Thursday, March 21, 2019

AWS Services

     1.        Identity and Access Management (IAM):
Controls identity (who can sign in) and access (which AWS resources they may use).
                  1.1.        Features:
                              1.1.1.        Centralized User Access Control.
                              1.1.2.        Shared access to AWS account.
      Grant other people permission to administer and use resources in your AWS account.
                              1.1.3.        Grant Permission.
                              1.1.4.        Multifactor Authentication
      Hardware or virtual MFA devices (security-token or TOTP based) are supported.
      SMS text message based MFA is no longer recommended.
      U2F security key: a device that you plug into a USB port on your computer. U2F is an open authentication standard hosted by the FIDO Alliance.
      MFA can be required for API calls when the AWS service supports temporary security credentials.
                              1.1.5.        Identity federation.
      Use IAM identity providers (IdPs) instead of creating IAM users for every external identity.
      Web identity federation uses the STS AssumeRoleWithWebIdentity action to request temporary security credentials.
      Web identity federation can also be done through Amazon Cognito.
      SAML 2.0-based federation (for example with Windows Active Directory or OpenLDAP) uses the STS AssumeRoleWithSAML action to request temporary security credentials.
      IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0).
      Custom identity broker federation: if the organization does not have a SAML-compatible IdP, the broker calls AWS Security Token Service AssumeRole (recommended) or GetFederationToken (expiration period of 36 hours) to obtain temporary security credentials.
                              1.1.6.        Secure access to AWS resources for applications that run on Amazon EC2
                              1.1.7.        Password Policy.
      Minimum password length
      Require at least one uppercase letter
      Require at least one lowercase letter
      Require at least one number
      Require at least one non-alphanumeric character
      Allow users to change their own password
      Enable password expiration
      Prevent password reuse
      Password expiration requires administrator reset
                              1.1.8.        Eventually Consistent.
                              1.1.9.        Integrate AWS services.
                            1.1.10.        Credential Report
      Lists all users and the status of their various credentials, including passwords, access keys, and MFA devices.
      Credential reports assist in auditing and compliance efforts.
      A credential report can be generated as often as once every four hours.
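What the credential report lets a reviewer check, as an added example (not code from the original notes): parse a report in its CSV column layout and flag the root account holding access keys or lacking MFA, console users without MFA, and access keys that are stale or never used. The rows are constructed samples and the 90-day key age threshold is an assumed policy.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report (one row
# per identity, root account first). Not a real account's report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2017-01-10T09:00:00+00:00,not_supported,2019-03-01T10:00:00+00:00,not_supported,not_supported,false,true,2017-01-10T09:05:00+00:00,2019-02-20T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-05-02T12:00:00+00:00,true,2019-03-20T07:30:00+00:00,2019-01-15T12:00:00+00:00,2019-04-15T12:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2018-06-11T12:00:00+00:00,true,2019-03-19T16:00:00+00:00,2018-06-11T12:00:00+00:00,2018-09-09T12:00:00+00:00,false,true,2018-06-11T12:10:00+00:00,2019-03-18T09:00:00+00:00,false,N/A,N/A
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,2018-02-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2018-02-01T12:00:00+00:00,2019-03-20T01:00:00+00:00,true,2018-02-01T12:00:00+00:00,N/A
"""

# Point in time the audit is run at (the date of these notes).
NOW = datetime(2019, 3, 21, 12, 0, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not an AWS default


def parse_report(text):
    """Parse the CSV body of a credential report into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def _age_days(stamp, now):
    """Days since an ISO-8601 timestamp; None for the report's placeholder values."""
    if stamp in ("N/A", "no_information", "not_supported"):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit(rows, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (identity, finding) pairs for the conditions a reviewer cares about:
    root account with access keys or without MFA, console users without MFA,
    active access keys older than the rotation policy, and keys never used."""
    findings = []
    for row in rows:
        name = row["user"]
        if name == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((name, "root account has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((name, "root account has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((name, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age_days:
                findings.append((name, f"access key {n} is {age} days old"))
            if row[f"access_key_{n}_last_used_date"] == "N/A":
                findings.append((name, f"access key {n} has never been used"))
    return findings


def audit_sample():
    """Run the audit over the constructed report."""
    return audit(parse_report(SAMPLE_REPORT))


if __name__ == "__main__":
    for identity, finding in audit_sample():
        print(f"{identity}: {finding}")
```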
                             1.1.11.        IAM is Payment Card Industry Data Security Standard (PCI DSS) compliant.
                  1.2.        Identities:
                              1.2.1.        Users:
      Represents a person or a service that interacts with AWS; a user created for a service is typically referred to as a service account.
      An ARN for an IAM user might look like arn:aws:iam::account-ID-without-hyphens:user/Richard
      By default, a brand new IAM user has no permissions.
      Lost or forgotten passwords and access keys cannot be retrieved from IAM: an administrator must reset the password, and a lost access key must be replaced by generating a new one.
                              1.2.2.        Group: IAM group is a collection of IAM users.
                              1.2.3.        Role:
      An identity with permission policies that determine what the identity can and cannot do in AWS. Used to delegate access to users, applications, or services.
      Trust policy: a JSON document that defines who is allowed to assume the role.
      Permissions policy: a JSON document that defines what actions and resources the role can use.
                              1.2.4.        Temporary Credentials
      AWS Security Token Service (AWS STS) creates and provides trusted users with temporary security credentials that control access to your AWS resources.
      Temporary security credentials work almost identically to the long-term access keys of IAM users, with two differences: they are short-term, and they are not stored with the user but generated dynamically and handed out when requested.
      An application therefore does not have to distribute or embed long-term AWS security credentials.
                              1.2.5.        Root user:
                              1.2.6.        Policies:
      A JSON document that states permissions as statements with Effect, Action and Resource elements.
      Policies can be resource-based or identity-based.
      Policies are either managed (AWS managed or customer managed) or inline.
      Identity-based policies are attached to a user, group or role.
      Resource-based policies are attached to AWS resources, as inline policies only.
      For S3, access can be granted through a bucket policy, a user policy, or both.
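Added example (not from the original notes) of how the Effect/Action/Resource statements above are evaluated: an explicit Deny overrides any Allow, and with no matching statement the request is implicitly denied, which is why a brand new user can do nothing. The policy document is constructed; the evaluator handles IAM wildcards and only the Bool condition operator, used here for the aws:MultiFactorAuthPresent key.

```python
import fnmatch
import json

# Constructed identity-based policy (not from the original notes): read access to
# a log bucket, MFA-gated uploads, and an explicit deny on a secrets prefix.
READ_ONLY_WITH_DENY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    {"Effect": "Allow",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::app-logs/uploads/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-logs/secrets/*"}
  ]
}
""")


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are matched case-insensitively; * and ? are IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively (S3 object keys are case-sensitive).
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the Bool operator is modelled; a missing context key behaves as "false"
    # and any other operator is treated as not satisfied (conservative).
    for operator, pairs in condition.items():
        if operator != "Bool":
            return False
        for key, expected in pairs.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    All applicable policies are considered together: an explicit Deny wins over
    any Allow, and with no matching statement the request is implicitly denied.
    """
    context = context or {}
    decision = "implicit_deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision
```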
                  1.3.        Use Cases:
                              1.3.1.        Console access requires a user name and password.
                              1.3.2.        CLI access requires an access key (access key ID + secret access key).
                              1.3.3.        SSH keys for CodeCommit.
                              1.3.4.        Server certificates to authenticate with services (HTTPS only).
                  1.4.        Limits:
                              1.4.1.        IAM users per account: 5000
                              1.4.2.        IAM groups per account: 300
                              1.4.3.        IAM roles per account: 1000
                              1.4.4.        Managed policies attached to an IAM role: 10
                              1.4.5.        Managed policies attached to an IAM user: 10
                              1.4.6.        Instance profiles per account: 1000
                              1.4.7.        Server certificates stored per account: 20
                              1.4.8.        Access keys per IAM user: 2
                              1.4.9.        Groups an IAM user can belong to: 10
                            1.4.10.        Managed policy size: 6,144 characters
                            1.4.11.        Inline user policy size: 2,048 characters
                            1.4.12.        Inline role policy size: 10,240 characters
                            1.4.13.        Inline group policy size: 5,120 characters
                  1.5.        Tips:
                              1.5.1.        User permissions must be granted explicitly.
                              1.5.2.        An IAM user cannot be renamed from the AWS Management Console; use the CLI or SDK tools instead. Policies that name the user as a resource must be updated by hand.
     2.        Virtual Private Cloud (VPC):
The original release of Amazon EC2 supported a single, flat network that's shared with other customers called the EC2-Classic platform. Earlier AWS accounts still support this platform, and can launch instances into either EC2-Classic or a VPC
                  2.1.        Features:
                              2.1.1.        A dedicated (logically isolated) virtual network on AWS.
                              2.1.2.        The EC2-VPC platform comes with a default VPC that has a default subnet in each Availability Zone.
                              2.1.3.        The default VPC includes an internet gateway, and each default subnet is a public subnet.
                              2.1.4.        Each instance launched into a default subnet has a private IPv4 address and a public IPv4 address.
                              2.1.5.        Enable internet access for an instance launched into a non-default subnet by attaching an internet gateway to its VPC and associating an Elastic IP address with the instance.


                  2.2.        Components:
                              2.2.1.        Subnet
      Allowed subnet CIDR block size is between /28 (2^4 = 16 addresses) and /16 (2^16 = 65,536 addresses).
      If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet.
      A VPN-only subnet has no route to the internet gateway but routes its traffic to a virtual private gateway.
      IPv6 traffic over a Site-to-Site VPN connection is not currently supported.
      Five IP addresses are reserved in each subnet; for 10.0.0.0/24 they are 10.0.0.0 (network address), 10.0.0.1 (reserved by AWS for the VPC router), 10.0.0.2 (reserved by AWS for DNS), 10.0.0.3 (reserved by AWS for future use) and 10.0.0.255 (network broadcast address).
      A single IPv6 CIDR block can be associated with an existing VPC in your account, or when you create a new VPC. The CIDR block uses a fixed prefix length of /56.
                              2.2.2.        Route table:
      Contains a set of rules, called routes, that determine where network traffic is directed.
      A VPC automatically comes with a main route table that you can modify.
      The main route table cannot be deleted.
      A subnet can only be associated with one route table (main or custom) at a time, but multiple subnets can be associated with the same route table.
      On creation, a subnet is automatically associated with the main route table of the VPC.
      Every route table contains a local route for communication within the VPC over IPv4. If the VPC has more than one IPv4 CIDR block, the route tables contain a local route for each IPv4 CIDR block.
      The route table must be updated for any subnet that uses a gateway: an internet gateway, an egress-only internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint in the VPC.
      The most specific route (longest prefix match) wins.
      ClassicLink is a feature that enables you to link an EC2-Classic instance to a VPC.
                              2.2.3.        Elastic Network Interface (ENI)
      A virtual network interface can include the following attributes:
      a primary private IPv4 address
      one or more secondary private IPv4 addresses
      one Elastic IP address per private IPv4 address
      one public IPv4 address, which can be auto-assigned to the network interface for eth0 when you launch an instance
      one or more IPv6 addresses
      one or more security groups
      a MAC address
      a source/destination check flag
      a description
      Each instance in your VPC has a default network interface (the primary network interface).
      The primary network interface cannot be detached from an instance.
      Use cases:
      Create a management network.
      Use network and security appliances in your VPC.
      Create dual-homed instances with workloads/roles on distinct subnets.
      Create a low-budget, high-availability solution.
                              2.2.4.        Security group
      A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
      An instance can be assigned 5 security groups, with each security group having 50 rules.
      Security groups act at the instance level and grant access to a specific CIDR range, or to another security group in the VPC or in a peer VPC.
      Rules can only allow traffic; deny rules cannot be specified.
      If no security group is specified at launch time, the instance is automatically assigned the default security group for the VPC.
      By default, a security group includes an outbound rule that allows all outbound traffic.
      Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
      A security group name cannot start with sg-.
      A security group name must be unique within the VPC.
      Names and descriptions can be up to 255 characters in length.
      Names and descriptions are limited to the following characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.
      Security group rules are evaluated as a whole (cumulatively), with the most permissive rule taking precedence.
      Security groups are associated with ENIs (network interfaces).
      Security groups are stateful and use connection tracking to track information about traffic to and from the instance.
      Stale security group rules: when a VPC has a VPC peering connection with another VPC, a security group rule can reference a security group in the peer VPC, allowing instances associated with the referenced security group to communicate with instances associated with the referencing security group; such rules become stale if the peering connection is deleted.
      Security groups created for use with EC2-Classic cannot be used with instances in your VPC.
      Changes are applied immediately to all instances associated with the security group.
                              2.2.5.        NACL
      A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
      A VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound traffic.
      Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
      A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
      Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
                              2.2.6.        Internet Gateway
      A horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
      An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
      An internet gateway supports IPv4 and IPv6 traffic.
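Added example (not from the original notes) that makes the stateful/stateless difference between security groups (2.2.4) and network ACLs (2.2.5) concrete: the same HTTPS request and reply are run through a toy model of each, including a NACL fix that adds an outbound ephemeral-port rule. Rule sets and addresses are constructed; NACL rules are evaluated in ascending rule-number order with first match winning.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (toward the instance) or "out" (from the instance)
    proto: str        # "tcp", "udp" or "icmp"
    peer: str         # IP address of the remote host
    local_port: int   # port on the instance
    remote_port: int  # port on the remote host


def _flow(pkt):
    # Connection-tracking key: identical for both directions of one connection.
    return (pkt.proto, pkt.peer, pkt.local_port, pkt.remote_port)


def _rule_hits(proto, port_range, cidr, pkt):
    # A rule's port is the packet's destination port: the instance's port for
    # inbound traffic, the remote host's port for outbound traffic.
    dport = pkt.local_port if pkt.direction == "in" else pkt.remote_port
    if proto not in ("all", pkt.proto):
        return False
    if port_range is not None and not port_range[0] <= dport <= port_range[1]:
        return False
    return ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Allow-only rules, any match permits (most permissive wins), stateful:
    once a packet is accepted, the rest of that flow passes in both directions."""

    def __init__(self, rules):
        self.rules = rules      # {"in": [(proto, (lo, hi), cidr)], "out": [...]}
        self.tracked = set()

    def allows(self, pkt):
        if _flow(pkt) in self.tracked:
            return True
        ok = any(_rule_hits(p, r, c, pkt) for p, r, c in self.rules[pkt.direction])
        if ok:
            self.tracked.add(_flow(pkt))
        return ok


class NetworkAcl:
    """Numbered allow/deny rules evaluated in ascending order, first match wins,
    stateless: every packet, replies included, is checked against the rules."""

    def __init__(self, rules):
        self.rules = rules      # {"in": [(number, effect, proto, (lo, hi), cidr)], ...}

    def allows(self, pkt):
        for _number, effect, p, r, c in sorted(self.rules[pkt.direction], key=lambda x: x[0]):
            if _rule_hits(p, r, c, pkt):
                return effect == "allow"
        return False            # the implicit final deny


# Constructed rule sets for a web server (not from the original notes).
SG_HTTPS = {"in": [("tcp", (443, 443), "0.0.0.0/0")],
            "out": []}          # default outbound allow-all rule deliberately removed
NACL_HTTPS = {"in": [(100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
              "out": [(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]}
NACL_HTTPS_FIXED = {"in": NACL_HTTPS["in"],
                    "out": NACL_HTTPS["out"] + [(110, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]}


def https_exchange(firewall):
    """A client at 198.51.100.7 (documentation range) connects to port 443 from
    ephemeral port 51234; the instance replies. Returns (request_ok, reply_ok)."""
    request = Packet("in", "tcp", "198.51.100.7", 443, 51234)
    reply = Packet("out", "tcp", "198.51.100.7", 443, 51234)
    return firewall.allows(request), firewall.allows(reply)
```

The security group passes the reply through connection tracking even with no outbound rule, while the NACL drops it until an outbound rule for the client's ephemeral port range is added.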
                              2.2.7.        Nat Gateway
      A NAT device enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with the instances. The NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances. When traffic goes to the internet, the source IPv4 address is replaced with the NAT device's address; when the response traffic comes back, the NAT device translates the address back to the instances' private IPv4 addresses.
      NAT devices are not supported for IPv6 traffic; use an egress-only internet gateway instead.
      The NAT device must be launched in a public subnet.
      It must be associated with an Elastic IP address or a public IP address.
      Its source/destination check flag must be disabled.
      The security group associated with a NAT instance must allow outbound internet traffic from instances in the private subnet and disallow inbound internet traffic.
      The private subnet's route table must direct internet traffic to the NAT device.
      AWS offers two kinds of NAT devices: a NAT gateway (recommended) or a NAT instance.
      NAT gateways are recommended, as they provide better availability and bandwidth than NAT instances.
      A NAT gateway is managed by AWS.
      A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps. If more is required, distribute the workload by splitting resources into multiple subnets and creating a NAT gateway in each subnet.
      Exactly one Elastic IP address is associated with a NAT gateway, and it cannot be disassociated after the gateway is created. To use a different Elastic IP address, create a new NAT gateway.
      A NAT gateway supports the following protocols: TCP, UDP, and ICMP.
      A private IP address from the subnet's IP address range is automatically assigned to the NAT gateway when it is created.
      A NAT gateway cannot be accessed by a ClassicLink connection.
      A NAT gateway can support up to 55,000 simultaneous connections to each unique destination.
      A NAT gateway cannot send traffic over VPC endpoints, AWS Site-to-Site VPN connections, AWS Direct Connect, or VPC peering connections. If instances in the private subnet must access resources over a VPC endpoint, a Site-to-Site VPN connection, or AWS Direct Connect, use the private subnet's route table to route the traffic directly to those devices.
      Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their name.
      NAT instance high availability can be achieved by creating one NAT instance per Availability Zone, pointing each private subnet's route table to the NAT instance in the same zone, and placing each NAT instance in an Auto Scaling group with min and max size set to 1.

      NAT gateway compared with NAT instance:
      Availability
            NAT gateway: Highly available. NAT gateways in each Availability Zone are implemented with redundancy. Create a NAT gateway in each Availability Zone to ensure zone-independent architecture.
            NAT instance: Use a script to manage failover between instances.
      Bandwidth
            NAT gateway: Can scale up to 45 Gbps.
            NAT instance: Depends on the bandwidth of the instance type.
      Maintenance
            NAT gateway: Managed by AWS.
            NAT instance: Managed by you.
      Performance
            NAT gateway: Software is optimized for handling NAT traffic.
            NAT instance: A generic Amazon Linux AMI that's configured to perform NAT.
      Cost
            NAT gateway: Charged depending on the number of NAT gateways you use, duration of usage, and amount of data that you send through the NAT gateways.
            NAT instance: Charged depending on the number of NAT instances that you use, duration of usage, and instance type and size.
      Type and size
            NAT gateway: Uniform offering; you don't need to decide on the type or size.
            NAT instance: Choose a suitable instance type and size, according to your predicted workload.
      Public IP addresses
            NAT gateway: Choose the Elastic IP address to associate with a NAT gateway at creation.
            NAT instance: Use an Elastic IP address or a public IP address with a NAT instance. You can change the public IP address at any time by associating a new Elastic IP address with the instance.
      Private IP addresses
            NAT gateway: Automatically selected from the subnet's IP address range when you create the gateway.
            NAT instance: Assign a specific private IP address from the subnet's IP address range when you launch the instance.
      Security groups
            NAT gateway: Cannot be associated with a NAT gateway. You can associate security groups with your resources behind the NAT gateway to control inbound and outbound traffic.
            NAT instance: Associate with your NAT instance and the resources behind your NAT instance to control inbound and outbound traffic.
      Network ACLs
            NAT gateway: Use a network ACL to control the traffic to and from the subnet in which your NAT gateway resides.
            NAT instance: Use a network ACL to control the traffic to and from the subnet in which your NAT instance resides.
      Flow logs
            NAT gateway: Use flow logs to capture the traffic.
            NAT instance: Use flow logs to capture the traffic.
      Port forwarding
            NAT gateway: Not supported.
            NAT instance: Manually customize the configuration to support port forwarding.
      Bastion servers
            NAT gateway: Not supported.
            NAT instance: Can be used as a bastion server.
      Timeout behavior
            NAT gateway: When a connection times out, a NAT gateway returns an RST packet to any resources behind the NAT gateway that attempt to continue the connection (it does not send a FIN packet).
            NAT instance: When a connection times out, a NAT instance sends a FIN packet to resources behind the NAT instance to close the connection.
      IP fragmentation
            NAT gateway: Supports forwarding of IP fragmented packets for the UDP protocol. Does not support fragmentation for the TCP and ICMP protocols.
            NAT instance: Supports reassembly of IP fragmented packets for the UDP, TCP, and ICMP protocols.

                              2.2.8.        Egress-Only Internet Gateways:
      An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in the VPC to the internet, and prevents the internet from initiating an IPv6 connection with the instances.
      An egress-only internet gateway is for use with IPv6 traffic only.
      A security group cannot be associated with an egress-only internet gateway; use the security groups of the instances in the private subnet to control the traffic to and from those instances.
      Use a network ACL to control the traffic to and from the subnet for which the egress-only internet gateway routes traffic.
                              2.2.9.        DHCP Option Sets
      Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. Some of those parameters are the domain name, domain name server, and the netbios-node-type
                            2.2.10.        DNS
      When an instance is launched into a default VPC, AWS provides it with public and private DNS hostnames that correspond to its public IPv4 and private IPv4 addresses.
      When an instance is launched into a nondefault VPC, AWS provides it with a private DNS hostname and might provide a public DNS hostname, depending on the DNS attributes enableDnsHostnames and enableDnsSupport specified for the VPC and on whether the instance has a public IPv4 address.
      For custom DNS domain names defined in a private hosted zone in Amazon Route 53, the enableDnsHostnames and enableDnsSupport attributes must both be set to true.
      An Amazon EC2 instance is limited to 1024 packets per second per network interface to the Amazon-provided DNS server. This limit cannot be increased. The number of DNS queries per second supported by the Amazon-provided DNS server varies by the type of query, the size of the response, and the protocol in use.
                            2.2.11.        VPC Endpoint
      A VPC endpoint enables a private connection between the VPC and another AWS service using the service's private IP address.
      VPC endpoint services are powered by PrivateLink and require no internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
      Traffic between your VPC and the other service does not leave the Amazon network.
      Endpoints are virtual devices: horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints.
      There are two types of VPC endpoints: interface endpoints and gateway endpoints.
      An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service such as API Gateway, CloudFormation, CloudWatch, CodeBuild, AWS Config, the EC2 API, the ELB API, SQS, SNS, KMS, Kinesis and others.
      A gateway endpoint is a gateway that is the target for a specified route in your route table, used for traffic destined to a supported AWS service such as S3 or DynamoDB. An endpoint route is automatically deleted when you remove the route table association from the endpoint (by modifying the endpoint), or when you delete the endpoint.
      An endpoint cannot be created between a VPC and an AWS service in a different region.
      An endpoint cannot be transferred from one VPC to another, or from one service to another.

                            2.2.12.        VPC peering
      A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately.
      A VPC peering connection can be created between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.
      A VPC peering connection cannot be created between VPCs that have matching or overlapping CIDR blocks.
      Transitive peering is not supported.
      VPC peering does not support edge-to-edge routing through a gateway or private connection: in a VPC peering connection, a VPC does not have access to any other connection that the peer VPC may have, and vice versa.
      Only one VPC peering connection can be established between the same two VPCs at the same time.
      The Maximum Transmission Unit (MTU) across a VPC peering connection is 1500 bytes (jumbo frames are not supported).
      An instance's public DNS hostname does not resolve to its private IP address across peered VPCs.
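Added example (not from the original notes) tying together the subnet rules in 2.2.1 (allowed prefix range and the five reserved addresses), the most-specific-route rule in 2.2.2 and the non-overlapping CIDR requirement for peering above, using Python's ipaddress module. The route table and the pcx-/nat- target names are constructed placeholders.

```python
import ipaddress


def is_valid_subnet_prefix(cidr):
    """Subnet CIDR blocks must be between /16 and /28."""
    return 16 <= ipaddress.ip_network(cidr, strict=True).prefixlen <= 28


def subnet_reserved(cidr):
    """The five addresses AWS reserves in every IPv4 subnet, keyed by purpose:
    network address, VPC router (+1), DNS (+2), future use (+3), broadcast."""
    if not is_valid_subnet_prefix(cidr):
        raise ValueError(f"{cidr}: subnet prefix must be between /16 and /28")
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(cidr):
    """Addresses an instance can actually receive: block size minus the five reserved."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5


def can_peer(vpc_a, vpc_b):
    """Peering requires the two VPC CIDR blocks not to overlap."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


def select_route(route_table, destination):
    """Longest-prefix match: the most specific route wins. Returns the route
    target, or None when no route (not even a default route) covers the address."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Constructed route table for a private subnet: the local route for the VPC
# CIDR, a route to a peered VPC, and a default route to a NAT gateway.
PRIVATE_SUBNET_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-peer-example"),   # hypothetical peering connection id
    ("0.0.0.0/0", "nat-gateway-example"),  # hypothetical NAT gateway id
]
```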
                            2.2.13.        Elastic IP Address
      An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing.
      Elastic IP addresses are not supported for IPv6.
      If you associate an Elastic IP address with the eth0 network interface of an instance, its current public IPv4 address (if it had one) is released to the EC2-VPC public IP address pool. If you disassociate the Elastic IP address, the eth0 network interface is automatically assigned a new public IPv4 address within a few minutes. This doesn't apply if you've attached a second network interface to your instance.
      There are differences between an Elastic IP address that you use in a VPC and one that you use in EC2-Classic.
      An Elastic IP address can be moved from one instance to another. The instance can be in the same VPC or another VPC, but not in EC2-Classic.
      Elastic IP addresses remain associated with the AWS account until explicitly released.
      A small hourly charge applies when an Elastic IP address is not associated with a running instance, or when it is associated with a stopped instance or an unattached network interface.
      An account is limited to five Elastic IP addresses.
      In EC2-Classic, an Elastic IP address is disassociated from your instance when you stop it.
      In EC2-Classic, an Elastic IP address can be associated with an instance; if the address is already associated with another instance, it is automatically re-associated with the new instance.
      Tags cannot be applied to an Elastic IP address in EC2-Classic.
                            2.2.14.        Classiclink
      ClassicLink allows you to link an EC2-Classic instance to a VPC in your account, within the same region. This allows you to associate the VPC security groups with the EC2-Classic instance, enabling communication between the EC2-Classic instance and instances in the VPC using private IPv4 addresses. ClassicLink removes the need to use public IPv4 addresses or Elastic IP addresses to enable communication between instances on these platforms.
      ClassicLink is available to all users with accounts that support the EC2-Classic platform.
      There is no additional charge for using ClassicLink.
                            2.2.15.        Bastion Host
      Bastion hosts (also called "jump servers") are commonly used as a best practice for reaching hosts that are only privately accessible.
      A bastion host is deployed in the public subnet and acts as a proxy or gateway between you and your instances.
      A bastion host allows you to log in to instances in the private subnet securely without storing the private keys on the bastion host (using ssh-agent forwarding or RDP gateways).
                            2.2.16.        VPN Connections
      AWS Site-to-Site VPN creates an IPsec VPN connection between the VPC and a remote network. A virtual private gateway provides two VPN endpoints (tunnels) for automatic failover; a customer gateway sits on the remote side of the Site-to-Site VPN connection.
      AWS Client VPN is a managed client-based VPN service that enables you to securely access AWS resources and resources in your on-premises network.
      AWS VPN CloudHub: create multiple AWS Site-to-Site VPN connections via your virtual private gateway to enable communication between these networks.
      Third-party software VPN appliance: create a VPN connection to your remote network by using an Amazon EC2 instance in your VPC that runs a third-party software VPN appliance. AWS does not provide or maintain third-party software VPN appliances; however, you can choose from a range of products provided by partners and open source communities.
      AWS Direct Connect provides a dedicated private connection from a remote network to your VPC.
      A virtual private gateway is the VPN concentrator on the AWS side of the VPN connection.
      A customer gateway is a physical device or software application on the customer side of the VPN connection.
      The customer gateway (CGW) must initiate the tunnels.
      The type of routing depends on the make and model of the VPN device. Use static routing if the device does not support BGP (Border Gateway Protocol). BGP-capable devices are recommended because BGP offers robust liveness detection checks that assist failover to the second VPN tunnel if the first tunnel goes down.
      Only IP prefixes known to the virtual private gateway, either through BGP advertisement or static route entry, can receive traffic from your VPC.
      The virtual private gateway does not route any other traffic destined outside the advertised BGP routes, static route entries, or its attached VPC CIDR.
     3.        EC2
     4.        S3
     5.        RDS
     6.        SQS
