Hello Cloud Guru and welcome to this lesson in this lesson we're going to look at

the AWS resource access manager or am so I want to talk a bit about account
isolation in AWS for a minute you might hear something called a multi-account
strategy in AWS this means you can use different AWS accounts to separate
concerns like administration building or to minimize the so-called blast radius
around any mistakes or security vulnerabilities Now using a multi account
strategies great what percentage challenge when you need to create and share
resources across account that's where resource access manager comes in if you
have multiple individual AWS accounts or an AWS organization you can create
resources centrally and use AWS REM to share those Resources with other accounts
this means that you can reduce operational overhead because you won't be
duplicating resources in each of your account which can be a real pain to manage
every type of resource in AWS using our am currently at the time of this
recording he's a Services have resource types that you can share out so that's at
mesh Aurora CO to build easy too easy to image Builder license manager resource
groups and Route 53 so let's hear let's say we want to launch ec2 instances in a
shared subnet across accounts say we have to AWS accounts account one and account
too and we have a private subnet an account one that we want to share an account
to is able to see this private Subnet in account one this lets account to create
resources and account one's private subnet like ec2 instances what's important to
understand here is that account to has no control over account ones private
subnet so it can't alter the Subnet in any way with the exception of adding tags
in other words is something that isn't copy from a count one to account to it's
just shared and I want to show you one more example in the AWS Management console
using RDS so here I have two different accounts account one on the left and
account to on the right account one has this Aurora database cluster called
database one now I want to be able to clone that database in account to that you
can see here I don't have access we can grant access using our am so over here to
count one will go to the REM console and will select create a resource share will
give this name call the Aurora cluster resource type you see all the different
resource types that we can select will select Aurora DB clusters and you'll see
that database one is available for sharing that check box and you'll see it
selected here now we want to allow an external account this is what is referred
to as a principal I'm going to enter the AWS account number for account number 2
it's a piece that in here and click add so now we're going to be granting account
number to access to this cluster and account number one we can skip the tags and
will create the resource share now you can see I have one here in the deleted
State and that was just me testing this prior to recording the video so you can
actually ignore that one the one we're interested here is the world cluster share
that we just created whose status is active now you'll notice if you go over here
to account to and click refresh you don't see anyting well why is that what we
have to go into the share here and you'll see that the shared resource is in the
associated status with the shared principal the account itself is in the
associating State REM works by sending an invitation from a count one to account
to that you have to first accept so we'll go to our am an account to and under
shared with me under resource shares will see a pending invitation will click on
this and click accept resource share he'll go from pending click okay two
accepted and if we go back to RDS and click refresh we now see database one
shared from account number one so if we select this and under actions we can
create a clone of the state of base and start working with it in our own account
so that's just a simple example of how we can use AWS resource access manager to
share resources across accounts or within an AWS organization so that's pretty
much all you need to know for the exam about REM feel free to reach out with any
questions if not move on to the next lesson thanks

hello and welcome back in this

lesson we're going to be talking AWS single sign-on or SSO using a multi-account
strategy in a previous lesson and we know this is a best practice but managing
user permissions for all those individual accounts can be a real headache we can
make this a lot easier using AWS single sign-on so let's see how this works
single sign-on or SSO is a service that helps since we managed access to AWS
accounts and business applications so these can be third-party applications like
Office 365 Salesforce Dropbox GitHub and so on this is just a small sampling of
the ever-growing list of business applications that integrate with AWS SSO into
being able to centrally manage your account you can sign into AWS account and
third-party accounts in one place using the AWS SSO portal with your existing
corporate identities what dance is so you can manage user permissions for all
your AWS resources across all your accounts using AWS organizations so here's an
example of using granular account level permissions with us out what say you want
to Grant your security team administrative access to only the AWS accounts
running your security tools but then you only want to Grant him auditor level
permissions to other AWS accounts is SSO to set this up now we covered active
directory in the previous lesson here's how that works with SSO so we mention SSO
allows you to log into business applications like G suite and Office 365 SSO also
integrates with active directory or any saml 2.0 identity provider for example as
you're a d to log into the AWS SSO portal with their active directory credentials
this can also be used to Grant access to AWS organizations so structures like oh
used for development and production environments it could also gain access to any
saml 2.0 enabled application so I just mentioned saml 2.0 a couple of times so
what exactly is that security assertion markup language or sam'l is a standard
for logging users into applications based on their sessions in another context so
for example one context being your Microsoft ad environment and another context
being your business application like G Suite allows you to log into the G Suite
application for example using your a d context and all sinon activities are
recorded in AWS cloud trail this helps you meet your audit and compliance
requirements just one important exam tip for you if you see saml 2.0 in an exam
question look for SSO in one of the answers so that's pretty much all I wanted to
cover on AWS SSO if you have any questions feel free to reach out if not please
move on to the next lesson thanks

