CC 7

Amazon Web Services (AWS) is the leading cloud platform with over 200 services, recognized as a leader in cloud infrastructure for 12 consecutive years by Gartner. AWS provides hybrid capabilities for workloads that cannot fully transition to the cloud and offers specialized solutions through its Solution Provider Program. Key services include Identity and Access Management (IAM) for secure access control and Virtual Private Cloud (VPC) for customizable networking environments.

AWS

AWS Solution
AWS Services (IAM, VPC, etc.)
AWS
• With over 200 fully-featured services available across the world,
Amazon Web Services (AWS) is the most widely used cloud platform
globally.
Key differentiators for AWS
• Gartner named AWS as a leader for the 12th year in a row in the 2022 Gartner
Magic Quadrant for Cloud Infrastructure & Platform Services.
• AWS is innovating fast, especially in new areas such as machine learning and
artificial intelligence, the Internet of Things (IoT), serverless computing,
blockchain, and even quantum computing.
• It’s not always possible to move all workloads into the cloud, and for that
purpose, AWS provides a broad set of hybrid capabilities in the areas of
networking, data, access, management, and application services.
• For example, VMware Cloud on AWS allows customers to seamlessly run existing
VMware workloads on AWS with the skills and toolsets they already have without
additional hardware investment.
• If you want to run your workload on-premises, AWS Outposts enables you to
utilize native AWS services, infrastructure, and operating models in almost any
data center, co-location space, or on-premises facility.
AWS Solution
• Amazon Web Services offers purpose-built services, ready-to-deploy
software packages, and customizable architectures with instructional
information to rapidly solve business challenges.
• Solutions are built by AWS and AWS Partners to address specific
industry, cross-industry, and technology use cases.
• The AWS Solution Provider Program (SPP) helps you to resell and
deliver AWS Services to end customers as part of your unique
offerings. This program is designed for system integrators (SIs),
Managed Service Providers (MSPs), value-added resellers (VARs),
and public sector organizations.
• As an AWS Solution Provider, you will increase your technical
expertise and access funding benefits to manage, service, support,
and directly bill your customers.
AWS Services (IAM, VPC, etc.)
• Amazon Web Services offers a broad set of global cloud-based products
including compute, storage, databases, analytics, networking, mobile,
developer tools, management tools, IoT, security, and enterprise
applications: on-demand, available in seconds, with pay-as-you-go pricing.
• From data warehousing to deployment tools, directories to content delivery,
over 200 AWS services are available.
• New services can be provisioned quickly, without the upfront fixed expense.
• This allows enterprises, start-ups, small and medium-sized businesses, and
customers in the public sector to access the building blocks they need to
respond quickly to changing business requirements.
• https://mindmajix.com/top-aws-services
• Amazon Identity and Access Management (IAM)
• Amazon Virtual Private Cloud (VPC)
Amazon Identity and Access Management (IAM)
• AWS Identity and Access Management (IAM) is a web service that helps
you securely control access to AWS resources.
• With IAM, you can centrally manage permissions that control which AWS
resources users can access. You use IAM to control who is authenticated
(signed in) and authorized (has permissions) to use resources.
• When you create an AWS account, you begin with one sign-in identity that
has complete access to all AWS services and resources in the account. This
identity is called the AWS account root user and is accessed by signing in
with the email address and password that you used to create the account.
• We strongly recommend that you don't use the root user for your everyday
tasks. Safeguard your root user credentials and use them to perform the
tasks that only the root user can perform.
IAM features
• Shared access to your AWS account
• You can grant other people permission to administer and use resources in your AWS account
without having to share your password or access key.
• Granular permissions
• You can grant different permissions to different people for different resources. For example, you
might allow some users complete access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon
Simple Storage Service (Amazon S3), Amazon DynamoDB, Amazon Redshift, and other AWS services.
For other users, you can allow read-only access to just some S3 buckets, or permission to administer
just some EC2 instances, or to access your billing information but nothing else.
• Secure access to AWS resources for applications that run on Amazon EC2
• You can use IAM features to securely provide credentials for applications that run on EC2 instances.
These credentials provide permissions for your application to access other AWS resources. Examples
include S3 buckets and DynamoDB tables.
• Multi-factor authentication (MFA)
• You can add two-factor authentication to your account and to individual users for extra security.
With MFA you or your users must provide not only a password or access key to work with your
account, but also a code from a specially configured device. If you already use a FIDO security key
with other services, and it has an AWS supported configuration, you can use WebAuthn for MFA
security.
• Identity federation
• You can allow users who already have passwords elsewhere—for example, in your corporate network or with an
internet identity provider—to get temporary access to your AWS account.
• Identity information for assurance
• If you use AWS CloudTrail, you receive log records that include information about those who made requests for
resources in your account. That information is based on IAM identities.
• PCI DSS Compliance
• IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has
been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more
information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1.
• Integrated with many AWS services
• For a list of AWS services that work with IAM, see AWS services that work with IAM.
• Eventually Consistent
• IAM, like many other AWS services, is eventually consistent. IAM achieves high availability by replicating data across
multiple servers within Amazon's data centers around the world. If a request to change some data is successful, the
change is committed and safely stored. However, the change must be replicated across IAM, which can take some
time. Such changes include creating or updating users, groups, roles, or policies. We recommend that you do not
include such IAM changes in the critical, high-availability code paths of your application. Instead, make IAM changes in
a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have
been propagated before production workflows depend on them. For more information, see Changes that I make are
not always immediately visible.
• Free to use
• AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) are features of your AWS
account offered at no additional charge. You are charged only when you access other AWS services using your IAM
users or AWS STS temporary security credentials.
How does Amazon IAM work?
• With AWS Identity and Access Management (IAM), you can specify
who or what can access services and resources in AWS, centrally
manage fine-grained permissions, and analyze access to refine
permissions across AWS.
When do I use IAM?
• When you are performing different job functions
• You use IAM every time you access your AWS account.
• Service user, administrator or IAM administrator
• When you are authorized to access AWS resources
• You are signed in to AWS as the AWS account root user, as an IAM user, or by assuming an IAM role.
• When you sign in as an IAM user
• An IAM user is an identity within your AWS account that has specific permissions for a single person or
application.
• When you assume an IAM role
• An IAM role is an identity within your AWS account that has specific permissions.
• It is similar to an IAM user, but is not associated with a specific person.
• You can temporarily assume an IAM role in the AWS Management Console by switching roles.
• When you create policies and permissions
• You grant permissions to a user by creating a policy, which is a document that lists the
actions that a user can perform and the resources those actions can affect.
Amazon Virtual Private Cloud (VPC)
• Amazon Virtual Private Cloud (VPC) is a service that lets you launch AWS resources in a
logically isolated virtual network that you define. You have complete control over your
virtual networking environment, including selection of your own IP address range,
creation of subnets, and configuration of route tables and network gateways. You can
use both IPv4 and IPv6 for most resources in your VPC, helping to ensure secure and
easy access to resources and applications.
• As one of AWS's foundational services, Amazon VPC makes it easy to customize your
VPC's network configuration. You can create a public-facing subnet for your web servers
that have access to the internet.
• It also lets you place your backend systems, such as databases or application servers, in a
private-facing subnet with no internet access. Amazon VPC lets you use multiple
layers of security, including security groups and network access control lists, to help
control access to Amazon Elastic Compute Cloud (Amazon EC2) instances in each subnet.
• Amazon Virtual Private Cloud is a commercial cloud computing service that provides a
virtual private cloud, by provisioning a logically isolated section of Amazon Web Services
Cloud. Enterprise customers can access the Amazon Elastic Compute Cloud over an IPsec
based virtual private network.
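As an added example (not from the slides), a Python model of what makes a subnet "public-facing" or "private-facing" in a VPC: each subnet is associated with a route table, the most specific matching route wins, and a subnet is public only when its table sends 0.0.0.0/0 to an internet gateway. The VPC CIDR, subnet names and gateway ids are constructed placeholders.

```python
import ipaddress

# Added example, not AWS code: route-table lookup with longest-prefix match,
# used to classify subnets as public or private. All ids are constructed.
VPC_CIDR = "10.0.0.0/16"

ROUTE_TABLES = {
    "public-rt": [
        (VPC_CIDR, "local"),           # every VPC route table has the local route
        ("0.0.0.0/0", "igw-EXAMPLE"),  # default route to the internet gateway
    ],
    "private-rt": [
        (VPC_CIDR, "local"),
        ("192.168.0.0/16", "vgw-EXAMPLE"),  # on-premises network via VPN gateway
    ],
}

# Subnet -> route table association (web tier public, database tier private)
SUBNET_ROUTE_TABLE = {"web-subnet": "public-rt", "db-subnet": "private-rt"}

def lookup(route_table, destination):
    """Return the target for `destination`, choosing the most specific route."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None  # no matching route: traffic is dropped

def is_public(subnet):
    """A subnet is public when its route table routes 0.0.0.0/0 to an igw."""
    table = ROUTE_TABLES[SUBNET_ROUTE_TABLE[subnet]]
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in table)

def route_from(subnet, destination):
    """Where traffic from `subnet` to `destination` is sent."""
    return lookup(ROUTE_TABLES[SUBNET_ROUTE_TABLE[subnet]], destination)

if __name__ == "__main__":
    for name in SUBNET_ROUTE_TABLE:
        print(name, "public" if is_public(name) else "private",
              route_from(name, "93.184.216.34"))
```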
Benefits of Amazon VPC
• Increased Security
• Secure and monitor connections, screen traffic, and restrict instance access
inside your virtual network.
• Save Time
• Spend less time setting up, managing, and validating your virtual network.
• Manage and Control your Environment
• Customize your virtual network by choosing your own IP address range,
creating subnets, and configuring route tables.
How does Amazon VPC work?
• Amazon Virtual Private Cloud (Amazon VPC) gives you full
control over your virtual networking environment, including
resource placement, connectivity, and security.
• Get started by setting up your VPC in the AWS service console.
• Next, add resources to it such as Amazon Elastic Compute Cloud (EC2) and
Amazon Relational Database Service (RDS) instances.
• Finally, define how your VPCs communicate with each other across accounts,
Availability Zones, or AWS Regions.
• In the example below, network traffic is being shared between two
VPCs within each Region.
Example VPC
• The VPC has one subnet in each of the Availability Zones in the
Region, EC2 instances in each subnet, and an internet gateway
to allow communication between the resources in your VPC and
the internet.
Features
• Virtual private clouds (VPC)
• A VPC is a virtual network that closely resembles a traditional network that you'd operate
in your own data center. After you create a VPC, you can add subnets.
• Subnets
• A subnet is a range of IP addresses in your VPC. A subnet must reside in a single Availability
Zone. After you add subnets, you can deploy AWS resources in your VPC.
• IP addressing
• You can assign IP addresses, both IPv4 and IPv6, to your VPCs and subnets. You can also
bring your public IPv4 and IPv6 GUA addresses to AWS and allocate them to resources in
your VPC, such as EC2 instances, NAT gateways, and Network Load Balancers.
• Routing
• Use route tables to determine where network traffic from your subnet or gateway is
directed.
• Gateways and endpoints
• A gateway connects your VPC to another network. For example, use an internet gateway to
connect your VPC to the internet. Use a VPC endpoint to connect to AWS services privately,
without the use of an internet gateway or NAT device.
• Peering connections
• Use a VPC peering connection to route traffic between the resources in two VPCs.
• Traffic Mirroring
• Copy network traffic from network interfaces and send it to security and monitoring
appliances for deep packet inspection.
• Transit gateways
• Use a transit gateway, which acts as a central hub, to route traffic between your
VPCs, VPN connections, and AWS Direct Connect connections.
• VPC Flow Logs
• A flow log captures information about the IP traffic going to and from network
interfaces in your VPC.
• VPN connections
• Connect your VPCs to your on-premises networks using AWS Virtual Private
Network (AWS VPN).
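As an added example (not from the slides), a Python parser for VPC Flow Log records in the default format, followed by a simple detection over them: sources whose connections were rejected on several distinct destination ports. The log lines, account id and interface id are constructed for illustration.

```python
# Added example, not AWS code: parse default-format VPC Flow Log records
# (version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status) and flag noisy rejected sources.
# Sample records below are constructed; ids are placeholders.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-EXAMPLE 198.51.100.7 10.0.1.12 44321 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 198.51.100.7 10.0.1.12 44322 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 203.0.113.9 10.0.1.12 50231 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE 198.51.100.7 10.0.1.12 44323 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

def parse_flow_log(text):
    """Return a list of dicts, one per record that actually carries traffic."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed line: skip it
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA / SKIPDATA have no traffic fields
        rec["dstport"] = int(rec["dstport"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records

def rejected_sources(records, threshold=3):
    """Sources rejected on at least `threshold` distinct destination ports."""
    ports = {}
    for rec in records:
        if rec["action"] == "REJECT":
            ports.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    print(rejected_sources(parse_flow_log(SAMPLE_FLOW_LOG)))
```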
Working with Amazon VPC
• You can create and manage your VPCs using any of the following interfaces:
• AWS Management Console: Provides a web interface that you can use to
access your VPCs.
• AWS Command Line Interface (AWS CLI): Provides commands for a broad set
of AWS services, including Amazon VPC, and is supported on Windows, Mac,
and Linux. For more information, see AWS Command Line Interface.
• AWS SDKs: Provide language-specific APIs and take care of many of the
connection details, such as calculating signatures, handling request retries, and
error handling. For more information, see AWS SDKs.
• Query API: Provides low-level API actions that you call using HTTPS requests.
Using the Query API is the most direct way to access Amazon VPC, but it
requires that your application handle low-level details such as generating the
hash to sign the request, and error handling. For more information, see
Amazon VPC actions in the Amazon EC2 API Reference.
Pricing for Amazon VPC
• There's no additional charge for using a VPC.
• There are charges for some VPC components, such as NAT gateways,
IP Address Manager, traffic mirroring, Reachability Analyzer, and
Network Access Analyzer.
• Public IPv4 addresses are charged.
Use Cases
• Launch a Simple Website or Blog
• Improve your web application security
posture by enforcing rules on inbound and
outbound connections.
• Host Multi-tier Web Applications
• Define network connectivity and restrictions
between your web servers, application
servers, and databases.
• Create Hybrid Connections
• Build and manage a compatible VPC network
across your AWS services and on premises.
