Module 3 Final
[Diagram: example user groups: Server Admin, Web Developer, Data Scientist]
ARN Format:
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
Example (security group): arn:aws:ec2:region:account-id:security-group/security-group-id
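As an added example (not part of the IntelliPaat slides), a small Python parser for the three ARN forms above. It splits on the first five colons so that a colon inside the resource field (the resourcetype:resource form) survives, and treats the resource-type separator as whichever of "/" or ":" comes first. The set of partitions and the fact that S3 ARNs carry no resource-type prefix are assumptions taken from the AWS documentation rather than from the slide; the sample ARNs are constructed and use the 123456789012 documentation placeholder account.

```python
"""Parse Amazon Resource Names (ARNs) into their fields.

Added example: not from the original slides. Handles the three resource
conventions shown above:
    resource, resourcetype/resource, resourcetype:resource
"""
from dataclasses import dataclass
from typing import Optional

# Assumption from AWS documentation: the partitions that exist today.
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}
# Assumption: services whose resource field has no type prefix
# (an S3 ARN is arn:aws:s3:::bucket/key; its '/' is not a type separator).
UNTYPED_SERVICES = {"s3"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str        # may be empty for global services (IAM, S3)
    account_id: str    # may be empty (S3) or a non-numeric owner such as "aws"
    resource_type: Optional[str]
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its six fields and normalise the resource part.

    Raises ValueError for anything that is not a well-formed ARN.
    """
    # maxsplit=5 keeps colons inside the resource field intact.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource_part = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {arn!r}")
    if not service or not resource_part:
        raise ValueError(f"service and resource are required: {arn!r}")

    resource_type: Optional[str] = None
    resource = resource_part
    if service not in UNTYPED_SERVICES:
        # The type separator is whichever of '/' or ':' appears first.
        cuts = [i for i in (resource_part.find("/"), resource_part.find(":")) if i >= 0]
        if cuts:
            idx = min(cuts)
            resource_type, resource = resource_part[:idx], resource_part[idx + 1:]
    return Arn(partition, service, region, account_id, resource_type, resource)


def describe(arn: str) -> str:
    """One-line summary, handy when reviewing the Resource list of a policy."""
    a = parse_arn(arn)
    kind = a.resource_type or "(untyped)"
    return f"{a.service} {kind} {a.resource} in {a.region or '<global>'} / {a.account_id or '<any>'}"


if __name__ == "__main__":
    # Constructed sample ARNs (account id is the AWS documentation placeholder).
    for sample in (
        "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0",
        "arn:aws:s3:::aws-foundation/*",
        "arn:aws:lambda:us-east-1:123456789012:function:my-fn",
    ):
        print(describe(sample))
```

The parser deliberately refuses unknown partitions and empty service or resource fields; a policy review tool built on it would flag such ARNs rather than silently treating them as matching nothing.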
[Diagram: an AWS account (root) with IAM users guser2 (Anil), guser3, dev3, ops3, admin3, dev4 and dev5, and the services they access: EC2, S3, DynamoDB]
Copyright IntelliPaat, All rightsreserved
IAM Features
Security: Multi-Factor Authentication (SMS based or token based)
Introduction to JSON – JavaScript Object Notation

Example record:

{
  "EmpID" : 12345,
  "EmpName" : "xyz",
  "Address" : {
    "Building" : "Bldg-1",
    "Street" : "40/1 Blvd",
    "ZipCode" : 654321
  },
  "Skills" : [ "AWS", "Java", "Oracle" ],
  "cars" : [
    { "name" : "Toyota", "models" : [ "Prius", "Camry", "Corolla" ] },
    { "name" : "Honda", "models" : [ "Accord", "Civic" ] },
    { "name" : "Jeep" }
  ]
}

Path expressions into this record and the value each one selects:
"Address" : the whole Address object
"Address.Street" : "40/1 Blvd"
"Skills[1]" : "Java" (array indexes start at 0)
"cars[0].name" : "Toyota"
"cars[1].models[0]" : "Accord"
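An added example (not from the slides) that parses the record above with the standard json module and resolves the slide's path expressions against it. The path grammar (dotted keys and [n] array indexes) is the one the annotations use; a missing key or an out-of-range index returns a default rather than raising, which is the case to think about when a policy or record is read by a program rather than a human.

```python
"""Resolve path expressions such as "Address.Street" or "cars[1].models[0]"
against a parsed JSON record.

Added example, not from the original slides. The record is the slide's own
example, embedded as a JSON string so the block runs offline.
"""
import json
import re
from typing import Any, List, Union

RECORD_JSON = """
{
  "EmpID": 12345,
  "EmpName": "xyz",
  "Address": { "Building": "Bldg-1", "Street": "40/1 Blvd", "ZipCode": 654321 },
  "Skills": [ "AWS", "Java", "Oracle" ],
  "cars": [
    { "name": "Toyota", "models": [ "Prius", "Camry", "Corolla" ] },
    { "name": "Honda", "models": [ "Accord", "Civic" ] },
    { "name": "Jeep" }
  ]
}
"""
RECORD = json.loads(RECORD_JSON)

# Grammar: key ( "[" digits "]" | "." key )*   where a key contains no '.', '[' or ']'
_KEY = r"[^.\[\]]+"
PATH_GRAMMAR = re.compile(rf"{_KEY}(?:\[\d+\]|\.{_KEY})*")
_TOKEN = re.compile(rf"({_KEY})|\[(\d+)\]")


def tokenize(path: str) -> List[Union[str, int]]:
    """Turn "cars[1].models[0]" into ["cars", 1, "models", 0]."""
    if not PATH_GRAMMAR.fullmatch(path):
        raise ValueError(f"malformed path: {path!r}")
    tokens: List[Union[str, int]] = []
    for m in _TOKEN.finditer(path):
        tokens.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
    return tokens


def resolve(doc: Any, path: str, default: Any = None) -> Any:
    """Walk the document; return `default` if any step is missing or of the wrong type."""
    cur = doc
    for tok in tokenize(path):
        if isinstance(tok, int):
            if not isinstance(cur, list) or tok >= len(cur):
                return default
        else:
            if not isinstance(cur, dict) or tok not in cur:
                return default
        cur = cur[tok]
    return cur


if __name__ == "__main__":
    for p in ("Address", "Address.Street", "Skills[1]", "cars[0].name",
              "cars[1].models[0]", "cars[2].models"):
        print(f"{p:20} -> {resolve(RECORD, p, default='<missing>')!r}")
```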
ACTIONS: what actions are allowed or denied, e.g. create an EC2 instance, delete an S3 bucket, create a Security Group. Each of these is a different type of ACTION.
[Diagram: a policy attached to a Group for S3 has Effect, Action and Resource ("S3"); a policy attached to the S3 resource itself has Effect, Action, Resource ("S3") and Principal ("user-1")]
Example policy:

{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "s3:ListBucket",
      "Resource" : "arn:aws:s3:::aws-foundation-bucket"
    }
  ]
}

Version: 2012-10-17 is the current version; 2008-10-17 is the previous version.
"Statement" : [ { }, { }, { } ] (a policy holds one or more statements)
Sid : Statement ID.
Effect : Allow or Deny.
Principal : ARN of the AWS user, account or service that is allowed or denied access to an AWS resource.
Action : the specific action that is allowed or denied on an AWS resource.
Resource : ARN of the AWS resource.
Condition : the condition under which the policy is in effect.
Example: one policy with three statements. The "Statement" array starts right after "Version" and ends before the closing brace.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::aws-foundation"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::aws-foundation/*"
    }
  ]
}
Use the policies defined earlier to provide access to users and groups.
A role has two policies:
Permission Policy: what the role is allowed to do.
Trust Policy: who may assume the role (an IAM user in the same account, or an IAM user in a different account).
The permissions attached to the user are taken away for as long as the role is being used; only the role's permissions apply.
[Diagram: user-1, who cannot access EC2 and cannot access RDS directly, assumes a Role]
[Diagram: an EC2 instance with an Instance Profile bound to a Role; a program on the instance uses the role to reach S3 and DynamoDB]
Identity Federation: AWS resources can be accessed by users authenticated through third-party Identity Providers (IdPs).
Web identity: Facebook, Google, Amazon or any OIDC provider (AssumeRoleWithWebIdentity)
SAML 2.0: LDAP or Microsoft AD (AssumeRoleWithSAML)
[Diagram, AssumeRoleWithWebIdentity: the application authenticates with Amazon, Google or Facebook and receives an auth token; it presents the token to STS, receives temporary security credentials, and uses them to access EC2, S3 and DynamoDB]
[Diagram, AssumeRoleWithSAML: the application authenticates against an LDAP identity store and receives a SAML assertion; it presents the assertion to STS, receives temporary security credentials, and uses them to access EC2, S3 and DynamoDB]
Security Token Service
Temporary Security Credentials & STS
STS (Security Token Service) can be used to get temporary security credentials: a temporary Access Key ID, Secret Access Key and Security Token.
[Diagram: an application, service or user makes an STS call and receives temporary credentials (a security token)]
STS calls:
"AssumeRole": ARN of the role, duration (15 minutes to 1 hour; 1 hour is the default)
"AssumeRoleWithWebIdentity": ARN of the role, auth token, duration (15 minutes to 1 hour; 1 hour is the default)
"AssumeRoleWithSAML": ARN of the role, ARN of the SAML provider created in IAM, SAML assertion, duration (15 minutes to 1 hour; 1 hour is the default)
"GetFederationToken"
"GetSessionToken"
Metrics, Dimensions and Statistics
Statistics: data aggregations over a period of time.
[Diagram: EC2 standalone metrics per instance (cpu, disk, n/w) alongside EBS disk metrics]
Metrics and Namespaces
Resource Metrics – EC2
Metrics: CPUUtilization, NetworkIn (Bytes), NetworkOut (Bytes), NetworkPacketsIn (Count), NetworkPacketsOut (Count), BurstBalance (Percent)
Dimensions: AutoScalingGroupName, ImageId, InstanceType
[Diagram: an EC2 instance with its network interface and attached disks]
Resource Metrics – S3
Metrics: DeleteRequests (Count), NumberOfObjects (Count), ListRequests (Count)
Resource Metrics – DynamoDB
Dimensions: GlobalSecondaryIndexName, StreamLabel, TableName
Operations: PutItem, DeleteItem, UpdateItem, GetItem, BatchGetItem, Scan, Query, BatchWriteItem
Statistics: Min, Max, Avg, Count, Sum
Metrics: ConsumedReadCapacityUnits, ProvisionedReadCapacityUnits, ConsumedWriteCapacityUnits, ProvisionedWriteCapacityUnits, OnlineIndexPercentageProgress, OnlineIndexThrottleEvents, WriteThrottleEvents, ThrottledRequests
[Diagram: Table, Item, Attributes]
Auto Scaling group metrics: GroupDesiredCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupTerminatingInstances, GroupTotalInstances
[Diagram: EC2, DynamoDB, EBS and S3 metrics are aggregated into statistics that are viewed in the console or by a user; a metric such as CPUUtilization or BytesDownloaded can trigger an action]
Alarm States
Alarm threshold and period, e.g. a threshold of 75% breached for 3 consecutive periods.
OK – within threshold.
ALARM – crossed threshold.
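An added example (not from the slides) that models the alarm rule above over a series of CPUUtilization datapoints. It goes a little beyond the slide: besides the "N consecutive periods" case it supports the M-out-of-N form CloudWatch offers (DatapointsToAlarm out of EvaluationPeriods), uses CloudWatch's ComparisonOperator names, and reports INSUFFICIENT_DATA until N datapoints exist. Missing-data handling, which CloudWatch makes configurable, is not modelled; the datapoints are constructed.

```python
"""Model CloudWatch alarm state transitions over a metric time series.

Added example, not from the original slides. Generalises the slide's rule
("75% for 3 consecutive periods") to M-of-N evaluation and adds the
INSUFFICIENT_DATA state. Sample datapoints are constructed.
"""
from typing import Callable, Dict, List, Optional

OK, ALARM, INSUFFICIENT_DATA = "OK", "ALARM", "INSUFFICIENT_DATA"

# CloudWatch ComparisonOperator names mapped to the breach test.
COMPARISONS: Dict[str, Callable[[float, float], bool]] = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def alarm_state(datapoints: List[float], threshold: float, evaluation_periods: int,
                datapoints_to_alarm: Optional[int] = None,
                comparison: str = "GreaterThanThreshold") -> str:
    """State after the most recent datapoint.

    Only the last `evaluation_periods` datapoints are examined: ALARM when at
    least `datapoints_to_alarm` of them breach (default: all of them), OK
    otherwise, INSUFFICIENT_DATA until enough datapoints exist.
    """
    if evaluation_periods < 1:
        raise ValueError("evaluation_periods must be >= 1")
    m = datapoints_to_alarm if datapoints_to_alarm is not None else evaluation_periods
    if not 1 <= m <= evaluation_periods:
        raise ValueError("datapoints_to_alarm must be between 1 and evaluation_periods")
    breaches = COMPARISONS[comparison]
    window = datapoints[-evaluation_periods:]
    if len(window) < evaluation_periods:
        return INSUFFICIENT_DATA
    breached = sum(1 for v in window if breaches(v, threshold))
    return ALARM if breached >= m else OK


def state_timeline(datapoints: List[float], threshold: float, evaluation_periods: int,
                   datapoints_to_alarm: Optional[int] = None,
                   comparison: str = "GreaterThanThreshold") -> List[str]:
    """The state re-evaluated after each datapoint arrives, in order."""
    return [alarm_state(datapoints[:i + 1], threshold, evaluation_periods,
                        datapoints_to_alarm, comparison)
            for i in range(len(datapoints))]


# Constructed CPUUtilization samples, one per 5-minute period.
CPU_SAMPLES = [40.0, 60.0, 80.0, 90.0, 95.0, 70.0, 50.0]

if __name__ == "__main__":
    for value, state in zip(CPU_SAMPLES, state_timeline(CPU_SAMPLES, 75.0, 3)):
        print(f"{value:5.1f}%  {state}")
```

With the slide's rule (75%, 3 of 3) the series only reaches ALARM once three consecutive samples exceed 75%, and a single sample back under the threshold returns it to OK; lowering DatapointsToAlarm to 2 makes the alarm fire earlier and linger longer, which is the trade-off between sensitivity and noise that the period and threshold settings tune.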
CloudWatch Logs are used to monitor, store and access log files from various AWS resources, including EC2.
Logs agent: a cron job ensures that the agent daemon runs all the time.
CloudWatch Logs
CloudWatch Logs components:
Log Event
Log Stream
Log Group: a group of log streams.
Agent files:
/etc/awslogs/awscli.conf
/etc/awslogs/awslogs.conf
/var/log/awslogs.log
General section (awslogs.conf):
state_file
logging_config_file
Log stream section:
log_group_name = value
log_stream_name = value
file = value
batch_count = integer
batch_size = integer
Free Tier
3 dashboards with up to 50 metrics per month.
Basic monitoring at a 5 minute interval for EC2, EBS, ELB and RDS is free.
https://aws.amazon.com/cloudwatch/pricing/
Pricing
Dashboards: $3.00 per dashboard per month
Detailed monitoring for EC2 instances
Custom metrics
[Diagram: CloudWatch collecting from EC2, Kinesis, EMR and S3; CloudWatch alongside S3 and EC2]
Use Case
AssumeRoleWithWebIdentity.
GetFederationToken.
IAM Access Analyzer
● IAM Access Analyzer helps identify resources in your organization and accounts.
● IAM Access Analyzer validates IAM policies against policy grammar and best practices.
● IAM Access Analyzer generates IAM policies based on access activity in your
Use Case
Assume Arnav Desai is a security administrator for Example Corp. He works with several development teams and monitors their access across multiple accounts. To get his development teams up and running quickly, he initially created multiple roles with broad permissions that are based on job function in the development accounts. Now, his developers are ready to deploy workloads to production accounts. The developers need access to configure AWS; however, Arnav only wants to grant them access to what they need. To determine these permissions, he uses access advisor APIs to automate a process that helps him understand the services developers accessed in the last six months. Using this information, he authors policies to grant access to specific services in production. I'll now show you an example to achieve this in one account using AWS CLI commands.
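The CLI commands the narration refers to are not on this page. As an added Python example (not from the slides and not AWS code), here is the processing step of that use case: take the service-last-accessed data that the access advisor APIs return, split services into used and unused over a six-month window, and author an Allow policy for the used ones only. The API call itself is left out; the block processes a constructed sample shaped like the ServicesLastAccessed list of the GetServiceLastAccessedDetails response (that shape is an assumption from the AWS SDK documentation), so it runs offline.

```python
"""Derive a scoped-down policy from IAM access advisor data.

Added example, not from the slides or from AWS. The access advisor call
(GenerateServiceLastAccessedDetails / GetServiceLastAccessedDetails) is
omitted; SAMPLE_SERVICES_LAST_ACCESSED is a constructed stand-in for the
ServicesLastAccessed list in that response.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample: ServicesLastAccessed entries for one role.
SAMPLE_SERVICES_LAST_ACCESSED: List[Dict] = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": datetime(2024, 5, 2, tzinfo=timezone.utc),
     "TotalAuthenticatedEntities": 3},
    {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb",
     "LastAuthenticated": datetime(2024, 4, 20, tzinfo=timezone.utc),
     "TotalAuthenticatedEntities": 1},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "LastAuthenticated": datetime(2023, 9, 1, tzinfo=timezone.utc),
     "TotalAuthenticatedEntities": 1},
    # Never used: no LastAuthenticated and zero authenticated entities.
    {"ServiceName": "Amazon RDS", "ServiceNamespace": "rds",
     "TotalAuthenticatedEntities": 0},
]

SIX_MONTHS = timedelta(days=180)
# Fixed "now" so the demo output is reproducible.
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def split_by_recent_use(services: List[Dict], now: datetime,
                        window: timedelta = SIX_MONTHS) -> Tuple[List[str], List[str]]:
    """Return (used, unused) service namespaces relative to `now - window`."""
    cutoff = now - window
    used: List[str] = []
    unused: List[str] = []
    for svc in services:
        last = svc.get("LastAuthenticated")
        target = used if last is not None and last >= cutoff else unused
        target.append(svc["ServiceNamespace"])
    return sorted(used), sorted(unused)


def build_scoped_policy(namespaces: List[str]) -> Dict:
    """Identity policy allowing only the given services.

    service:* is still broad; action-level last-accessed data or Access
    Analyzer policy generation would narrow it further.
    """
    if not namespaces:
        raise ValueError("refusing to build an empty Allow policy")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ServicesUsedInLastSixMonths",
            "Effect": "Allow",
            "Action": [f"{ns}:*" for ns in sorted(namespaces)],
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    used, unused = split_by_recent_use(SAMPLE_SERVICES_LAST_ACCESSED, DEMO_NOW)
    print("used:", used, "unused:", unused)
    print(json.dumps(build_scoped_policy(used), indent=2))
```

The unused list is as valuable as the policy: services a role was granted but never used in six months are the first candidates for removal.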
IAM Policy Simulator
How the policy simulator works
The simulator assesses the policies you select and determines the effective permissions for each of the actions you specify. It employs the same policy evaluation engine as real-world requests to AWS services.
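To make the evaluation the simulator performs concrete, here is an added example (not from the slides, and not AWS's evaluation engine) that evaluates the three-statement S3 policy from the policy section of this module against sample requests. It models one slice of the real logic: Effect/Action/Resource statements, "*" and "?" wildcards (action names matched case-insensitively, resources case-sensitively), and the decision order explicit Deny > Allow > implicit Deny. Conditions, principals, resource-based policies, permission boundaries and SCPs are not modelled. The deny policy is constructed to show the explicit-deny rule.

```python
"""A miniature IAM policy evaluator for identity-based policies.

Added example, not from the original slides. The first policy is the S3
example from this module; DENY_DELETES_POLICY is constructed.
"""
import re
from typing import Dict, List, Union

Json = Dict[str, object]

S3_EXAMPLE_POLICY: Json = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::aws-foundation"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::aws-foundation/*"},
    ],
}

# Constructed guardrail: an explicit Deny wins regardless of any Allow.
DENY_DELETES_POLICY: Json = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}


def _as_list(value: Union[str, dict, List, None]) -> list:
    """IAM lets Action, Resource and Statement be a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def iam_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style wildcard match: '*' any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def statement_applies(stmt: Json, action: str, resource: str) -> bool:
    """True when the statement names both the action and the resource."""
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return (any(iam_match(a, action, True) for a in actions)
            and any(iam_match(r, resource, False) for r in resources))


def evaluate(policies: List[Json], action: str, resource: str) -> str:
    """Return "Deny" (explicit), "Allow", or "ImplicitDeny"."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # an explicit deny ends the evaluation
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::aws-foundation/report.txt"
    for pols, act, res in [
        ([S3_EXAMPLE_POLICY], "s3:GetObject", obj),
        ([S3_EXAMPLE_POLICY], "s3:ListBucket", "arn:aws:s3:::other-bucket"),
        ([S3_EXAMPLE_POLICY, DENY_DELETES_POLICY], "s3:DeleteObject", obj),
    ]:
        print(f"{act:16} {res:45} -> {evaluate(pols, act, res)}")
```

A detail worth noticing in the results: s3:GetObject against the bucket ARN itself is implicitly denied, because the object statement's resource is the bucket's contents (aws-foundation/*) and the bucket statement grants only ListBucket and GetBucketLocation. The simulator reports this same distinction.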
Benefits
● Improves your security posture by recording user activity and events, and lets you set up automated workflow rules with Amazon EventBridge.
● Captures and consolidates user activity and API usage across AWS Regions and accounts on a single, centrally controlled platform.
AWS Config
Benefits
● Continuous monitoring
● Continuous assessment