okay hello Club bruising welcome to this lesson

congratulations here at the very end of the advanced I am section you've done
really really well to get through this section of the course I know some of these
services are not what you use in your everyday work but they're worth a number of
points on the exam so you do well to understand these Concepts so with that let's
review what we've learned in this section of the course what we learned about
directory service and its relationship to active directory now for the exam you
don't need to know active directory in detail but you should understand it
conceptually and how it interacts with these various Services ultimately
directory Services all about connect AWS Resources with on-premise assaidi a very
common use case that you'll see on the exam is when you want to use single
sign-on to log into any domain-joined ec2 instance we also learned about AWS
managed Microsoft ad these are real active directory domain controllers running
Windows Server running inside AWS and we learned about a d trust this is where
you can send your existing active directory to on-premise to Sadie using a t
trust will use a d trust to extend existing active directory inside AWS to your
on-premises environment now with these managed Services you want to understand
where the responsibilities are divided between AWS and you was a customer so for
example things like patching scale-out user and group management Etc next week
covered simple lady now we referred to Simply Diaz the baby brother to manage
Microsoft ad and it does support a lot of AD compatible features will one main
feature does not support our trust which means that you can't join simple 82 your
on-premises a d if you want to do that you'll need to use a D connector this is a
directory Gateway or proxy for your on-premises Sadie next week covered Cloud
directory this is a service for developers looking to work with hierarchical data
unclog directory has nothing to do with Microsoft a d another service we covered
that also has to do with a d is Cognito user pools this is a managed user
directory that works with social media identities so I know it can be a bit
confusing because AWS lumps all of these various Services together under the
title directory service even though they're all distinct services on their own
summer aad compatible and some are not so you want to go back and review which r
a d vs980 compatible Services next we talked about I am policies the most
important thing you'll need to understand is an a r n the Amazon resource name to
make sure you understand the syntax cuz it can get a little complicated also
understand the structure of an IAM policy remember this is just a Json document
which is composed of a number of discrete statements each statement contains an
effect and action and a resource to remember the effect of something like allow
or deny the action is an API call so for example get object on S3 or create table
on dynamodb and that resource is the end the inside AWS that the policy is
affected for so an S3 bucket or dynamodb table and also understand the difference
between resource policies and how AWS evaluates policies example you have two
policies that are in effect for the same resource one has an allow one has Adonai
always remember that deny supersedes allow we also covered AWS managed vs.
customer managed policies understand that AWS managed policies can't be edited by
you is the customer and you can create as many customer managed policies as you
like we also talked about permissions boundaries remember permission boundaries
don't allow or deny permissions on their own they simply Define the maximum
permissions and identity can have next week covered resource access manager this
allows resource sharing between accounts and this works either on individual
account or within account in an AWS organization keep in mind the types of
resources that you can share remember not every AWS service is available in
resource access manager finally recovered single sign-on or SSO the SSO service
help so centrally manage access to AWS account business applications exam you
might be presented with a scenario where it's asking about using existing
corporate identities to sign into AWS services or third-party applications so for
example things like G Suite Office 365 or Salesforce accounts this is where
single sign-on is most appropriate anything that asked about using existing
identities to log into other contexts this is single sign-on works it can also be
used to govern account level permissions you might also be asked about Samuel
security you search in markup language so if you see a question where it says
sam'l or saml 2.0 look for single sign-on or SSO in one of the answers so that's
it for this section of the course you've done really really well if you have any
questions please let me know if not then please move on to the next section of
the course thanks

