AWS Fundamentals

Types of AWS Storage Services(Cont’d) 8. Amazon SQS Amazon Simple Queue Service provides a reliable, highly scalable, hosted message queuing service for temporary storage and delivery of short (up to 64 KB) text-based data messages. An Amazon SQS queue is a temporarydata repository for messages that are waiting for processing (typically a message produced by one applicationcomponent and waiting to be consumed by another). Amazon SQS messages can be sent and received by servers or distributed application components within the Amazon EC2 environment or anywhere on the Internet. Amazon SQS supports a virtually unlimited number of queues and supports unordered, at-least-once delivery of messages. 5 1

Types of AWS Storage Services(Cont’d) 9. Amazon RDS Amazon Relational Database Service (Amazon RDS) is a web service that provides the capabilities of MySQL, Oracle, or Microsoft SQL Server relational database as a managed, cloud- based service. It also eliminates much of the administrative overhead associated with launching, managing, and scaling your own relational database on Amazon EC2 or in another computing environment. 5 2

Types of AWS Storage Services(Cont’d) 10. Amazon DynamoDB Amazon DynamoDB is a fast, fully-managed NoSQL database service that makes it simple and cost-effective to store and retrieve any amount of data, and serve any level of request traffic. Amazon DynamoDB helps offload the administrative burden of operating and scaling a highly-available distributed database cluster. This storage alternative meets the latency and throughput requirements of highly demanding applications by providing extremely fast and predictable performance with seamless throughput and storage scalability. 5 3

Types of AWS Storage Services(Cont’d) 11. Amazon ElastiCache ElastiCache is a web service that makes it easy to deploy, operate, and scale a distributed; in-memory cache in the cloud. ElastiCache improves the performance of web applications by allowing you to retrieve information from a fast, managed, in- memory caching system, instead of relying entirely on slower disk-based databases. 5 4

Types of AWS Storage Services(Cont’d) 12. Amazon Redshift Amazon Redshift is a fast, fully-managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools. It is optimized for datasets that range from a few hundred gigabytes to a petabyte or more 5 5

Types of AWS Storage Services(Cont’d) 13. Databases on AmazonEC2 Amazon EC2, together with Amazon EBS volumes, provides an ideal platform for you to operate your own self managed relational database i n the cloud. Many leading database solutions are available as prebuilt, ready-to-use Amazon EC2AMIs, including IBM DB2 and Informix, Oracle Database, MySQL, Microsoft SQL Server, PostgreSQL, Sybase, EnterpriseDB, and Vertica. 5 6

What is AWS Snowball? • The AWS Snowball service uses physical storage devices to transfer large amounts of data between Amazon Simple Storage Service (Amazon S3) and an onsite data storage location at faster-than- internet speeds. • AWS Snowball can save time and money • Snowball provides powerful interfaces that we can use to create jobs, track data, and track the status of our jobs through to completion • Snowball devices are physically rugged devices that are protected by the AWS Key Management Service (AWS KMS). They secure and protect your data in transit 5 7

AWS Snowball Features AWS Snowball with the Snowball device has the following features: AWS Snowball Features 1. Fast data transfer 2. AWS OpsHub for simple management and monitoring 3. GPU support 4. Clustering 5. S3-compatible endpoint for object storage 6. Block storage 7. NFS endpoint 8. Encryption 9. Rugged and portable 10.Tamper evident 11.Tape data migration 12.End-to-end tracking 13.Secure erasure 5 8

Conclusion AWS provides us with multiple storage options right from legacy backup to modern high throughput, distributed file systems. We can go with one or more storage services to achieve your business goals. AWS provides us with high availability and high durability so that we can always be assured that your data is safe, secure and readily available for all your use cases.

