Multi Factor Authentication - MFA:
- Users have access to account and can possibly change configurations or delete resources in AWS account
- Want to protect Root Accounts and IAM users
- MFA = password know + security device own
- Alice > Password + MFA => Successful login
- Main benefit of MFA:
if a password is stolen or hacked, the account is not compromised
- Virtual MFA device: Google Authenticator (phone only), Authy (multi-device), Duo
Support for multiple tokens on a single device.
- Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party)
Support for multiple root and IAM users using a single security key
- Hardware Key Fob MFA Device:
Provided by Gemalto (3rd party)
- Hardware Key Fob MFA Device for AWS GovCloud (US):
Provided by SurePassID (3rd party)
- To access AWS, have three options:
- AWS Management Console (protected by password + MFA)
- Command Line Interface (CLI): protected by access keys
- Software Developer Kit (SDK) - for code: protected by access keys
- Access Keys are generated through the AWS Console
- Users manage their own access keys
- Access Keys are secret, just like a password. Don't share them
- Access Key ID ~= username
- Secret Access Key ~= password
- Access key ID: AKIAREOC3O54I7ZEOWVC
- Secret Access Key: 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
- Remember: don't share access keys
- Some AWS service will need to perform actions on behalf
- To do so, will assign permissions to AWS services with IAM Roles
- Common roles:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation
- IAM Credentials Report (account-level)
- a report that lists all account's users and the status of their various credentials
- IAM Access Advisor (user-level)
- Access advisor shows the service permissions granted to a user and when those services were last accessed.
- Can use this information to revise policies.
- Don't use the root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce the use of Multi Factor Authentication (MFA)
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic Access (CLI / SDK)
- Audit permissions of account with the IAM Credentials Report
- Never share IAM users & Access Keys
- Users: Map กับผู้ใช้จริง, มีรหัสผ่านสำหรับ AWS Console
- Groups: มีแต่ผู้ใช้เท่านั้น
- Policies: JSON document ที่ระบุการอนุญาตสำหรับผู้ใช้หรือกลุ่ม
- Roles: สำหรับ Instance EC2 หรือบริการ AWS
- Security: MFA + นโยบายรหัสผ่าน
- Access Keys: เข้าถึง AWS โดยใช้ CLI หรือ SDK
- Audit: รายงาน IAM Credential และ IAM Access Advisor
- An IAM entity that defines a set of permissions for making AWS service requests, that will be used by AWS services is a proper definition of IAM Roles.
- IAM Credentials Report is an IAM Security Tool. It lists all account's users and the status of their various credentials.
The other IAM Security Tool is an IAM Access Advisor. It shows the service permissions granted to a user and when those services were last accessed.
- A company has a mobile game that reads most of its metadata from an Amazon RDS DB instances. As the game increased in popularity, developer noticed slowdowns related to the game's metadata load times. Performance metrics indicate that simply scaling the database will not help. A solution architect must explore all options that include capabilities for snapshots, replication, and sub-millisecond response times. The solution architect should recommend Add an Amazon ElastiCache for Redis layer in front of the database to solve the issues.
- A company has implemented one of its micro-services on AWS Lambda that accesses an Amazon DynamoDB table named Books. A solution architect is design an IAM policy to be attached to the Lambda function's IAM role, giving it access to put, update, and delete items in the Books table. The IAM policy must prevent function from performing any other actions on the Books table or any other. IAM policy would fulfill these needs and provide the LEAST privileged access is:
- A solution architect is designing the cloud architecture for a company that needs to host hundreds of machine learning models for its users. During startup, the models need to load up to 10 GB of data from Amazon S3 into memory, but they do not need disk access. Most of the models are used sporadically, but the users expect all of them to be highly available and accessible with low latency. Deploy models as Amazon Elastic Container Service (Amazon ECS) services behind an Application Load Balancer for each model solution meets the requirements and is MOST cost-effective.
- A company host a popular web application. The web application connects to a database running in a private VPC subnet. The web servers must be accessible only to customers on an SSL connection (Open an HTTPS port on the security group for web server and set the source to 0.0.0.0/0). The Amazon RDS for MySQL database services be accessible only from the web servers (Open the MySQL port on the database security group and attach it to the MySQL instance. Set the source to web server security group). This is a solution which a solution architect should design to meet the requirements without impacting applications.
- A company has a website deployed on AWS. The database backend is hosted on Amazon RDS for MySQL with a primary instance and five read replicas to support scaling needs. The read replicas should lag no more than 1 second behind the primary instance to support the user experience. As traffic on the website continues to increase, the replicas are falling further behind during periods of peak load, resulting in complaints from users when searches yield inconsistent results. A solution architect needs to reduce the replication lag as much as possible, with minimal changes to the application code or operational requirements. Migrate the database to Amazon Aurora MySQL. Replace the MySQL read replicas with Aurora Replicas and enable Aurora Auto Scaling solution meets these requirements.