, and present solutions.

Think about how you would answer the questions from the beginning of the lesson. Your answers should include the following solutions:
+ Use AWS services to increase agility while decreasing complexity and risk.
+ AWS global infrastructure is organized into AWS Regions. These Regions contain Availability Zones. You can also use AWS Local Zones and edge locations.
+ Use the Well-Architected Framework, which helps cloud architects build secure, high-performing, resilient, and efficient application infrastructures.
Module review

In this module you learned about:
+ AWS services
+ AWS infrastructure
+ AWS Well-Architected Framework

Next, you will review:
+ Knowledge check
+ Lab introduction

Knowledge check

Knowledge check question 1
A. Monitor alarms for disaster response.
B. Maintain application-level code in the AWS Cloud.
C. Manage access to a group of AWS accounts.
D. Analyze solutions for business needs and requirements.

Knowledge check question 1 and answer

The correct answer is D. AWS architects analyze solutions for business needs and requirements.

To learn more about being a successful solutions architect on AWS, see "Successful solutions architects do these five things" on the AWS Training and Certification Blog (https://aws.amazon.com/blogs/training-and-certification/successful-solutions-architects-do-these-five-things/).
Knowledge check question 2
A. Availability Zone
B. Region
C. Edge location
D. Outposts

Knowledge check question 2 and answer

The correct answer is A, Availability Zone.

An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. For more information, see "Regions and Availability Zones" (https://aws.amazon.com/about-aws/global-infrastructure/regions_az/).

Knowledge check question 3
+ Local data regulations
+ Operating system requirements
+ Latency to end users
+ Support for hybrid networking
+ Programming language of your application
Knowledge check question 3 and answer

The correct answers are local data regulations and latency to end users.

Choosing the right AWS Region is important. You must determine the right Region for your services, applications, and data, based on the following factors:
1. Governance and legal requirements - Consider any legal requirements based on data governance, sovereignty, or privacy laws.
2. Latency - Close proximity to customers means better performance.
3. Service availability - Not all AWS services are available in all Regions.
4. Cost - Different Regions have different costs. Research the pricing for the services you plan to use and compare costs to make the best decision for your workloads.

Knowledge check question 4
A. Stronger security policies for resources
B. Decreased latency to resources
C. High availability for resources
D. There is no benefit to this design

Knowledge check question 4 and answer

The correct answer is C, high availability for resources.
Availability Zones are multiple isolated areas within a particular geographic location. When you launch an instance, you can select an Availability Zone or let AWS choose one for you. If you distribute your instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests.

Knowledge check question 5
A. Operational excellence
B. Security
C. Resilience
D. Performance efficiency

Knowledge check question 5 and answer

The correct answer is B, security.

The principle of least privilege (POLP) is a concept in computer security that limits users' access rights to only what is strictly required to do their jobs.

Lab 1: Explore and interact with the AWS Management Console and AWS Command Line Interface
Connecting to an AWS service

[Slide: the AWS Management Console, the AWS CLI, and the AWS SDKs all calling the same AWS API]

You can use the following tools to interact with AWS:
+ AWS Management Console - This is the easiest place to start interacting with AWS services. It is a graphical user interface (GUI) to manage your AWS account and take actions.
+ AWS Command Line Interface (AWS CLI) - This is a tool to manage AWS services using the command line. AWS CLI version 1 is preinstalled on Amazon Linux and Amazon Linux 2 distributions.
+ Software development kits (SDKs) - AWS provides AWS SDKs and the AWS Cloud Development Kit (AWS CDK) in many common programming languages. You use these software development frameworks for defining and provisioning your cloud infrastructure using code.

All of these tools connect to the same underlying AWS API to create resources and manage your AWS services. Because every path ends at the same API, a permission granted or denied in IAM applies in the same way whether the caller uses the console, the CLI, or an SDK.

To learn about installing, updating, and uninstalling the AWS CLI, see "Installing or updating the latest version of the AWS CLI" in the AWS Command Line Interface User Guide for Version 2 (https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).

To learn how to get started using the AWS CDK, see "Getting started with the AWS CDK" in the AWS Cloud Development Kit (CDK) v2 Developer Guide (https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html).

Lab tasks
End of Module 1

Module 2: Account Security

How many AWS accounts does your organization use?
A. 1
B. 2-10
C. More than 10
D. I don't know

Module overview
+ Business requests
+ Principals and identities
+ Security policies
+ Managing multiple accounts
+ Module review
+ Knowledge check
Business requests

The security specialist needs to know:
+ What are the best practices to manage access to AWS accounts and resources?
+ How can we give users access to only the resources they need?
+ What is the best way to manage multiple accounts?

Imagine your security specialist meets with you to discuss how to start building accounts with least privilege in AWS. Here are some questions they are asking about account security. At the end of this module, you meet with the security specialist and present some solutions.

AWS account root user

A root user:
+ Has full access to all AWS services
+ Cannot be restricted in a single-account model
+ Should not be used for day-to-day interactions with AWS

No IAM policy can limit the root user of its own account. Only a service control policy applied from AWS Organizations to a member account restricts what that account's root user can do, which is one reason the multi-account model covered later in this module matters.

When you first create an AWS account, you begin with a root user. This user has complete access to all AWS services and resources in the account. Access the root user identity by signing in with the email address and password provided when you created the account.

AWS strongly recommends that you not use root user credentials for day-to-day interactions with AWS. Create users for everyday tasks. You can manage and audit users with relative ease.

Create your additional users and assign permissions to these users following the principle of least privilege.
Grant users only the level of access they require and nothing more. You can start by creating an administrator user. Manage the account with the administrator user instead of the root user.

As a best practice, require multi-factor authentication (MFA) for your root user. It provides you with an extra layer of security for your AWS accounts. Use your root user only for tasks that require it. Do not create access keys for the root user, and delete any that exist, because no IAM policy can limit what a leaked root access key can do.

For information about the root user, see "AWS account root user" in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html).

For information about least privilege and IAM best practices, see "Grant least privilege" in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).

AWS Identity and Access Management (IAM)
+ Users, groups, and roles
+ Credentials
+ Manage access to AWS services and resources
+ Authentication and authorization

IAM is a web service that helps you securely control access to AWS resources. Use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Think of IAM as the tool to centrally manage access to launching, configuring, managing, and terminating your resources. You have granular control over access permissions. This control is based on resources and helps you define who has permissions to which API calls. You manage access in AWS by creating and using security policies.

You learn about IAM users, IAM user groups, and roles in this section.

For more information about IAM, see "What is IAM?"
in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).

For more information about policy types and their uses, see "Policies and permissions in IAM" (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html).

Principals

A principal:
+ Can make a request for an action or operation on an AWS resource
+ Can be a person, application, federated user, or assumed role

[Slide: IAM user, IAM role, federated user, and AWS service shown as principals]

A principal is an entity that can request an action or operation on an AWS resource. IAM users and IAM roles are the most common principals (you learn more about them later in this module). The principal can also be an AWS service, such as Amazon Elastic Compute Cloud (Amazon EC2), a Security Assertion Markup Language 2.0 (SAML 2.0) provider, or an identity provider (IdP). With an IdP, you manage identities outside of AWS IAM, for example, Login with Amazon, Facebook, or Google. You can give these external identities permissions to use AWS resources in your account.

Federated users are external identities that are not managed directly by AWS IAM. For more information about federated users, see "Identity federation in AWS".

IAM users

IAM users are users within an AWS account:
+ Each user has their own credentials
+ They are authorized to perform specific AWS actions based on permissions

By default, a new IAM user has no permissions to do anything. The user is not authorized to perform any AWS operations or access any AWS resources. An advantage of having individual IAM users is that you can assign permissions individually to each user.

For example, in this diagram you have three IAM users (an administrator, a developer, and an auditor) and their permissions within an AWS account. The administrator has permissions to access an S3 bucket, an EC2 instance, and a list of IAM users in your account. The auditor has read-only permissions to S3 and AWS IAM, but not EC2. The developer only has permissions to the EC2 instance.

As a best practice, require multi-factor authentication (MFA) for your IAM users and set up an IAM user password policy.

For more information about IAM users, see "IAM users" in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html).

IAM users and AWS API calls

[Slide: an IAM user reaching the AWS API through the AWS Management Console, the AWS CLI, or the AWS SDKs]

Provide the type of credentials required for the type of access that a user will need.

Ways to access AWS services:
1. AWS Management Console access - Create a password for a user.
2. Programmatic access - The IAM user might need to make API calls, use the AWS CLI, or use the AWS Tools for Windows PowerShell or AWS API tools for Linux. In that case, you will create an access key (access key ID and a secret access key) for that user.

As a best practice, apply the principle of least privilege. This means that you create only the credentials that the user needs.
For example, do not create access keys for a user who requires access only through the console.

AWS requires different types of security credentials, depending on how you access AWS. For more information, see "Understanding and getting your AWS credentials" in the AWS General Reference.

For information about password creation, see "Managing passwords for IAM users" in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html).

Programmatic access

Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[Slide: the key pair configured in the AWS CLI and used by an AWS SDK such as the one for Python]

Programmatic access gives your IAM user the credentials to make API calls in the AWS CLI or AWS SDKs. AWS provides an SDK for programming languages such as Java, Python, and .NET. When programmatic access is granted to your IAM user, it will create a unique key pair made up of an access key ID and a secret access key. Use your key pair to configure the AWS CLI or make API calls through an AWS SDK. The values shown on the slide are the placeholder pair used throughout the AWS documentation, not working credentials.

The secret access key is displayed only once, when the key is created. Store it only in the CLI credentials file or a secrets manager, never in source code or version control, and rotate it on a schedule. Where possible, prefer the temporary credentials that IAM roles provide (covered later in this module) over long-term access keys.

To set up the AWS CLI in your client, enter the aws configure command. The example code shows the four elements required to configure your IAM user in the AWS CLI:
+ AWS Access Key ID
+ AWS Secret Access Key
+ Default region name
+ Default output format (json, yaml, yaml-stream, text, table)

For more information about configuring your key pair in the AWS CLI, see "Configuration basics" in the AWS Command Line Interface User Guide (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html).
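To make concrete what the key pair does once the AWS CLI or an SDK holds it, the following Signature Version 4 signer is added here as an example; it is not code from this guide, from the AWS CLI, or from an SDK. It assumes the placeholder key pair shown on the slide and the IAM ListUsers request that the SigV4 documentation uses as its worked example; the session token used to demonstrate temporary credentials is a made-up value.

```python
"""Signature Version 4 request signing, added to this guide as an example.

Not AWS CLI or SDK code. It shows what the access key pair is for: the access
key ID travels in the Authorization header, while the secret access key is
never sent; it is only an HMAC key from which a per-request signature is
derived. The credentials below are the placeholder pair from the AWS
documentation, not working keys.
"""
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-Region, per-service key from "AWS4" + secret.

    A leaked signing key is good for one day, one Region and one service only,
    unlike the secret access key it was derived from.
    """
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, body, amz_date, region, service,
                 access_key_id=ACCESS_KEY_ID, secret_access_key=SECRET_ACCESS_KEY,
                 session_token=None):
    """Return (Authorization header value, headers to send).

    amz_date is the request time in ISO 8601 basic format, e.g. 20150830T123600Z.
    Temporary credentials from AWS STS must also send their session token; it is
    added as x-amz-security-token and covered by the signature. The path is
    assumed to be already normalized (it is "/" in the example request).
    """
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:
        hdrs["x-amz-security-token"] = session_token

    # Task 1: canonical request. Query keys sorted, header names lower-cased
    # and sorted, and the body represented by its SHA-256 hash.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_request = "\n".join([method.upper(), quote(path, safe="/"), canonical_query,
                                   canonical_headers, signed_headers, sha256_hex(body)])

    # Task 2: the string to sign binds algorithm, timestamp and credential scope.
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical_request.encode("utf-8"))])

    # Task 3: signature = HMAC-SHA256(signing key, string to sign).
    signature = hmac.new(signing_key(secret_access_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return authorization, hdrs


if __name__ == "__main__":
    # The IAM ListUsers request that the SigV4 documentation walks through.
    auth, _ = sign_request(
        "GET", "iam.amazonaws.com", "/", {"Action": "ListUsers", "Version": "2010-05-08"},
        {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        b"", "20150830T123600Z", "us-east-1", "iam")
    print(auth)
```

Three things to take from it: the secret never leaves the client, every signature is bound to a timestamp, Region, and service, and the temporary credentials that AWS STS returns are usable only when their session token is sent along and signed. The aws configure step in the text is what hands these two values to the CLI, which performs the same signing on every call it makes.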
Setting permissions with IAM policies

[Slide: the Amazon S3 administrator with AmazonS3FullAccess attached; the auditor with AmazonEC2ReadOnlyAccess and AmazonS3ReadOnlyAccess attached]

To allow IAM users to create or modify resources and perform tasks, do the following:
1. Create or choose IAM policies that grant IAM users permission to access the specific resources and API actions they will need.
2. Attach the policies to the IAM users or groups that require those permissions.

Users only have the permissions you specify in the policy. Most users have multiple policies. Together, they represent the permissions for that user.

In the diagram, you choose to give the Amazon S3 administrator full access to S3, but you do not grant full access to all services in your AWS account. You attach the AmazonEC2ReadOnlyAccess and AmazonS3ReadOnlyAccess policies to an auditor who needs to know what resources exist in your account. The auditor should not be able to modify or delete anything.

As a best practice, attach only the policies needed to complete the work required by that user. Note that AWS managed policies such as AmazonS3ReadOnlyAccess apply to every bucket in the account (their Resource element is "*"); when a user should see only particular buckets, write a customer managed policy that names those resources instead.

IAM user groups

[Slide: IAM users collected into user groups, with permissions specified for the group]

An IAM user group is a collection of IAM users. With user groups, you can specify permissions for multiple users, which makes it easier to manage the permissions.

A user can be a member of more than one user group.
In the diagram, Richard is a member of the Analysts group and the Billing group. Richard gets permissions from both IAM user groups.

For more information about user groups, see "IAM user groups" (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html).

IAM roles
+ Delegate a set of permissions to specific users or services
+ Provide temporary credentials through an assumed role

[Slide: the Analysts user group (Richard, Ana, Shirley) and the DevApp1 role assumed by Ana and Shirley]

IAM roles deliver temporary AWS credentials. They're easy to manage because multiple employees and applications can use the same role. There are no charges for using roles.

For example, in this diagram the IAM users Richard, Ana, and Shirley are members of the Analysts user group. As members of the Analysts group, these users inherit permissions assigned to the group. There is also an IAM role called DevApp1 that is being used for testing purposes. DevApp1 has its own set of permissions. Ana and Shirley can assume the role and temporarily use the permissions specific to the DevApp1 role. While they assume this role, Ana and Shirley only have the permissions granted by the role and do not follow their group's inherited permissions.

The following are examples of how you might use IAM roles:
+ Cross-account access - Developer Diego requires access to an S3 bucket in the Prod account.
+ Temporary account access - Contractor Carlos requires temporary access to an S3 bucket in the Prod account.
+ Least privilege - Require Diego to use IAM roles to delete a DynamoDB table.
+ Audit - Administrator Ana wants to track who used an IAM role.
+ Access for AWS services - Amazon Lex needs to use Amazon Polly to synthesize speech responses for your bot.
• IAM roles for EC2 – An application running on Amazon EC2 requires access to an S3 bucket and a DynamoDB table.
• SAML federation – Administrator Ana wants to use IAM with identities stored in an external identity provider (IdP).

Assuming a role

[Slide: a trusted entity calls the AWS STS AssumeRole API and receives temporary security credentials for the role.]

You assume a role using a trusted entity, such as an IAM user, an AWS service, or a federated user. Which entities may assume a role is defined by the role's trust policy. IAM users assume roles in the AWS Management Console or the AWS Command Line Interface (AWS CLI). This action uses the AssumeRole API. AWS services can use the same API call to assume roles in your AWS accounts. Your federated users use either the AssumeRoleWithSAML or the AssumeRoleWithWebIdentity API call.

The API call is made to AWS Security Token Service (AWS STS). AWS STS is a web service that provides temporary, limited-privilege credentials for IAM or federated users. It returns a set of temporary security credentials consisting of an access key ID, a secret access key, and a session token. These credentials are then used to access AWS resources; because they expire, a leaked set is useful to an attacker only until the session ends. The AssumeRole API is typically used for cross-account access or federation.

For more information about AWS STS, see the AWS Security Token Service API Reference (https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html). For more information about using IAM roles, see "Using IAM roles" in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).
IAM policy assignments

IAM provides you with the tools to create and manage all types of IAM policies (managed policies and inline policies). To add permissions to an IAM identity (IAM user, group, or role), you create a policy, validate the policy, and then attach the policy to the identity. You can attach multiple policies to an identity, and each policy can contain multiple permissions.

You learn more about IAM policies in the next section.

Use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources.

Security policies

The security specialist asks, "How can we give users access to only the resources they need?"

The security team has users and roles set up. The company wants your advice about setting up permissions in security policies.

Security policy categories

A policy is attached to an identity or resource to define its permissions. AWS evaluates these policies when a principal, such as a user, makes a request.
In the diagram, the policy types either set maximum permissions or grant permissions. IAM permissions boundaries and AWS Organizations service control policies (SCPs) set maximum permissions on actions in your account; they grant nothing on their own. IAM identity-based and resource-based policies grant permissions by allowing or denying actions in your account.

The following policy types, listed in order of how frequently they are used, are available in AWS. You learn about each of these policy types in more detail later in this module.

Policy types
• Identity-based policies – Attach managed and inline policies to IAM identities. This includes users, groups to which users belong, and roles.
• Resource-based policies – Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies.
• AWS Organizations service control policies (SCPs) – Use Organizations SCPs to define the maximum permissions for account members of an organization or organizational unit (OU).
• IAM permissions boundaries – AWS supports permissions boundaries for IAM entities (users or roles). Use IAM permissions boundaries to set the maximum permissions that an IAM entity can receive.

Granting permissions

• Identity-based policies are assigned to users, groups, and roles.
• Resource-based policies are assigned to resources.
• Resource-based policies are checked when someone tries to access the resource.

Identity-based policies are JSON permissions policy documents that control:
• What actions an IAM identity (users, groups of users, and roles) can perform
• On which resources
• Under what conditions

Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket. These policies grant the principal permission to perform specific actions on that resource and define under what conditions this applies. Because the policy lives on the resource rather than on an identity, it must name the principal it applies to. Resource-based policies are inline policies. There are no managed resource-based policies.

Types of identity-based policies

[Slide: AWS managed, customer managed, and inline policies.]

You can choose to use existing AWS policies. Some are managed by AWS. You also have the option to create your own policies. Identity-based policies can be categorized by the following types:
• Managed policies – Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. There are two types of managed policies:
  ○ AWS managed policies – Managed policies that are created and managed by AWS. They are built to provide specific service access or permissions for job functions.
  ○ Customer managed policies – Managed policies that you create and manage in your AWS account. Customer managed policies provide more precise control over your policies than AWS managed policies.
• Inline policies – Policies that you add directly to a single user, group, or role. Inline policies maintain a strict one-to-one relationship between a policy and an identity.
They are deleted when you delete the identity.

Regarding inline or customer managed policies: an inline policy is one that you create and embed directly in an IAM group, user, or role. Inline policies can't be reused on other identities or managed outside of the identity where they exist. As a best practice, use customer managed policies instead of inline policies; a customer managed policy can be versioned, reviewed and reused, and a single fix applies everywhere it is attached.

For more information, see "Use customer managed policies instead of inline policies" in the IAM security best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).

Identity-based policy example

[Slide: the policy statement described below, which allows ec2:StartInstances and ec2:StopInstances on instances whose Owner tag equals the requesting user's name.]

A JSON identity-based policy document includes these elements:
• Version – The Version policy element specifies the language syntax rules that are to be used to process a policy. To use all of the available policy features, include the value "2012-10-17" for the version in your policies.
• Effect – Use Allow or Deny to indicate whether the policy allows or denies access.
• Action (or NotAction) – Include a list of actions that the policy allows or denies.
• Resource (or NotResource) – You must specify a list of resources to which the actions apply.
• Condition – Specify the circumstances under which the policy grants permission.

The NotAction and NotResource policy elements are not covered in this course.

When you attach the example policy statement to your IAM user, that user is allowed to stop and start EC2 instances in your account as long as the condition is met. Here, the EC2 instances your IAM user can control must have a tag with key "Owner" and a value equal to the IAM user name.
In the Resource element, the policy lists an Amazon Resource Name (ARN) with a wildcard (*) character. Wildcards are used to apply a policy element to more than one resource or action. This policy applies to resources in any account number and Region with any resource ID. It can be reused in multiple accounts without having to rewrite the policy with your AWS account ID.

For more information, see "Policies and permissions in IAM" in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html).

Explicit allow and explicit deny

[Slide: the first policy section allows access, an explicit allow; the second section denies access, an explicit deny.]

An IAM policy is made up of explicit allow statements, explicit deny statements, or both.

An explicit allow, shown in the first policy, authorizes your IAM user, group, or role to take the listed actions against a set of your resources. The policy allows list and get actions on all objects in an S3 bucket called DOC-EXAMPLE-BUCKET. When you use a wildcard character after the bucket name and slash (arn:aws:s3:::DOC-EXAMPLE-BUCKET/*), it covers all objects in that bucket. Note that the object-level ARN does not cover the bucket itself: s3:ListBucket is evaluated against the bucket ARN (arn:aws:s3:::DOC-EXAMPLE-BUCKET), so a statement that names only the object ARN grants s3:GetObject but not listing.

An explicit deny, shown in the second policy, stops your IAM user, group, or role from taking an action listed for a set of your resources. In the second policy example, all actions in Amazon EC2 or Amazon S3 on any resource are denied.

Use allow and deny in your statements to guide what actions your principals can take in your account.
How IAM policies are evaluated

It is important to know the AWS evaluation logic when building IAM policies for your account. This way you can give your users and applications only the access they need.

AWS evaluates all policies that are applicable to the request context. The following is a summary of the AWS evaluation logic for policies within a single account:
• By default, all requests are implicitly denied, with the exception of the AWS account root user, which has full access. This is called an implicit deny.
• An explicit allow in an identity-based or resource-based policy overrides this default.
• An explicit deny in any policy overrides any allows.

Explicit deny is useful as a safety measure because it overrides explicit allow, including allows that someone adds later in another policy.

Using a resource-based policy

[Slide: a bucket policy for DOC-EXAMPLE-BUCKET whose Principal is an AWS account ID and whose Resource is the objects under folder123/.]

Resource-based policies are attached to a single resource, like an S3 bucket or AWS Lambda function. You learn more about S3 buckets and Lambda functions later in this course.

With resource-based policies, you choose who has access to the resource and what actions they can perform on it. If you create a resource-based policy, you must list the principal account, user, role, or federated user to which you want to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element.
The principal is implied as that user or role. In your resource-based policies, the Resource element is optional. If you do not include this element, the resource to which the action applies is the resource to which the policy is attached.

In the example, the principal is an AWS account ID. The set of resources is all objects in the bucket DOC-EXAMPLE-BUCKET that are within the folder called folder123. The bucket policy allows a specific AWS account to upload objects to your bucket's folder. When that principal is a different account from the bucket owner, identities in that account also need an identity-based policy that allows the upload; the bucket policy alone is not enough for a cross-account request.

AWS identity-based policies and resource-based policies are evaluated together. Recall how IAM policies are evaluated. If any explicit deny statement is found in any IAM policy, the action is denied. If at least one allow statement exists with no explicit deny, the action is allowed.

For more information about identity-based policies, see "Identity-based policies and resource-based policies" in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html).

Defense in depth

[Slide: a user with an identity-based policy reaches an S3 bucket through a VPC endpoint with an endpoint policy and then the bucket policy; identity-based and resource-based policies are evaluated together.]

Defense in depth is a strategy focused on creating multiple layers of security.

Apply a defense-in-depth approach with multiple security controls to all layers. For example, apply it to the edge of the network, the virtual private cloud (VPC), load balancing, and every instance, compute service, operating system, application, and code. Application security is as critical as instance security.

In the diagram, different users try to access a document in your S3 bucket.
Each user needs an identity-based policy assigned to either their user or a role they assume to access AWS. They then navigate through layers of resource-based policies: first the VPC endpoint policy, then the bucket policy for the S3 bucket. Your users are able to access the documents they need for their task. You learn more about VPC endpoints and S3 buckets later in this course.

For more information, see "Policy evaluation logic" in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html).

IAM permissions boundaries

IAM permissions boundaries:
• Limit the user's permissions
• Do not provide permissions on their own

AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. Permissions boundaries act as a filter.

An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundary. A common use is delegated administration: developers may create roles and policies themselves, but only with the boundary attached, so they cannot grant themselves more than the boundary allows.

For more information about permissions boundaries, see "Permissions boundaries for IAM entities" in the AWS Identity and Access Management User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html).

For accessibility: Diagram showing the two policy categories, set maximum permissions and grant permissions. Connected to set maximum permissions is IAM permissions boundaries. Partially overlapping IAM permissions boundaries and connected to grant permissions is IAM identity-based policies.
The area of overlap is labeled "limits actions allowed." End description.

Managing multiple accounts

The security specialist asks, "What is the best way to manage multiple accounts?"

The company wants your advice about ways to manage more than one account.

Reasons to use multiple accounts

[Slide: develop a multi-account strategy; drivers include many teams, security, billing, isolation, and business and process controls.]

As you expand your use of AWS, you have several reasons that you might want to create a multi-account structure in your organization:
• To group resources for categorization and discovery
• To improve your security posture with a logical boundary
• To limit the potential impact in case of unauthorized access
• To simplify management of user access to different environments

Without AWS Organizations

• IAM policies only apply to individual principals in a single account.
• Policies to enforce restrictions must be managed within each account.
• Multiple bills are generated, one per account.

Managing multiple accounts is more challenging without AWS Organizations. For example, because IAM policies only apply to a specific AWS account, you must duplicate and manage IAM policies in each account to deploy standardized permissions across all accounts.

With AWS Organizations

• Centrally manage accounts and group them into organizational units (OUs).
• Apply service control policies (SCPs) to control the maximum permissions in every account under an OU.
• Take advantage of consolidated billing.

AWS Organizations provides these key features:
• Centralized management of all your AWS accounts
• Consolidated billing for all member accounts
• Hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs
• Policies to centralize control over the AWS services and API actions that each account can access
• Policies to standardize tags across the resources in your organization's accounts
• Policies to control how AWS artificial intelligence (AI) and machine learning (ML) services can collect and store data
• Policies that configure automatic backups for the resources in your organization's accounts
• Integration and support for IAM
• Integration with other AWS services
• Global access
• Data replication that is eventually consistent
• No cost for use

For more information about inheritance for SCPs, see "Inheritance for service control policies" in the AWS Organizations User Guide (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html).

For accessibility: An AWS organization containing a management account which has two OUs. Each of these OUs has one child AWS account and a child OU. Each of these child OUs has multiple child AWS accounts. A policy is applied to a top OU and is active on all child AWS accounts and child OUs. End description.

How IAM policies interact with SCPs

• SCPs allow only what is at the intersection of IAM permissions and SCPs.
• SCPs do not grant permissions; they act as a filter.

An SCP is a type of organization policy that you can use to manage permissions in your organization. SCPs:
• Offer central control over the maximum available permissions for all accounts in your organization
• Help your accounts stay within your organization's access control guidelines
• Are available only in an organization that has all features turned on

SCPs aren't available if your organization turns on only the consolidated billing features.

Attaching an SCP to an Organizations entity (root, OU, or account) defines a guardrail. SCPs set limits upon the actions that the IAM users and roles in the affected accounts can perform. To grant permissions, you need to attach identity-based or resource-based policies to IAM users, or to the resources in your organization's accounts. SCPs do not affect principals in the management account itself, which is one reason to keep workloads and day-to-day administration out of that account.
When an IAM user or role belongs to an account that is a member of an organization, the SCPs limit the user's or role's effective permissions.

In the example, an SCP allows all EC2 and S3 actions. A collection of IAM identity-based policies allows all EC2 and IAM actions. The effective allowed permissions for the IAM identity are all EC2 actions. It excludes both S3 and IAM actions because they are not allowed in both policy types: S3 is allowed by the SCP but not granted by the identity-based policies, and IAM is granted by the identity-based policies but not allowed by the SCP.

For more information about SCPs, see "How to Use Service Control Policies in AWS Organizations" in the AWS Security Blog (https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/).

Using policies for a layered defense

• SCPs and permissions boundaries act as a filter to limit permissions.

When a principal tries to use the console, the AWS API, or the AWS CLI, that principal sends a request to AWS. With AWS you can configure several resources to determine whether to grant or deny the request. In this example you observe the following layers of defense:
• First, the action must be allowed by any SCPs configured for the organization.
• Next, the action must be included within any applied permissions boundaries.
• Finally, the identity-based policy must allow and not explicitly deny the action.

For an IAM entity (user or role), a permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundary. This adds an additional layer to protect against an IAM identity-based policy that allows overly permissive actions for that entity.
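The evaluation rules spread across the preceding slides (implicit deny, explicit deny overriding every allow, the tag condition in the identity-based policy example, the same-account allow from either an identity-based or a resource-based policy, and SCPs and permissions boundaries acting as filters) combine into a decision procedure that is small enough to model. The following Python is an added example written for this edition; it is not AWS code and not part of the course, and it is a deliberate simplification of real IAM. The policy documents are reconstructed from the slides; the account number 111122223333, the user names, the instance ARN, the S3-only permissions boundary, and the use of a user ARN (rather than the slide's account ID) as the bucket-policy principal are all constructed for the example.

```python
"""Simplified model of the IAM policy evaluation logic covered in this module.

Added example, not AWS code. It models only what the slides describe: implicit deny,
explicit allow from identity-based or resource-based policies, explicit deny overriding
every allow, and SCPs and permissions boundaries acting as filters. Only Effect, Action,
Resource, Principal and the StringEquals operator (with ${aws:username}) are supported.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _glob_match(patterns, value, ignore_case=False):
    """IAM-style '*' matching; action names are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, context):
    """Resource-based statements name a Principal; identity-based ones have none (the caller is implied)."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    # Simplification: only '*' and the exact caller ARN are matched (no account-level principals).
    return any(p in ("*", context["aws:PrincipalArn"]) for p in _as_list(principal.get("AWS", [])))


def _statement_matches(stmt, action, resource, context):
    if not (_principal_matches(stmt, context)
            and _glob_match(stmt["Action"], action, ignore_case=True)
            and _glob_match(stmt.get("Resource", "*"), resource)):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            wanted = [v.replace("${aws:username}", context.get("aws:username", "")) for v in _as_list(expected)]
            if context.get(key) not in wanted:  # an absent context key never satisfies StringEquals
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Deny' (explicit), 'Allow', or None (implicit deny) for one set of policy documents."""
    verdict = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                verdict = "Allow"
    return verdict


def is_allowed(action, resource, context, identity_policies,
               resource_policy=None, boundary=None, scps=()):
    """Same-account decision: SCP filter, then permissions-boundary filter, then identity/resource grants."""
    scp = evaluate(list(scps), action, resource, context) if scps else "Allow"
    bound = evaluate([boundary], action, resource, context) if boundary else "Allow"
    ident = evaluate(identity_policies, action, resource, context)
    res = evaluate([resource_policy], action, resource, context) if resource_policy else None
    if "Deny" in (scp, bound, ident, res):  # an explicit deny anywhere overrides every allow
        return False
    # SCPs and boundaries grant nothing; they only cap what the other policies may grant.
    # Simplification: the boundary is always applied, as the layered-defense slide describes;
    # real IAM exempts some resource-based grants from it.
    if scp != "Allow" or bound != "Allow":
        return False
    return "Allow" in (ident, res)


# Sample policies reconstructed from the slides (constructed data; no real accounts).
EC2_OWNER_POLICY = {"Version": "2012-10-17", "Statement": [{  # identity-based policy example
    "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}}}]}
S3_READ_POLICY = {"Version": "2012-10-17", "Statement": [{  # explicit allow slide
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]}]}
DENY_EC2_AND_S3 = {"Version": "2012-10-17", "Statement": [{  # explicit deny slide
    "Effect": "Deny", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
SCP_EC2_S3_ONLY = {"Version": "2012-10-17", "Statement": [{  # SCP from the SCP interaction slide
    "Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [{  # constructed permissions boundary
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BUCKET_POLICY_FOLDER123 = {"Version": "2012-10-17", "Statement": [{  # bucket policy; the slide used an account ID
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/Ana"},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/folder123/*"}]}


def request_context(username, extra=None):
    """Constructed request context for an IAM user in the fictional account 111122223333."""
    ctx = {"aws:username": username,
           "aws:PrincipalArn": f"arn:aws:iam::111122223333:user/{username}"}
    ctx.update(extra or {})
    return ctx
```

Call is_allowed with the same action, resource and context but different combinations of policies to see the slides' rules in action: Ana can stop an instance tagged Owner=Ana but not one tagged Owner=Richard; adding DENY_EC2_AND_S3 blocks the stop even though EC2_OWNER_POLICY allows it; SCP_EC2_S3_ONLY removes iam:* from an identity policy that grants it without adding anything; S3_ONLY_BOUNDARY leaves s3:GetObject allowed but removes the EC2 actions; and BUCKET_POLICY_FOLDER123 lets Ana upload into folder123/ with no identity-based policy at all, because within one account an allow in either policy type is enough.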
For more information, see "Policy evaluation logic" (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html).

Consider how you would answer the following questions:
• What are the best practices to manage access to AWS accounts and resources?
• How can we give users access to only the resources they need?
• What is the best way to manage multiple accounts?

Imagine you are now ready to talk to the security specialist and present solutions that meet their architectural needs.

Think about how you would answer the questions from the beginning of the lesson about account security. Your answers should include the following solutions:
• Create IAM users, user groups, and roles to manage access to AWS accounts and resources.
• Build security policies with allow and deny statements. Use permissions boundaries as a protective layer.
• Use SCPs in AWS Organizations to manage multiple accounts.
Module review

In this module you learned about:
✓ Principals and identities
✓ Security policies
✓ Managing multiple accounts

Next, you review:
Knowledge check