This next section Route53

Big hey hello clock Bruce and welcome to this section of the
course so this lectures call Dennis 101 and we're going to be looking at Amazon's
DNS service which is colder Route 53 throughout the rest of this section of the
course the first of all you might be wondering where did they get the name Route
53 from well if you know a little bit about u.s. history the very first into
state was Route 66 was the very first road that went from one side of the country
to the other and with DNS DNS is actually on the port 53 so that's where Route 53
gets its name and that is actually a popular interview question at AWS if you are
going to try and get a job at a w s s a Solutions architect or is it technical
account manager that's where Route 53 comes from its Route 53 will probably come
up for five times in your exam I'm the exam questions are random so it really
depends you know which questions you get out but it is definitely a heavily
tested topic and to be honest if you want to work as a Solutions architect in
real life going to need to understand DNS back to front now in this love we are
going to go out of free tier cuz we're going to set up three ec2 instances this
subsection of the Colts could cost you money if you follow along or you can just
watch me do it myself so let's start with DNS what is DNS and I want you to think
of a fun book on that's the easiest way to remember what DNS is I know we don't
really have phone books anymore but you know if hopefully you can still remember
them oh maybe I'm just getting old so if you use the internet you've used ns10s
is used to convert human-friendly domain name such as a cloud Guru into an ipv4
IPv6 address such as Heights PD pay 82. 124. 53. One so I pay addresses a used by
computers to identify each other on a network and IP addresses come in two
different forms ipv4 and IPv6 and this one 82. 124. 53. 1 is an ipv4 it's a way
of looking up a domain name and getting an IP address just like you when you used
to look into the Yellow Pages look up someone's name and you get that telephone
number so let's talk about ipv4 vs. IPv6 and ipv4 addresses have been running out
and they've been running out the ages that's why we invented IPv6 to ipv4 is a
32-bit field which has over four billion different addresses and essentially it
has a finite number of addresses and it's worked really well in the early days of
the internet because we just didn't have that many devices online nowadays
everyone's mobile phone everyone's computer it runs fridge and Celexa they all
have any unique independent IP addresses and we just run out of space and help
you visualize this I want you to imagine that each ipv4 address is a single grain
of sand if you would it take all the ipv4 addresses and add them up together they
would be enough to fill a dump truck so that's how many ipv4 addresses there are
we created IPv6 to solve this problem of running out of ipv4 addresses and IPv6
has an address space of 128 bits and in theory this is basically 340 undecillion
the dresses if you then turn this analogy on its head and you take a single grain
of sand for 340 undecillion addresses it's enough to fill up the sun that's how
many IPv6 addresses that there are no big problem is a little bias Paisa just not
switching over to IPv6 so we're in this sort of weird weld right now where were
using both ipv4 and IPv6 but I'm sure that is going to change in the next decade
or so so now that you know what ipv4 is vs. IPv6 going to talk about top-level
domains and we look at common domain name such as google.com or BBC Dakota KOA
Cloud. You notice a string of characters separated by adults or periods and the
last word in a domain name represent the top level domain the second word in a
domain name is known as a second level domain name and this is optional during if
depends on the domain name so it got dark home that is the top level domain. Edu
is a top-level domain. Gov is a top-level domain in the UK we have a lot of. Co.
Uk so don't UK is a top-level domain name and then the dark hole is known as the
second level domain name so that the difference between a second level domain
name and a top-level domain name similarly in Australia with that. Come that I
you I'm so top-level is. A u and then the dark home is the second level domain
name so these turn my name's a controlled by the internet assigned numbers
Authority or Ina and this isn't a database which essentially is a database of oil
available top-level domains and you can go and do this it's just by visiting i a
n a. Org DB and I'll give you all the top level domains that are available now
because all the names in a given domain have to be unique the needs to be a way
of organizing this whole so that older male names on Chupa catered and this is
what domain registrars come in and a registrar is an authority that can assign
doing my name is directly under one or more top-level domains and these domains
are registered with internet which is the service of I can and I can basically
enforces the uniqueness of domain names across the internet and search domain
name must be registered in a central database known as a Whois database and
popular domain registrars include Amazon themselves as relatively recent that
Amazon have become a domain registered but it makes Allied so much easier when I
first started recording the closest we had to go and buy the domains from GoDaddy
and then transfer them over to Amazon godaddy.com is a very famous 1123 Regin UK
is also very famous etcetera so these are places where you can go and buy domain
names and when you bought a domain every DNS address begins with a start of
authority regular and sa2eso a record stores information about the name of the
soda that supplied the date of the desert who the administrator of the zone is so
this could be your system administrator on the current version of the date of and
then the default number of seconds for the time to live faolan results records
and what, to what at ATL is in a second we did kind of covered off in the cloud
of front light show nipple is the sounds a bit too technical for you don't worry
it's going to get simplus so we know what a start of authority record is its way
I'll DNS is going to start we now know I need to understand what an NS record is
in it and S Just Dance with name server records and they use my top level domain
service to direct traffic to the content DNS server the content DNS server
contain example to make this old make sense so it could I use a and they type in
to that browser hello Cloud Cruise 2019. Calm and if browser doesn't know the IP