Activity: Quiz Your Scorecard Choose the correct alternative: Total Questions: 1. AWS Storage services provides a _____ range of services . a. wide b. long c. appropriate d. All 2. Object storage solutions like Amazon ________ are ideal for building Points Scored: modern applications from scratch. a. S3 b. EBS c. EFS d. Durable Correct Answers: 3. How many percentage of durability do Amazon S3 Glacier offers ? Incorrect Answers: a. 50% b. 67% c. 78% d. 99% Reset Next

Activity: True or False Choose the correct alternative: True False Your Scorecard 1. Cloud storage is one the building blocks of platform as a service. 2. Cloud storage vendors do not offers services Total Questions: from all around the world Points Scored: Correct Answers: 3. S3 stands for simple storage services. Incorrect Answers: 4. AWS has so many storage services to select most appropriate service for your needs. Reset Next

Amazon Simple Storage Service

Learning Objectives By the end of this module, you will be able to: • Describe on AWS simple storage services • Identify key features of Amazon S3 • Disclaim about Amazon S3 history • Explain about working of Amazon S3 • Explain about Amazon S3 storage classes

Glossary This table displays vocabulary of a technical terms : TERMINOLOGY MEANING 1. Infrastructure the basic physical and organizational structures and facilities 2. Scalability the capacity to be changed in size or scale 3. Configuration an arrangement of parts or elements in a particular form, figure, or combination 6 4

AWS Storage Services • Amazon Simple Storage Service is a service offered by Amazon Web Services (AWS) that provides object storage through a web service interface. • Amazon S3 can be employed to store any type of object, which allows for uses like storage for Internet applications, backup and recovery, disaster recovery, data archives, data lakes for analytics, and hybrid cloud storage. • Amazon S3 provides management features so that you can optimize, organize, and configure access to your data to meet your specific business, organizational, and compliance requirements. 6 5

Key features of Amazon S3 • Data Management: Amazon S3 offers a range of storage classes designed for different use cases. For example, you can store mission-critical production data in S3 Standard for frequent access, save costs by storing infrequently accessed data in S3 Standard. • Data protection: S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive redundantly store objects on multiple devices across a minimum of three Availability Zones in an AWS Region. • Ease of use: Amazon S3 is easy-to-use object storage with a simple web service interface that you can use to store and retrieve any amount of data from anywhere on the web. • Security: Store your data in Amazon S3 and secure it from unauthorized access with encryption features and access management tools. • Event Notification: Amazon S3 Event Notifications feature to receive notifications when certain events happen in your S3 bucket. To enable notifications, add a notification configuration that identifies the events that you want Amazon S3 to publish. 6 6

How Amazon S3 works? 6 7 1. Create a Bucket to store your data. You can choose a Region where your bucket and object(s) reside to optimize latency, minimize costs, or address regulatory requirements. 2. Upload Objects to your Bucket. Your data is durably stored and backed by the AmazonS3 Service Level Agreement. 3. Optionally, set access controls. You can grants others access to your data from anywhere in the world. 4. Create buckets, upload objects, and set access controls using the AWS Management Console. 5. The console provides a point-and-click web-based interface for accessing and managing all of your Amazon S3 resources. 6. The Amazon S3 Getting Started Guide shows you how to start using Amazon S3 from the console. Developers building applications can use the AWS SDK for .NET, the AWS SDKfor Java.

Amazon S3 Classes Amazon S3 offers four different storage classes that offer different levels of durability, availability, and performance requirements. 6 8

Activity: Quiz Your Scorecard Choose the correct alternative: Total Questions: 1. Amazon S3 is which type of storage service a. block b. object c. simple d. secure 2. Storage classes available with Amazon S3 are: Points Scored: a. S3standard b. Infrequent access c. Glacier d. All Correct Answers: 3. Amazon S3 offers encryption services for _________. Incorrect Answers: a. Data in Flight b. Data in motion c. Data in rest d. Both 1 & 2 Reset Next

Activity: True or False Choose the correct alternative: True False Your Scorecard 1. AWS stands for Amazon web services 2. S3 stands for simple storage services Total Questions: Points Scored: 3. Amazon S3 is an example of PaaS Correct Answers: Incorrect Answers: 4. Object in S3 can be delivered through Amazon cloudfront. 5. Reset Next

Amazon IAM (Identity And Access Management)

Learning Objectives By the end of this module, you will be able to: • Define AWS Security Services • Describe AWS Security Hub • Identify types of Security services • Give an eexplanation on Identity and Access Management • Describe about IAM identities • Identify IAM process in AWS. • Explain about Active Directory Federation Services(AD FS) • Explain about Web identity Federation and it’s process of working.

