
AWS-SA

General

techstudyslack.com
ramdotj@gmail.com

https://talk.cantrill.io
rammohanj
akshaj11ct

Accounts

General: https://rmj-awsg.signin.aws.amazon.com/console – ramdotj+awsg@gm – account 171484106513 – alias RMJ-AWSG
Prod:    https://rmj-awsp.signin.aws.amazon.com/console – ramdotj+awsp@gm – account 420663037063 – alias RMJ-AWSP
Dev:     https://rmj-awsd.signin.aws.amazon.com/console – ramdotj+awsd@gm – account 241368529668 – alias RMJ-AWSD


CLI commands

aws configure --profile iamadmin-general

aws s3 ls --profile iamadmin-general

YAML:

---
doe: "a deer, a female deer"
ray: "a drop of golden sun"
pi: 3.14159
xmas: true
french-hens: 3
calling-birds:
  - huey
  - dewey
  - louie
  - fred
xmas-fifth-day:
  calling-birds: four
  french-hens: 3
  golden-rings: 5
  partridges:
    count: 1
    location: "a pear tree"
  turtle-doves: two
foo: { thing1: huey, thing2: louie, thing3: dewey }
names: [ "one", "two", "three", "four" ]

JSON (same data, first part):

{
  "doe": "a deer, a female deer",
  "ray": "a drop of golden sun",
  "pi": 3.14159,
  "xmas": true,
  "french-hens": 3,
  "calling-birds": [
    "huey",
    "dewey",
    "louie",
    "fred"
  ],
  "xmas-fifth-day": {
    "calling-birds": "four",
    "french-hens": 3,
    "golden-rings": 5,
    "partridges": {
      "count": 1,
      "location": "a pear tree"
    },
    "turtle-doves": "two"
  }
}

Used for Policy documents


YAML key/value notes:

foo: bar                (key: value)
Value can be: string, object, number, array, true, false, null
pleh: help
stuff:                  (nested object as a value)
  foo: bar
  bar: foo

import yaml

if __name__ == '__main__':
    # Read foo.yaml and print each top-level key with its value.
    with open("foo.yaml", 'r') as stream:
        # safe_load builds only plain Python types. yaml.load() without a
        # Loader argument no longer works in PyYAML 6, and the full loader
        # can instantiate arbitrary Python objects from untrusted input.
        dictionary = yaml.safe_load(stream)
    for key, value in dictionary.items():
        print(key + " : " + str(value))
Used for CloudFormation templates

Networking

Static NAT – 1 Private IP -> 1 fixed Public IP

Dynamic NAT – 1 Private IP -> 1 Public IP from a pool
PAT – Many private -> 1 Public. Private IP/Private Port -> converted to Public IP/Public Port

Private IP address ranges

- 10.0.0.0 to 10.255.255.255 (Class A private IP addresses)
- 172.16.0.0 to 172.31.255.255 (Class B private IP addresses)
- 192.168.0.0 to 192.168.255.255 (Class C private IP addresses)

DNS resolution: Yahoo.com -> Resolver -> Root Server -> TLD Server -> Name server

VPC:
- Is within 1 account and 1 region
- 1 default VPC per region, plus custom VPCs
- Private and isolated by default
- Every VPC is assigned a range of IP addresses called the VPC CIDR. The default VPC gets one CIDR range (172.31.0.0/16). A custom VPC can have many CIDR ranges
- Default VPC will have 1 subnet in every AZ. It can be deleted and recreated.
- A /20 subnet is created in each AZ for the default VPC
- Default VPC will have public IPv4 addresses
EC2:
IaaS – Consumer manages the OS and upwards
Private service – Runs in the private subnet by default
Instance fails if its AZ fails
Storage
- Local
- EBS (Network Storage)

States
- Running
- Stopped
- Terminated(Non-reversible action)

CONM – Charged for CPU, OS, Networking, and Memory


Stopped Instance – Will still generate storage charges

Remote Desktop Protocol – Port 3389


Linux – SSH – Port 22

Private Key format


.pem – Mac/Linux/Modern Windows
.ppk – Older version of windows

Connect to EC2
- EC2 Instance connect
- SSH Client (Use .pem File)
- Session Manager

When you terminate EC2 Instance, security groups do not get deleted. You need to delete them
manually

S3
- Public service, global – region based
- Object storage system, not file or block
- Region resilient – data is replicated across AZs in that region
- Unlimited storage
- Object size 0 – 5 TB
- Bucket name must be globally unique and a bucket can hold an unlimited number of objects
- Flat structure. /old/a.jpg is presented as a folder; /old is a prefix
- Bucket names 3-63 chars, all lowercase letters or numbers, no _
- Bucket limit: soft 100, hard 1000
Cloud Formation Basics
Resources – without this section nothing will happen
If you have both Description and AWSTemplateFormatVersion, Description must directly follow
AWSTemplateFormatVersion (neither is a mandatory field).

CloudFormation uses templates and creates Stacks

CloudWatch
- Metrics -> AWS products, apps, on-premises
- Logs -> AWS products, apps, on-premises
- Events -> AWS events & schedules

Namespace – AWS/EC2, AWS/S3

Datapoint -> Timestamp + Value (98% CPU utilization)
Dimension -> Same metric for different things (CPU utilization for different instances)

Metric -> Alarm -> SNS or Action


HA – Maximizing uptime Ex: Spare tire
FT – Operate through Failure. Ex: Hospital monitoring, Plane etc.,

Route 53:

Register Domains
Host zones – managed nameservers
Global service – single database

DNS records are essentially instructions created by and stored on DNS servers in what is
called a Zone File. 
IAM
Nothing can overrule Explicit Deny
EXPLICIT DENY -> EXPLICIT ALLOW -> DEFAULT DENY (IMPLICIT)

Max. 5000 IAM users per account


IAM user can be part of 10 groups
Groups nesting not allowed
300 Groups/ account but can be increased with a ticket

Groups cannot be referenced as a principal in Policy. For Ex: Bucket policy cannot use Group as
a principal.

IAM users – Inline Policy & Managed Policy


IAM Roles
- Trust Policy
- Permissions policy
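The evaluation order above (explicit deny beats explicit allow, which beats the implicit default deny) as an added example; this is a toy model written for these notes, not AWS code, and the policy document and ARNs are constructed. Condition keys are not modelled.

```python
# Added example (not AWS code): a toy model of the IAM evaluation order noted
# above. Any matching explicit Deny wins, then a matching explicit Allow,
# otherwise the implicit default Deny. Policy syntax is simplified to
# Effect/Action/Resource; condition keys are not modelled.
from fnmatch import fnmatchcase

# Constructed sample policy: a broad Allow plus a narrower Deny.
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::notes-bucket/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::notes-bucket/*"},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    act_ok = any(fnmatchcase(action.lower(), pat.lower())
                 for pat in _as_list(stmt["Action"]))
    res_ok = any(fnmatchcase(resource, pat)
                 for pat in _as_list(stmt["Resource"]))
    return act_ok and res_ok


def evaluate(policies, action, resource):
    """Return 'explicit deny', 'explicit allow' or 'implicit deny'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"   # nothing can overrule this
            allowed = True               # keep scanning: a later Deny still wins
    return "explicit allow" if allowed else "implicit deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::notes-bucket/a.txt"
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"  # constructed ARN
    for act, res in [("s3:GetObject", obj), ("s3:DeleteObject", obj),
                     ("ec2:DescribeInstances", inst), ("ec2:TerminateInstances", inst)]:
        print(f"{act:24} -> {evaluate([POLICY], act, res)}")
```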

S3
S3 is private by default
- Can allow/deny other accounts access to resources in your account
- Can allow/deny anonymous principals
- A bucket policy is a resource policy, i.e. it has a Principal element
- ACL – cannot have a single ACL that applies to multiple objects
- Block Public Access applies only to anonymous principals
S3 Versioning:
Once enabled, versioning cannot be disabled
Once enabled, it can be suspended and later re-enabled. Suspending still keeps the old versions
If no version ID is specified during retrieval, the current version is retrieved

When you delete an object, a delete marker is added. If you delete the delete marker itself, the
object becomes active again
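The versioning behaviour described above (new version per PUT, delete marker on DELETE, undelete by removing the marker), as an added in-memory model written for these notes; it is not AWS code, and the version IDs it generates are constructed rather than the opaque strings S3 returns.

```python
# Added example (not AWS code): an in-memory model of the S3 versioning rules
# above. Every PUT creates a new version, a DELETE without a version ID adds
# a delete marker (old versions are kept and there is no current version),
# and deleting the marker by its ID makes the latest real version current again.
import itertools


class VersionedBucket:
    def __init__(self):
        self._versions = {}             # key -> list of (version_id, body); body None = delete marker
        self._ids = itertools.count(1)  # constructed version IDs; real ones are opaque strings

    def put(self, key, body):
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((vid, body))
        return vid

    def get(self, key, version_id=None):
        """Without an ID the current (latest) version is returned; a delete
        marker as current behaves like a missing object and yields None."""
        history = self._versions.get(key, [])
        if version_id is None:
            return history[-1][1] if history else None
        for vid, body in history:
            if vid == version_id:
                return body
        return None

    def delete(self, key, version_id=None):
        """DELETE without an ID only adds a delete marker; DELETE with an ID
        permanently removes that specific version or marker."""
        history = self._versions.setdefault(key, [])
        if version_id is None:
            vid = f"v{next(self._ids)}"
            history.append((vid, None))
            return vid
        history[:] = [(v, b) for v, b in history if v != version_id]
        return version_id

    def list_versions(self, key):
        return [(vid, "delete-marker" if body is None else "object")
                for vid, body in self._versions.get(key, [])]


if __name__ == "__main__":
    b = VersionedBucket()
    v1, v2 = b.put("a.txt", b"one"), b.put("a.txt", b"two")
    marker = b.delete("a.txt")                 # soft delete: marker becomes current
    print(b.get("a.txt"), b.get("a.txt", v1))  # None b'one'
    b.delete("a.txt", marker)                  # undelete by removing the marker
    print(b.get("a.txt"), b.list_versions("a.txt"))
```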
When you assume a Role, temp. credentials are generated by STS (Secure Token Service)

Organization
- If you add an account by creating, you can switch roles easily
- If you add an account by invite, the invited account should have a role created and use
the inviting account as the trusted account

Cloudwatch Logs:
Public service – Usable from AWS or on-premises
A log stream is a sequence of log events that share the same source. Each
separate source of logs in CloudWatch Logs makes up a separate log stream. A log
group is a group of log streams that share the same retention, monitoring, and access
control settings.

CLOUD TRAIL:
- Logs API calls / account activities as CloudTrail events
- By default stores 90 days of data in Event History (no cost)
- Management events, data events and insight events
Global services like IAM, STS and CloudFront log to US-EAST-1
Create a trail yourself to capture data events as well and store the logs in an S3 bucket as
compressed JSON files. A trail can also deliver the events to CloudWatch Logs.

CloudTrail:
Enabled by Default – 90 Days – No S3

CloudTrail is not real-time; expect a delay of around 15 minutes

CloudTrail events can also be logged into a log stream in a log group within CloudWatch Logs

AWS Control Tower:


Easy setup of multi account environment
Orchestrates other services to provide this functionality
AWS Control Tower orchestrates the capabilities of several other AWS
services, including AWS Organizations, AWS Service Catalog, and AWS
IAM Identity Center (successor to AWS Single Sign-On), to build a
landing zone.
Log Archive Account - Stores AWS CloudTrail and Config logs in an S3 bucket.
Audit Account - is a starting point for cross-account investigations. It provides the security- and
compliance teams with read-only permission into all accounts that are part of your Landing
Zone. 

 
Service or Feature                          | AWS Control Tower | AWS Landing Zone
New AWS Organization account                | ✅ yes            | ✅ yes
Existing AWS Organization account           | ❌ no             | ✅ yes
New AWS SSO environment                     | ✅ yes            | ✅ yes
Existing AWS SSO environment                | ❌ no             | ✅ yes
New AWS Service Catalog environment         | ✅ yes            | ✅ yes
Existing AWS Service Catalog environment    | ❌ no             | ✅ yes
New or Existing Security Hub environment    | ✅ yes            | ❌ no
Support for CI/CD                           | ❌ no             | ✅ yes
Interactive APIs                            | ❌ no             | ❌ no
CloudFormation template(s)                  | ❌ no             | ✅ yes
Terraform module(s)                         | ❌ no             | ✅ yes

When the current object is deleted, a delete marker is added and there is no current version

Multipart Upload
- Minimum object size 100 MB
- Max 10000 parts, each 5 MB – 5 GB
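A planner for the multipart limits listed above (100 MB threshold, parts of 5 MB to 5 GB, at most 10,000 parts, objects up to 5 TB), added here as an illustration; it is not AWS SDK code, and binary units (MiB/GiB/TiB) are assumed for the limits.

```python
# Added example (not AWS code): plan an S3 multipart upload under the limits
# listed above. Binary units are assumed for the part and object limits.
MiB = 1024 ** 2
GiB = 1024 ** 3
TiB = 1024 ** 4
MIN_PART, MAX_PART, MAX_PARTS = 5 * MiB, 5 * GiB, 10_000
MULTIPART_THRESHOLD, MAX_OBJECT = 100 * MiB, 5 * TiB


def plan_multipart(size, part_size=None):
    """Return (part_size, part_count) for an object of `size` bytes, or
    (size, 1) when a single PUT is appropriate. Raises ValueError when the
    request cannot satisfy the limits."""
    if size < 0 or size > MAX_OBJECT:
        raise ValueError("object must be 0-5 TB")
    if size < MULTIPART_THRESHOLD and part_size is None:
        return size, 1                      # below the threshold: plain PUT
    if part_size is None:
        # smallest part >= 5 MB that keeps the count within 10,000,
        # rounded up to a whole MiB (-(-a // b) is ceiling division)
        part_size = max(MIN_PART, -(-size // MAX_PARTS))
        part_size = -(-part_size // MiB) * MiB
    if not MIN_PART <= part_size <= MAX_PART:
        raise ValueError("part size must be 5 MB-5 GB")
    count = max(1, -(-size // part_size))   # last part may be smaller
    if count > MAX_PARTS:
        raise ValueError(f"{count} parts exceed the 10,000 part limit; use a larger part size")
    return part_size, count


if __name__ == "__main__":
    for size in (50 * MiB, GiB, 5 * TiB):
        part, n = plan_multipart(size)
        print(f"{size / GiB:10.3f} GiB -> {n} part(s) of {part / MiB:.0f} MiB")
```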

S3 transfer acceleration
- Uses edge locations. Client -> nearest edge location over the public internet -> to S3 over the
AWS network.
- Bucket name cannot contain periods and must be DNS compatible

KMS
- Regional and public service (occupies the AWS public zone)
- Capable of working with both symmetric and asymmetric keys
- KMS keys are logical – ID, date, policy, description and state
- Backed by physical key material (can be generated by KMS or imported)
- Keys never leave KMS
- Uses HSMs (hardware security modules) that meet the FIPS 140-2 Level 2 standard to create keys
- Can directly encrypt up to 4 KB of data. KMS keys can generate DEKs (data encryption keys)
for data > 4 KB

Levels
0 – No encryption
1 - Server side encryption with server having keys
2 – Server side encryption with client having keys
3 – Client side encryption

DEK:
- Created by KMS and linked to the KMS key that generated them, using the GenerateDataKey operation
- KMS doesn’t store the DEKs
