AWS Fundamentals: IAM and EC2

With IAM, we will learn how to create users, groups, and policies. Then we will look into EC2, one of the most widely used services in AWS.

AWS Regions and Availability Zones

AWS regions

AWS regions are clusters of data centers.

Important: Most AWS services are region-scoped, meaning whatever you set up in one region must be set up separately in every other region where you need it.

  • IAM is global

  • EC2 is region-scoped

Pro tip: Not all services are available in every region. Use the AWS region table to find out which services you have access to in yours.

Availability zones

Every region has multiple AWS availability zones (or AZs). These are discrete data centers, each with its own power, networking, and connectivity. As a result, each AZ is isolated from the others: a disaster in one won't affect the rest.

Note: Even though each AZ is isolated, they're still connected through high bandwidth, ultra-low latency networking.

IAM (Identity and Access Management)

IAM is the heart of your security. It consists of

  • Users

  • Groups

  • Roles

Unlike most other services, IAM is global. Whatever you set up in IAM applies to every region, not just the one you're currently in.

The first account you will ever use when setting up AWS is your root account. This account has every privilege possible.

Pro tip: Only use the root account for initial setup. Then never use it again! It has too much control.

Pro tip: It's a good idea to give users the minimal amount of permissions required to do their job. This is known as the least privilege principle.

Users, groups, roles, and policies

Users map to physical people (of course).

Groups are clusters of users that inherit the permissions you apply to those groups; they're usually grouped by functions (e.g. DevOps) or teams (e.g. engineering).

Roles are permissions we give to a machine rather than a person: they are assumed by AWS resources (such as an EC2 instance) to act within AWS. (This will probably make more sense later.)

Finally, policies define what users, groups, and roles can and cannot do. They're written in JSON.

Note: IAM has managed policies, which are predefined policies that make your life easier.
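To make the JSON policy model concrete, here is a small policy evaluator written for these notes (it is an added example, not AWS's own engine). It implements the rule that matters for least privilege: an explicit Deny beats any Allow, and a request that matches nothing is denied by default. The policy, account id and instance id are constructed placeholders.

```python
"""Minimal IAM-style policy evaluator (added example, not AWS's engine).

Evaluation order: an explicit Deny beats any Allow, and a request that
matches no Allow is denied by default (the implicit deny that makes
least privilege work). Statements are simplified to Effect/Action/Resource.
"""
from fnmatch import fnmatchcase
import json

# Constructed sample: a least-privilege policy for a DevOps group. The
# account id and instance id are placeholders, not real resources.
DEVOPS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive):
    # IAM wildcards are '*' and '?'; action names compare case-insensitively,
    # resource ARNs compare exactly.
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one action on one resource ARN.
    policies: every document in effect for the caller (attached to the
    user plus inherited from its groups)."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource, case_insensitive=False):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"        # an explicit Deny is final
            allowed = True           # keep scanning: a later Deny still wins
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny
```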

IAM Federation

Big enterprises that already have their own user database can set up logins using their company credentials. This is IAM Federation.

It uses the SAML standard.

Random pro tips

  • IAM is where you set up multi-factor authentication

Hands-on walkthrough

When in IAM, there is a checklist to complete.

  1. Activate multi-factor authentication on the root account

  2. Create an IAM user. This will give you a credentials table where you can save or send their sensitive security information.

    • Pro tip: Create a user with AdministratorAccess policy permissions.

  3. You can then define groups and assign permissions to them. It's a good idea to add the users you create to those groups rather than attaching permissions to users directly.

  4. You can then set a password policy that even forces a password reset every X days.

  5. Finally, you want to log into that admin user you created. Stop using the root account.

EC2

EC2 was the foundational service that Amazon started with. Nowadays, Amazon's more cutting-edge offerings are serverless, but EC2 is still fundamental to understanding how the cloud works.

EC2 basically allows you to rent virtual machines. Several sub-services go along with it:

  • EBS stores data on virtual drives

  • ELB provides load balancing across machines

  • ASG helps scale your service using an auto-scaling group

How to launch an EC2 instance

  1. Go to EC2 using the search bar.

  2. Click "Launch Instance".

  3. You will be asked to choose an AMI: an Amazon Machine Image.

    • Recommended: Choose the newest Amazon Linux, as it comes with Amazon-specific tools

  4. Select the Instance Type: how powerful you want the machine to be. For us, we'll choose whatever is free.

  5. Once you're in Configure Instance, this is where you set up the network, group, behaviour, etc. of the instance. (Most of this is usually fine as default.)

  6. Next, you will add storage. Once again, defaults are usually all fine here.

  7. Next you can add tags. These values are whatever you want them to be. They're just ways of organizing your instances and will appear in the instance's UI.

  8. Finally, you can set up Security Group: this is like the firewall for your instance.

    • Important: Make sure an inbound rule allowing SSH (port 22) is set up here, or you won't be able to connect.

  9. When you launch your instance, you'll be asked to create a key pair, which provides you with a secret key to be able to SSH into your instance.

SSH into your EC2 instance

SSH allows you to control a remote machine or server using the terminal.

To SSH into your EC2 instance, run the following command:

ssh -i path/to/pem ec2-user@INSTANCE_PUBLIC_IP

  • -i path/to/pem is simply the path to where you stored the .pem file when you created the key pair.

  • INSTANCE_PUBLIC_IP can be found in the EC2 dashboard.

Note: If you run this command right away, though, you will receive the following error:

Permissions 0644 for 'EC2.pem' are too open.
It is required that your private key files are NOT accessible by others.

To solve this, you need to update the permissions for that file.

chmod 0400 path/to/pem
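The check ssh performs before refusing the key, and the fix, reproduced in Python so you can try it on a throwaway file (added example for these notes, not OpenSSH code). It assumes a POSIX filesystem; the key file it creates is a constructed placeholder, not a real key.

```python
"""Reproduce OpenSSH's private-key permission check (added example).

ssh rejects a key file it owns whenever any group or other permission bit
(the 0o077 mask) is set, which is exactly what the 0644 error above says.
"""
import os
import stat
import tempfile

def key_too_open(path):
    """True when group/other bits are set, mirroring ssh's test."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) != 0

def lock_down_key(path):
    """Apply the fix from the text (owner read-only, 0400); return new state."""
    os.chmod(path, 0o400)
    return key_too_open(path)

def demo():
    # Constructed throwaway file; the content is not a real private key.
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.write(fd, b"-----BEGIN PLACEHOLDER KEY-----\n")
    os.close(fd)
    os.chmod(path, 0o644)          # the mode the error message complains about
    before = key_too_open(path)    # True: ssh would refuse this file
    after = lock_down_key(path)    # False: 0400 passes the check
    os.unlink(path)
    return before, after
```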

Bonus: To connect to your EC2 instance in the browser, you can simply use EC2 Instance Connect by right-clicking the instance. Behind the scenes, this functionality pushes a temporary key to your instance for easy connection.

Security Groups

Security groups are the foundation of network security in AWS. They control which inbound and outbound traffic is allowed to and from EC2 machines.

Allow, inbound, and outbound rules

When you click into Security Groups under "Network & Security" in EC2 and then click into any security group, you can edit its inbound and outbound rules.

These rules define who can reach your EC2 instance (inbound) and how traffic leaving the machine is handled (outbound). By default, anyone with your secret key can SSH into your instance, and all outbound traffic is allowed.

Exercise: If you want to see how to mess up inbound traffic, you can delete all your inbound rules. Now if you SSH into your EC2 instance, the request will hang and then time out.

Deeper dive

Think of security groups as firewalls that regulate

  • Access to ports

  • Authorized IP ranges

  • Control of inbound traffic

  • Control of outbound traffic

Things to know about security groups:

  • Multiple EC2 instances can share the same security group

  • Security groups are always within the scope of your region

  • Security groups live outside of EC2, so if traffic is blocked, the EC2 instance won't be aware of why

Pro tip: It's a good idea to create a separate security group for SSH access. It's usually the most complex security group you'll set up.
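A small model of how inbound rules are evaluated, written for these notes (added example, not AWS code). It shows why the exercise above times out (no matching rule means the packet is silently dropped) and includes the audit a practitioner would run on an SSH security group: flag any rule that opens port 22 to the whole internet. The rules are constructed samples; only tcp/udp port-range rules are modelled.

```python
"""Security-group inbound evaluation and SSH exposure audit (added example).

A security group is an allow-list: a packet that matches no inbound rule is
dropped without a reject, so the client simply hangs and times out.
"""
import ipaddress

# Constructed sample rules in the shape the EC2 console shows them.
SSH_FROM_OFFICE = {"protocol": "tcp", "from_port": 22, "to_port": 22,
                   "cidr": "203.0.113.0/24"}
SSH_FROM_ANYWHERE = {"protocol": "tcp", "from_port": 22, "to_port": 22,
                     "cidr": "0.0.0.0/0"}
HTTP_FROM_ANYWHERE = {"protocol": "tcp", "from_port": 80, "to_port": 80,
                      "cidr": "0.0.0.0/0"}

def inbound_allowed(rules, protocol, port, source_ip):
    """True if some rule permits the packet; otherwise implicit deny."""
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule["protocol"] != protocol:
            continue
        if not rule["from_port"] <= port <= rule["to_port"]:
            continue
        if src in ipaddress.ip_network(rule["cidr"]):
            return True
    return False                      # deleted all rules? every packet lands here

def audit_ssh_exposure(rules):
    """Return the source CIDRs of tcp rules that expose port 22 to everyone."""
    findings = []
    for rule in rules:
        if rule["protocol"] == "tcp" and rule["from_port"] <= 22 <= rule["to_port"]:
            if ipaddress.ip_network(rule["cidr"]).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append(rule["cidr"])
    return findings
```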