Glossary This table displays vocabulary of a technical terms : TERMINOLOGY MEANING 1. AWS 2. Security Amazon Web Service 3. Hub 4. EC2 The techniques used for authentication and protection against theft of proprietary information and intellectual property 5. Federation The connection point in a computer device where data from many directions converge Elastic Compute Cloud The unionization of software, infrastructure and platform services from disparate networks that can be accessed by a client via the internet 7 3

AWS Security • AWS Security is one of the most important factors when implementing cloud services as you must ensure that the data we are storing on the Cloud remains restricted, controlled, monitored, maintained, and secured to the correct level. • AWS security services assist you in safeguarding sensitive data and information while also meeting compliance and confidentiality standards. • AWS has developed a number of AWS security services and management tools to help us protect our data and environment from unwanted exposures, vulnerabilities, and threats. • AWS enables us to automate tedious security processes so we can concentrate on different task of development. 7 4

AWS Security Hub • AWS Security Hub is known as a cloud security management posture so it’s going to encompass all security services underneath it’s hood • AWS Security Hub is a cloud security posture management service that performs security best practices 7 5

Types of security services Given below are the topmost used security tools for AWS environment: Identity Access Management Amazon GuardDuty Amazon Macle AWS Config AWS Cloud Trail 7 6

Identity Access Management • AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. • IAM can specify who can access which services and resources, and under which conditions. • IAM policies manage permissions of our workforce and systems to ensure least-privilege permissions. Increase Collaboration 7 7

IAM Concepts IAM deals with four principle entities: users, groups, roles and policies. These entities detail who a user is and what that user is allowed to do within the environment. 7 8

IAM Concepts(Cont’d) • Users A user is one of the most basic entities in IAM. A user is typically a person or a service, such as an application or platform, which interacts with the environment. An IT teams assigns users authorization credentials, such as a username and password, which validate the user's identity. Users can then access resources that are assigned through permissions or policies. • Groups A group is a collection of users that share common permissions and policies. Any permissions associated to a group are automatically assigned to all users in a group. • Roles A role is a generic identity that is not associated with any specific user. Roles do not use passwords and can be assumed by authorized users. Roles enable varied users to temporarily assume different permissions for different tasks. • Policies. Policies are AWS objects that are attached to users, groups, roles or resources that define the permissions granted to those identities. When a user tries to access a resource, the request is checked against the associated policies. If the request is permitted, then it is granted. If not, it is denied. 7 9

How does IAM work in AWS? • IAM is fully interoperable with most compute, container, storage, database and other AWS cloud offerings. However, IAM is not fully compatible with all offerings on the platform, so it is best to check compatibility before implementing the service. • For example, Amazon Elastic Compute Cloud (EC2) does not fully support resource-level permissions or authorization based on tags. • The common IAM process breaks down into four distinct phases: Make a request Send details to AWS Authorize the request Process the request 8 0

Active Directory Federation Services (AD FS) • A customer have the option to utilize a third-party federation service to assign external directory users access to AWS resources. • The benefits of this approach include leveraging existing passwords and password policies, roles and groups. This guide provides a walk-through on how to automate the federation setup across multiple accounts/roles with an Active Directory backing identity store. Increase Collaboration 8 1