address of for that died main browser does is it goes to the top level domain
server and essentially it's clearing it full the authoritative DNS records has
sang Hey I got this domain could Hillary klug Cruise 2019. I need to know the IP
address for it now the top level domain doesn't contain the IP addresses going to
contain something similar to this so it's going to have the dog cam that's why
the top level domain is going to have the top level domain and then it's
basically going to have the name server so it's going to give it a name server
record and it's going to point to NS. AWS DNS Stockholm and that's the names of a
record weedon Garden query DNS records and the NFC records are going to give us
the start of authority so it's going to give us the start of authority and inside
the sun Authority that's where we going to have all out DNS records and what
consists of different things so we go to a record in this is the most fundamental
type of DNS record the a in a record stands for address and the area code is used
by a computer to translate the name of the domain to an IP address so for example
www.icloud.com to http 123. 10.10.18 that's all in a record is it's just like the
phone example Define book example that we talked about earlier it's going to take
her name and give us an IP address know we have soda touchdowns ATL's before we
touched on them in cloudfront a t t o is basically the link that a DNS record is
cashed on either the resolving server or on the uses of local PC and it sequel to
the time to live in seconds to TTL to stands for time to live and delowe the time
to live the Foster there is changes to DNS and the lower time to live the Foster
changes to DNS records at 8 to propagate through the internet now with most
providers that the default time to live is 48 hours and that can be quite
frustrating because if you do make a DNS change that Dennis change can take 48
hours to propagate throughout the entire internet if someone has just visited
your website they going to cash that DNS address of my b&i ipv4 address and it
will be cash for the time to live and if that's 48 Hours it means if you go in
and change that IP address that could take 48 hours to take effect this is my
Twitter go ahead and follow me I don't have actually all that many followers
compared to how many students I've got but this is one of my favorite tweets are
tweeted this 6th of December and this is a haiku and it says it's not Dennis
there's no way it's Dennis it was DNS and if your system administrator I'm sure
you'll find that funny the reason this is funny is because of the time to live it
can just take 48 was to do a change and you're dripping your hair out you trying
to figure out what the hell is going on and it's a DNS issue it's a time to live
issue you have to wait those full two days before that change goes in and takes
affect the capital of Iraq was what's a cname will a c name stands for canonical
name and it can be used to resolve one domain name to another example you might
have a mobile website with a domain name m to iCloud. Girl and that's used for
when you use a browse to your domain name on the mobile devices you may also want
the name mobile. A cloud. Gary to resolve to the same address and instead of
having two separate IP addresses you just map one to the other and if you've been
looking at this Yellow Pages when you can see Batman in here and then it goes see
West Adams so it does not giving us a and ipv4 with some giving us a telephone
number actually it's just giving us another reference that we can go up and look
and then that will give us our ipv4 address that's AC name is an alias records a
used mattress records in your hosted Zion to elastic load balancer AWS cloudfront
distributions or S3 buckets that I can figure it as a website an alias records
are effectively just the same as a cname record that end it allows you to map
your DNS at to another Target name there is a crucial difference however I see
name, be used for naked domain name so you'll make it there my name is sometimes
called Luzerne hypex record bicycling is being tired to remind without a w w w in
front of the door without a mobile. Whatever. My name is etcetera etcetera so
that's all I'm naked domain name is Sault Ste name can't be used for naked domain
names you can't have a city named for a cloud has to either be in a record or an
alias and again we going to have a look at this in the labs we're going to go in
and set up a very first alias that we going to provision around the world really
complicated and get your hands dirty with it so don't worry if none of this is
making sense just yet it will have to wait finish the laps so on to my exam tips
and I appreciate we have not yet covered elastic load balancers in any detail I'm
the reason for that is what going to cover it in the high availability section of
the coolest elastic load balancer is a crucial to understand in order to pass
your certified Solutions architect associate exam you can have at least 10
questions on that I'm but really we need to understand DNS and we really need to
understand vpcs before we can look at elastic load balancers in any kind of
details we going to do those two things first that being said what you do need to
know going into your exam for Route 53 is that elastic load balancer has never
had a predefined ip4 address you always resolve to them using a DNS name so just
remember that you never going to get an ipv4 address for an elastic load balancer
we need to understand the difference between an alias record and they seen it so
just remember when we doing El recodo naked domain name and was trying to point
that towards an ec2 instance for example are we going to be using an alias record
when not going to be using a cname so if if you are in the exam you give it a
choice between an alias record and a C9 always choose an alias record and then
just remember some common DNS type so we go out start of authority record with go
to NS record then we got out a record MX records which they use the mail and then
a PTR record is essentially a it's the reverse of an a record so it's a way of
looking up a name against an IP address so now that we've had a crash course on
Dennis what we're going to go ahead and do is going to go in and register domain
name I'm going to start provisioning it's free little ec2 instances around the
world as little web service and then we're going to be ready to start on the
Route 53 section of the code if you got the time please join me in the Netflix
show thank you