AWS Fundamentals: IAM & EC2
Last updated
With IAM, we will learn how to create users, groups, and policies. Then we will look into EC2, one of the most widely used services in AWS.
AWS regions are clusters of data centers.
Important: Most AWS services are region-scoped, meaning whatever you set up in one region must be set up separately in another region.
IAM is global
EC2 is region-scoped
Pro tip: Not all services are available in every region. Use the AWS Regional Services list to find out which services you have access to in your preferred region.
Every region has multiple AWS availability zones (or AZs). These are discrete data centers, each with their own power, networking, and connectivity. As a result, each AZ is isolated from the others: a disaster in one won't affect the rest.
Note: Even though each AZ is isolated, they're still connected through high bandwidth, ultra-low latency networking.
IAM is the heart of your security. It consists of
Users
Groups
Roles
Unlike every other service, IAM is global. Whatever you set up in IAM applies to every region, not just the one you're currently on.
The first account you will ever use when setting up AWS is your root account. This account has every privilege possible.
Pro tip: Only use the root account for initial setup. Then never use it again! It has too much control.
Pro tip: It's a good idea to give users the minimal amount of permissions required to do their job. This is known as the least privilege principle.
Users map to physical people (of course).
Groups are clusters of users that inherit the permissions you apply to those groups; they're usually grouped by functions (e.g. DevOps) or teams (e.g. engineering).
Roles are sets of permissions assumed by AWS resources (for example, an EC2 instance calling other AWS services) rather than by people. (This will probably make more sense later.)
Finally, policies apply definitions of what users, groups, and roles can and cannot do. They're written in JSON.
Note: IAM has managed policies, which are like predefined policies to make your life easier.
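Policies are JSON documents, and the least privilege principle from above is about what goes inside them. The following is an added example (not from the original notes): a constructed least-privilege policy that grants read access to one S3 bucket, a constructed over-broad policy equivalent in effect to AdministratorAccess, and a small check that flags wildcard Action/Resource grants before a policy is attached to a user or group. The bucket name and the helper functions are assumptions.

```python
import json

# Constructed example policy (not from the page): read access to one bucket,
# nothing else. The bucket name is made up.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports-bucket",
                     "arn:aws:s3:::example-reports-bucket/*"],
    }],
}

# Constructed over-broad policy: every action on every resource.
ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return least-privilege findings for a policy document (empty list = clean).

    Flags Allow statements whose Action or Resource is '*' and service-wide
    actions such as 's3:*'. Deny statements only narrow access, so they are skipped.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(f"statement {i}: service-wide action {action}")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' applies to every resource")
    return findings


def is_least_privilege(policy_json):
    """Parse a policy from its JSON text and report whether it is wildcard-free."""
    return policy_findings(json.loads(policy_json)) == []
```

An admin user created during the checklist below legitimately gets the broad policy; everyone else should pass this check.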
Big enterprises that already have their own user database can set up logins using their company credentials. This is IAM Federation.
It uses the SAML standard.
IAM is also where you set up multi-factor authentication (MFA).
When in IAM, there is a checklist to complete.
Activate multi-factor authentication on the root account
Create an IAM user. This will give you a credentials table where you can save or send their sensitive security information.
Pro tip: Create a user with AdministratorAccess policy permissions.
You can then define groups and assign permissions. It's a good idea to apply those groups to the users you create.
You can then set a password policy that even forces a password reset every X days.
Finally, you want to log into that admin user you created. Stop using the root account.
EC2 was the foundational service that Amazon started with. Nowadays, Amazon's more cutting-edge offerings are serverless, but EC2 is still fundamental to understanding how the cloud works.
EC2 basically allows you to rent virtual machines. There are also sub-services that go along with it:
EBS (Elastic Block Store) stores data on virtual drives
ELB (Elastic Load Balancing) distributes traffic across machines
ASG (Auto Scaling Group) scales the number of instances up and down automatically
Go to EC2 using the search bar.
Click "Launch Instance".
You will be asked to choose an AMI: an Amazon Machine Image.
Recommended: Choose the newest Amazon Linux, as it comes with Amazon-specific tools.
Select the Instance Type: how powerful you want the machine to be. For us, we'll choose whatever is free.
Once you're in Configure Instance, this is where you set up the network, group, behaviour, etc. of the instance. (Most of this is usually fine as default.)
Next, you will add storage. Once again, defaults are usually all fine here.
Next you can add tags. These values are whatever you want them to be. They're just ways of organizing your instances and will appear in the instance's UI.
Finally, you can set up a Security Group: this is like the firewall for your instance.
Important: You want to make sure you have an inbound rule allowing SSH here.
When you launch your instance, you'll be asked to create a key pair, which provides you with a secret key to be able to SSH into your instance.
SSH allows you to control a remote machine or server using the terminal.
To SSH into your EC2 instance, run the following command:
-i path/to/pem is simply the path to where you stored the .pem file when you created a new key pair.
INSTANCE_PUBLIC_IP can be found in the dashboard of EC2.
Note: If you run this command though, you will receive the following error:
To solve this, you need to update the permissions for that file.
Bonus: To connect to your EC2 instance in the browser, you can simply run EC2 Instance Connect by right-clicking the instance. Behind the scenes, this functionality adds a temporary key to your instance for easy connection.
Security groups are the foundation of network security in AWS. They control which inbound and outbound traffic is allowed to and from EC2 instances.
When you click into Security Groups under "Network & Security" in EC2 and then click into any security group, you can edit its inbound and outbound rules.
These rules define what can reach your EC2 instance (inbound) and how traffic leaving the machine is handled (outbound). By default, SSH is allowed from any source, so anyone holding your private key can SSH into your instance, and all outbound traffic is allowed.
Exercise: To see what happens when inbound traffic is misconfigured, delete all your inbound rules. Now if you SSH into your EC2 instance, the request will hang and then time out.
Think of security groups as firewalls that regulate:
Access to ports
Authorized IP ranges
Control of inbound traffic
Control of outbound traffic
Things to know about security groups:
Multiple EC2 instances can share the same security group
Security groups are always within the scope of your region
Security groups are enforced outside the instance, so blocked traffic never reaches it: from inside the instance you cannot see why a connection failed.
Pro tip: It's a good idea to create a separate security group for SSH access. It's usually the most complex security group you'll set up.
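The SSH section (key file permissions) and the security group section (allow-list rules, the "delete all inbound rules" exercise) describe two things that go wrong before a login succeeds. The following is an added example (not from the original notes): a pre-flight check that builds the ssh command, verifies and fixes the .pem file's permissions, and evaluates a constructed set of inbound rules the way a security group does. The rule format, the IP addresses and the helper names are assumptions; ec2-user is the default login on Amazon Linux.

```python
import ipaddress
import os
import stat
import tempfile

# Constructed inbound rule sets (not from the page); each rule mirrors a console
# row: protocol, port range, source CIDR. The first is what the launch wizard adds.
SSH_FROM_ANYWHERE = [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]
SSH_FROM_OFFICE = [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"}]

def ssh_command(pem_path, public_ip, user="ec2-user"):
    """Build the login command; ec2-user is the default login on Amazon Linux."""
    return f"ssh -i {pem_path} {user}@{public_ip}"

def key_file_is_private(path):
    """True when the .pem is readable by its owner only, which ssh insists on."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def fix_key_file(path):
    """The usual fix for the 'unprotected private key file' refusal: chmod 400."""
    os.chmod(path, stat.S_IRUSR)
    return key_file_is_private(path)

def inbound_allows(rules, protocol, port, source_ip):
    """Security groups are allow-lists: a packet passes only if some rule matches.
    With no inbound rules nothing matches, so an SSH attempt hangs and times out."""
    ip = ipaddress.ip_address(source_ip)
    return any(r["protocol"] == protocol
               and r["from_port"] <= port <= r["to_port"]
               and ip in ipaddress.ip_network(r["cidr"], strict=False)
               for r in rules)

def open_to_world(rules, port=22):
    """Return rules exposing `port` to 0.0.0.0/0; narrow these to your own IP range."""
    return [r for r in rules
            if r["from_port"] <= port <= r["to_port"] and r["cidr"] == "0.0.0.0/0"]

def demo_key_fix():
    """Write a throwaway fake key with loose permissions, then fix it."""
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as f:
        f.write(b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(f.name, 0o644)
    before = key_file_is_private(f.name)
    after = fix_key_file(f.name)
    os.unlink(f.name)
    return before, after
```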