Active Directory Federation Services (Cont’d) 1. Make a request. The IAM process starts with a person or an application called the principal. Every principal has credentials under an AWS root account and must already be signed into AWS to make requests. A principal then makes a request or takes an action involving a resource. 2. Send details to AWS. Every request to AWS includes necessary details such as the actions, the resources involved, any policies related to the principal, data about the resources involved. These details are used to evaluate and authorize the request. 3. Authorize the request. AWS checks the principal's authentication and compares the associated policies against the request. In this phase, IAM evaluates whether the user or application has permission to perform the requested action on the desired resource. 4. Process the request. When the request of an authenticated principal is authorized, the request can be processed. This typically involves performing a desired action on an intended resource, such as getting data from a storage instance. AWS will generate any suitable responses to the principal, such as data streams and success or failure messages. 8 2

ADFS Federated Authentication Process The following describes the process a user will follow to authenticate to AWS using Active Directory and ADFS as the identity provider and identity brokers: 1. Active Directory Federation Services portal sign-in page can be accessed by corporate and provides Active Directory authentication credentials. 2. AD FS authenticates the user against Active Directory. 3. Active Directory returns the user’s information, including AD group membership information. 4. AD FS dynamically builds ARNs by using Active Directory group memberships for the IAM roles and user attributes for the AWS account IDs, and sends a signed assertion to the users browser with a redirect to post the assertion to AWS STS. 5. Temporary credentials are returned using STS AssumeRoleWithSAML. 6. The user is authenticated and provided access to the AWS management console. 8 3

Web Identity Federation Role • Web Identity Federation for authentication and authorization can be use optionally if we are writing an application targeted at large numbers of users. • Web identity federation removes the need for creating individual IAM users. Instead, users can sign in to an identity provider and then obtain temporary security credentials from AWS Security Token Service (AWS STS). The app can then use these credentials to access AWS services. • Web identity federation supports the following identity providers: o Login with Amazon o Facebook o Google 8 4

The following diagram shows web identity federation work. 8 5

Overview 1. The app calls a third-party identity provider to authenticate the user and the app. The identity provider returns a web identity token to the app. 2. The app calls AWS STS and passes the web identity token as input. AWS STS authorizes the app and gives it temporary AWS access credentials. The app is allowed to assume an IAM role (GameRole) and access AWS resources in accordance with the role's security policy. 3. The app calls DynamoDB to access the GameScores table. Because it has assumed the GameRole, the app is subject to the security policy associated with that role. The policy document prevents the app from accessing data that does not belong to the user. 8 6

Activity: Quiz Choose the correct alternative: 1. AWS security services assist you in safeguarding___data and Your Scorecard information. Total Questions: a. sensitive b. relative c. moderate d. zero 2. IAM deals with _____principle entities. Points Scored: a. 2 b. 4 c. 6 d. 8 Correct Answers: 3. A ____ is a collection of users that share common permissions and Incorrect Answers: policies. a. bunch b. group c. collection d. flock Reset Next

Activity: True or False Choose the correct alternative: True False Your Scorecard 1. AWS security services protect our data and environment from unwanted exposures 2. Corporate user accesses the noncommercial Total Questions: Active Directory Federation Services portal Points Scored: Correct Answers: 3. Web identity federation removes the need for Incorrect Answers: creating individual IAM users. 4. The IAM process starts with fillings a necessary details to evaluate a request. Active Directory returns the user’s information, Reset Next 5. including AD group membership information.

Amazon VPC (Virtual Private Cloud) And Networking

Learning Objectives By the end of this module, you will be able to: • Define AWS VPC • Build your own VPC • Describe Network Access Control Lists • Give an explanation on Dynamic Host Configuration Protocol (DHCP) Option Sets • Describe about Elastic IP Addresses (EIPs) • Describe about Elastic Network Interfaces (ENIs) • Explain about Endpoints & VPC Peering • Explain about Network Access Control Lists (ACLs) • Identify NAT Gateways • Describe about VPC Flow Logs. • Explain about VPC Security

