Module 1 | PDF | Cloud Computing | Amazon Web Services
AWS Cloud Foundations & IAM
Module 1
BCSE355L - AWS Solutions Architect
Agenda
• Introduction to Cloud Computing
• Overview of AWS Global Infrastructure
• AWS Shared Responsibility Model
• AWS IAM
Introduction to Cloud Computing
Introduction to Cloud Computing
• Cloud computing is the on-demand delivery of compute power, database, storage, applications, and other IT resources through a cloud services platform via the internet with pay-as-you-go pricing.
Cloud Computing is the delivery of computing services such as servers, storage, databases, networking, software, analytics, intelligence, and more, over the Cloud (Internet).
Introduction to Cloud Computing
• Cloud Computing provides an alternative to the on-premises data centre.
• With an on-premises data centre:
  • You have to manage everything, such as purchasing and installing hardware, virtualization, installing the operating system and any other required applications, setting up the network, configuring the firewall, and setting up storage for data.
  • You are responsible for maintaining it through its entire lifecycle.
Introduction to Cloud Computing
• In Cloud Computing:
  • The cloud vendor is responsible for the hardware purchase and maintenance.
  • The vendor also provides a wide variety of software and platform as a service.
  • Required services can be rented.
  • The cloud computing services are charged based on usage.
  • The vendor provides an easily accessible online portal that makes it easy for the user to manage the compute, storage, network, and application resources.
Introduction to Cloud Computing
• Some cloud service providers.
Advantages of Cloud Computing
• Cost: It reduces the huge capital costs of buying hardware and software.
• Speed: Resources can be accessed in minutes, typically within a few clicks.
• Scalability: We can increase or decrease the resources according to the business requirements.
• Productivity: While using cloud computing, we put in less operational effort. We do not need to apply patches or maintain hardware and software, so the IT team can be more productive and focus on achieving business goals.
Advantages of Cloud Computing
• Reliability: Backup and recovery of data are less expensive and very fast, which supports business continuity.
• Security: Many cloud vendors offer a broad set of policies, technologies, and controls that strengthen our data security.
Types of Cloud Computing
• Cloud computing provides developers and IT departments with the ability to focus on what matters most and avoid undifferentiated work such as procurement, maintenance, and capacity planning.
• As cloud computing has grown in popularity, several different models and deployment strategies have emerged to help meet the specific needs of different users.
• Each type provides you with different levels of control, flexibility, and management.
Types of Cloud Computing
• Public Cloud: Cloud resources that are owned and operated by a third-party cloud service provider are termed public clouds. A public cloud delivers computing resources such as servers, software, and storage over the internet.
• Private Cloud: Cloud computing resources that are used exclusively inside a single business or organization are termed a private cloud. A private cloud may be physically located in the company's on-site datacentre or hosted by a third-party service provider.
• Hybrid Cloud: It is the combination of public and private clouds, bound together by technology that allows data and applications to be shared between them. Hybrid cloud provides flexibility and more deployment options to the business.
Deployment models – Cloud (public)
• A cloud-based application is fully deployed in the cloud and all parts of the application run in the cloud.
• Applications in the cloud have either been created in the cloud or have been migrated from an existing infrastructure to take advantage of the benefits of cloud computing.
• Cloud-based applications can be built on low-level infrastructure pieces or can use higher-level services that provide abstraction from the management, architecting, and scaling requirements of core infrastructure.
Deployment models – Private Cloud (on-premises)
• The deployment of resources on-premises, using virtualization and resource management tools, is sometimes called the private cloud.
• On-premises deployment doesn't provide many of the benefits of cloud computing, but it is sometimes sought for its ability to provide dedicated resources.
• In most cases, this deployment model is the same as legacy IT infrastructure, while using application management and virtualization technologies to try to increase resource utilization.
Deployment models – Hybrid
• A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud.
• The most common method of hybrid deployment is between the cloud and existing on-premises infrastructure, to extend and grow an organization's infrastructure into the cloud while connecting cloud resources to the internal system.
Types of Cloud Services
• Infrastructure as a Service (IaaS):
  • IT infrastructure such as servers and virtual machines (VMs), storage, networks, and operating systems can be rented from a cloud service vendor.
  • You can create a VM running Windows or Linux and install anything that is required.
  • Using IaaS, there is no need to care about the hardware or virtualization software.
  • Using IaaS, you need to manage everything else.
  • IaaS provides maximum flexibility, but more effort is needed for maintenance.
Types of Cloud Services
• Platform as a Service (PaaS):
  • Provides an on-demand environment for developing, testing, delivering, and managing software applications.
  • The developer is responsible for the application, and the PaaS vendor provides the ability to deploy and run it.
  • Using PaaS, flexibility is reduced, but the management of the environment is taken care of by the cloud vendor.
Types of Cloud Services
• Software as a Service (SaaS):
  • Provides centrally hosted and managed software services to the end users.
  • Delivers software over the internet, on demand, and typically on a subscription basis.
  • E.g., Microsoft OneDrive, Dropbox, WordPress, Office 365, and Amazon Kindle.
  • SaaS is used to minimize the operational cost to the maximum extent.
Amazon Web Services
• AWS Global Infrastructure
• AWS Shared Responsibility Model
• AWS IAM
AWS
• AWS – Amazon Web Services – launched in 2006, providing cloud technologies to build solutions that transform industries, communities and lives for the better.
• It includes a mixture of infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and packaged software-as-a-service (SaaS) offerings. AWS offers tools such as compute power, database storage and content delivery services.
• Amazon.com Web Services launched its first web services in 2002 from the internal infrastructure that the company built to handle its online retail operations.
• In 2006, it began offering its defining IaaS services. AWS was one of the first companies to introduce a pay-as-you-go cloud computing model that scales to provide users with compute, storage and throughput as needed.
How AWS works
• AWS is separated into different services; each can be configured in different ways based on the user's needs. Users can see configuration options and individual server maps for an AWS service.
• The AWS portfolio includes the following categories of services:
  • Compute, Storage, DB, Infrastructure Management, Application development
  • Data management, Migration, Hybrid cloud, Networking, Development tools
  • Management, Monitoring, Security, Governance
  • Big data management, Analytics, AI, Mobile Development, Messaging and notifications
AWS Global Infrastructure
AWS Global Infrastructure
• AWS Cloud infrastructure is built around AWS Regions and Availability Zones.
• An AWS Region is a physical location in the world where we have multiple Availability Zones.
• Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
• Availability Zones offer you the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
AWS Global Infrastructure
• AWS Global Infrastructure is designed and built to deliver a flexible, reliable, scalable and secure cloud computing environment with high-quality global network performance.
• AWS continually updates its global infrastructure footprint.
• AWS Global Infrastructure map: https://aws.amazon.com/about-aws/global-infrastructure/#AWS_Global_Infrastructure_Map
AWS Global Infrastructure
• AWS Global Infrastructure has launched in 33 Regions, each with multiple Availability Zones: 105 Availability Zones, with 600+ CloudFront POPs and 13 Regional edge caches.
AWS Regions
• An AWS Region is a geographical area.
• Data replication across Regions is controlled by us.
• Communication between Regions uses the AWS backbone network infrastructure.
• Each Region provides full redundancy and connectivity to the network.
• A Region typically consists of two or more Availability Zones.
AWS Regions
• The AWS Cloud infrastructure is built around Regions.
• AWS has 22 Regions worldwide.
• To achieve fault tolerance and stability, Regions are isolated from one another.
• Resources in one Region are not automatically replicated to other Regions. When you store data in a specific Region, it is not replicated outside that Region.
• It is your responsibility to replicate data across Regions, if your business needs require it.
AWS Regions
• AWS Regions that were introduced before March 20, 2019 are enabled by default.
• Regions that were introduced after March 20, 2019—such as Asia Pacific (Hong Kong) and Middle East (Bahrain)—are disabled by default. You must enable these Regions before you can use them.
• Use the AWS Management Console to enable or disable a Region.
• Some Regions have restricted access. An Amazon AWS (China) account provides access to the Beijing and Ningxia Regions only.
AWS Regions
• Snapshot from the https://aws.amazon.com/about-aws/global-infrastructure/regions_az/ website showing a picture of downtown London, including Tower Bridge and the Shard. It notes that there are three Availability Zones in the Asia Pacific region.
Selecting a Region
• The AWS Cloud infrastructure is built around Regions. AWS has 22 Regions worldwide.
• An AWS Region is a physical geographical location with one or more Availability Zones. Availability Zones in turn consist of one or more data centers.
• To achieve fault tolerance and stability, Regions are isolated from one another. Resources in one Region are not automatically replicated to other Regions; when you store data in a specific Region, it is not replicated outside that Region, and it is your responsibility to replicate data across Regions if your business needs require it.
• AWS Regions introduced before March 20, 2019 are enabled by default. Regions introduced after March 20, 2019—such as Asia Pacific (Hong Kong) and Middle East (Bahrain)—are disabled by default; you must enable them (using the AWS Management Console) before you can use them.
• Some Regions have restricted access. An Amazon AWS (China) account provides access to the Beijing and Ningxia Regions only. To learn more about AWS in China, see: https://www.amazonaws.cn/en/about-aws/china/
Selecting a Region
• Factors to consider when selecting the optimal Region or Regions where you store data and use AWS services:
  • Data governance and legal requirements.
    • Local laws might require that certain information be kept within geographical boundaries.
    • Such laws might restrict the Regions where you can offer content or services.
    • Ex: European Union (EU) Data Protection Directive.
  • Run your applications and store your data in a Region that is as close as possible to the users and systems that will access them. This will help you reduce latency.
    • CloudPing is one website that you can use to test latency between your location and all AWS Regions.
    • To learn more about CloudPing, see: http://www.cloudping.info/
  • Not all services are available in all Regions.
  • Variation in the cost of running services, which can depend on which Region you choose.
    • For example, as of this writing, running an On-Demand t3.medium Amazon Elastic Compute Cloud (Amazon EC2) Linux instance in the US East (Ohio) Region costs $0.0416 per hour, but running the same instance in the Asia Pacific (Tokyo) Region costs $0.0544 per hour.
Availability Zones
• Each Region has multiple Availability Zones.
• Each Availability Zone is a fully isolated partition of the AWS infrastructure.
• AZs consist of discrete data centers.
• They are designed for fault isolation.
• They are interconnected with other AZs using high-speed private networking.
• You can choose your AZ.
• AWS recommends replicating data and resources across AZs for resiliency.
Availability Zones
• Each Availability Zone provides the ability to operate applications and databases that are more highly available, fault-tolerant, and scalable than would be possible with a single data center.
• Each Availability Zone can include multiple data centers (typically three), and at full scale they can include hundreds of thousands of servers. They are fully isolated partitions of the AWS Global Infrastructure.
• Availability Zones have their own power infrastructure, and they are physically separated by many kilometers from other Availability Zones—though all Availability Zones are within 100 km of each other.
Availability Zones
• All Availability Zones are interconnected with high-bandwidth, low-latency networking over fully redundant, dedicated fiber that provides high throughput between Availability Zones.
• The network accomplishes synchronous replication between Availability Zones.
• Availability Zones help build highly available applications. When an application is partitioned across Availability Zones, companies are better isolated and protected from issues such as lightning, tornadoes, earthquakes, and more.
• You are responsible for selecting the Availability Zones where your systems will reside. Systems can span multiple Availability Zones. AWS recommends replicating across Availability Zones for resiliency. You should design your systems to survive the temporary or prolonged failure of an Availability Zone if a disaster occurs.
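The last bullet's advice, as an added example (not code from the slides or from AWS): a Python check that a deployment described as instance counts per Availability Zone still meets its required capacity when any single AZ fails, plus the smallest even spread that does. The AZ names and instance counts are constructed sample data.

```python
"""Single-AZ-failure capacity check (an "N+1 across AZs" test).

Added example, not from the original slides. It applies the advice "design
your systems to survive the temporary or prolonged failure of an Availability
Zone" to a deployment given as instances per AZ. All names and counts below
are constructed sample data and do not describe a real account.
"""
from typing import Dict, List, Tuple

# Constructed sample deployments (instances per AZ). The AZ names follow the
# US East (Ohio) naming pattern only for readability.
SINGLE_AZ = {"us-east-2a": 6}
TWO_AZ = {"us-east-2a": 3, "us-east-2b": 3}
THREE_AZ = {"us-east-2a": 2, "us-east-2b": 2, "us-east-2c": 2}

# Instances the application needs to keep serving its normal load.
REQUIRED_CAPACITY = 4


def capacity_after_az_loss(per_az: Dict[str, int], lost_az: str) -> int:
    """Instances that remain serving if `lost_az` becomes unavailable."""
    return sum(count for az, count in per_az.items() if az != lost_az)


def az_failure_report(per_az: Dict[str, int], required: int) -> List[Tuple[str, int, bool]]:
    """For each AZ: (az, capacity left if that AZ fails, still meets `required`?)."""
    report = []
    for az in sorted(per_az):
        remaining = capacity_after_az_loss(per_az, az)
        report.append((az, remaining, remaining >= required))
    return report


def survives_single_az_failure(per_az: Dict[str, int], required: int) -> bool:
    """True only if losing ANY one AZ still leaves at least `required` instances.

    A deployment confined to one AZ can never pass: when that AZ fails there is
    nothing left to serve, which is exactly the scenario the slide warns about.
    """
    if len(per_az) < 2:
        return False
    return all(ok for _, _, ok in az_failure_report(per_az, required))


def min_instances_per_az(required: int, az_count: int) -> int:
    """Smallest equal per-AZ count such that losing one AZ still meets `required`.

    With N AZs only N-1 remain after a failure, so each AZ must carry
    ceil(required / (N-1)) instances.
    """
    if az_count < 2:
        raise ValueError("at least two Availability Zones are needed to tolerate an AZ failure")
    return -(-required // (az_count - 1))  # ceiling division


def balanced_layout(required: int, azs: List[str]) -> Dict[str, int]:
    """Spread the minimum per-AZ count evenly over the given AZs."""
    per_az = min_instances_per_az(required, len(azs))
    return {az: per_az for az in azs}


if __name__ == "__main__":
    for name, layout in (("single AZ", SINGLE_AZ), ("two AZs", TWO_AZ), ("three AZs", THREE_AZ)):
        ok = survives_single_az_failure(layout, REQUIRED_CAPACITY)
        print(f"{name}: survives any single-AZ failure = {ok}")
        for az, remaining, meets in az_failure_report(layout, REQUIRED_CAPACITY):
            print(f"  lose {az}: {remaining} instances left ({'ok' if meets else 'SHORT'})")
    print("minimum balanced layout:", balanced_layout(REQUIRED_CAPACITY, list(THREE_AZ)))
```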
AWS Data Centers
• AWS data centers are designed for security.
• They are where the data resides and data processing occurs.
• Each data center has redundant power, networking, and connectivity, and is housed in a separate facility.
• A data center typically has 50,000 to 80,000 physical servers.
Availability Zones
• Customers do not specify a data center for the deployment of resources.
• A data center is the location where the actual data resides.
• Amazon operates state-of-the-art, highly available data centers.
• Although rare, failures can occur that affect the availability of instances in the same location.
• If you host all your instances in a single location that is affected by such a failure, none of your instances will be available.
Availability Zones
Data centers are securely designed with several factors in mind:
• Each location is carefully evaluated to mitigate environmental risk.
• Data centers have a redundant design that anticipates and tolerates failure while maintaining service levels.
• To ensure availability, critical system components are backed up across multiple Availability Zones.
• To ensure capacity, AWS continuously monitors service usage to deploy infrastructure to support availability commitments and requirements.
• Data center locations are not disclosed and all access to them is restricted.
• In case of failure, automated processes move data traffic away from the affected area. AWS uses custom network equipment sourced from multiple original device manufacturers (ODMs).
Point of Presence
• AWS provides a global network of Point of Presence locations.
• It consists of edge locations and a much smaller number of Regional Edge caches.
• Used with Amazon CloudFront, a global Content Delivery Network (CDN) that delivers content to end users with reduced latency.
• Regional Edge caches are used for content with infrequent access.
Point of Presence
• Amazon CloudFront is a content delivery network (CDN) used to distribute content to end users to reduce latency.
• Amazon Route 53 is a Domain Name System (DNS) service. Requests going to either one of these services will be routed to the nearest edge location automatically in order to lower latency.
• AWS Points of Presence are located in most of the major cities around the world. By continuously measuring internet connectivity, performance and computing to find the best way to route requests, the Points of Presence deliver a better near real-time user experience.
• They are used by many AWS services, including Amazon CloudFront, Amazon Route 53, AWS Shield, and AWS Web Application Firewall (AWS WAF).
• Regional edge caches are used by default with Amazon CloudFront. Regional edge caches are used when you have content that is not accessed frequently enough to remain in an edge location.
• Regional edge caches absorb this content and provide an alternative to that content having to be fetched from the origin server.
AWS Infrastructure features
• First, it is elastic and scalable. This means resources can dynamically adjust to increases or decreases in capacity requirements. It can also rapidly adjust to accommodate growth.
• Second, this infrastructure is fault tolerant, which means it has built-in component redundancy that enables it to continue operations despite a failed component.
• Finally, it requires minimal to no human intervention, while providing high availability with minimal downtime.
AWS Shared Responsibility Model
AWS Shared Responsibility Model
• Security and compliance are a shared responsibility between AWS and the customer.
• The shared responsibility model is designed to:
  • help relieve the customer's operational burden
  • provide the flexibility and customer control that enables the deployment of customer solutions on AWS; the customer remains responsible for some aspects of the overall security.
• The differentiation of who is responsible for what is commonly referred to as security "of" the cloud versus security "in" the cloud.
AWS Shared Responsibility Model
• AWS operates, manages, and controls the components from the software virtualization layer down to the physical security of the facilities where AWS services operate.
• AWS is responsible for protecting the infrastructure that runs all the services that are offered in the AWS Cloud.
• This infrastructure is composed of the hardware, software, networking, and facilities that run the AWS Cloud services.
• The customer is responsible for:
  • the encryption of data at rest and data in transit.
  • ensuring that the network is configured for security and that security credentials and logins are managed safely.
  • the configuration of security groups.
  • the configuration of the operating system that runs on compute instances that they launch (including updates and security patches).
AWS Responsibility, Security of the cloud
• AWS is responsible for security of the cloud.
• Under the AWS shared responsibility model, AWS operates, manages, and controls the components from the bare metal host operating system and hypervisor virtualization layer down to the physical security of the facilities where the services operate.
• It means that AWS is responsible for protecting the global infrastructure that runs all the services that are offered in the AWS Cloud.
• The global infrastructure includes AWS Regions, Availability Zones, and edge locations.
AWS Responsibility, Security of the cloud
• AWS Responsibilities:
  • Physical security of data centers
    • Controlled, need-based access
  • Hardware and software infrastructure
    • Storage decommissioning, host OS access logging and auditing
  • Network infrastructure
    • Intrusion detection
  • Virtualization infrastructure
    • Instance isolation
Customer responsibility: Security in the cloud
• Customer Responsibilities:
  • Amazon Elastic Compute Cloud (Amazon EC2) instance OS
    • Including patching, maintenance
  • Applications
    • Passwords, role-based access etc.
  • Security group configuration
  • OS or host-based firewalls
    • Including intrusion detection or prevention systems
  • Network configuration
  • Account Management
    • Login and permission settings for each user
Customer responsibility: Security in the cloud
• Customer responsibilities include selecting and securing any instance operating systems, securing the applications that are launched on AWS resources, security group configurations, firewall configurations, network configurations, and secure account management.
• When customers use AWS services, they maintain complete control over their content.
• Customers are responsible for managing critical content security requirements, including:
  • What content they choose to store on AWS
  • Which AWS services are used with the content
  • In what country that content is stored
  • The format and structure of that content and whether it is masked, anonymized, or encrypted
  • Who has access to that content and how those access rights are granted, managed, and revoked
• Customers retain control of what security they choose to implement to protect their own data, environment, applications, IAM configurations, and operating systems.
Service characteristics and security responsibility (1 of 3)
• Infrastructure as a service (IaaS)
  • Customer has more flexibility over configuring networking and storage settings.
  • Customer is responsible for managing more aspects of the security.
  • Customer configures the access controls.
Service characteristics and security responsibility (2 of 3)
• Platform as a service (PaaS)
  • Customer does not need to manage the underlying infrastructure.
  • AWS handles the OS, DB patching, firewall configuration, and disaster recovery.
  • Customer can focus on managing code or data.
Service characteristics and security responsibility (3 of 3)
• Software as a service (SaaS)
  • Software is centrally hosted.
  • Licensed on a subscription model or pay-as-you-go basis.
  • Services are typically accessed via web browser, mobile app, or application programming interface (API).
  • Customers do not need to manage the infrastructure that supports the service.
AWS Shared Responsibility Model Deployment
• Who is responsible – AWS or the customer?
  • Upgrades and patches to the OS on the EC2 instance
  • Physical security of the data center
  • Virtualization infrastructure
  • EC2 security group settings
  • Configuration of applications that run on the EC2 instance
  • Oracle upgrades or patches, if the Oracle instance runs as an Amazon RDS instance
  • S3 bucket access configuration
AWS Shared Responsibility Model Deployment
• Who is responsible – AWS or the customer?
  • Upgrades and patches to the OS on the EC2 instance - The customer
  • Physical security of the data center - AWS
  • Virtualization infrastructure - AWS
  • EC2 security group settings - Customer
  • Configuration of applications that run on the EC2 instance - Customer
  • Oracle upgrades or patches, if the Oracle instance runs as an Amazon RDS instance - AWS
  • Oracle upgrades or patches, if Oracle runs on an EC2 instance - Customer
  • S3 bucket access configuration - Customer
AWS Shared Responsibility Model
Deployment
 Who is responsible – AWS or the customer?
 Ensuring that the AWS Management Console is not hacked?
 Configuring the subnet
 Configuring the VPC
 Protecting against network outages in AWS Regions
 Securing the SSH keys
 Ensuring network isolation between AWS customers' data
 Ensuring a low-latency network connection between the web server and S3 bucket
 Enforcing multi-factor authentication for all user logins?
AWS Shared Responsibility Model
Deployment
 Who is responsible – AWS or the customer?
 Ensuring that the AWS Management Console is not hacked? – AWS
 Configuring the subnet – Customer
 Configuring the VPC – Customer
 Protecting against network outages in AWS Regions – AWS
 Securing the SSH keys – Customer
 Ensuring network isolation between AWS customers' data – AWS
 Ensuring a low-latency network connection between the web server and S3 bucket – AWS
 Enforcing multi-factor authentication for all user logins? – Customer
AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM)
 Use IAM to manage access to AWS resources
 A resource is an entity in an AWS account that you can work with
 Example: an Amazon EC2 instance or an Amazon S3 bucket
 Example: control who can terminate Amazon EC2 instances
 Define fine-grained access rights
 Who can access the resource
 Which resource can be accessed and what can the user do to the resource
 How resources can be accessed
 IAM is a no-cost AWS account feature.
IAM: Essential Components
Authenticate as an IAM user to gain access
IAM MFA
Authorization: What actions are permitted
IAM: Authorization
 Assign permissions by creating an IAM policy.
 Permissions determine which resources and operations are allowed.
 All permissions are implicitly denied by default.
 If something is explicitly denied, it is never allowed.
 Best practice: Follow the principle of least privilege.
IAM policies
 An IAM policy is a document that defines permissions
 Enables fine-grained access control
 Two types of policies – identity-based and resource-based
 Identity-based policies
 Attach a policy to any IAM entity – IAM user, IAM group or IAM role.
 Policies specify
 Actions that may be performed by the entity
 Actions that may not be performed by the entity
 A single policy can be attached to multiple entities
 A single entity can have multiple policies attached to it
 Resource-based policies
 Attached to a resource (such as an S3 bucket)
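The evaluation rules from the IAM: Authorization slide (implicit deny by default, any Allow grants, an explicit Deny always wins) applied to several identity-based policies attached to one entity, as an added example that is not part of the original slides or of AWS's own code. The policy documents, bucket name and account values are constructed, and the wildcard matching is a simplification of what IAM really does.

```python
"""Simplified IAM policy evaluation (added example, not AWS's own code).

Models the rules stated above: every request is implicitly denied, an Allow
in any attached policy grants it, and an explicit Deny in any policy wins.
Action and Resource patterns use IAM's '*' wildcard (approximated with
fnmatch; real IAM also matches actions case-insensitively). The policies,
bucket and account below are constructed sample data.
"""
from fnmatch import fnmatchcase

def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request,
    given every identity-based policy attached to the caller (directly or
    through its groups)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # never overridden by any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# Constructed policies: one attached to the user's group, one to the user.
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}]}
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-logs/secrets/*"}]}
ATTACHED = [GROUP_POLICY, USER_POLICY]   # the union the entity carries

if __name__ == "__main__":
    for action, resource in [
            ("s3:GetObject", "arn:aws:s3:::app-logs/2024/app.log"),
            ("s3:GetObject", "arn:aws:s3:::app-logs/secrets/db.key"),
            ("s3:PutObject", "arn:aws:s3:::app-logs/2024/app.log"),
            ("ec2:DescribeInstances", "*"),
            ("ec2:TerminateInstances", "*")]:
        print(f"{action:24} {resource:42} -> {evaluate(ATTACHED, action, resource)}")
```

The Deny on the secrets prefix blocks the read even though the group policy allows it, while PutObject and TerminateInstances fall through to the implicit deny because nothing grants them.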
Authorization: What actions are permitted
Resource-based policies
 Identity-based policies are attached to a user, group or role.
 Resource-based policies are attached to a resource (not a user, group or role)
 Characteristics of resource-based policies
 Specifies who has access to the resource and what actions they can perform on it
 The policies are inline only, not managed
 They are supported only by some AWS services
IAM permissions
IAM Groups
 An IAM group is a collection of IAM users
 A group is used to grant the same permissions to multiple users.
 Permissions are granted by attaching an IAM policy or policies to the group
 A user can belong to multiple groups
 There is no default group
 Groups cannot be nested.
IAM Roles
 An IAM role is an IAM identity with specific permissions
 Similar to an IAM user – attach permissions policies to it
 Different from an IAM user
 Not uniquely associated with one person
 Intended to be assumable by a person, application or service
 Role provides temporary security credentials
 Examples of how IAM roles are used to delegate access
 Used by an IAM user in the same AWS account as the role
 Used by an AWS service – such as Amazon EC2 – in the same account as the role
 Used by an IAM user in a different AWS account than the role.
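The three delegation cases just listed (a user in the same account, the EC2 service, a user in another account), worked through a role's trust policy, the document that decides who may assume the role; this is an added example, not part of the original slides or of AWS's own code. The role, account IDs and user names are constructed, and the check simplifies IAM's real evaluation (conditions, session policies and the caller's own identity policy are not modelled).

```python
"""Who may assume an IAM role? (added example, not AWS's own code)

A role carries a trust policy (which principals may call sts:AssumeRole on
it) and a permissions policy (what the temporary credentials may then do).
This simplified check models the trust policy only; the account IDs, user
names and role below are constructed samples.
"""
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(pattern, principal_id):
    # Trusting an account root (arn:aws:iam::<account>:root) delegates to that
    # account: any of its principals may assume the role, provided their own
    # identity-based policy also allows sts:AssumeRole.
    if pattern.endswith(":root"):
        return principal_id.split(":")[4] == pattern.split(":")[4]
    return fnmatchcase(principal_id, pattern)

def can_assume(trust_policy, principal_type, principal_id):
    """principal_type is 'AWS' (an IAM or account ARN) or 'Service'
    (e.g. ec2.amazonaws.com); True if the trust policy permits the call."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if not any(fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt["Action"])):
            continue
        principals = stmt.get("Principal", {})
        if principals == "*":
            matched = True          # trusts every principal: rarely intended
        else:
            matched = any(_principal_matches(p, principal_id)
                          for p in _as_list(principals.get(principal_type, [])))
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False            # an explicit deny wins here too
        allowed = True
    return allowed

# Constructed trust policy for a hypothetical role in account 111111111111:
# EC2 and one deployment user in the same account may assume it, as may any
# principal in partner account 222222222222 (the cross-account case).
APP_SERVER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": [
        "arn:aws:iam::111111111111:user/deploy-bot",
        "arn:aws:iam::222222222222:root"]}},
]}
```

A user in account 111111111111 who is not named in the trust policy is refused even though the partner account's users are accepted, which is why trusting an account root should be deliberate.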
IAM Roles
Thank you
Module 1
BCSE355L - AWS Solutions Architect