Cloud Final Lab Record - R
3. Infrastructure as a Service (IaaS):
In IaaS, we can rent IT infrastructure such as servers, virtual machines (VMs),
storage, networks and operating systems from a cloud service vendor. We can create
a VM running Windows or Linux and install anything we want on it. Using IaaS,
we don’t need to care about the hardware or virtualization software, but we
do have to manage everything else. IaaS gives us maximum
flexibility, but we need to put more effort into maintenance.
2. Private Cloud:
The cloud computing resources that are exclusively used inside a single business
or organization are termed as a private cloud. A private cloud may physically be
located on the company’s on-site datacentre or hosted by a third-party service
provider.
3. Hybrid Cloud:
It is the combination of public and private clouds, which are bound together by
technology that allows data and applications to be shared between them. Hybrid
cloud provides flexibility and more deployment options to the business.
EXPERIMENT NO-2:
AIM OF THE EXPERIMENT: Introduction to AWS
Introduction to AWS:
Amazon Web Services (AWS), a subsidiary of Amazon.com, has invested billions of
dollars in IT resources distributed across the globe. These resources are shared among
all the AWS account holders across the globe. The accounts themselves are entirely
isolated from each other. AWS provides on-demand IT resources to its account holders
on a pay-as-you-go pricing model with no upfront cost. Amazon Web Services offers
flexibility because you pay only for the services you use or need.
Security of the cloud is the responsibility of AWS, but security in the cloud is the customer’s
responsibility. Performance efficiency in the cloud has four main areas:
• Selection
• Review
• Monitoring
• Trade-off
Accessing IAM:
You can work with AWS Identity and Access Management in any of the following
ways:
• AWS Management Console: The console is a browser-based interface to
manage IAM and AWS resources.
• AWS Command Line Tools: You can use the AWS command line tools to issue
commands at your system's command line to perform IAM and AWS tasks.
Using the command line can be faster and more convenient than the console. The
command line tools are also useful if you want to build scripts that perform AWS
tasks.
• AWS SDKs: AWS provides SDKs (software development kits) that consist of
libraries and sample code for various programming languages and platforms
(Java, Python, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient
way to create programmatic access to IAM and AWS. For example, the SDKs
take care of tasks such as cryptographically signing requests, managing errors,
and retrying requests automatically.
• IAM Query API: You can access IAM and AWS programmatically by using
the IAM Query API, which lets you issue HTTPS requests directly to the service.
EXPERIMENT NO-3:
AIM OF THE EXPERIMENT: Installation of AWS
AWS:
Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted
cloud, offering over 200 fully featured services from data centers globally.
Step 3: Enter your account information, and then choose Verify email address. This
will send a verification code to your specified email address.
Step 6: Choose Business or Personal.
Step 11: Enter your country or region code from the list, and then enter a phone
number where you can be reached in the next few minutes.
Step 12: Enter the code displayed in the CAPTCHA, and then submit.
Step 13: When the automated system contacts you, enter the PIN you receive and then
submit.
Step 14: Select one of the available AWS Support plans. For a description of the
available Support plans and their benefits, see Compare AWS Support plans.
Step 15: Choose Complete sign up. A confirmation page appears that indicates that your
account is being activated.
Step 16: The billing information page appears.
Step 17: Check your email and spam folder for an email message that confirms your
account was activated. Activation usually takes a few minutes but can sometimes take
up to 24 hours. After you receive the activation message, you have full access to all
AWS services.
Conclusion:
Finally, the AWS account is successfully created.
EXPERIMENT NO-4:
AIM OF THE EXPERIMENT: IAM USER Identity and assessments.
IAM Users:
• An AWS Identity and Access Management (IAM) user is an entity that you
create in AWS. The IAM user represents the human user or workload who uses
the IAM user to interact with AWS. A user in AWS consists of a name and
credentials.
• IAM is a preventive security control.
• A preventive security control is one intended to thwart unwanted or unauthorised
activity.
• An IAM user with administrator permissions is not the same thing as the AWS
account root user.
How AWS identifies an IAM user:
When you create an IAM user, IAM creates these ways to identify that user:
⁃ A "friendly name" for the IAM user, which is the name that you specified when you
created the IAM user, such as Richard or Anaya. These are the names you see in the
AWS Management Console.
⁃ An Amazon Resource Name (ARN) for the IAM user. You use the ARN when you
need to uniquely identify the IAM user across all of AWS. For example, you could
use an ARN to specify the IAM user as a Principal in an IAM policy for an Amazon S3
bucket.
⁃ A unique identifier for the IAM user. This ID is returned only when you use the API,
Tools for Windows PowerShell, or AWS CLI to create the IAM user; you do not see
this ID in the console.
You have the following options to administer passwords, access keys, and multi-factor
authentication (MFA) devices:
• Manage passwords for your IAM users. Create and change the passwords that
permit access to the AWS Management Console. Set a password policy to enforce a
minimum password complexity. Allow users to change their own passwords.
• Manage access keys for your IAM users. Create and update access keys for
programmatic access to the resources in your account.
• Enable multi-factor authentication (MFA) for the IAM user. As a best practice,
we recommend that you require multi-factor authentication for all IAM users in your
account. With MFA, users must provide two forms of identification: First, they
provide the credentials that are part of their user identity (a password or access key).
In addition, they provide a temporary numeric code that's generated on a hardware
device or by an application on a smartphone or tablet.
• Find unused passwords and access keys. Anyone who has a password or access
keys for your account or an IAM user in your account has access to your AWS
resources. The security best practice is to remove passwords and access keys when
users no longer need them.
• Download a credential report for your account. You can generate and download a
credential report that lists all IAM users in your account and the status of their various
credentials, including passwords, access keys, and MFA devices. For passwords and
access keys, the credential report shows how recently the password or access key has
been used.
IAM GROUPS:
• IAM groups are a way to assign permissions to logical and functional units of your
organisation.
• IAM groups are a tool to help with operational efficiency.
⁃ Bulk permission management (scalable)
⁃ Easy to change permissions as individuals change teams (portable).
EXPERIMENT NO-5:
AIM OF THE EXPERIMENT: Create Role of AWS
IAM Roles:
⁃ An IAM role is an IAM identity that you can create in your account that has
specific permissions.
⁃ An IAM role is similar to an IAM user, in that it is an AWS identity with
permission policies that determine what the identity can and cannot do in
AWS.
⁃ A role does not have standard long-term credentials such as a password or
access keys associated with it. Instead, when you assume a role, it provides you
with temporary security credentials for your role session.
Step 2: Click on ‘Roles’ on the left side. A list of existing roles will appear. Click on
the ‘Create role’ button. A role creation wizard will appear.
Step 3: Specify the entity to which the role will be assigned (like AWS Service/AWS
Account/Web Identity). Let us choose ‘AWS Service’ as ‘Trusted Entity’ and
‘Lambda’ as ‘use case’. Click on ‘Next’.
Step 4: Now, a policy needs to be created. It can be done manually or can be chosen
from a list of pre-existing policies. Let’s start with one of the pre-existing policies.
Here, we wish to access DynamoDB (via Lambda functions). Search for ‘DynamoDB’
and choose ‘AmazonDynamoDBFullAccess’ policy. Click on ‘Next’.
Step 5: Assign a name to the role and click on the ‘Create role’ button.
Step 6: The new role with the name ‘medium-demo-role’ will get created and will
appear in the Roles list.
Conclusion:
Finally, the IAM role is created.
EXPERIMENT NO-6:
AIM OF THE EXPERIMENT: Create a policy in AWS IAM.
IAM Policy:
IAM policies define permissions for an action regardless of the method that you use to
perform the operation. For example, if a policy allows the GetUser action, then a user
with that policy can get user information from the AWS Management Console, the
AWS CLI, or the AWS API.
Policy types:
The following policy types, listed in order from most frequently used to less
frequently used, are available for use in AWS. For more details, see the sections
below for each policy type.
6. Session policies – Pass advanced session policies when you use the AWS CLI
or AWS API to assume a role or a federated user. Session policies limit the
permissions that the role or user's identity-based policies grant to the session.
Session policies limit permissions for a created session, but do not grant
permissions. For more information, see Session Policies.
Steps to create policy:
Step 1: Click on ‘Policies’ on the right side of the IAM Dashboard. A list of pre-
existing and manually created policies will appear.
Step 2: Click on the ‘Create Policy’ button. Create Policy wizard will appear.
Step 4: Select the actions you want to permit in this policy (GetItem, Query, Scan,
UpdateItem, DeleteItem, etc).
Step 5: Select the AWS Resource we want to access by this policy. It can either be any
specific resource like tables of DynamoDB or could be all AWS resources. Here we’ll
go with the DynamoDB tables.
Step 6: (optional) Lastly, you can specify conditions on the request origin. MFA
(Multi-factor Authentication) can be made mandatory for this policy, or a source IP
can be specified.
Step 7: Permissions for more services can easily be appended to the policy. Click on ‘Add
additional permissions’ and repeat the above steps to add permissions for other
services. After configuring permissions for all the required services, click on ‘Next: Tags’.
Step 9: Give a name to this policy (‘medium-demo-policy’) and click on the ‘Create
Policy’ button.
Step 10: The newly created policy ‘medium-demo-policy’ will appear in the Policies
list.
This policy can now be assigned to IAM roles and resources.
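The wizard choices in Steps 4 to 6 end up as a JSON policy document. The following is an added example, not part of the original lab record: it builds that document for the listed DynamoDB actions on a single table with optional MFA and source-IP conditions, and checks it against a constructed broad statement of the kind a full-access grant contains. The table ARN, CIDR range and function names are assumptions.

```python
import json

# Constructed placeholders: table ARN (example account ID) and documentation CIDR.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/DemoTable"
OFFICE_CIDR = "203.0.113.0/24"

# Constructed statement in the style of a full-access grant, for comparison.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

def build_table_policy(table_arn, source_cidr=None, require_mfa=False):
    """Steps 4-6 as a policy document: chosen actions, one table, optional conditions."""
    statement = {
        "Effect": "Allow",
        "Action": [
            "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
            "dynamodb:UpdateItem", "dynamodb:DeleteItem",
        ],
        "Resource": table_arn,
    }
    condition = {}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if source_cidr:
        condition["IpAddress"] = {"aws:SourceIp": source_cidr}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}

def wildcard_findings(policy):
    """Flag Allow statements that grant every action of a service or every resource."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((index, "wildcard action"))
        if "*" in resources:
            findings.append((index, "all resources"))
    return findings

if __name__ == "__main__":
    print(json.dumps(build_table_policy(TABLE_ARN, OFFICE_CIDR, require_mfa=True), indent=2))
```

The MFA condition suits policies used by human users; a role assumed by a service such as Lambda has no MFA-authenticated session, so an Allow that requires it would never match there.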
EXPERIMENT NO-7:
AIM OF THE EXPERIMENT: Delegate access to the billing console.
Step 3: Test access to the billing console
To test billing access by signing in with both test users:
1. Use your AWS account ID or account alias, your IAM user name, and your password
to sign in to the IAM console.
2. Sign in with each user using the steps provided below so you can compare the
different user experiences.
Full access
1. Sign in to your AWS account as the user FinanceManager.
2. On the navigation bar, choose FinanceManager@<account alias or ID number> , and
then choose Billing Dashboard.
3. Browse through the pages and choose the various buttons to ensure that you have full
modify permissions.
Read-only access
1. Sign in to your AWS account as the user FinanceUser.
2. On the navigation bar, choose FinanceUser@<account alias or ID number>, and then
choose Billing Dashboard.
3. Browse through the pages. Notice that you can display costs, reports, and billing data
with no problems. However, if you choose an option to modify a value, you receive
an Access Denied message. For example, on the Preferences page, choose any of the
check boxes on the page, and then choose Save preferences. The console message
informs you that you need ModifyBilling permissions to make changes to that page.