Glossary This table displays vocabulary of a technical terms : TERMINOLOGY MEANING 1. AWS Amazon Web Services, inc. 2. Public Cloud A shared cloud infrastructure 2. Private Cloud A cloud service that is exclusively offered to one organization 4. VPC A virtual private cloud is a private cloud within a public cloud 5. EC2 Elastic Compute Cloud 5. Federation 6. Scalability the unionization of software, infrastructure and platform services from disparate networks that can be accessed by a client via the internet the measure of a system's ability to increase or decrease in performance and cost 9 1

Glossary MEANING the overall design of a system and the logical and physical TERMINOLOGY interrelationships between its components 7. Architecture internet protocol address 8. IP Address a hardware device that acts as a \"gate\" between two networks 9. Gateway capable of action and/or change 10. Dynamic pertains to the arrangement of the hardware and software of IT system 11. Configure Classless Inter-Domain Routing 12. CIDR The load on a communications device or system 14. Traffic 9 2

Amazon VPC • A virtual private cloud (VPC) define and launch AWS resources in a logically isolated virtual network • A virtual private cloud is the logical division of a service provider's public cloud multi-tenant architecture to support private cloud computing • A model enables an enterprise to achieve the benefits of private cloud such as more granular control over virtual networks and an isolated environment for sensitive workloads while still taking advantage of public cloud resources 9 3

Benefits of Amazon VPC Following are benefits of Amazon Virtual Private Cloud: • Scalability: Because a VPC is hosted by a public cloud provider, customers can add more computing resources on demand. • Easy hybrid cloud deployment: It's relatively simple to connect a VPC to a public cloud or to on- premises infrastructure via the VPN. (Learn about hybrid clouds and their advantages.) • Better performance: Cloud-hosted websites and applications typically perform better than those hosted on local on-premises servers. • Better security: The public cloud providers that offer VPCs often have more resources for updating and maintaining the infrastructure, especially for small and mid-market businesses. For large enterprises or any companies that face extremely tight data security regulations, this is less of an advantage. 9 4

How does virtual private cloud work? • In a virtual private cloud model, the public infrastructure-as-a-service (IaaS) provider is responsible for ensuring that each private cloud customer's data remains isolated from every other customer's data both in transit and inside the cloud provider's network. • This can be accomplished through the use of security policies requiring some or all of the following elements: Encryption Tunneling Private IP addressing Allocating VLAN • A virtual private cloud user can define and directly manage network components, including IP addresses, subnets, network gateways and access control policies. 9 5

uses e niscraypti The key technologies that isolate a VPC from the rest of the cloud :ovnir.tual statsIaIpVutatIiwpataIihtvpespytaiItrestwVoktstnaLLpaodnpl,mwIwtVipbPPnnsnhyh,hnrohuaseehahdrdcrniruh.nauPau,PatAitehlaannisplhtLfeeaeetiraickyafesscankeeoldbdavebysbtraebCftorriiaiiNfiiiANstetyehcacb,nneekccwfaoottdnlrrrrseulunvuOie,iiiireeenNehins.elsggsahctenttteccooratnireoegessdiiSaeetsellltftr. 9• 6• VPN VLAN Subnets

Building Your Own Custom VPC 1. Sign in to the AWS Management Console. 2. Click on the VPC service under Networking and Content Delivery. 3. Click on the \"Your VPCs\" appearing on the left side of the console. Increase Collaboration 9 7

Building Your Own Custom VPC(Cont’d) 4. Click on the Create VPC to create your own custom VPC. Increase Collaboration 9 8

Building Your Own Custom VPC(Cont’d) 5. Fill the details to create a custom VPC. Where, Name tag: It is the name of the VPC that you give to your VPC. IPv4 CIDR block: Make this address block as big as possible. For example,10.0.0.0/16. IPv6 CIDR block: We can also provide IPv6 CIDR block. Tenancy: We make it as Default. 9 9

Building Your Own Custom VPC(Cont’d) 6. The below figure shows that VPC has been created. Once done, click on the Create button to create the subnet. In a similar way, you can now create a private subnet. 1 0 0