
Today I am going to create my Amazon EC2 instance (Amazon Linux), install the Apache web server in the instance and create my public web page.


You can create your own as well. Just follow the steps below.


Refer to the A Cloud Guru AWS Certified Developer - Associate lectures for more details.



Posts starting with [AWS Certificate] are notes on what I learned while preparing for the AWS Certified Developer - Associate exam.

This post summarizes how to create an EC2 instance and a web page of my own that can be reached from anywhere.

If you follow along, you can get a Linux server and space for a personal home page for free.




- Navigate to the EC2 page, https://console.aws.amazon.com/ec2, and click on the Launch Instance button





- Select AMI (Amazon Machine Image) as Amazon Linux




Amazon Machine Image


An Amazon Machine Image (AMI) is a special type of virtual appliance that is used to create a virtual machine within the Amazon Elastic Compute Cloud ("EC2"). It serves as the basic unit of deployment for services delivered using EC2.


Amazon Machine Images (AMI)

An Amazon Machine Image (AMI) provides the information required to launch an instance, which is a virtual server in the cloud. You specify an AMI when you launch an instance, and you can launch as many instances from the AMI as you need. You can also launch instances from as many different AMIs as you need.

An AMI includes the following:

  • A template for the root volume for the instance (for example, an operating system, an application server, and applications)

  • Launch permissions that control which AWS accounts can use the AMI to launch instances

  • A block device mapping that specifies the volumes to attach to the instance when it's launched



- Select the default t2.micro and click on the Next: Configure Instance Details button


Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications. Each instance type includes one or more instance sizes, allowing you to scale your resources to the requirements of your target workload.

- Keep the defaults and click on the Next: Add Storage button



Subnet: 1 subnet always belongs to exactly 1 Availability Zone (******) exam point


Amazon EC2 Spot instances allow you to bid on spare Amazon EC2 computing capacity. Since Spot instances are often available at a discount compared to On-Demand pricing, you can significantly reduce the cost of running your applications, grow your application’s compute capacity and throughput for the same budget, and enable new types of cloud computing applications.

There is no Spot capacity for instance type t2.micro in availability zone

VPCs and Subnets

To get started with Amazon Virtual Private Cloud (Amazon VPC), you create a VPC and subnets. For a general overview of Amazon VPC, see What is Amazon VPC?.


VPC and Subnet Basics

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. For more information about CIDR notation, see RFC 4632.

- Keep the defaults and click on the Next: Add Tags button



You can add EBS volumes and choose their Amazon EBS volume types here.


Amazon EBS Volume Types

Amazon EBS provides the following volume types, which differ in performance characteristics and price, so that you can tailor your storage performance and cost to the needs of your applications. The volume types fall into two categories:

  • SSD-backed volumes optimized for transactional workloads involving frequent read/write operations with small I/O size, where the dominant performance attribute is IOPS

  • HDD-backed volumes optimized for large streaming workloads where throughput (measured in MiB/s) is a better performance measure than IOPS




- Add as many tags as you need and click on the Next: Configure Security Group button







- Enter a security group name and description

- Add the HTTP and HTTPS types (inbound rules for ports 80 and 443)

- Click on the Review and Launch button



Security Groups for Your VPC

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic. This section describes the basic things you need to know about security groups for your VPC and their rules.

You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information about the differences between security groups and network ACLs, see Comparison of Security Groups and Network ACLs.
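The allow-list behaviour described above, as an added example that is not code from the original post or from AWS: it evaluates inbound rules the way a security group does (any matching rule in any attached group admits the traffic, nothing else is needed to drop it) and flags world-open management ports. The rule set, the admin range 203.0.113.0/24 and the client addresses are constructed.

```python
"""Security-group rule evaluation, added as an example; it is not code from
the original post or from AWS. The rule set mirrors the group built in this
walkthrough (HTTP and HTTPS from anywhere) plus an SSH rule limited to an
assumed admin network (203.0.113.0/24 is a documentation-only range)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp", "udp", "icmp", or "-1" for "All traffic" as the console calls it
    from_port: int  # ignored for icmp and "-1"
    to_port: int
    cidr: str       # source CIDR block


# Constructed sample group (not a real account's configuration).
WEB_SERVER_GROUP = [
    IngressRule("tcp", 80, 80, "0.0.0.0/0"),
    IngressRule("tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("tcp", 22, 22, "203.0.113.0/24"),
]

MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp"}


def rule_matches(rule, protocol, port, source_ip):
    """True if one inbound rule admits this (protocol, port) from source_ip."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.from_port <= port <= rule.to_port:
        return False
    source = ipaddress.ip_address(source_ip)
    network = ipaddress.ip_network(rule.cidr, strict=False)
    return source.version == network.version and source in network


def is_allowed(groups, protocol, port, source_ip):
    """Security groups are allow-lists: traffic is admitted if any rule in any
    attached group matches, and dropped otherwise (there are no deny rules)."""
    return any(rule_matches(r, protocol, port, source_ip)
               for group in groups for r in group)


def world_open_rules(group):
    """Rules whose source is the whole IPv4 or IPv6 address space."""
    return [r for r in group
            if ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0]


def risky_rules(group):
    """World-open rules that expose a management port or all traffic."""
    findings = []
    for r in world_open_rules(group):
        if r.protocol == "-1":
            findings.append((r, "all traffic open to the world"))
            continue
        if r.protocol != "tcp":
            continue
        hit = [name for p, name in MANAGEMENT_PORTS.items()
               if r.from_port <= p <= r.to_port]
        if hit:
            findings.append((r, ",".join(hit) + " open to the world"))
    return findings


if __name__ == "__main__":
    print("HTTP from 198.51.100.7:", is_allowed([WEB_SERVER_GROUP], "tcp", 80, "198.51.100.7"))
    print("SSH  from 198.51.100.7:", is_allowed([WEB_SERVER_GROUP], "tcp", 22, "198.51.100.7"))
    bad = WEB_SERVER_GROUP + [IngressRule("tcp", 22, 22, "0.0.0.0/0")]
    for rule, why in risky_rules(bad):
        print("RISK:", rule, why)
```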




- Review your configuration and click on the Launch button




- Select 'Create a new key pair' in the dropdown menu

- Enter a name for the key pair

- Click on Download Key Pair

- Click on Launch Instances




- Click on View Instance button




- Now your instance is running



You can see your instance details here.







Now I am going to access my instance and create my web page.

Open your Terminal (Mac) or Console window (Windows) and navigate to the folder where the downloaded key pair file is.




The EC2KeyPair.pem.txt is the one I downloaded now.

MyEC2KeyPair.pem.txt is an old one that I've used before.


Change the permission of the EC2KeyPair.pem.txt file so that only you can read it (ssh refuses to use a private key that other users can read):


chmod 400 EC2KeyPair.pem.txt




Type ssh -i EC2KeyPair.pem.txt ec2-user@<your IPv4 Public IP> (the option is a lowercase -i, which names the identity file)

Type yes when asked to confirm the host key

and then you are logged in to your Amazon Linux instance


Type sudo su 

You are now with super user permission.




Type yum update -y to update the operating system




Type yum install httpd -y to install Apache Server



Navigate to the web root directory:


cd /var/www/html



There is no file in the folder yet.


I am going to create my web page now.


Type nano index.html (or vi index.html)


I have created the web page as below to display my blog.


<html>

<head>

    <title>Changsoo's Blog</title>

</head>

<body>

<h1> iframe - Changsoo's Blog - </h1>


<iframe id="blog"

    title="Changsoo's Blog"

    width="100%"

    height="100%"

    src="http://coronasdk.tistory.com">

</iframe>

</body>

</html>



Now I can see the index.html file in the folder.

I will start my Apache server (the service name is httpd, not http):


service httpd start




Now enter 34.228.166.148 in the URL bar of your browser and you can see the page below.






You can also type my Public DNS (IPv4) into your browser to get the page.


http://ec2-34-228-166-148.compute-1.amazonaws.com/




Now I have my Amazon Linux server (EC2 instance) and public web page.






Termination Protection is turned off by default; you must turn it on.


If you want to terminate the instance:


1. Actions - Instance Settings - Change Termination Protection



2. Click on Yes, Enable button.




3. Actions - Instance State - Terminate




On an EBS-backed instance, the default action is for the root EBS volume to be deleted when the instance is terminated.

EBS root volumes of your DEFAULT AMIs cannot be encrypted.

You can also use a third-party tool (such as BitLocker etc.) to encrypt the root volume, or this can be done when creating AMIs (lab to follow) in the AWS console or using the API.





EC2 (Elastic Compute Cloud)



What is EC2?


- Provides resizable compute capacity in the cloud

- Designed to make web-scale cloud computing easier

- A true virtual computing environment

- Launch instances with a variety of operating systems

- Run as many or as few systems as you desire




Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Amazon EC2’s simple web service interface allows you to obtain and configure capacity with minimal friction. It provides you with complete control of your computing resources and lets you run on Amazon’s proven computing environment. Amazon EC2 reduces the time required to obtain and boot new server instances to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change. Amazon EC2 changes the economics of computing by allowing you to pay only for capacity that you actually use. Amazon EC2 provides developers the tools to build failure resilient applications and isolate them from common failure scenarios.


* EC2 Options (***)


On Demand Instances - Pay for compute capacity by the hour with no long-term commitments or upfront payments

With On-Demand instances, you pay for compute capacity by the hour with no long-term commitments or upfront payments. You can increase or decrease your compute capacity depending on the demands of your application and only pay the specified hourly rate for the instances you use. 

On-Demand instances are recommended for:

  • Users that prefer the low cost and flexibility of Amazon EC2 without any up-front payment or long-term commitment
  • Applications with short-term, spiky, or unpredictable workloads that cannot be interrupted
  • Applications being developed or tested on Amazon EC2 for the first time


Reserved Instances - Provide you with a significant discount (up to 75%) compared to On-Demand Instance pricing

Reserved Instances provide you with a significant discount (up to 75%) compared to On-Demand instance pricing. In addition, when Reserved Instances are assigned to a specific Availability Zone, they provide a capacity reservation, giving you additional confidence in your ability to launch instances when you need them.

For applications that have steady state or predictable usage, Reserved Instances can provide significant savings compared to using On-Demand instances. See How to Purchase Reserved Instances for more information.

Reserved Instances are recommended for:

  • Applications with steady state usage
  • Applications that may require reserved capacity
  • Customers that can commit to using EC2 over a 1 or 3 year term to reduce their total computing costs

Spot Instances - Purchase compute capacity with no upfront commitment and at hourly rates usually lower than the On-Demand rate

Amazon EC2 Spot instances allow you to bid on spare Amazon EC2 computing capacity for up to 90% off the On-Demand price. Learn More.

Spot instances are recommended for:

  • Applications that have flexible start and end times
  • Applications that are only feasible at very low compute prices
  • Users with urgent computing needs for large amounts of additional capacity
- Remember with spot instances:
: If you terminate the instance, you pay for the hour
: If AWS terminates the spot instance, you get the hour it was terminated in for free


Dedicated Hosts Instances


A Dedicated Host is a physical EC2 server dedicated for your use. Dedicated Hosts can help you reduce costs by allowing you to use your existing server-bound software licenses, including Windows Server, SQL Server, and SUSE Linux Enterprise Server (subject to your license terms), and can also help you meet compliance requirements. Learn more.

  • Can be purchased On-Demand (hourly).
  • Can be purchased as a Reservation for up to 70% off the On-Demand price.


* EC2 Instance Types (*****)


- General Purpose

T2 : Low Cost EC2 Instances with Burstable Performance.

      T2 instances are Burstable Performance Instances that provide a baseline level of CPU performance with the ability to burst above the baseline. The baseline performance and ability to burst are governed by CPU Credits. Each T2 instance receives CPU Credits continuously at a set rate depending on the instance size.  T2 instances accrue CPU Credits when they are idle, and use CPU credits when they are active.  T2 instances are a good choice for workloads that don’t use the full CPU often or consistently, but occasionally need to burst (e.g. web servers, developer environments and databases). For more information see Burstable Performance Instances.


M4 : M4 instances are the latest generation of General Purpose Instances. This family provides a balance of compute, memory, and network resources, and it is a good choice for many applications.


M3 : This family includes the M3 instance types and provides a balance of compute, memory, and network resources, and it is a good choice for many applications.


- Compute Optimized

C4 : Highest Compute Performance on Amazon EC2.

       C4 instances are the latest generation of Compute-optimized instances, featuring the highest performing processors and the lowest price/compute performance in EC2.


C3 Features:

  • High Frequency Intel Xeon E5-2680 v2 (Ivy Bridge) Processors
  • Support for Enhanced Networking
  • Support for clustering
  • SSD-backed instance storage


- Memory Optimized


X1 : X1 instances are optimized for large-scale, enterprise-class, in-memory applications and have the lowest price per GiB of RAM among Amazon EC2 instance types.


R4 : R4 instances are optimized for memory-intensive applications and offer better price per GiB of RAM than R3.


R3 : R3 instances are optimized for memory-intensive applications and offer lower price per GiB of RAM.


- Accelerated Computing


P2 : P2 instances are intended for general-purpose GPU compute applications.


G3 : G3 instances are optimized for graphics-intensive applications.


F1 : F1 instances offer customizable hardware acceleration with field programmable gate arrays (FPGAs).



- Storage Optimized


I3 : High I/O Instances

This family includes the High Storage Instances that provide Non-Volatile Memory Express (NVMe) SSD backed instance storage optimized for low latency, very high random I/O performance, high sequential read throughput and provide high IOPS at a low cost.


D2 : D2 instances feature up to 48 TB of HDD-based local storage, deliver high disk throughput, and offer the lowest price per disk throughput performance on Amazon EC2.






Prerequisite concept


What is EBS?


Amazon Elastic Block Store (EBS)


Amazon Elastic Block Store is an AWS block storage system that is best used for storing persistent data. Often incorrectly referred to as Elastic Block Storage, Amazon EBS provides highly available block level storage volumes for use with Amazon EC2 instances.



* Amazon EBS Volume Types


- General Purpose SSD (GP2)

- Provisioned IOPS SSD (IO1)

- Throughput Optimized HDD (ST1)

- Cold HDD (SC1)

- Magnetic (Standard) : can boot OS, Lowest cost per gigabyte




- EBS consists of:

: SSD, General Purpose - GP2 - (up to 10,000 IOPS)

: SSD, Provisioned IOPS - IO1 - (more than 10,000 IOPS)

: HDD, Throughput Optimized - ST1 - frequently accessed workloads

: HDD, Cold - SC1 - less frequently accessed data

: HDD, Magnetic - Standard - cheap, infrequently accessed storage


- You cannot mount 1 EBS volume to multiple EC2 instances, instead use EFS.


* IOPS 


Input/output operations per second (IOPS, pronounced eye-ops) is an input/output performance measurement used to characterize computer storage devices like hard disk drives (HDD), solid state drives (SSD), and storage area networks (SAN). Frequently mischaracterized as a 'benchmark', IOPS numbers published by storage device manufacturers do not relate to real-world application performance.[1][2]


IOPS (Input/Output Operations Per Second) is a performance measurement unit used to benchmark computer storage devices such as HDDs, SSDs and SANs. IOPS is usually measured with a benchmark program such as Iometer, provided by Intel.


IOPS measurements differ depending on the benchmark program. Specifically, they vary with whether access is random or sequential, the number of threads and the queue depth of the benchmark program, the data block size, the ratio of read commands to write commands, and many other variables. Generally, total IOPS, Random Access Read IOPS, Random Access Write IOPS, Sequential Access Read IOPS, Sequential Access


* SSD 


A device that stores information using semiconductors. Compared to a hard disk drive it is faster, has less mechanical delay and a lower failure rate, produces less heat and noise, and can be made smaller and lighter.

SSD is an acronym of Solid State Drive. It operates similarly to a hard disk drive (HDD), but unlike the HDD, which is a mechanical device, it stores information using semiconductors. Because it uses random access, it can read and write data at high speed without seek time, while mechanical delays and failure rates are markedly lower. Data is also not damaged by external shocks, heat, noise and power consumption are low, and it can be made small and light.

It uses either flash-based non-volatile NAND flash memory or RAM-based volatile DRAM. The flash type is slower than the RAM type but faster than an HDD, and because it uses non-volatile memory, data is not lost in a sudden power outage. The DRAM type, on the other hand, offers fast access but has problems with product standards, price and volatility. Therefore flash-memory-based SSDs, which offer better data retention and safety, are mainly used.

With the development of large-capacity SSDs, they can now also be used in notebook and desktop PCs.

[Naver Encyclopedia] SSD [Solid State Drive] (Doosan Encyclopedia)


AWS AMI (Amazon Machine Images)

An Amazon Machine Image (AMI) provides the information required to launch an instance, which is a virtual server in the cloud. You specify an AMI when you launch an instance, and you can launch as many instances from the AMI as you need. You can also launch instances from as many different AMIs as you need.




* Instance Store vs. Amazon EBS


I’m not sure whether to store the data associated with my Amazon EC2 instance in instance store or in an attached Amazon Elastic Block Store (Amazon EBS) volume. Which option is best for me?

Some Amazon EC2 instance types come with a form of directly attached, block-device storage known as the instance store. The instance store is ideal for temporary storage, because the data stored in instance store volumes is not persistent through instance stops, terminations, or hardware failures. You can find more detailed information about the instance store at Amazon EC2 Instance Store.

For data you want to retain longer-term, or if you need to encrypt the data, we recommend using EBS volumes instead. EBS volumes preserve their data through instance stops and terminations, can be easily backed up with EBS snapshots, can be removed from instances and reattached to another, and support full-volume encryption. For more detailed information about EBS volumes, see Features of Amazon EBS.


* Instance Store 

Physically attached to the host computer

Type and amount differs by instance type

Data dependent upon instance lifecycle

Instance store data persists if:

- The OS in the instance is rebooted

- The instance is restarted


Instance store data is lost when:

- An underlying instance drive fails

- An EBS-backed instance is stopped

- The instance is terminated

Virtual Private Cloud

VPC Networking

Elastic Load Balance


* Amazon EBS


Persistent block level storage volumes

Magnetic

General Purpose(SSD)

Provisioned IOPS(SSD)

data independent of instance lifecycle







AWS IAM


Amazon Identity and Access Management (IAM) is an implicit service, providing the authentication infrastructure used to authenticate access to the various services.





What Is IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).


AWS Identity and Access Management (IAM)







Identity Federation : Facebook, Active Directory, Google account etc.

PCI DSS Compliance (Payment Card Industry -PCI- Data Security Standard -DSS- Compliance)

Multi-Factor Authentication - ID+PW and MFA Devices Code (i.e. Google Authenticator etc.)

Password Policy


IAM Policies

: A document that defines one or more permissions

: Can be attached to users, groups and roles

: Written in JavaScript Object Notation (JSON)

: Select from pre-defined AWS list of polices or create your own policy






Concepts to know




Amazon S3

From Wikipedia, the free encyclopedia


Amazon S3 (Simple Storage Service) is a web service offered by Amazon Web Services. Amazon S3 provides storage through web services interfaces (REST, SOAP, and BitTorrent).[1] Amazon launched S3 as its fifth publicly available web service, in the United States in March 2006[2] and in Europe in November 2007.[3]

Amazon says that S3 uses the same scalable storage infrastructure that Amazon.com uses to run its own global e-commerce network.[4]

Amazon S3 is reported to store more than 2 trillion objects as of April 2013.[5] This is up from 10 billion as of October 2007,[6] 14 billion in January 2008, 29 billion in October 2008,[7] 52 billion in March 2009,[8] 64 billion objects in August 2009,[9] and 102 billion objects in March 2010.[10] S3 uses include web hosting, image hosting, and storage for backup systems. S3 guarantees 99.9% monthly uptime service-level agreement (SLA),[11] that is, not more than 43 minutes of downtime per month.[12]



SAML

From Wikipedia, the free encyclopedia.

SAML (Security Assertion Markup Language[1]) is an XML-based open standard data format for exchanging authentication and authorization data between an identity provider and a service provider. In Korean it is also rendered as 보안 어서션 마크업 언어[2] or 보안 추가 마크업 언어[3]. SAML is a product of the OASIS Security Services Technical Committee. SAML dates back to 2001, and the most recent major SAML update was published in 2005; however, protocol enhancements have steadily been added through optional, additional standards.

The most important requirement that SAML addresses is web browser single sign-on (SSO). Single sign-on is common at the intranet level (for example using cookies), but extending it outside the intranet has been problematic and has led to a proliferation of proprietary technologies that do not interoperate. (Another recent approach to solving the browser SSO problem is the OpenID Connect protocol.)[4]







About SAML 2.0-based Federation

AWS supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without you having to create an IAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP's service instead of writing custom identity proxy code.





Identity Broker

Federating users by creating a custom identity broker application


If your identity store is not compatible with SAML 2.0, then you can build a custom identity broker application to perform a similar function. The broker application authenticates users, requests temporary credentials for users from AWS, and then provides them to the user to access AWS resources.




AWS STS (Security Token Service)


The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more detailed information about using this service, go to Temporary Security Credentials.




ADFS


Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.






Web Identity Federation with Mobile Applications


Introducing Web Identity Federation

AWS Security Token Service (STS) now offers Web Identity Federation (WIF). This allows a developer to federate their application from Facebook, Google, or Amazon with their AWS account, allowing their end users to authenticate with one of these Identity Providers (IdP) and receive temporary AWS credentials. In combination with Policy Variables, WIF allows the developer to restrict end users' access to a subset of AWS resources within their account.

To help you understand how web identity federation works, you can use the Web Identity Federation Playground. This interactive website lets you walk through the process of authenticating via Login with Amazon, Facebook, or Google, getting temporary security credentials, and then using those credentials to make a request to AWS.

This article shows how WIF can be used to give many users a "Personal File Store" all housed within a single Amazon S3 bucket without the need for any backend infrastructure. It is adapted from a previous article which used a custom Token Vending Machine hosted in AWS Elastic Beanstalk.




The AWS Web Identity Federation Playground


We added support for Amazon, Facebook, and Google identity federation to AWS IAM earlier this year. This powerful and important feature gives you the ability to grant temporary security credentials to users managed outside of AWS.

In order to help you to learn more about how this feature works and to make it easier for you to test and debug your applications and websites that make use of it, we have launched the Web Identity Federation Playground:




IAM (Identity Access Management)


Allows you to manage users and their level of access to the AWS Console. It is important to understand IAM and how it works, both for the exam and for administering a company's AWS account in real life.


* What does IAM give you?

- Centralised control of your AWS account

- Shared Access to your AWS account

- Granular Permissions

- Identity Federation (including Active Directory, Facebook, Linkedin etc.)

- Multifactor Authentication

- Provide temporary access for users/devices and services where necessary

- Allows you to set up your own password rotation policy

- Integrates with many different AWS services

- Supports PCI DSS Compliance


* Critical Terms

Users - End users

Groups - A collection of users under one set of permissions

Roles - You create roles and can then assign them to AWS resources

Policies - A document that defines one (or more) permissions


- AWS Identity and Access Management(IAM) allows you to securely control access to AWS services and resources for your users

- Policies which are written in JSON allow you to define granular access to AWS resources

- Users are the people or systems that use your AWS resources, like admins, end users or systems that need permissions to access your AWS data

- Groups are a collection of users that all inherit the same set of permissions and can be used to reduce your user management overhead.

- IAM roles can be assumed by anyone who needs them, and a role does not have an access key or password associated with it.

- AWS also has a list of IAM best practices to ensure that your environment is secure and safe




* Security Token Service (STS)

Grants users limited and temporary access to AWS resources.

Users can come from three sources


- Federation (typically Active Directory)

  : Uses Security Assertion Markup Language (SAML)

  : Grants temporary access based on the user's Active Directory credentials. The user does not need to exist in IAM

  : Single sign on allows users to log in to AWS console without assigning IAM credentials


- Federation with Mobile Apps

  : Use Facebook/Amazon/Google or other OpenID providers to log in.

  

- Cross Account Access

  : Lets users from one AWS account access resources in another

  


* Understanding key Terms


- Federation : combining or joining a list of users in one domain (such as IAM) with a list of users in another domain (such as Active Directory, Facebook etc.)


- Identity Broker : a service that allows you to take an identity from point A and join it (federate it) to point B. (*****)


- Identity Store : Services like Active Directory, Facebook, Google etc.


- Identities : a user of a service like Facebook etc.





Recap


* IAM consists of the following

- Users

- Groups (A way to group our users and apply policies to them collectively)

- Roles

- Policy Documents


* Summary

- IAM is universal. It does not apply to regions at this time.

- The "root account" is simply the account created when you first set up your AWS account. It has complete admin access.

- New Users have NO permissions when first created

- New Users are assigned Access Key ID & Secret Access Keys when first created

- These are not the same as a password, and you cannot use the Access Key ID & Secret Access Key to log in to the console. You can use them to access AWS via the APIs and the command line, however.

- You only get to view these once. If you lose them, you have to regenerate them. So save them in a secure location.

- Always setup Multifactor Authentication on your root account.

- You can create and customise your own password rotation policies.





Quiz


IAM 

: IAM allows you to manage users, groups and roles and their corresponding level of access to the AWS Platform

: Centralised control of your AWS account

: Integrates with existing active directory account allowing single sign on

: Fine-grained access control to AWS resources


* Web Identity Federation : Allow users to use their social media account to gain temporary access to the AWS platform


* AssumeRoleWithWebIdentity : API call used to obtain temporary security credentials when authenticating using Web Identity Federation


* AssumeRoleWithSAML : API call used to request temporary security credentials from the AWS platform when federating with Active Directory


* Steps performed when using Active Directory to authenticate to AWS

1) The user navigates to the ADFS web server.
2) The user enters their single sign-on credentials.
3) The user's web browser receives a SAML assertion from the AD server.
4) The user's browser then posts the SAML assertion to the AWS SAML endpoint, and the AssumeRoleWithSAML API request is used to request temporary security credentials.
5) The user is then able to access the AWS Console.


* SAML 

: Security Assertion Markup Language

: AWS sign-in endpoint for SAML is https://signin.aws.amazon.com/saml


* Web Identity Federation steps

1) A user authenticates with Facebook first and is then given an ID token by Facebook.
2) The AssumeRoleWithWebIdentity API call is then used in conjunction with the ID token.
3) The user is then granted temporary security credentials.
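The JSON policy documents from the IAM Policies notes above and the role-assumption steps just listed, as an added example that is not code from the original post or from AWS: a small evaluator that applies a policy (Allow, explicit Deny, implicit deny, wildcards, one StringEquals condition) to a request, first to a developer identity policy and then to the trust policy of a role assumed with AssumeRoleWithSAML, where the SAML:aud condition pins the audience to the https://signin.aws.amazon.com/saml endpoint. The policies, the provider ARN and the account id 123456789012 are constructed placeholders.

```python
"""Minimal IAM policy-document evaluator, added as an example; it is not code
from the original post or an AWS library. It applies the rule the notes state:
an explicit Deny always wins over an Allow, and anything not allowed is
implicitly denied. The policies are constructed; 123456789012 is the
placeholder account id used in AWS documentation."""
import fnmatch


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(patterns, value, case_sensitive):
    # IAM supports '*' and '?' wildcards; action names are case-insensitive.
    for pattern in _as_list(patterns):
        if case_sensitive:
            if fnmatch.fnmatchcase(value, pattern):
                return True
        elif fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def _principal_ok(spec, principal):
    # Identity policies carry no Principal; trust policies name who may assume.
    if spec is None or spec == "*":
        return True
    return any(principal in _as_list(v) for v in spec.values())


def _conditions_ok(conditions, context):
    # Only StringEquals is implemented; every key in the block must match.
    for operator, pairs in (conditions or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError("condition operator " + operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource="*", principal=None, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _match(stmt.get("Action"), action, case_sensitive=False):
            continue
        if "Resource" in stmt and not _match(stmt["Resource"], resource, True):
            continue
        if not _principal_ok(stmt.get("Principal"), principal):
            continue
        if not _conditions_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny overrides any allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Identity policy for a developer group: read and start/stop EC2, never terminate.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

SAML_PROVIDER = "arn:aws:iam::123456789012:saml-provider/ADFS"  # placeholder ARN
SAML_AUD = "https://signin.aws.amazon.com/saml"

# Trust policy of the role assumed via AssumeRoleWithSAML: only assertions from
# the registered IdP whose audience is the AWS SAML sign-in endpoint are accepted.
SAML_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}},
    }],
}


def saml_assume_decision(provider_arn, audience):
    """Decision for a SAML assertion presented against the role's trust policy."""
    return evaluate(SAML_TRUST_POLICY, "sts:AssumeRoleWithSAML",
                    principal=provider_arn, context={"SAML:aud": audience})
```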


