AWS Credentials (Cont’d)
• AWS credentials should be saved in a secure location. If you forget or lose your root user password, you must have access to the email address associated with your account in order to reset it. If you forget or lose your access keys, you must sign in to your account to create new ones.
• We strongly recommend that you create an IAM user with administrator permissions to use for everyday AWS tasks and lock away the password and access keys for the root user. Use the root user only for the tasks that are restricted to the root user.
• AWS security credentials are account-specific. If you have access to multiple AWS accounts, you have separate credentials for each account.
• AWS credentials must not be provided to a third party.
Activity: Quiz
Choose the correct alternative:
1. Which type of AWS service provides encryption and key management and threat detection? a. Data protection service b. Interpretation Service c. Data congestion
2. AWS Global Cloud Infrastructure offers over ____ fully featured services. a. 50 b. 100 c. 150 d. 200
3. AWS identifies threats by continuously monitoring the network activity and account behavior within your ______ environment. a. public b. private c. virtual d. abstract
Activity: True or False
Choose the correct alternative (True / False):
1. AWS data protection services continuously protect workloads.
2. Security and compliance are not shared responsibilities between AWS and the customer.
3. AWS uses a private responsibility model in terms of security.
4. The AWS Cost & Usage Report (CUR) itemizes usage type and operation.
5. Compliance means conforming to a rule, such as a specification, policy, standard or law.
Securing data on AWS
Learning Objectives
By the end of this module, you will be able to:
• Describe the Shared Responsibility Model.
• Describe the ways we can protect our data in transit.
• Explain how we can secure our operating systems and applications in AWS.
• Understand the AWS multi-factor authentication process.
Glossary
This table displays vocabulary and technical terms:
TERMINOLOGY – MEANING
1. VPC – Virtual Private Cloud
2. FIPS – Federal Information Processing Standard (FIPS) 140-2
3. Transit – AWS Transit Gateway connects VPCs and on-premises networks through a central hub.
4. Cryptographic – An encryption context is a collection of nonsecret name–value pairs.
5. Authentication – How we sign in to AWS using our credentials.
Shared Responsibility Model
• Security and compliance is a shared responsibility between AWS and the customer.
• AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
• Customers should carefully consider the services they choose, as their responsibilities depend on the integration of those services into their IT environment and on applicable laws and regulations.
• The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment
Protecting Data in Transit
Data in transit is any data that is sent from one system to another. By providing the appropriate level of protection for your data in transit, you protect the confidentiality and integrity of your workload’s data.
• Implement secure key and certificate management: Store encryption keys and certificates securely and rotate them at appropriate time intervals with strict access control.
• Enforce encryption in transit: Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements.
• Authenticate network communications: Using network protocols that support authentication allows trust to be established between the parties.
• Automate detection of unintended data access: Use tools such as Amazon GuardDuty to automatically detect suspicious activity or attempts to move data outside of defined boundaries.
Securing Your Operating Systems and Applications
Security is a shared responsibility between AWS and you. The shared responsibility model describes security of the cloud and security in the cloud:
• Security of the cloud: AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs.
• Security in the cloud: Your responsibility includes the following areas:
1. Controlling network access to your instances, for example, through configuring your VPC and security groups.
2. Managing the credentials used to connect to your instances.
3. Managing the guest operating system and software deployed to the guest operating system, including updates and security patches. For more information, see Update management in Amazon EC2.
4. Configuring the IAM roles that are attached to the instance and the permissions associated with those roles.
Using Identity and Access Management to keep your data secure
An Identity and Access Management (IAM) system defines and manages user identities and access permissions. The AWS shared responsibility model applies to data protection in AWS Identity and Access Management. AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM).
It is recommended to secure your data in the following ways:
• Use multi-factor authentication (MFA) with each account.
• Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.
• Set up API and user activity logging with AWS CloudTrail.
• Use AWS encryption solutions, along with all default security controls within AWS services.
• Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
• If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint.
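The "use SSL/TLS, TLS 1.2 or later" recommendation above is only a recommendation until something enforces it on the resource side. The block below is an added example, not code from these slides or from AWS: it builds an S3 bucket policy that denies every request arriving over plaintext HTTP or over TLS older than a chosen floor, and includes a small audit function that checks whether an existing policy document already carries both denials. The bucket name is a placeholder; the condition keys aws:SecureTransport and s3:TlsVersion are the real S3 policy condition keys for transport security.

```python
"""Added example (not from the slides): enforce encryption in transit on an S3
bucket with a bucket policy, and audit an existing policy for that control.

Assumptions: the bucket name is a placeholder; aws:SecureTransport and
s3:TlsVersion are the standard S3 condition keys used for this purpose.
"""
import json

BUCKET = "example-bucket-placeholder"  # placeholder, not a real bucket


def tls_enforcing_policy(bucket: str, min_tls: str = "1.2") -> dict:
    """Return a bucket policy that denies plaintext HTTP and TLS below min_tls.

    Deny statements win over any Allow, so these two statements hold even if
    other statements in the policy grant broad access."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPlaintextTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                # aws:SecureTransport is "false" for requests made over HTTP
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyOutdatedTls",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                # s3:TlsVersion carries the negotiated version, e.g. 1.2
                "Condition": {"NumericLessThan": {"s3:TlsVersion": min_tls}},
            },
        ],
    }


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _denies_everyone_everything(stmt: dict) -> bool:
    """True if the statement is a Deny on all principals for all S3 actions."""
    return (
        stmt.get("Effect") == "Deny"
        and stmt.get("Principal") in ("*", {"AWS": "*"})
        and "s3:*" in _as_list(stmt.get("Action", []))
    )


def audit_transit_policy(policy: dict, min_tls: str = "1.2") -> dict:
    """Report whether a policy denies plaintext and outdated TLS for all s3:* calls."""
    result = {"denies_plaintext": False, "denies_outdated_tls": False}
    for stmt in _as_list(policy.get("Statement", [])):
        if not _denies_everyone_everything(stmt):
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false":
            result["denies_plaintext"] = True
        tls_floor = cond.get("NumericLessThan", {}).get("s3:TlsVersion")
        if tls_floor is not None and float(tls_floor) >= float(min_tls):
            result["denies_outdated_tls"] = True
    result["compliant"] = result["denies_plaintext"] and result["denies_outdated_tls"]
    return result


# Constructed weak policy: public read with no transport condition at all.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(tls_enforcing_policy(BUCKET), indent=2))
    print("weak policy:", audit_transit_policy(WEAK_POLICY))
    print("hardened policy:", audit_transit_policy(tls_enforcing_policy(BUCKET)))
```

The audit deliberately only credits a Deny that applies to all principals and all S3 actions; a TLS condition attached to a narrower statement leaves other paths to the bucket uncovered, so it does not count.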
AWS Multi-Factor Authentication (AWS MFA)
1. AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password.
2. When a user signs in to the AWS Management Console, they are prompted for their user name and password, as well as for an authentication code from their AWS MFA device.
3. These multiple factors provide increased security for your AWS account settings and resources.
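To show where the "authentication code from their AWS MFA device" comes from, and what the verifying side has to get right, here is an added example (not from the slides, and not AWS's implementation): the time-based one-time password algorithm of RFC 6238, which virtual MFA apps implement, written with only the Python standard library. It assumes the common parameters of a 30-second step, 6 digits and HMAC-SHA1; the secret is the RFC 6238 test key, constructed for the example and not a real account seed. The verifier side accepts one step of clock drift on either side and refuses to accept the same time step twice, so a code that has already been used cannot be replayed.

```python
"""Added example (not from the slides): RFC 6238 TOTP, the scheme behind the
six-digit codes a virtual MFA device shows, plus a careful verifier.

Assumptions: 30-second step, 6 digits, HMAC-SHA1 (the usual defaults);
DEMO_SECRET_B32 is the RFC 6238 test key, not a real seed.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # time step length (assumption: the common default)
DIGITS = 6         # code length shown by the device (assumption)

# RFC 6238 test key "12345678901234567890", base32-encoded the way MFA
# enrolment QR codes carry secrets. Constructed for this example only.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def _decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 seed, tolerating spaces and missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of steps since the epoch."""
    return hotp(_decode_secret(secret_b32), at_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    window: how many steps of clock drift to tolerate on each side.
    A time step is accepted at most once, which blocks replay of a code that
    was captured and resubmitted within its validity period."""

    def __init__(self, secret_b32: str, window: int = 1, digits: int = DIGITS):
        self._key = _decode_secret(secret_b32)
        self.window = window
        self.digits = digits
        self._last_accepted = -1  # highest counter already consumed

    def verify(self, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_accepted:
                continue  # already used (or older than a used code): reject
            expected = hotp(self._key, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self._last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    v = TotpVerifier(DEMO_SECRET_B32)
    print("code:", code, "first use:", v.verify(code, now), "replay:", v.verify(code, now))
```

The constant-time comparison and the single-use rule are the two details most often missing from home-grown verifiers; the drift window is a usability concession and should stay small.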
Activity: Quiz
Choose the correct alternative:
1. Data that is sent from one system to another is known as data in? a. Transit b. Carriage c. Transport d. Moved
2. AWS is responsible for protecting the ______ infrastructure. a. global b. national c. state d. city
3. AWS MFA is a simple best practice that adds an extra layer of protection on ____ of your user name. a. top b. bottom c. right d. left
Activity: True or False
Choose the correct alternative (True / False):
1. AWS MFA is a simple best practice that adds an extra layer of protection.
2. An Identity and Access Management system does not define user identities.
3. Multi-factor authentication provides low security for your AWS account settings.
4. AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud.
5. Data in transit is any data that is unsent from one system to another.
Database Fundamentals for AWS
Learning Objectives
By the end of this module, you will be able to:
• Describe Amazon RDS.
• Describe the Relational Database Service (RDS).
• Explain RDS security groups.
• Describe read replicas with MySQL RDS across regions.
• Explain DynamoDB and NoSQL.
• Compare DynamoDB with Amazon RDS databases.
Glossary
This table displays vocabulary and technical terms:
ACRONYM – FULL FORM
1. RDS – Amazon Relational Database Service
2. SQL – Software Query Language
3. MySQL – An open-source relational database management system
4. PostgreSQL – It is a free and open-source relational database management system
5. AWS – Amazon Web Service
Amazon RDS
• Amazon RDS is available on several database instance types, optimized for memory, performance, or I/O, and provides you with six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server.
• The AWS Database Migration Service can be used to easily migrate or replicate your existing databases to Amazon RDS.
• Amazon Relational Database Service makes it easy to set up, operate, and scale a relational database in the cloud.
• Amazon Relational Database Service provides cost-efficient and resizable capacity.
• Amazon Relational Database Service frees us to focus on our applications.
Amazon RDS video for a better understanding: (embedded video)
How does Amazon RDS work?
• Administrators control Amazon RDS with the AWS Management Console, Amazon RDS API calls or the AWS Command Line Interface.
• They use these interfaces to deploy database instances to which users can apply specific settings.
• Amazon provides several instance types with different combinations of resources, such as CPU, memory, storage options and networking capacity.
• Each type comes in a variety of sizes to suit the needs of different workloads.
• RDS users can use AWS Identity and Access Management to define and set permissions for who can access an RDS database.
AWS Relational Database Service (RDS) Architecture
1. AWS came across with an amazing all-in-one service, RDS.
2. RDS architecture includes every aspect of the traditional management system.
3. It includes everything from EC2 (Elastic Compute Cloud) to DNS (Domain Name System).
4. Every part of the RDS architecture has its own separate set of features, completely different from each other.
A diagrammatic representation of RDS is attached below. (diagram)
The benefits and drawbacks of Amazon RDS
Following are the several pros and cons of using Amazon RDS.
PROS
Amazon RDS helps organizations deal with the complexity of managing large relational databases. Other benefits include the following:
• Ease of use.
• Cost-effectiveness.
• Reducing the workload.
• RDS splits up compute and storage.
CONS
Some downsides of using Amazon RDS include the following:
• Lack of root access.
• Downtime.
Amazon RDS Multi-AZ Deployments
• Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments.
• Amazon RDS can provide enhanced availability and durability for RDS database (DB) instances.
• Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ).
• Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable.
• Amazon RDS performs an automatic failover to the standby, so that you can resume database operations as soon as the failover is complete.
RDS Security Groups
• Security groups control the access that traffic has in and out of a DB instance.
• Three types of security groups are used with Amazon RDS:
  o VPC security groups, DB security groups, and EC2-Classic security groups.
• In simple terms, these work as follows:
  o A VPC security group controls access to DB instances and EC2 instances inside a VPC.
  o A DB security group controls access to EC2-Classic DB instances that are not in a VPC.
  o An EC2-Classic security group controls access to an EC2 instance.
Read Replicas with MySQL RDS Across Regions
• We can create cross-region read replicas for Amazon RDS database instances.
• We can create up to five in-region and cross-region replicas per source with a single API call or a couple of clicks in the AWS Management Console.
• Here’s a global scale-out model.
• We can use this feature to implement a cross-region disaster recovery model, scale out globally, or migrate an existing database to a new region.
DynamoDB and NoSQL
• Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.
• DynamoDB offers built-in security, continuous backups, automated multi-region replication, in-memory caching, and data export tools.
DynamoDB and NoSQL (Cont’d)
• DynamoDB is a database for unstructured data.
• It is the key-value database solution for many different industries. It’s used in mobile and web applications. It’s used for gaming, IoT, and pretty much anything that demands low-latency data access.
DynamoDB vs Amazon RDS Database
• RDS and DynamoDB are both database services offered by AWS.
• Being able to decide whether to go with DynamoDB or a certain type of RDS database will help you stand out from the crowd.
DB Options – RDS – DynamoDB
Type of Database – Relational Database – Key-value
Defining Features – Relational data models; Complex queries, joins, and updates – Unorganized data models; Used for transactions
Use Cases – Traditional relational database for OLTP; Well-formed data structure; Existing app requires an RDS – Name/value pair data; Unpredictable data structure; High I/O needs; Scales dynamically
DynamoDB vs Amazon RDS Database (Cont’d)
DB Options – RDS – DynamoDB
Availability – Multi-AZ enabled, SLA: 99.95% – SLA: 99.99%
Scalability – Vertical scaling with interruptions in application – Seamless, on-demand horizontal scaling
Performance – Depends on data model, indexing, queries run, and storage optimization – Automatically optimized for the scenario by the AWS system
Encryption – AES-256 encryption for data on the RDS DB server – AWS KMS for encrypting data at rest
Pricing – On-Demand: pay for what you use; more expensive than Reserved Instances – On-Demand: charges for the data reads and writes your app performs on the table (unpredictable traffic)
Summed Up
• RDS makes it easy to set up, operate, and scale a relational database.
• DynamoDB is an AWS fully-managed, high-performance, NoSQL database.
Activity: Quiz
Choose the correct alternative:
1. Who controls Amazon RDS? a. Administrators b. Manager c. Coordinator d. Receptionist
2. How many instance types does Amazon provide? a. few b. several c. finite d. infinite
3. How many types of security groups does Amazon RDS provide? a. One b. Two c. Three d. Four
Activity: True or False
Choose the correct alternative (True / False):
1. Amazon provides several instance types with different combinations of resources.
2. The AWS Database Migration Service can be used to transpose our new databases to RDS.
3. RDS provides an amazing all-in-one service.
4. Amazon Relational Database Service provides fixed-size capacity.
5. The whole architecture of RDS includes every aspect of the traditional management system.
Load Balancing with Elastic Load Balancing (ELB)
Learning Objectives
By the end of this module, you will be able to:
• Describe ELB and its features.
• Explain how to configure an Application Load Balancer in AWS.
• Describe internet-facing Classic Load Balancers.
Elastic Load Balancing
Load balancing divides the amount of work that a computer has to do among multiple computers so that users get faster results. Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances. ELB helps an IT team adjust capacity according to incoming application and network traffic. ELB can be enabled within a single availability zone or across multiple availability zones to maintain consistent application performance. ELB provides cost-efficient and resizable capacity. ELB frees us to focus on our applications. Elastic Load Balancing can also be used in an Amazon Virtual Private Cloud (“VPC”) to distribute traffic between application tiers in a virtual network that you define.
ELB offers the following enhanced features:
• Detection of unhealthy Elastic Compute Cloud (EC2) instances.
• Spreading instances across healthy channels only.
• Flexible cipher support.
• Centralized management of Secure Sockets Layer (SSL) certificates.
• Optional public key authentication.
• Support for both IPv4 and IPv6.
Steps to configure an Application Load Balancer in AWS:
Step 1: Launch two instances from the AWS Management Console, named InstanceA and InstanceB. Go to Services and select Load Balancer.
Step 2: Click on Create Load Balancer.
Step 3: Select Application Load Balancer and click on Create.
Step 4: Here you are required to configure the load balancer. Write the name of the load balancer. Choose the scheme as internet-facing.
Step 5: Add at least 2 availability zones. Select us-east-1a and us-east-1b.
Step 6: We don’t need to do anything here. Click on Next: Configure Security Groups.
Step 7: Select the default security group. Click on Next: Configure Routing.
Step 8: Choose the name of the target group to be my-target-group. Click on Next: Register Targets.
Step 9: Choose InstanceA and InstanceB and click on Add to registered. Click on Next: Review.
Step 10: Review all the configurations and click on the Create button to finalize the configuration.
Step 11: Congratulations!! You have successfully created the load balancer. Click on Close.
Step 12: The highlighted part is the DNS name which, when copied into the URL, will host the application and will distribute the incoming traffic efficiently between the two instances.
Step 13: This is the listener on port 80, which listens to all the incoming requests.