
EXPERIMENT NO-1:

AIM OF THE EXPERIMENT: Introduction to Cloud Computing.

Introduction To Cloud Computing:


• Cloud Computing is the delivery of computing services such as servers, storage,
databases, networking, software, analytics, intelligence, and more, over the
Cloud (Internet).
• Cloud Computing provides an alternative to the on-premises datacentre. With an
on-premises datacentre, we have to manage everything, such as purchasing and
installing hardware, virtualization, installing the operating system, and any other
required applications, setting up the network, configuring the firewall, and
setting up storage for data. After doing all the set-up, we become responsible for
maintaining it through its entire lifecycle.
• But if we choose Cloud Computing, a cloud vendor is responsible for the
hardware purchase and maintenance. They also provide a wide variety of
software and platform as a service. We can take any required services on rent.
The cloud computing services will be charged based on usage.

The Three Major Cloud Service Models:


Cloud computing services can be broken down into three models that stack on top of
one another:
1. Software as a Service (SaaS)
2. Platform as a Service (PaaS)
3. Infrastructure as a Service (IaaS)
⁃ Software services are offered under a platform
⁃ Platform service is offered under infrastructure as a service.
⁃ Infrastructure: that's the foundation on which services are built.

1. Software as a Service (SaaS):


It provides centrally hosted and managed software services to end users. It
delivers software over the internet, on demand, and typically on a subscription
basis. E.g., Microsoft OneDrive, Dropbox, WordPress, Office 365, and Amazon
Kindle. SaaS is used to minimize the operational cost to the maximum extent.

2. Platform as a Service (PaaS): 


This service provides an on-demand environment for developing, testing,
delivering, and managing software applications. The developer is responsible for
the application, and the PaaS vendor provides the ability to deploy and run it.
Using PaaS, flexibility is reduced, but the management of the environment
is taken care of by the cloud vendors.

3. Infrastructure as a Service (IaaS): 
In IaaS, we can rent IT infrastructures like servers and virtual machines (VMs),
storage, networks, operating systems from a cloud service vendor. We can create
a VM running Windows or Linux and install anything we want on it. Using IaaS,
we don’t need to care about the hardware or virtualization software, but other
than that, we do have to manage everything else. Using IaaS, we get maximum
flexibility, but still, we need to put more effort into maintenance.

Where Can I Access Cloud Computing?


There are many cloud computing services available to individual users, but the "big
three" are: 
• Amazon Web Services (AWS)
• Google Cloud Platform (GCP)
• Microsoft Azure

The service you choose will depend on: 


• The scale of your business
• Your business structures
• How much of the work you want to outsource

Advantages of cloud computing:


⁃ Cost: It reduces the huge capital costs of buying hardware and software.
⁃ Speed: Resources can be accessed in minutes, typically within a few clicks.
⁃ Scalability: We can increase or decrease the requirement of resources according
to the business requirements.
⁃ Productivity: While using cloud computing, we put in less operational effort. We
do not need to apply patches or maintain hardware and
software. So, in this way, the IT team can be more productive and focus on
achieving business goals.
⁃ Reliability: Backup and recovery of data are less expensive and very fast for
business continuity.
⁃ Security: Many cloud vendors offer a broad set of policies, technologies, and
controls that strengthen our data security.

Types of Cloud Computing:


1. Public Cloud: 
The cloud resources that are owned and operated by a third-party cloud service
provider are termed as public clouds. It delivers computing resources such as
servers, software, and storage over the internet.

2. Private Cloud: 
The cloud computing resources that are exclusively used inside a single business
or organization are termed as a private cloud. A private cloud may physically be
located on the company’s on-site datacentre or hosted by a third-party service
provider.

3. Hybrid Cloud: 
It is the combination of public and private clouds, which are bound together by
technology that allows data and applications to be shared between them. Hybrid
cloud provides flexibility and more deployment options to the business.

EXPERIMENT NO-2:
AIM OF THE EXPERIMENT: Introduction to AWS

Introduction to AWS:
Amazon Web Services (AWS), a subsidiary of Amazon.com, has invested billions of
dollars in IT resources distributed across the globe. These resources are shared among
all the AWS account holders across the globe. These accounts themselves are entirely
isolated from each other. AWS provides on-demand IT resources to its account holders
on a pay-as-you-go pricing model with no upfront cost. Amazon Web Services offers
flexibility because you pay only for the services you use or need.
Security of the cloud is the responsibility of AWS, but security in the cloud is the customer's
responsibility. Performance efficiency in the cloud has four main areas:
• Selection
• Review
• Monitoring
• Trade-off

Advantages of Amazon Web Services:


⁃ AWS allows you to easily scale your resources up or down as your needs
change, helping you to save money and ensure that your application always has
the resources it needs.
⁃ AWS provides a highly reliable and secure infrastructure, with multiple data
centres and a commitment to 99.99% availability for many of its services.

Disadvantages of Amazon Web Services:


⁃ AWS can be complex, with a wide range of services and features that may be
difficult to understand and use, especially for new users.
⁃ AWS can be expensive, especially if you have a high-traffic application or
need to run multiple services. Additionally, the cost of services can increase
over time, so you need to regularly monitor your spending.

AWS Global Infrastructure:


The AWS global infrastructure is massive and is divided into geographical regions.
The geographical regions are then divided into separate availability zones. While
selecting the geographical regions for AWS, three factors come into play:
• Optimizing Latency
• Reducing cost
• Government regulations (Some services are not available for some regions)
Each region is divided into at least two availability zones that are physically isolated
from each other, which provides business continuity for the infrastructure as in a
distributed system. If one zone fails to function, the infrastructure in other availability
zones remains operational. The largest region, North Virginia (US-East), has six
availability zones. These availability zones are connected by high-speed fiber-optic
networking.

Accessing IAM:
You can work with AWS Identity and Access Management in any of the following
ways:
• AWS Management Console: The console is a browser-based interface to
manage IAM and AWS resources.
• AWS Command Line Tools: You can use the AWS command line tools to issue
commands at your system's command line to perform IAM and AWS tasks.
Using the command line can be faster and more convenient than the console. The
command line tools are also useful if you want to build scripts that perform AWS
tasks.
• AWS SDKs: AWS provides SDKs (software development kits) that consist of
libraries and sample code for various programming languages and platforms
(Java, Python, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient
way to create programmatic access to IAM and AWS. For example, the SDKs
take care of tasks such as cryptographically signing requests, managing errors,
and retrying requests automatically.
• IAM Query API: You can access IAM and AWS programmatically by using
the IAM Query API, which lets you issue HTTPS requests directly to the service.

EXPERIMENT NO-3:
AIM OF THE EXPERIMENT: Installation of AWS

AWS:
Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted
cloud, offering over 200 fully featured services from data centers globally.

Steps For Creating An Account In AWS:


Step 1: Open the Amazon Web Services home page.

Step 2: Choose Create an AWS account.

Step 3: Enter your account information, and then choose Verify email address. This
will send a verification code to your specified email address.

Step 4: Enter your verification code, and then choose Verify.


Step 5: Enter a strong password for your root user, confirm it, and then
choose Continue.
⁃ AWS requires that your password meet the following conditions:
a. It must have a minimum of 8 characters and a maximum of 128 characters.
b. It must include a minimum of three of the following mix of character types:
uppercase, lowercase, numbers, and ! @ # $ % ^ & * () <> [] {} | _+-=
symbols.
c. It must not be identical to your AWS account name or email address.

Step 6: Choose Business or Personal.

Step 7: Enter your company or personal information.


Step 8: Read and accept the AWS Customer Agreement.
Step 9: Choose Continue. At this point, you'll receive an email message to confirm
that your AWS account is ready to use. You can sign in to your new account by using
the email address and password you provided during sign up. However, you can't use
any AWS services until you finish activating your account.
Step 10: Enter the information about your payment method, and then choose Verify
and Continue.

Step 11: Enter your country or region code from the list, and then enter a phone
number where you can be reached in the next few minutes.

Step 12: Enter the code displayed in the CAPTCHA, and then submit.
Step 13: When the automated system contacts you, enter the PIN you receive and then
submit.
Step 14: Select one of the available AWS Support plans. For a description of the
available Support plans and their benefits, see Compare AWS Support plans.
Step 15: Choose Complete sign up. A confirmation page appears that indicates that your
account is being activated.

Step 16: The billing information page appears.

Step 17: Check your email and spam folder for an email message that confirms your
account was activated. Activation usually takes a few minutes but can sometimes take
up to 24 hours. After you receive the activation message, you have full access to all
AWS services.

Conclusion:
Finally, the AWS account is successfully created.

EXPERIMENT NO-4:
AIM OF THE EXPERIMENT: IAM USER Identity and assessments.

IAM Users:
• An AWS Identity and Access Management (IAM) user is an entity that you
create in AWS. The IAM user represents the human user or workload who uses
the IAM user to interact with AWS. A user in AWS consists of a name and
credentials.
• IAM is a preventive security control.
• A preventive security control is one intended to thwart unwanted or unauthorised
activity.
• An IAM user with administrator permissions is not the same thing as the AWS
account root user.
How AWS identifies an IAM user:
When you create an IAM user, IAM creates these ways to identify that user:
⁃ A "friendly name" for the IAM user, which is the name that you specified when you
created the IAM user, such as Richard or Anaya. These are the names you see in the
AWS Management Console.
⁃ An Amazon Resource Name (ARN) for the IAM user. You use the ARN when you
need to uniquely identify the IAM user across all of AWS. For example, you could
use an ARN to specify the IAM user as a Principal in an IAM policy for an Amazon S3
bucket.
⁃ A unique identifier for the IAM user. This ID is returned only when you use the API,
Tools for Windows PowerShell, or AWS CLI to create the IAM user; you do not see
this ID in the console.

IAM users and credentials:


You can access AWS in different ways depending on the IAM user credentials:
• Console password: A password that the IAM user can type to sign in to interactive
sessions such as the AWS Management Console. Disabling the password (console
access) for an IAM user prevents them from signing in to the AWS Management
Console using their sign-in credentials. It does not change their permissions or
prevent them from accessing the console using an assumed role.
• Access keys: Used to make programmatic calls to AWS. However, there are more
secure alternatives to consider before you create access keys for IAM users. For more
information, see Considerations and alternatives for long-term access keys in the AWS
General Reference. If the IAM user has active access keys, they continue to function
and allow access through the AWS CLI, Tools for Windows PowerShell, AWS API,
or the AWS Console Mobile Application.
• SSH keys for use with CodeCommit: An SSH public key in the OpenSSH format
that can be used to authenticate with CodeCommit.
• Server certificates: SSL/TLS certificates that you can use to authenticate with some
AWS services. We recommend that you use AWS Certificate Manager (ACM) to
provision, manage, and deploy your server certificates. Use IAM only when you must
support HTTPS connections in a region that is not supported by ACM.

You have the following options to administer passwords, access keys, and multi-factor
authentication (MFA) devices:
• Manage passwords for your IAM users. Create and change the passwords that
permit access to the AWS Management Console. Set a password policy to enforce a
minimum password complexity. Allow users to change their own passwords.
• Manage access keys for your IAM users. Create and update access keys for
programmatic access to the resources in your account.
• Enable multi-factor authentication (MFA) for the IAM user. As a best practice,
we recommend that you require multi-factor authentication for all IAM users in your
account. With MFA, users must provide two forms of identification: First, they
provide the credentials that are part of their user identity (a password or access key).
In addition, they provide a temporary numeric code that's generated on a hardware
device or by an application on a smartphone or tablet.
• Find unused passwords and access keys. Anyone who has a password or access
keys for your account or an IAM user in your account has access to your AWS
resources. The security best practice is to remove passwords and access keys when
users no longer need them.
• Download a credential report for your account. You can generate and download a
credential report that lists all IAM users in your account and the status of their various
credentials, including passwords, access keys, and MFA devices. For passwords and
access keys, the credential report shows how recently the password or access key has
been used.
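
One way to act on the credential report and the advice on MFA and unused credentials above, as an added example that is not part of the original manual: it parses a constructed sample in the report's CSV layout and flags console users without MFA, root access keys, and passwords or access keys idle for too long. The user names, the account ID 111122223333 and the 90-day threshold are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample using a subset of the credential report's columns.
# User names, ARNs and timestamps are invented for illustration.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-30T09:12:00+00:00,false,true,2024-05-29T18:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-28T08:00:00+00:00,true,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-11-02T10:30:00+00:00,false,true,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2024-05-31T23:50:00+00:00,true,2023-01-15T00:00:00+00:00
"""


def _idle_days(value, now):
    """Days since an ISO-8601 timestamp; None if the credential was never used."""
    if value in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(value)).days


def audit(report_csv, now, max_idle_days=90):
    """Return (user, finding) pairs for weak or unused credentials."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root user always has a password; the report shows "not_supported".
        has_password = is_root or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "no-mfa"))
        if row["password_enabled"] == "true":
            idle = _idle_days(row["password_last_used"], now)
            if idle is None or idle > max_idle_days:
                findings.append((user, "stale-password"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root-access-key-{n}"))
            idle = _idle_days(row[f"access_key_{n}_last_used_date"], now)
            if idle is None or idle > max_idle_days:
                findings.append((user, f"stale-access-key-{n}"))
    return findings


if __name__ == "__main__":
    as_of = datetime.fromisoformat("2024-06-01T00:00:00+00:00")
    for user, finding in audit(SAMPLE_REPORT, as_of):
        print(f"{user}: {finding}")
```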

IAM users and accounts:


Each IAM user is associated with one and only one AWS account. Because IAM users are
defined within your AWS account, they don't need to have a payment method on file with
AWS. Any AWS activity performed by IAM users in your account is billed to your account.
The number and size of IAM resources in an AWS account are limited. For more
information, see IAM and AWS STS quotas, name requirements, and character limits.

IAM GROUPS:
• IAM groups are a way to assign permissions to logical and functional units of your
organisation.
• IAM groups are a tool to help with operational efficiency.
⁃ Bulk permission management (scalable).
⁃ Easy to change permissions as individuals change teams (portable).

EXPERIMENT NO-5:
AIM OF THE EXPERIMENT: Create Role of AWS
IAM Roles:
⁃ An IAM role is an IAM identity that you can create in your account that has
specific permissions.
⁃ An IAM role is similar to an IAM user, in that it is an AWS identity with
permission policies that determine what the identity can and cannot do in
AWS.
⁃ A role does not have standard long-term credentials such as a password or
access keys associated with it. Instead, when you assume a role, it provides you
with temporary security credentials for your role session.

Steps to create user and role:


Step 1: Search for ‘IAM’ in services and click ‘IAM’ in search results. AWS IAM
dashboard will open.

Step 2: Click on ‘Roles’ on the left side. A list of existing roles will appear. Click on
the ‘Create role’ button. A role creation wizard will appear.

Step 3: Specify the entity to which the role will be assigned (like AWS Service/AWS
Account/Web Identity). Let us choose ‘AWS Service’ as ‘Trusted Entity’ and
‘Lambda’ as ‘use case’. Click on ‘Next’.

Step 4: Now, a policy needs to be created. It can be done manually or can be chosen
from a list of pre-existing policies. Let’s start with one of the pre-existing policies.
Here, we wish to access DynamoDB (via Lambda functions). Search for ‘DynamoDB’
and choose ‘AmazonDynamoDBFullAccess’ policy. Click on ‘Next’.

Step 5: Assign a name to the role and click on the ‘Create role’ button.

Step 6: The new role with the name ‘medium-demo-role’ will get created and will
appear in the Roles list.

Conclusion:
Finally, the IAM role is created.

EXPERIMENT NO-6:
AIM OF THE EXPERIMENT: Create a policy in AWS IAM.
IAM Policy:
IAM policies define permissions for an action regardless of the method that you use to
perform the operation. For example, if a policy allows the GetUser action, then a user
with that policy can get user information from the AWS Management Console, the
AWS CLI, or the AWS API.
Policy types:
The following policy types, listed in order from most frequently used to less
frequently used, are available for use in AWS. For more details, see the sections
below for each policy type.

1. Identity-based policies – Attach managed and inline policies to IAM identities
(users, groups to which users belong, or roles). Identity-based policies grant
permissions to an identity.
2. Resource-based policies – Attach inline policies to resources. The most
common examples of resource-based policies are Amazon S3 bucket policies
and IAM role trust policies. Resource-based policies grant permissions to the
principal that is specified in the policy. Principals can be in the same account as
the resource or in other accounts.
3. Permissions boundaries – Use a managed policy as the permissions boundary
for an IAM entity (user or role). That policy defines the maximum permissions
that the identity-based policies can grant to an entity, but does not grant
permissions. Permissions boundaries do not define the maximum permissions
that a resource-based policy can grant to an entity.
4. Organizations SCPs – Use an AWS Organizations service control policy
(SCP) to define the maximum permissions for account members of an
organization or organizational unit (OU). SCPs limit permissions that identity-
based policies or resource-based policies grant to entities (users or roles) within
the account, but do not grant permissions.
5. Access control lists (ACLs) – Use ACLs to control which principals in other
accounts can access the resource to which the ACL is attached. ACLs are
similar to resource-based policies, although they are the only policy type that
does not use the JSON policy document structure. ACLs are cross-account
permissions policies that grant permissions to the specified principal. ACLs
cannot grant permissions to entities within the same account.

6. Session policies – Pass advanced session policies when you use the AWS CLI
or AWS API to assume a role or a federated user. Session policies limit the
permissions that the role or user's identity-based policies grant to the session.
Session policies limit permissions for a created session, but do not grant
permissions. For more information, see Session Policies.
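
The "limit but do not grant" behaviour of permissions boundaries, SCPs and session policies, as an added example that is not part of the original manual: a simplified evaluator in which an explicit Deny in any layer wins and every layer that is present must allow the request. It is a teaching model, not AWS's evaluation engine: it ignores resource-based policies, ACLs, conditions and NotAction, and the sample policies and ARNs are constructed.

```python
from fnmatch import fnmatchcase

TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable"  # constructed


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# Constructed sample policies, one per layer.
IDENTITY = _policy({"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"})
BOUNDARY = _policy({"Effect": "Allow", "Resource": "*",
                    "Action": ["dynamodb:GetItem", "dynamodb:Query", "s3:GetObject"]})
SCP = _policy({"Effect": "Allow", "Action": "*", "Resource": "*"},
              {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"})
SESSION = _policy({"Effect": "Allow", "Action": "dynamodb:Query", "Resource": TABLE})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """True when the statement's Action and Resource patterns cover the request."""
    act_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    res_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return act_ok and res_ok


def _effect(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def is_allowed(action, resource, identity, boundary=None, scp=None, session=None):
    """Identity policy grants; boundary, SCP and session policy can only narrow."""
    layers = [p for p in (identity, boundary, scp, session) if p is not None]
    results = [_effect(p, action, resource) for p in layers]
    if "Deny" in results:
        return False  # an explicit Deny in any layer wins
    return all(r == "Allow" for r in results)  # every present layer must allow


if __name__ == "__main__":
    print(is_allowed("dynamodb:DeleteItem", TABLE, IDENTITY))                     # granted
    print(is_allowed("dynamodb:DeleteItem", TABLE, IDENTITY, boundary=BOUNDARY))  # capped
    # The boundary lists s3:GetObject, but a boundary does not grant anything.
    print(is_allowed("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv",
                     IDENTITY, boundary=BOUNDARY))
```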
Steps to create policy:
Step 1: Click on ‘Policies’ on the right side of the IAM Dashboard. A list of pre-
existing and manually created policies will appear.
Step 2: Click on the ‘Create Policy’ button. Create Policy wizard will appear.

Step 3: Select a service. Here, we will search and choose DynamoDB.

Step 4: Select the actions you want to permit in this policy (GetItem, Query, Scan,
UpdateItem, DeleteItem, etc).

Step 5: Select the AWS Resource we want to access by this policy. It can either be any
specific resource like tables of DynamoDB or could be all AWS resources. Here we’ll
go with the DynamoDB tables.

Step 6: (optional) Lastly, you can specify conditions on the request origin. MFA
(Multi-factor Authentication) can be made mandatory for this policy, or a source IP
can be specified.

Step 7: Permissions for more services can be easily appended to the policy. Click on ‘Add
additional permissions’ and continue with the above steps to add permissions for other
services. After configuring permissions for all the required services, click on ‘Next: Tags’.

Step 8: (optional) Specify the tags for this policy.

Step 9: Give a name to this policy (‘medium-demo-policy’) and click on the ‘Create
Policy’ button.

Step 10: The newly created policy ‘medium-demo-policy’ will appear in the Policies
list.

This policy can now be assigned to IAM roles and resources.
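
The JSON documents behind the wizard steps in Experiments 5 and 6, as an added example that is not part of the original manual: it builds the Lambda trust policy and a DynamoDB policy scoped to one table with the optional MFA and source-IP conditions, then lints both against a broad grant. The table ARN, the CIDR range and BROAD_POLICY are constructed; BROAD_POLICY is a stand-in for a full-access grant, not the text of the AWS managed policy.

```python
import json

TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable"  # constructed

# Constructed stand-in for a full-access grant (not the AWS managed policy text).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}


def lambda_trust_policy():
    """Trust policy matching the 'AWS Service' / 'Lambda' choice in the role wizard."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def dynamodb_table_policy(table_arn, actions, require_mfa=False, source_cidr=None):
    """Policy for selected DynamoDB actions on one table (Experiment 6, steps 3-6)."""
    condition = {}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if source_cidr:
        condition["IpAddress"] = {"aws:SourceIp": source_cidr}
    stmt = {
        "Effect": "Allow",
        "Action": [f"dynamodb:{a}" for a in actions],
        "Resource": table_arn,
    }
    if condition:
        # Multiple operators in one Condition block must all match (logical AND).
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


def lint(policy):
    """Flag Allow statements that use a wildcard action or a wildcard resource."""
    issues = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", [])  # trust policies carry no Resource
        resources = resources if isinstance(resources, list) else [resources]
        if any(a == "*" or a.endswith(":*") for a in actions):
            issues.append(f"statement {i}: wildcard action")
        if "*" in resources:
            issues.append(f"statement {i}: wildcard resource")
    return issues


if __name__ == "__main__":
    scoped = dynamodb_table_policy(TABLE_ARN, ["GetItem", "Query", "Scan"],
                                   source_cidr="203.0.113.0/24")
    print(json.dumps(scoped, indent=2))
    print("scoped policy:", lint(scoped))
    print("broad policy: ", lint(BROAD_POLICY))
```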

EXPERIMENT NO-7:
Aim Of The Experiment: Delegate access to the billing console.

Steps for billing console:


Step 1: Activate access to billing data on your AWS test account.
If you create a single AWS account, only the AWS account owner (AWS account root user) has access
to view and manage billing information. IAM users cannot access billing data until the account owner
activates IAM access and also attaches policies that provide billing actions to the user or role. To view
additional tasks that require you to sign in as the root user, see AWS Tasks that Require Account Root
User.
If you create a member account using AWS Organizations, this feature is enabled by default.
Step 2: Attach billing policies to your user groups.
When you attach a policy to a user group, all members of that user group receive the
complete set of access permissions that are associated with that policy. In this scenario, you
attach the billing policies to user groups containing only those users who require the billing
access.
Step 3: Test access to the billing console.
After you've completed the core tasks, you're ready to test the policy. Testing ensures that the policy
works the way you want it to.
Step 1: Activate access to billing data on your AWS test account
To activate IAM user and role access to the Billing and Cost Management console
1. Sign in to the AWS Management Console with your root user credentials
(specifically, the email address and password that you used to create your AWS
account).
2. On the navigation bar, choose your account name, and then choose Account.
3. Next to IAM User and Role Access to Billing Information, choose Edit.
4. Select the Activate IAM Access check box to activate access to the Billing and Cost
Management console pages.
5. Choose Update.
Step 2: Attach billing policies to your user groups
To attach billing policies to your user groups
1. In the navigation pane, choose Policies to display the full list of policies available to
your AWS account.
2. In the policy search box, enter Billing. The list displays only the AWS managed
policies that apply to billing functions.
3. To give full access to your billing administrator, select the Billing AWS managed –
job function policy.
4. Select the Actions drop-down arrow, and then choose Attach from the actions list.
5. On the Attach policy page, in the Filter search box, enter BillingFullAccessGroup.
6. In the list, select the user group and then select Attach policy. You are returned to
the Policies page.
7. In the policy search box, enter Billing. The list displays only the AWS managed
policies that apply to billing functions.
8. To give read-only access to users that are monitoring billing activity, select
the AWSBillingReadOnlyAccess AWS managed policy.
9. Select the Actions drop-down arrow, and then choose Attach from the actions list.
10. On the Attach policy page, in the Filter search box, enter BillingViewAccessGroup.
11. In the list, select the user group and then select Attach policy.
12. Sign out of the console, and then proceed to Step 3.

Step 3: Test access to the billing console
To test billing access by signing in with both test users
1. Use your AWS account ID or account alias, your IAM user name, and your password
to sign in to the IAM console.
2. Sign in with each user using the steps provided below so you can compare the
different user experiences.
Full access
1. Sign in to your AWS account as the user FinanceManager.
2. On the navigation bar, choose FinanceManager@<account alias or ID number>, and
then choose Billing Dashboard.
3. Browse through the pages and choose the various buttons to ensure that you have full
modify permissions.
Read-only access
1. Sign in to your AWS account as the user FinanceUser.
2. On the navigation bar, choose FinanceUser@<account alias or ID number>, and then
choose Billing Dashboard.
3. Browse through the pages. Notice that you can display costs, reports, and billing data
with no problems. However, if you choose an option to modify a value, you receive
an Access Denied message. For example, on the Preferences page, choose any of the
check boxes on the page, and then choose Save preferences. The console message
informs you that you need ModifyBilling permissions to make changes to that page.
