Cloud Computing
On-demand delivery of compute power, database storage, applications and other IT services.
Benefits :-
- Pay as you use
- Highly scalable
- Simple access
- High Elasticity
Types of Cloud
● Private Cloud - Only for a particular organization, not for the public. Used for highly sensitive data that needs high security. Ex - Rackspace
● Public Cloud - Owned and operated by a third party. Ex - Azure, GCP, AWS
● Hybrid Cloud - Comprising both public and private
Cloud Characteristics
- On demand self-service
- Elastically scalable
- Multitenancy & Resource pooling
- Broad network access
Availability Zones - One or more data centers, isolated from each other so that a disaster in one does not take down the others, interconnected via high-bandwidth, low-latency links.
Simply create an AWS account -> link a credit card and you are ready.
Shared Responsibility
Customer -> Responsible for security in the cloud (configuring firewalls and so on)
AWS -> Responsible for security of the cloud
Services
IAM
Identity and Access Management.
Root account is created by default; it shouldn't be used or shared
Users - people within org
Groups - collection of users
Users can belong to single or multiple groups or neither of them.
Go to the dashboard and you can customize the sign-in URL for IAM users. Ex - https://chitu-test.signin.aws.amazon.com/console
IAM policy structure
- Version
- Id
- Statement, each statement having:
  - Sid
  - Effect
  - Principal
  - Action
  - Resource
  - Condition
You can attach existing policies and also create your own policy.
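Added example (not from the original notes) showing the fields above in a constructed policy document, together with a small structural check and a simplified evaluation that applies the "explicit Deny wins, otherwise default deny" rule. The account id, user name and bucket name are placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample policy (not from the page) using every field listed above.
# Account id 111122223333, user "alice" and the bucket name are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Id": "example-bucket-access",
    "Statement": [
        {
            "Sid": "AllowListAndRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Sid": "DenyDelete",
            "Effect": "Deny",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def validate(policy):
    """Return structural problems found in the document (empty list = well formed)."""
    problems = []
    for st in _as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny")
        for key in ("Action", "Resource"):
            if key not in st:
                problems.append(f"{sid}: missing {key}")
    return problems

def is_allowed(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, a matching Allow grants, else deny.
    Wildcards in Action/Resource are matched with fnmatch; Conditions are ignored."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if not (any(fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```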
IAM Password Policies
Set minimum length and required letters (upper and lower case)
Password change rules
Password expiry (time bound, e.g. 90 days)
MFA - password you know + security device you own = successful login
U2F Security key -> a physical security device, e.g. YubiKey by Yubico (3rd party)
Plug it in to complete the login
AWS CLI
Enables you to interact with AWS services via a command line interface.
Direct access to the public APIs of AWS services.
You can develop scripts to manage your resources.
AWS SDK
Software Development Kit that contains a set of libraries which allows you to access and manage AWS services programmatically, embedded within your app. Supports multiple programming languages. Ex - JavaScript, Python, PHP
Mobile SDKs (Android, iOS)
IoT devices (Arduino, Embedded C)
Set up AWS CLI on Windows → download the latest 2.x MSI installer from AWS
You can create access keys for management console users.
Never use the root user for the CLI. Go to Users → Security Credentials → Generate Access key.
You can download the CSV.
AWS Cloudshell
Web-browser-based CLI via which you can interact with AWS without installing or configuring the CLI on your local machine. It provides command line access to AWS resources and tools.
Some AWS services need to perform actions on your behalf; for that we create IAM roles for services.
IAM credential report (account level) - lists all the users of your account along with the status of their credentials
IAM Access Advisor (user level) - shows the service permissions granted to a user and when those services were last accessed.
Best Practices
Do not use the root account except for AWS account setup
Use MFA
Use a strong password policy
Do not share creds with friends. Create a separate user account for them
Create and use roles
Always generate access keys for the AWS CLI
Use the reports
AWS Billing
Amazon EC2
It is basically Elastic Compute Cloud. Serves as a virtual PC with the configuration of your choice.
It is Infrastructure as a Service
Capabilities :-
Renting VMs (EC2)
Storing data in virtual drives (EBS, Elastic Block Store)
Distributing load using ELB (Elastic Load Balancing)
Scaling services using ASG (Auto Scaling Group)
Instances :-
This launches a web server in our EC2 instance and writes a file to it
4. Add Storage
As per the storage you want; free tier eligible up to 30 GB free (EBS)
5. Add Tags
6. Configure Security Group
Add rules as per your needs; HTTP in my case, to allow browsing websites on my EC2 instance from anywhere.
You can use different types of instance for different optimisation purposes.
Naming Convention
m5.2xlarge
m: instance class
5: Generation of instance
2xlarge: size of instance
Compute optimized
Ex - C5
Memory Optimized
Storage Optimized
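Added example (not from the original notes): a parser for the instance type naming convention above. It goes a little beyond the page's m5.2xlarge by accepting the extra attribute letters some families carry (such as the "n" in c5n), and the family-letter-to-purpose table beyond "c" is an assumption drawn from AWS's naming, not from the notes.

```python
import re

# family letters, generation digits, optional attribute letters (assumption beyond
# the page: e.g. the "n" in c5n), then ".size"
_INSTANCE_TYPE = re.compile(
    r"^(?P<family>[a-z]+)(?P<generation>\d+)(?P<attrs>[a-z-]*)\.(?P<size>[a-z0-9]+)$"
)

# Purpose per family letter. "c" is on the page; the others are assumptions from
# AWS's usual naming (m = general purpose, r = memory, i = storage).
FAMILY_PURPOSE = {
    "m": "general purpose",
    "c": "compute optimized",
    "r": "memory optimized",
    "i": "storage optimized",
}

def parse_instance_type(name):
    """Split an instance type such as m5.2xlarge into its naming components."""
    m = _INSTANCE_TYPE.match(name.strip().lower())
    if not m:
        raise ValueError(f"not an EC2 instance type: {name!r}")
    family = m.group("family")
    return {
        "family": family,                      # instance class, e.g. "m"
        "generation": int(m.group("generation")),  # e.g. 5
        "attributes": m.group("attrs"),        # e.g. "n" in c5n, "" for m5
        "size": m.group("size"),               # e.g. "2xlarge"
        "purpose": FAMILY_PURPOSE.get(family, "unknown"),
    }
```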
Introduction to Security Groups
If the security groups attached to instances are the same, they can communicate with each other.
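Added example (not from the original notes) of reviewing a security group's inbound rules the way the "Configure Security Group" step above calls for: HTTP/HTTPS from anywhere is the expected case, a rule whose source is the group's own id is the intra-group traffic just described, and admin ports open to 0.0.0.0/0 are flagged. The rules and the group id are constructed sample data.

```python
from ipaddress import ip_network

# Constructed inbound rules for one security group (not from the page):
# (protocol, from_port, to_port, source) where source is a CIDR or a group id.
OWN_GROUP = "sg-0123456789abcdef0"   # placeholder id
INBOUND_RULES = [
    ("tcp", 80, 80, "0.0.0.0/0"),        # HTTP from anywhere, as on the page
    ("tcp", 22, 22, "0.0.0.0/0"),        # SSH from anywhere: should be narrowed
    ("tcp", 22, 22, "203.0.113.0/24"),   # SSH from one office range (TEST-NET-3)
    ("tcp", 0, 65535, OWN_GROUP),        # all traffic between members of this group
]

WEB_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}

def _is_anywhere(source):
    """True for 0.0.0.0/0 or ::/0; False for narrower CIDRs and for group ids."""
    try:
        return ip_network(source).prefixlen == 0
    except ValueError:
        return False

def audit_rules(rules, own_group_id):
    """Return human-readable findings for rules that expose more than web ports."""
    findings = []
    for proto, lo, hi, src in rules:
        if src == own_group_id:
            continue  # instances in the same group talking to each other
        if not _is_anywhere(src):
            continue
        if any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(f"{proto}/{lo}-{hi} from {src}: admin port open to the internet")
        elif not (lo == hi and lo in WEB_PORTS):
            findings.append(f"{proto}/{lo}-{hi} from {src}: non-web range open to the internet")
    return findings
```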
SSH Overview
CLI utility that connects from Mac, Linux, or Windows 10 and above to your instance
Below Windows 10 you can use PuTTY → allows you to use the SSH protocol
EC2 Instance Connect uses a web browser to connect to your EC2 instance; it only works with Amazon Linux 2
You need to provide the key file while remotely accessing your instance.
If the key is not protected, run chmod 0400 <key>
ssh -i <key> ec2-user@<public IP>
SSH Troubleshooting
If connection refused → restart your instance; if that doesn't work, create a new one
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
● You are using the wrong security key or not using a security key. Please look at your EC2 instance configuration to make sure you have assigned the correct key to it.
● You are using the wrong user. Make sure you have started an Amazon Linux 2 EC2 instance, and make sure you're using the user ec2-user. This is something you specify when doing ec2-user@<public-ip> (ex: ec2-user@35.180.242.162) in your SSH command or your PuTTY configuration.
Used the ps and top commands in my Linux EC2 instance, tried out many more commands
Exit to log out
Accessing EC2 instances using EC2 Instance Connect. It works over SSH, so make sure SSH port 22 is enabled in your security group
Does not work with every AMI
Never enter your access key ID and secret in EC2 Instance Connect, because other users would be able to retrieve them and run the instance
A network drive that you can attach to your instances while they run.
Allows instances to persist data even after termination
At CCP level you can only attach one EBS volume to one instance (at architect/DevOps level you can attach an EBS volume to different instances), but you can add multiple EBS volumes to one instance.
Bound to a specific availability zone
Since it is a network drive, it can be connected to other instances quickly, though there may be a bit of latency as the network is involved; you cannot attach it in a different availability zone (for that you need snapshots); you get billed for the provisioned capacity
Go to Instance → click the instance → select EBS storage → Create Volume (give the size and other parameters) → attach the EBS volume to your instance
Make a backup snapshot of your EBS volume and try to detach it while creating the snapshot.
Copy snapshots across AZs/regions
You can restore and attach the EBS snapshot in a different Availability Zone
Creating a Demo Snapshot of EBS
Right click EBS storage → Create snapshot
Snapshot created
You can move snapshots and attach them in a different AZ
AMI
Build Schedule
Add tags
EFS is in sync
Allows a shared file system across all zones → same files across all zones
EFS IA - Infrequent Access → storage class for files that you don't access often
92 percent lower cost for storing data
It will automatically move your files to IA based on the last time you accessed them, as per the lifecycle policy
High Availability - running apps/systems in two Availability Zones in case one goes down.
Survive data loss and disaster
Load balancers are servers that forward incoming traffic to multiple EC2 instances downstream.
Why use?
● Spreading load
● Single point of access (DNS) to your app
● Seamlessly handle failures
● Daily health checks of instances
● Provide SSL termination
● High Availability across all Zones
● Less expensive
Types of balancers :-
In a real-life scenario the load on your websites can change drastically.
● This is where ASG comes into play, scaling in and out as per the needs.
● Replaces unhealthy instances
● Automatically registers new instances
● Cost saving - running at optimal capacity
Creating ASG
Even if an instance gets terminated, ASG automatically starts another instance as per the requirement specified
● Predictive Scaling - uses machine learning to predict future traffic based on past patterns and automatically provisions large numbers of EC2 instances as needed. Use when your load has time-based patterns
So these are some of the scaling strategies that need to be implemented as required.
Use cases - backup and recovery, storage, hybrid cloud strategy, data lake, app hosting, etc.
S3 Buckets
Step 7 → Click on your object to see its stats → You can make your bucket public using object actions; you can also create folders and upload files there
S3 Security
If you have access to S3 via an IAM policy or a bucket policy, you can access it
S3 Bucket Policies
Use S3 bucket policies to grant public access, force objects to be encrypted, or grant cross-account access
Hands-on
Step 1 → Open the bucket
Step 2 → Go to Permissions → disable all Block Public Access settings
Finally, anyone can access the object using its public URL, as per the policy
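Added example (not from the original notes) of the kind of bucket policy the hands-on above ends with, together with a check that spots statements any principal can use and models how the Block Public Access setting from Step 2 overrides them. The policy document is constructed and the bucket name is a placeholder.

```python
# Constructed bucket policy (not from the page): anonymous read of every object,
# i.e. what the hands-on above ends up granting. Bucket name is a placeholder.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_anyone(principal):
    # Both "*" and {"AWS": "*"} mean any principal, including unauthenticated requests.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_statements(policy):
    """Sids of Allow statements that anyone on the internet can use."""
    return [
        st.get("Sid", "<no Sid>")
        for st in _as_list(policy["Statement"])
        if st.get("Effect") == "Allow" and _principal_is_anyone(st.get("Principal"))
    ]

def bucket_is_public(policy, block_public_access):
    """With Block Public Access enabled (the default), a public statement is
    rejected when the policy is saved or ignored, so the bucket stays private.
    Only once it is disabled (Step 2) does the policy actually expose objects."""
    if block_public_access:
        return False
    return bool(public_statements(policy))
```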
S3 Websites
Step 2 → Open the bucket and go to Properties → scroll down to Static website hosting
Step 3 → Edit static website hosting
http://myfirstbucketchintu.s3-website.ap-south-1.amazonaws.com/
S3 Bucket versioning
Any file not versioned prior to enabling versioning will have version null
In case of versioning, when you delete files they don't get permanently deleted; a delete marker is added instead.
We use it for audit purposes → authorized and denied logins, data analysis tools, suspicious patterns, etc. Helpful for RCA
S3 Replication
SRR (Same Region Replication)
CRR (Cross Region Replication)
Step 2 → Go to the bucket you want to replicate → click the Management tab → Create replication rule
Step 3 → Upload a file in the main bucket after creating the replication rule and see the same file getting populated in the replica bucket.
S3 Storage Classes
Step 2 → After adding, scroll down to Properties; there you will find the storage classes
Step 3 → Select the storage class per your needs and upload the file
You can move objects to different storage classes by applying a Lifecycle rule
Step 1 → Go to the bucket → navigate to the Management tab
Step 2 → Create Lifecycle rule → add lifecycle rule actions as per choice
Step 3 → Add transitions → Create rule
Highly secure, portable physical devices for data transfer at the edge and for migrating data to AWS
Edge location → an area that doesn't have internet or is far away from the cloud (truck on the road, ship at sea) and produces data
It is very costly
Try it out and fill in the other fields, but don't create it
The AWS bill is going to be very heavy.