AWS Certified Solutions Architect Professional Course S1-S5


This deck contains the slides from section 1 to section 5 in our AWS Certified Solutions Architect video course. It covers:

Section 1 - Intro (no slides)
Section 2 - AWS Accounts and Organizations
Section 3 - Identity Management and Permissions
Section 4 - AWS Directory Services and Federation
Section 5 - Advanced Amazon VPC

Full course can be found here: https://digitalcloud.training/courses/aws-certified-solutions-architect-professional-video-course/

© Digital Cloud Training | https://digitalcloud.training

Slide 1. SECTION 1 Introduction
Slide 2. SECTION 2 AWS Accounts and Organizations
Slide 3. Create Management AWS Account
Slide 4. What you need:
• Credit card for setting up the account and paying any bills
• Unique email address for this account. Check whether you can use an alias with an existing address (e.g. dynamic aliases in Gmail / O365): john+dctmanagement@example.com, john+dctprod@example.com, john@example.com
• AWS account name (the course uses DCT-MANAGEMENT)
• Phone to receive an SMS verification code
Slide 5. Configure Account and Setup Billing Alarms
Slide 6. Install Tools (AWS CLI and VS Code)
Slide 7. AWS Organizations
Slide 8. AWS Organizations. An organization has a management account and member accounts (in the diagram: Test, Development, Production):
• The management account receives a consolidated bill
• You can group accounts into Organizational Units (OUs)
• Service Control Policies (SCPs) can control tagging and the available API actions
• Create accounts programmatically using the Organizations API
• Enable CloudTrail in the management account and apply it to the member accounts
• Enable AWS SSO using an on-premises directory
Slide 9. Account Configuration
Slide 10. Account Configuration (diagram: management account, Production OU, Production account)
• Use the AWS Management Console to create an Organization
• Create a Service Control Policy (SCP) and attach it to the OU
• OrganizationAccountAccessRole is created in each member account. The role has full permissions in that account and can be assumed by any principal in the management account that has sts:AssumeRole permission on it, so access to that permission in the management account needs to be tightly controlled
Slide 11. Create AWS Organization and Add Account
Slide 12. Service Control Policies (SCPs)
Slide 13. Service Control Policies (diagram: management account; Root containing Test, Dev and Prod OUs)
• Dev users can only launch t2.micro instances
• Prod users cannot launch any instance other than t2.micro (denied above, i.e. the deny is inherited from a parent)
• Users in the management account are not restricted
• A tag policy is applied to enforce tag standardization
• SCPs control the maximum available permissions
• NOTE: SCPs do not grant ANY permissions; they control the AVAILABLE permissions
Slide 14. SCP Strategies and Inheritance
Slide 15. SCP Strategies and Inheritance (Venn diagram, regions A to E): the SCP attached to or inherited from the parent, the SCP attached to the child OU or account, and their overlap, which is the set of permissions the child can actually use
Slide 16. SCP Strategies and Inheritance
Deny list strategy:
• The FullAWSAccess SCP is attached to every OU and account
• It explicitly allows all permissions to flow down from the root
• You can explicitly override it with a deny in an SCP
• This is the default setup
Allow list strategy:
• The FullAWSAccess SCP is removed from every OU and account
• To allow a permission, SCPs with allow statements must be added to the account and every OU above it, including the root
• Every SCP in the hierarchy must explicitly allow the APIs you want to use
Note: an explicit allow overrides an implicit deny; an explicit deny overrides any kind of allow
Slide 17. Create Development Account
Slide 18. Test SCP Inheritance
Slide 19. Service Control Policies (diagram: management account; Root with OU1 (Dev) and OU2 (Prod))
Slide 20. Service Control Policies (diagram: Root with OU1 Production and OU2 Development)
• Prod users can only launch t2.micro instances
• Dev users cannot launch any instance other than t2.micro (denied above)
• Users in the management account are not restricted
Slide 21. SECTION 3 Identity Management and Permissions
Slide 22. How IAM Works
Slide 23. How IAM Works
• A principal is a person or application that can make a request for an action or operation on an AWS resource: an IAM user, a role, a federated user, or an application
• Principals must be authenticated to send requests (with a few exceptions), whether via the console, CLI, or API
• Request context: actions/operations, resources, principal, environment data, resource data
• AWS evaluates the identity-based and resource-based policies and determines whether to authorize the request (allow/deny)
• Actions are authorized on AWS resources, e.g. RunInstances on EC2, GetBucket on S3, CreateUser on IAM
Slide 24. Overview of Users, Groups, Roles and Policies
Slide 25. Users, Groups, Roles and Policies
• Policies define the permissions for the identities or resources they are associated with
• Identity-based policies can be applied to users, groups, and roles
• A user gains the permissions applied to a group through the policy attached to the group
• Roles are used for delegation and are assumed
Slide 26. IAM Users
• The account root user (the email used for signup) has full permissions. It is a best practice to avoid using the root user and to enable MFA on it
• Up to 5,000 IAM users can be created per account. Users have no permissions by default
• Example: friendly name Andrea, Amazon Resource Name arn:aws:iam::625148252389:user/Andrea
• Authentication via username/password for the console or access keys for the API/CLI
Slide 27. IAM Groups (diagram: Admin, Development and Operations groups containing Ethan, Andrea, Eric, Sunil, Lee)
• Groups are collections of users. A user can be a member of up to 10 groups
• The main reason to use groups is to apply permissions to users through policies attached to the group
Slide 28. IAM Roles
• An IAM role is an IAM identity that has specific permissions
• Roles are assumed (sts:AssumeRole) by users, applications, and services, including IAM users in another AWS account
• Once assumed, the identity "becomes" the role and gains the role's permissions
• Example: short-term access is granted to an S3 bucket
Slide 29. IAM Policies
• Policies are documents that define permissions and are written in JSON
• All permissions are implicitly denied by default
• Identity-based policies (e.g. AdministratorAccess) can be applied to users, groups, and roles
• Resource-based policies (e.g. a bucket policy) apply to resources such as S3 buckets or DynamoDB tables
Slide 30. IAM Authentication Methods
Slide 31. IAM Authentication Methods
• AWS Management Console: username (John), password, and an optional MFA token. John is authenticated and can perform operations in the console
• CLI/API: an access key ID and secret access key (the slide shows the example pair AKIAXP4J2EKUQIQJTJLV / wiMjGpewNMRHFi9ud0pJwh7NBX4F6i). Access keys are used for programmatic access
Slide 32. IAM Authentication Methods (other credential types)
• X.509 signing certificates authenticate to some services, e.g. the Amazon EC2 SOAP and CLI interfaces
• SSH keys or HTTPS Git credentials authenticate to AWS CodeCommit
• Amazon Keyspaces credentials authenticate to Amazon Keyspaces
Slide 33. Create User, Group, and Configure CLI
Slide 34. AWS Security Token Service (STS)
Slide 35. AWS Security Token Service (STS)
• An application on an EC2 instance uses the instance profile to assume an IAM role (sts:AssumeRole API call); STS returns temporary security credentials
• The credentials include AccessKeyId, SecretAccessKey, SessionToken and Expiration
• The role's trust policy controls who can assume it; its permissions policy controls what it can do (here: access an S3 bucket)
• Temporary credentials are used with identity federation, delegation, cross-account access, and IAM roles
Slide 36. Multi-Factor Authentication (MFA)
Slide 37. Multi-Factor Authentication: something you know (a password, e.g. EJPx!*21p9%), something you have, something you are
Slide 38. Multi-Factor Authentication: for an IAM user, "something you have" is a virtual MFA device (e.g. Google Authenticator on your smartphone) or a physical MFA device
Slide 39. Secure the AWS Account
Slide 40. Identity-Based Policies and Resource-Based Policies
Slide 41. Identity-Based IAM Policies
• Identity-based policies are JSON permissions policy documents that control what actions an identity can perform, on which resources, and under what conditions
• Managed policies are standalone policies that can be attached to multiple users, groups, or roles. AWS managed policies are created and managed by AWS; customer managed policies are created and managed by you
• Inline policies have a 1-to-1 relationship with the user, group, or role they are embedded in
Slide 42. Resource-Based Policies
• Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket
• They grant the specified principal (Paul) permission to perform specific actions (s3:PutObject) on the resource
Slide 43. Resource-Based Policies: a role's trust policy is also an example of a resource-based policy, whereas its permissions policy is an identity-based policy
Slide 44. Access Control Methods - RBAC & ABAC
Slide 45. Role-Based Access Control (RBAC)
• Users are assigned permissions through policies attached to groups (Admin, Development, Operations)
• Groups are organized by job function
• Best practice is to grant the minimum permissions required to perform the job
Slide 46. Role-Based Access Control (RBAC)
• AWS managed policies for job functions are designed to align closely with common job functions in the IT industry: Administrator, Billing, Database administrator, Data scientist, Developer power user, Network administrator, Security auditor, Support user, System administrator, View-only user
• Example: the Billing managed policy is attached to the Billing Admins group, of which Joanne is a member
Slide 47. Attribute-Based Access Control (ABAC)
• Tags are a way of assigning metadata to resources using key/value pairs
• Permissions are granted when the tag matches a certain value. In the diagram Dave carries the tag Department=DBAdmins and the two RDS instances are tagged Environment=Production and Environment=Development; the rds:StopDBInstance and rds:RebootDBInstance actions are permitted only where the policy's tag condition matches
Slide 48. Permissions Boundaries
Slide 49. Permissions Boundaries
• Permissions boundaries are attached to users and roles and set the maximum permissions the entity can have
• Example: Joanne (Developers) has an identity policy allowing full control of S3, CloudWatch, EC2, and IAM. The permissions boundary allows S3 (s3:ListBuckets succeeds) but not IAM, so iam:CreateUser fails because the boundary does not allow it
Slide 50. Privilege Escalation
• Lindsay is assigned IAMFullAccess, i.e. permissions for AWS IAM only, and cannot launch AWS resources
• Lindsay creates the X-User account (iam:CreateUser) and attaches the AdministratorAccess policy to it
• Lindsay can now log in as X-User and gain full privileges to the AWS account, e.g. to run AWS Batch jobs mining bitcoin
Slide 51. Preventing Privilege Escalation
• Same starting point: Lindsay has IAMFullAccess only and cannot launch AWS resources
• A permissions boundary ensures that users created by Lindsay have the same or fewer permissions, so the AdministratorAccess policy Lindsay applies to X-User is capped by the boundary
• Logging in as X-User, Lindsay has no more privileges than before and still cannot launch AWS resources
Slide 52. IAM Policy Evaluation Logic
Slide 53. Evaluation Logic
Slide 54. Steps for Authorizing Requests to AWS
1. Authentication: AWS authenticates the principal that makes the request (console, CLI, or API)
2. Processing the request context:
• Actions: the actions or operations the principal wants to perform
• Resources: the AWS resource object upon which actions are performed
• Principal: the user, role, federated user, or application that sent the request
• Environment data: information about the IP address, user agent, SSL status, or time of day
• Resource data: data related to the resource that is being requested
3. Evaluating all policies within the account (in the diagram: the user's identity-based policy and the bucket's resource-based policy for s3:GetObject)
4. Determining whether the request is allowed or denied
Slide 55. Types of Policy
• Identity-based policies: attached to users, groups, or roles
• Resource-based policies: attached to a resource; define permissions for a principal accessing the resource
• IAM permissions boundaries: set the maximum permissions an identity-based policy can grant an IAM entity
• AWS Organizations service control policies (SCPs): specify the maximum permissions for an organization or OU
• Session policies: passed with the AssumeRole* API actions and limit the permissions of the resulting session
Slide 56. Evaluating Policies within an AWS Account (three Venn diagrams of effective permissions): within one account an allow in either the identity-based policy or the resource-based policy is sufficient; with a permissions boundary the effective permissions are the intersection of the identity-based policy and the boundary; with an Organizations SCP they are the intersection of the identity-based policy and the SCP
Slide 57. Determination Rules
1. By default, all requests are implicitly denied (though the root user has full access)
2. An explicit allow in an identity-based or resource-based policy overrides this default
3. If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny
4. An explicit deny in any policy overrides any allow
Slide 58. Evaluation Logic
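The determination rules on slide 57, the SCP inheritance rules of slides 13 to 16 and the permissions boundary of slide 49 are easiest to internalise by running them. The following is an added example written for this page, not AWS's evaluation engine and not course code: a deliberately small evaluator that supports only what the three scenarios need (Action/Resource wildcards and the StringEquals, StringNotEquals and StringLike condition operators; no NotAction and no policy variables). The account ID, Region and policy names are made up.

```python
"""Added example, not AWS code and not from the course: a deliberately small
IAM policy evaluator that applies the four determination rules above. It
supports only what the scenarios need (Action/Resource wildcards and the
StringEquals, StringNotEquals and StringLike operators; no NotAction,
no policy variables). Account ID, Region and policy names are made up."""
import fnmatch


def _matches(patterns, value, fold=False):
    """True when value matches any IAM-style wildcard pattern (fold: case-insensitive)."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, ctx):
    """Evaluate a Condition block against the request context keys."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            have = ctx.get(key)
            if operator == "StringEquals":
                ok = have is not None and have in wanted
            elif operator == "StringNotEquals":  # negated operators are true when the key is absent
                ok = have is None or have not in wanted
            elif operator == "StringLike":
                ok = have is not None and _matches(wanted, have)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def _decide(policy, action, resource, ctx):
    """'Deny', 'Allow' or None (no statement matched) for a single policy."""
    result = None
    for s in policy["Statement"]:
        if (_matches(s.get("Action", []), action, fold=True)
                and _matches(s.get("Resource", "*"), resource)
                and _condition_ok(s.get("Condition", {}), ctx)):
            if s["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(action, resource, ctx, identity=(), boundary=None, scps=(), resource_policy=None):
    """Same-account decision. scps is one list of SCPs per hierarchy level, root
    first; like the boundary, each level is a ceiling that must allow the action."""
    grants = [_decide(p, action, resource, ctx) for p in identity]
    if resource_policy is not None:
        grants.append(_decide(resource_policy, action, resource, ctx))
    ceilings = [[_decide(p, action, resource, ctx) for p in level] for level in scps]
    if boundary is not None:
        ceilings.append([_decide(boundary, action, resource, ctx)])
    if "Deny" in grants or any("Deny" in level for level in ceilings):
        return False                          # rule 4: an explicit deny wins
    if any("Allow" not in level for level in ceilings):
        return False                          # rule 3: a ceiling does not allow it
    return "Allow" in grants                  # rules 1 and 2


ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
FULL_AWS_ACCESS = ADMINISTRATOR_ACCESS  # the default SCP on every root, OU and account
# Deny-list SCP (slide 13): below this OU only t2.micro instances may be launched
ONLY_T2_MICRO = {"Statement": [{"Effect": "Deny", "Action": "ec2:RunInstances",
                                "Resource": "arn:aws:ec2:*:*:instance/*",
                                "Condition": {"StringNotEquals": {"ec2:InstanceType": "t2.micro"}}}]}
# Allow-list SCPs (slide 16): FullAWSAccess removed, so every level must allow
ROOT_ALLOW = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
OU_ALLOW = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
ACCOUNT_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Permissions boundary (slide 49): the identity policy covers IAM, the boundary does not
JOANNE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                "Action": ["s3:*", "cloudwatch:*", "ec2:*", "iam:*"]}]}
DEVELOPER_BOUNDARY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                     "Action": ["s3:*", "cloudwatch:*", "ec2:*"]}]}


def dev_can_launch(instance_type):
    """Admin user in a Dev account under Root -> Dev OU (deny-list strategy)."""
    return is_allowed("ec2:RunInstances", "arn:aws:ec2:eu-west-1:111122223333:instance/*",
                      {"ec2:InstanceType": instance_type}, identity=[ADMINISTRATOR_ACCESS],
                      scps=[[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, ONLY_T2_MICRO], [FULL_AWS_ACCESS]])


def prod_allow_list(action):
    """Admin user in a Prod account whose SCP chain is an allow list: the intersection wins."""
    return is_allowed(action, "*", {}, identity=[ADMINISTRATOR_ACCESS],
                      scps=[[ROOT_ALLOW], [OU_ALLOW], [ACCOUNT_ALLOW]])


def joanne_can(action):
    """Joanne's identity policy grants IAM, but her permissions boundary caps it."""
    return is_allowed(action, "*", {}, identity=[JOANNE_POLICY], boundary=DEVELOPER_BOUNDARY)


if __name__ == "__main__":
    print(dev_can_launch("t2.micro"), dev_can_launch("m5.large"))             # True False
    print(prod_allow_list("s3:GetObject"), prod_allow_list("s3:PutObject"))   # True False
    print(joanne_can("s3:ListAllMyBuckets"), joanne_can("iam:CreateUser"))    # True False
```

Note how the SCP chain and the boundary are modelled identically: a list of ceilings, each of which must contain an allow and none of which may contain a deny. That is exactly why slide 13 can say that SCPs "do not grant ANY permissions": the admin identity policy is what grants, and the ceilings only take away.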
Slide 59. IAM Policy Structure
Slide 60. IAM Policy Structure
• An IAM policy is a JSON document that consists of one or more statements
• Effect: Allow or Deny
• Action: the specific API action(s) for which you are granting or denying permission
• Resource: the resource(s) affected by the action
• Condition (optional): controls when the policy is in effect
Slide 61. IAM Policy Example 1: the AdministratorAccess policy uses wildcards (*) to allow all actions on all resources
Slide 62. IAM Policy Example 2: a specific API action is defined, and the effect is to deny it if the source IP address is not in the specified range
Slide 63. IAM Policy Example 3: you can tell this is a resource-based policy because it has a Principal element. The policy grants read and write access to an EFS file system to all IAM principals ("AWS": "*"); additionally, its Condition element requires that SSL/TLS is used
Slide 64. IAM Policy Example 4: a policy variable in the s3:prefix condition is replaced with the user's friendly name, so the actions are allowed only within the user's own folder in the bucket
Slide 65. Using Role-Based Access Control (RBAC)
Slide 66. Role-Based Access Control (RBAC): repeats slide 46
Slide 67. Using Attribute-Based Access Control (ABAC)
Slide 68. Attribute-Based Access Control (ABAC): repeats slide 47
Slide 69. Apply Permissions Boundary
Slide 70. Permissions Boundary Hands-On Practice. *** Use the PermissionsBoundary.json file from the course download *** The policy enforces the following:
• IAM principals can't alter the permissions boundary to allow their own permissions to access restricted services
• IAM principals must attach the permissions boundary to any IAM principals they create
• IAM admins can't create IAM principals with more privileges than they already have
• The IAM principals created by IAM admins can't create IAM principals with more permissions than the IAM admins
Slide 71. Privilege Escalation: repeats slide 50
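The escalation path on slides 50 and 71 and the boundary rules on slide 70 leave a distinctive trail in CloudTrail: a CreateUser without a permissionsBoundary parameter, followed minutes later by the same actor attaching AdministratorAccess to the identity it just created. The detection logic below is an added example written for this page (not course material) and runs over constructed events. The events follow the real CloudTrail field names (eventName, userIdentity.arn, requestParameters), but the account ID, identities and timestamps are made up.

```python
"""Added example (detection logic written for this page, not course material):
scan CloudTrail-style IAM events for the escalation path on slides 50/71 and
for violations of the boundary rules on slide 70. The events are constructed;
they use real CloudTrail field names, but the account ID and identities are made up."""
import json
from datetime import datetime, timedelta

ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
INLINE_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"}
CREATE_EVENTS = {"CreateUser": "userName", "CreateRole": "roleName"}
BOUNDARY_REMOVAL = {"DeleteUserPermissionsBoundary", "DeleteRolePermissionsBoundary"}


def _grants_admin(params):
    """True for AdministratorAccess attachments or inline documents allowing * on *."""
    if params.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIX):
        return True
    doc = params.get("policyDocument")  # CloudTrail records inline documents as a string
    if not doc:
        return False
    statements = json.loads(doc).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return any(s.get("Effect") == "Allow" and s.get("Action") in ("*", ["*"])
               and s.get("Resource") in ("*", ["*"]) for s in statements)


def _target(params):
    return params.get("userName") or params.get("roleName") or params.get("groupName")


def scan(events, window=timedelta(minutes=30)):
    """Return (severity, actor ARN, description) findings in event-time order."""
    findings, created = [], {}
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        if e.get("eventSource") != "iam.amazonaws.com":
            continue
        name, actor = e["eventName"], e["userIdentity"]["arn"]
        params = e.get("requestParameters") or {}
        when = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        if name in CREATE_EVENTS:
            target = params.get(CREATE_EVENTS[name])
            created[(actor, target)] = when
            if "permissionsBoundary" not in params:  # slide 70: boundary must be attached on creation
                findings.append(("MEDIUM", actor, f"{name} {target} without a permissions boundary"))
        elif name in ATTACH_EVENTS or name in INLINE_EVENTS:
            if _grants_admin(params):
                target = _target(params)
                text = f"{name} grants administrator permissions to {target}"
                if (actor, target) in created and when - created[(actor, target)] <= window:
                    findings.append(("CRITICAL", actor,
                                     text + " (same actor created it minutes earlier: escalation chain)"))
                else:
                    findings.append(("HIGH", actor, text))
        elif name in BOUNDARY_REMOVAL:
            findings.append(("HIGH", actor, f"{name} on {_target(params)}"))
    return findings


LINDSAY = "arn:aws:iam::111122223333:user/Lindsay"
ADMIN = "arn:aws:iam::111122223333:user/Admin"
SAMPLE_EVENTS = [  # constructed events, not real CloudTrail output
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": LINDSAY}, "requestParameters": {"userName": "X-User"}},
    {"eventTime": "2023-05-01T10:01:30Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": LINDSAY},
     "requestParameters": {"userName": "X-User", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": LINDSAY},
     "requestParameters": {"roleName": "X-Role", "policyName": "all",
                           "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'}},
    {"eventTime": "2023-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": ADMIN},
     "requestParameters": {"userName": "svc-reports",
                           "permissionsBoundary": "arn:aws:iam::111122223333:policy/DeveloperBoundary"}},
    {"eventTime": "2023-05-01T11:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": ADMIN}, "requestParameters": {"instanceType": "t2.micro"}},
]

if __name__ == "__main__":
    for severity, actor, text in scan(SAMPLE_EVENTS):
        print(severity, actor, text)
```

The Admin user's CreateUser carries a permissionsBoundary and produces no finding, which is the state the hands-on boundary policy is meant to make mandatory; Lindsay's three events produce a MEDIUM, a CRITICAL (the chain) and a HIGH (an inline policy allowing * on * for a role she did not create in the window).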
Slide 72. Use Cases for IAM Roles
Slide 73. Use Case: Cross Account Access
• A user in Account B calls sts:AssumeRole on a role in Account A
• The user's identity-based policy in Account B allows the user to assume the role in Account A
• The role's trust policy in Account A allows the user from Account B to assume it
• The role's permissions policy allows the role to access the S3 bucket
Slide 74. Use Case: Cross Account Access (3rd Party)
• As on slide 73, but the user in Account B assumes the role in Account A using its shared ARN and passes an external ID with sts:AssumeRole
• The trust policy's condition requires the external ID; this is what stops a third party that holds many customers' role ARNs from being tricked into using the wrong one (the confused deputy problem)
Slide 75. Use Case: Delegation to AWS Services. Same flow as slide 35: the application on the EC2 instance assumes the role through the instance profile (sts:AssumeRole API call) and STS returns temporary security credentials (AccessKeyId, SecretAccessKey, SessionToken, Expiration). Trust policies control who can assume the role
Slide 76. Cross Account Access to Amazon S3
Slide 77. Cross Account Access (3rd Party) Hands-On: Jack assumes a role between the DCT-MANAGEMENT and DCT-PRODUCTION accounts using sts:AssumeRole with an external ID. The identity-based policy, trust policy and permissions policy are configured as on slide 74, and the role grants access to an S3 bucket
Slide 78. Amazon EC2 Instance Profile
Slide 79. Attach Role to EC2 Instance
• The S3ReadOnly role has a trust policy (trusting the EC2 service) and a permissions policy (s3:ListBuckets)
• The user attaching the role (Jack) needs iam:PassRole permission for that role in his own permissions policy; without it anyone who can launch instances could hand them any role in the account
• The role is attached to the EC2 instance through the instance profile
Slide 80. AWS IAM Best Practices
Slide 81. AWS IAM Best Practices
• Lock away your AWS account root user access keys
• Create individual IAM users
• Use groups to assign permissions to IAM users
• Grant least privilege
• Get started using permissions with AWS managed policies
• Use customer managed policies instead of inline policies
• Use access levels to review IAM permissions
• Configure a strong password policy for your users
• Enable MFA
Slide 82. AWS IAM Best Practices
• Use roles for applications that run on Amazon EC2 instances
• Use roles to delegate permissions
• Do not share access keys
• Rotate credentials regularly
• Remove unnecessary credentials
• Use policy conditions for extra security
• Monitor activity in your AWS account
Slide 83. SECTION 4 AWS Directory Services and Federation
Slide 84. AWS Directory Services
Slide 85. AWS Managed Microsoft AD
• A managed implementation of Microsoft Active Directory running on Windows Server 2012 R2, deployed in your VPC as a highly available pair of domain controllers (DCs)
• Securely connect to Amazon EC2 Linux and Windows instances
• Apps and services that support authentication and authorization using AWS Directory Service include the Management Console, WorkSpaces, RDS, WorkDocs, QuickSight and WorkMail
• Synchronize users and federate identities with Azure AD / O365 (ADSync, ADFS)
• One- or two-way trust relationship with the corporate office / data centre AD over VPN
• Also allows you to apply group policy, use single sign-on to apps and services, and enable MFA with RADIUS
Slide 86. AD Connector
• A directory gateway that proxies requests to your self-managed Microsoft AD in the corporate office / data centre over VPN or Direct Connect
• Provides federated sign-in to the AWS Management Console by mapping Active Directory identities to IAM roles
• Sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail using your Active Directory credentials
• Seamlessly join Windows EC2 instances to an on-premises AD domain
Slide 87. Create AWS Managed Microsoft AD
Slide 88. AWS Managed Microsoft AD (hands-on)
• An HA pair of domain controllers in the VPC
• A Windows Server EC2 instance with the admin tools joins the domain using the permissions assigned to the EC2DomainJoin role
• Create a user in Active Directory, then create a WorkSpace (Windows 10) and assign the user to it
• The user can access the Management Console using delegation
Slide 89. Identity Federation
Slide 90. Identity Federation Services
AWS Single Sign-On:
• Central management for federated access
• Attach multiple AWS accounts and business applications
• Identities can be held in AWS SSO itself
• Works with many IdPs (e.g. Active Directory)
• Permissions are assigned based on group membership in the IdP
AWS Identity & Access Management:
• Can use separate SAML 2.0 or OIDC IdPs for each account
• Enables access control using federated user attributes
• User attributes can be cost center, job role, etc.
Amazon Cognito:
• Federation support for web and mobile applications
• Provides sign-in and sign-up
• Supports sign-in with social IdPs such as Apple, Facebook, Google, and Amazon
• Supports IdPs using SAML 2.0
Slide 91. IAM Identity Federation
Slide 92. Identity Federation (SAML flow between the corporate identity store (LDAP), the identity provider (IdP), STS and an S3 bucket):
1. The client application attempts to authenticate using the IdP
2. The IdP authenticates the user against the identity store
3. The IdP sends the client a SAML assertion
4. The app calls sts:AssumeRoleWithSAML, passing the assertion
5. AWS returns temporary security credentials
6. The app uses the credentials to access the S3 bucket
Slide 93. Identity Provider Implementation
• The identity provider is configured in AWS IAM, as either SAML or OIDC
• SAML 2.0 compatible sources: a self-managed Active Directory (AD + ADFS) or another LDAP source
• Web identity federation for mobile apps uses OpenID Connect (OIDC) with social providers; AWS recommends using Cognito for web identity federation in most cases
• Authenticated and authorized users can access AWS services
Slide 94. AWS Single Sign-On (SSO)
Slide 95. AWS Single Sign-On (SSO)
• Identity sources can be AWS SSO itself, Active Directory (self-managed in the corporate office / data centre, or AWS Directory Service) and standard providers using SAML 2.0 (e.g. Azure AD)
• Connect AWS accounts and Organizations (in the diagram: AWS Accounts A to D)
• Enables centralized permissions management
• Built-in SSO integrations to business applications
Slide 96. Configure AWS SSO with AWS Managed AD
Slide 97. AWS Managed Microsoft AD with SSO
• SSO uses AD (the HA pair of DCs in the VPC) as its identity source
• The user logs in to the domain from Windows 10; SSO authenticates the user using federation and grants access to the DCT-PRODUCTION and DCT-MANAGEMENT accounts via the Management Console
• Access levels are controlled using permission sets
Slide 98. Cleanup the Hands-On Lab
Slide 99. Amazon Cognito
Slide 100. Cognito User Pools
• A user pool is a directory for managing sign-up and sign-in for mobile (and web) applications; users can also sign in using social, SAML or OIDC identity providers
• Cognito acts as an identity broker between the IdP and AWS
• The client receives a token (JWT); API Gateway fronts the application API and a Lambda authorizer accepts the JWT
Slide 101. Cognito Identity Pools
• Identity pools are used to obtain temporary, limited-privilege credentials for AWS services
• Identities can come from a Cognito user pool or from social, SAML or OIDC IdPs
• Identity pools use AWS STS to obtain the credentials: an IAM role is assumed, providing access to AWS services such as Lambda and DynamoDB
Slide 102. User Pools + Identity Pools (one Region)
1. The client (web/mobile) authenticates with the user pool, optionally via SAML/OIDC identity providers, and gets tokens (JWT)
2. The identity pool exchanges the tokens for AWS credentials
3. The client accesses AWS services (Lambda, DynamoDB and others) with the credentials
  103. 103. © Digital Cloud Training | https://digitalcloud.training SECTION 5 Advanced VPC
  104. 104. © Digital Cloud Training | https://digitalcloud.training Defining VPC CIDR Blocks
  105. 105. © Digital Cloud Training | https://digitalcloud.training Defining VPC CIDR Blocks 192 . . . 168 0 0 255 . . . 255 255 0 Network /24 Subnet Mask 8 host bits = 256 addresses 255 . . . 255 0 0 16 host bits = 65536 addresses /16 Subnet Mask 255 . . . 255 0 12 host bits = 4096 addresses /20 Subnet Mask 0 First Address Last Address 192.168.0.1 192.168.0.254 First Address Last Address 192.168.0.1 192.168.255.254 First Address Last Address 192.168.0.1 192.168.15.254 Classless Interdomain Routing (CIDR) uses variable length subnets masks (VLSM)
  106. 106. © Digital Cloud Training | https://digitalcloud.training Rules and Guidelines • CIDR block size can be between /16 and /28 • The CIDR block must not overlap with any existing CIDR block that's associated with the VPC • You cannot increase or decrease the size of an existing CIDR block • The first four and last IP address are not available for use • AWS recommend you use CIDR blocks from the RFC 1918 ranges: RFC 1918 Range Example CIDR Block 10.0.0.0 - 10.255.255.255 (10/8 prefix) Your VPC must be /16 or smaller, for example, 10.0.0.0/16 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) Your VPC must be /16 or smaller, for example, 172.31.0.0/16 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) Your VPC can be smaller, for example 192.168.0.0/20
  107. Create a Custom VPC with Subnets
  108. Create a Custom VPC
       VPC CIDR 10.0.0.0/16 in one Region, spread over three Availability Zones, each with a public subnet and a private subnet. Subnet CIDRs: 10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20, 10.0.48.0/20, 10.0.64.0/20, 10.0.80.0/20.
  109. VPC Routing Deep Dive
  110. VPC Routing Deep Dive
       VPC CIDR 10.0.0.0/16 with an Internet gateway; three Availability Zones, each with a public and a private subnet (10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20, 10.0.48.0/20, 10.0.64.0/20, 10.0.80.0/20).
       Main Route Table:
       Destination | Target
       10.0.0.0/16 | Local
       0.0.0.0/0   | igw-id
       The main route table is implicitly associated with subnets that have not been explicitly associated with a route table.
  111. VPC Routing Deep Dive
       A Private Route Table is added alongside the Main Route Table:
       Destination | Target
       10.0.0.0/16 | Local
  112. VPC Routing Deep Dive
       The private subnets are explicitly associated with the private route table. Each subnet can only be associated with one route table.
  113. VPC Routing Deep Dive
       Main Route Table (public subnets):
       Destination | Target
       10.0.0.0/16 | Local
       0.0.0.0/0   | igw-id
       Longest prefix wins, so traffic to 10.0.0.0/16 is routed locally and all other traffic goes out the IGW.
       Private Route Table (private subnets):
       Destination | Target
       10.0.0.0/16 | Local
       0.0.0.0/0   | nat-gw-id
       Outbound data from the private subnets is routed to the NAT Gateway.
  114. VPC Routing Deep Dive
       VPC CIDR 10.0.0.0/16 peered with two VPCs that both use CIDR 172.16.0.0/16 (host 172.16.0.15 in one, 172.16.0.30 in the other).
       Route table as first drawn (both peers listed for the same destination):
       Destination    | Target
       10.0.0.0/16    | Local
       172.16.0.0/16  | vpc-peer-1
       172.16.0.0/16  | vpc-peer-2
       Route table with a more specific /32 route:
       Destination    | Target
       10.0.0.0/16    | Local
       172.16.0.0/16  | vpc-peer-1
       172.16.0.15/32 | vpc-peer-2
       Longest prefix wins, so all 172.16.0.0 traffic goes via peer 1 except traffic to 172.16.0.15, which goes via peer 2.
  115. VPC Routing Deep Dive
       VPC CIDR 10.0.0.0/16 with a peered VPC (CIDR 172.16.0.0/16, EC2 instance 172.16.0.20) and a VPN to an on-premises DC (CIDR 172.16.0.0/16, host 172.16.0.20) through a customer gateway (CGW) and a virtual private gateway (VGW).
       Destination   | Target     | Origin
       10.0.0.0/16   | Local      |
       172.16.0.0/16 | vpc-peer-1 | static
       172.16.0.0/16 | vgw-conn-1 | learned and propagated by BGP to the route table
       Static routes are preferred over propagated routes, so traffic to 172.16.0.20 gets routed to the EC2 instance in the peered VPC.
  116. Security Appliances: Gateway Route Tables
       A gateway route table is attached to an IGW or VGW.
       Gateway route table on the Internet gateway (traffic for 10.0.1.0/24 is sent to the security appliance):
       Destination | Target
       10.0.0.0/16 | Local
       10.0.1.0/24 | eni-id-sec
       Route table for subnet SN 10.0.1.0/24; 0.0.0.0/0 points to the ENI ID of the security appliance:
       Destination | Target
       10.0.0.0/16 | Local
       0.0.0.0/0   | eni-id-sec
       Route table for the security appliance subnet SN 10.0.2.0/24; all outbound traffic is forwarded to the IGW:
       Destination | Target
       10.0.0.0/16 | Local
       0.0.0.0/0   | igw-id
  117. IPv4 and IPv6 Routing
       Destination             | Target                 | Note
       10.0.0.0/16             | Local                  | IPv4 traffic within the VPC is routed locally
       2001:db8:1234:1a00::/56 | Local                  | IPv6 traffic within the VPC is routed locally
       172.31.0.0/16           | pcx-11223344556677889  | IPv4 traffic for the 172.31.0.0/16 network goes via a peering connection
       0.0.0.0/0               | igw-12345678901234567  | IPv4 traffic that does not match a more specific route goes via the IGW
       ::/0                    | eigw-aabbccddee1122334 | IPv6 traffic that does not match a more specific route goes via the egress-only IGW (EIGW)
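The route selection described on slides 113 to 117 (longest prefix wins; for equal prefix lengths the local route wins, then static routes beat propagated ones) can be modelled in a few lines. The Python below is an added example, not part of the course material: it reproduces the peering, VPN and dual-stack route tables from the slides as constructed data and resolves a destination address against them. Only the tie-break rules stated on the slides are modelled; the full AWS route priority order has further cases (for example between Direct Connect and VPN propagated routes) that this model does not cover.

```python
"""Longest-prefix-match route selection over VPC-style route tables."""
import ipaddress
from dataclasses import dataclass

# Tie-breaker for routes with the same prefix length: the VPC's own local route
# beats everything, and static routes beat BGP-propagated ones (as the slide
# says). Lower value = higher priority.
ORIGIN_PRIORITY = {"local": 0, "static": 1, "propagated": 2}


@dataclass(frozen=True)
class Route:
    destination: str    # CIDR, e.g. "172.16.0.0/16" or "::/0"
    target: str         # local, igw-id, nat-gw-id, vpc-peer-1, vgw-conn-1, ...
    origin: str = "static"

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)


def select_route(routes, dst_ip):
    """Return the Route that carries traffic to dst_ip, or None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes
                  if r.network.version == addr.version and addr in r.network]
    if not candidates:
        return None
    # Longest prefix first; among equal prefixes, the origin with the lowest
    # priority value wins.
    return max(candidates,
               key=lambda r: (r.network.prefixlen, -ORIGIN_PRIORITY[r.origin]))


def next_hop(routes, dst_ip):
    route = select_route(routes, dst_ip)
    return route.target if route else None


# Route table from the peering slide: a /32 more specific than the /16.
PEERING_RT = [
    Route("10.0.0.0/16", "local", "local"),
    Route("172.16.0.0/16", "vpc-peer-1"),
    Route("172.16.0.15/32", "vpc-peer-2"),
]

# Route table from the VPN slide: the same /16 as a static peering route and as
# a BGP-propagated route via the virtual private gateway.
VPN_RT = [
    Route("10.0.0.0/16", "local", "local"),
    Route("172.16.0.0/16", "vpc-peer-1", "static"),
    Route("172.16.0.0/16", "vgw-conn-1", "propagated"),
]

# Dual-stack table from the IPv4 and IPv6 routing slide.
DUAL_STACK_RT = [
    Route("10.0.0.0/16", "local", "local"),
    Route("2001:db8:1234:1a00::/56", "local", "local"),
    Route("172.31.0.0/16", "pcx-11223344556677889"),
    Route("0.0.0.0/0", "igw-12345678901234567"),
    Route("::/0", "eigw-aabbccddee1122334"),
]


if __name__ == "__main__":
    for ip in ("172.16.0.30", "172.16.0.15"):
        print(ip, "->", next_hop(PEERING_RT, ip))
    print("172.16.0.20 ->", next_hop(VPN_RT, "172.16.0.20"))
    print("2001:4860:4860::8888 ->", next_hop(DUAL_STACK_RT, "2001:4860:4860::8888"))
```

A table with no default route (like PEERING_RT) returns None for Internet destinations, which is the behaviour of a private subnet that has neither an IGW nor a NAT route.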
  118. Configure Routing
  119. Create a Custom VPC
       VPC CIDR 10.0.0.0/16 with an Internet gateway; three Availability Zones, each with a public and a private subnet (10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20, 10.0.48.0/20, 10.0.64.0/20, 10.0.80.0/20).
       Main Route Table: 10.0.0.0/16 -> Local; 0.0.0.0/0 -> igw-id
       Private Route Table: 10.0.0.0/16 -> Local
  120. Security Groups and Network ACLs
  121. Security Groups and Network ACLs
       - NACLs apply at the subnet level and only to traffic entering or exiting the subnet.
       - Security groups apply at the instance level.
       - Security groups can be applied to instances in any subnet (Security Group A and Security Group B are used in both Availability Zones).
  122. Stateful vs Stateless Firewalls
       A client (10.1.1.1) connects through a firewall to a web server (10.2.1.10):
       Protocol | Source IP | Destination IP | Source port | Destination port
       HTTP     | 10.1.1.1  | 10.2.1.10      | 65188       | 80
       HTTP     | 10.2.1.10 | 10.1.1.1       | 80          | 65188
       A stateful firewall allows the return traffic automatically. A stateless firewall checks for an allow rule for both connections.
  123. Security Group Rules
       - Security groups support allow rules only.
       - A source can be an IP address or a security group ID.
       - Separate rules are defined for outbound traffic.
  124. Security Groups Best Practice
       Tiers: Internet-facing ALB -> Web front-end -> Internal ALB -> Application layer, across public and private subnets. Each security group references the neighbouring tier's security group rather than an IP range:
       Security group | Inbound                   | Outbound
       PublicALB      | HTTP/80 from 0.0.0.0/0    | HTTP/80 to PublicEC2
       PublicEC2      | HTTP/80 from PublicALB    | HTTP/8080 to PrivateALB
       PrivateALB     | HTTP/8080 from PublicEC2  | HTTP/8080 to PrivateEC2
       PrivateEC2     | HTTP/8080 from PrivateALB |
  125. Network ACLs
       Separate inbound rules and outbound rules are defined.
       - NACLs have an explicit deny.
       - Rules are processed in order.
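The following Python is an added example (not from the course) that puts slides 122 to 125 together: a stateless NACL evaluator that walks the rules in ascending rule-number order and falls through to the implicit deny, next to a stateful security-group check whose connection table admits the reply without a matching rule. The rule sets and the two packets are constructed from the HTTP exchange on the stateful vs stateless slide.

```python
"""Stateless NACL evaluation next to a stateful security-group check."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number; lowest is evaluated first
    protocol: str     # "tcp", "udp", "icmp" or "all"
    cidr: str         # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int
    port_to: int
    action: str       # "allow" or "deny" (security groups only ever allow)


def _matches(rule, ip, port, protocol):
    if rule.protocol not in ("all", protocol):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_from <= port <= rule.port_to


def nacl_decision(rules, pkt, direction):
    """First matching rule by ascending number decides; no match hits the '*' deny."""
    ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, ip, pkt.dst_port, pkt.protocol):
            return rule.action
    return "deny"                      # the implicit deny at the end of every NACL


class SecurityGroup:
    """Allow-only rules plus connection tracking: a reply to a flow that was
    already permitted is allowed without consulting the rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._conntrack = set()

    def decision(self, pkt, direction):
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.protocol)
        if reverse in self._conntrack:
            return "allow"
        rules = self.inbound if direction == "inbound" else self.outbound
        ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        # Security group rules are not ordered: any matching rule allows.
        if any(_matches(r, ip, pkt.dst_port, pkt.protocol) for r in rules):
            self._conntrack.add((pkt.src_ip, pkt.dst_ip, pkt.src_port,
                                 pkt.dst_port, pkt.protocol))
            return "allow"
        return "deny"


# Constructed traffic from the slide: request and its reply on an ephemeral port.
REQUEST = Packet("10.1.1.1", "10.2.1.10", 65188, 80)
REPLY = Packet("10.2.1.10", "10.1.1.1", 80, 65188)

# Constructed NACL for the web server's subnet: inbound HTTP, outbound replies to
# ephemeral client ports. Drop the outbound rule and the reply is denied.
WEB_NACL_IN = [Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow")]
WEB_NACL_OUT = [Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]


def nacl_round_trip(outbound_rules):
    return (nacl_decision(WEB_NACL_IN, REQUEST, "inbound"),
            nacl_decision(outbound_rules, REPLY, "outbound"))


def nacl_ordering(deny_rule_number):
    """A deny for 10.1.1.0/24 only takes effect if numbered below the allow."""
    rules = WEB_NACL_IN + [Rule(deny_rule_number, "tcp", "10.1.1.0/24", 80, 80, "deny")]
    return nacl_decision(rules, REQUEST, "inbound")


def sg_round_trip(send_request=True):
    """Outbound rules left empty on purpose: the reply passes on state, not on a rule."""
    sg = SecurityGroup(inbound=[Rule(0, "tcp", "0.0.0.0/0", 80, 80, "allow")], outbound=[])
    first = sg.decision(REQUEST, "inbound") if send_request else None
    return first, sg.decision(REPLY, "outbound")
```

The stateless model is why a custom NACL that allows only port 80 inbound still breaks a web server: the outbound rule for the 1024-65535 ephemeral range is needed for the replies, and a deny rule only wins if its number is lower than the allow it is meant to override.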
  126. Setup Security Groups and NACLs
  127. NAT Gateways and NAT Instances
  128. NAT Gateways
       An EC2 instance in a private subnet reaches the Internet through a NAT gateway in the public subnet and the Internet gateway. The NAT gateway has a private IP and an Elastic IP.
       Main Route Table (public subnet): 10.0.0.0/16 -> Local; 0.0.0.0/0 -> igw-id
       Private Route Table: 10.0.0.0/16 -> Local; 0.0.0.0/0 -> nat-gateway-id
       - The NAT gateway is created in the public subnet.
       - The NAT gateway ID must be specified in the private subnet route table.
  129. NAT Instances
       The same layout with a NAT instance (private IP plus Elastic IP) in the public subnet.
       Main Route Table: 10.0.0.0/16 -> Local; 0.0.0.0/0 -> igw-id
       Private Route Table: 10.0.0.0/16 -> Local; 0.0.0.0/0 -> nat-instance-id
       - The NAT instance ID must be specified in the private subnet route table.
       - Source/destination checks must be disabled on the instance.
       - Uses a special AMI with the string "amzn-ami-vpc-nat" in the name.
  130. NAT Instance vs NAT Gateway
       NAT Instance                                                                                   | NAT Gateway
       Managed by you (e.g. software updates)                                                         | Managed by AWS
       Scale up (instance type) manually and use enhanced networking                                  | Elastic scalability up to 45 Gbps
       No high availability; scripted/auto-scaled HA possible using multiple NATs in multiple subnets | Provides automatic high availability within an AZ and can be placed in multiple AZs
       Need to assign a security group                                                                | No security groups
       Can be used as a bastion host                                                                  | Cannot be accessed through SSH
       Use an Elastic IP address or a public IP address with a NAT instance                           | Choose the Elastic IP address to associate with a NAT gateway at creation
       Can implement port forwarding through manual customisation                                     | Does not support port forwarding
  131. Using IPv6 in a VPC
  132. Using IPv6 in a VPC
       An IPv4 address is 32 bits long, e.g. 192.168.0.1 = 11000000.10101000.00000000.00000001.
       IPv4 provides approximately 4.3 billion addresses. Public IPv4 addresses are close to being exhausted and NAT must be used extensively.
  133. Using IPv6 in a VPC
       An IPv6 address is 128 bits long and is written in hexadecimal, whereas IPv4 addresses use dotted decimal, e.g. 2020:0001:5bc2:1c48:32c1:b12c:a93b:9d32 (network part followed by node part).
       IPv6 provides 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. That's enough to assign more than 100 IPv6 addresses to every atom on earth!!!
  134. Using IPv6 in a VPC
       VPC with IPv4 CIDR 10.0.0.0/16 (public subnets 10.0.0.0/20 and 10.0.16.0/20) and IPv6 CIDR 2406:da1c:f7b:ae00::/56 (subnets 2406:da1c:f7b:ae10::/64 and 2406:da1c:f7b:ae11::/64).
       - AWS assigns a /56 IPv6 address range to your VPC.
       - Subnets receive a /64 address range, allowing 18 million trillion addresses.
       - A hexadecimal pair is assigned for each subnet; values from 00 to FF = 256 /64 subnets.
       - All IPv6 addresses are publicly routable (no NAT).
       - The route table has an entry to send all external IPv6 traffic to the IGW:
       Destination             | Target
       10.0.0.0/16             | Local
       2406:da1c:f7b:ae00::/56 | Local
       0.0.0.0/0               | igw-id
       ::/0                    | igw-id
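The "hexadecimal pair per subnet" rule on slide 134 is just arithmetic on the 128-bit address, and the Python below (an added example, not from the course) makes it explicit: given the /56 VPC block from the slide it computes the /64 for a given subnet byte, recovers the subnet byte from a /64, and counts subnets and addresses. The VPC block is the one shown on the slide; everything else is derived.

```python
"""Carve /64 subnets out of the /56 IPv6 block AWS assigns to a VPC."""
import ipaddress

VPC_IPV6 = "2406:da1c:f7b:ae00::/56"   # VPC block from the slide


def subnet_for_index(vpc_cidr, index):
    """The /64 whose subnet byte (the hex pair after the /56 boundary) is `index` (0-255)."""
    vpc = ipaddress.IPv6Network(vpc_cidr)
    if vpc.prefixlen != 56 or not 0 <= index <= 255:
        raise ValueError("expected a /56 VPC block and an index between 0 and 255")
    # Consecutive /64s are 2**64 addresses apart, so the subnet byte is the
    # next 8 bits below the /56 boundary.
    base = int(vpc.network_address) + index * (1 << 64)
    return str(ipaddress.IPv6Network((base, 64)))


def subnet_index(vpc_cidr, subnet_cidr):
    """Inverse: which of the 256 /64s a subnet is (e.g. ...:ae11::/64 -> 0x11 = 17)."""
    vpc = ipaddress.IPv6Network(vpc_cidr)
    sub = ipaddress.IPv6Network(subnet_cidr)
    if sub.prefixlen != 64 or not sub.subnet_of(vpc):
        raise ValueError(f"{subnet_cidr} is not a /64 inside {vpc_cidr}")
    return (int(sub.network_address) - int(vpc.network_address)) >> 64


def count_subnets(vpc_cidr, new_prefix=64):
    """Number of new_prefix subnets in the VPC block (256 for /56 -> /64)."""
    return 2 ** (new_prefix - ipaddress.IPv6Network(vpc_cidr).prefixlen)


def addresses_per_subnet(prefix=64):
    """Addresses in one subnet; 2**64 is the '18 million trillion' on the slide."""
    return 2 ** (128 - prefix)


if __name__ == "__main__":
    print(subnet_for_index(VPC_IPV6, 0x11))          # the ae11 subnet from the slide
    print(subnet_index(VPC_IPV6, "2406:da1c:f7b:ae10::/64"))
    print(count_subnets(VPC_IPV6), "subnets of", addresses_per_subnet(), "addresses")
```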
  135. Using IPv6 in a VPC
       VPC with IPv4 CIDR 172.31.0.0/16 (public subnets 172.31.0.0/20 and 172.31.16.0/20) and IPv6 CIDR 2406:da1c:f7b:ae00::/56 (subnets 2406:da1c:f7b:ae10::/64 and 2406:da1c:f7b:ae11::/64).
       Destination   | Target
       172.31.0.0/16 | Local
       0.0.0.0/0     | igw-id
       ::/0          | eo-igw-id
       - All IPv6 addresses are publicly routable (no NAT).
       - An egress-only Internet gateway allows IPv6 traffic outbound but not inbound.
  136. Configure IPv6
  137. Additional Settings
  138. VPC Peering
  139. VPC Peering
       VPC A 10.1.0.0/16, VPC B 10.2.0.0/16, VPC C 10.3.0.0/16, VPC D 10.4.0.0/16.
       - VPC peering connections are NOT transitive; a full mesh is required.
       - CIDR blocks cannot overlap.
       - VPC peering enables routing using private IPv4 or IPv6 addresses.
       - VPCs can be in different accounts and Regions.
  140. VPC Peering
       Two VPCs (CIDRs 10.0.0.0/16 and 10.1.0.0/16) in Region 1 and Region 2, each with a public subnet and an EC2 instance protected by a security group (Region1-SG, Region2-SG).
       Route tables: each VPC has a route to the other VPC's CIDR via the peering connection (10.0.0.0/16 -> peering-id in one, 10.1.0.0/16 -> peering-id in the other).
       Security groups: each allows ICMP (all) from the other VPC's CIDR (10.1.0.0/16 or 10.0.0.0/16) and TCP 22 from 0.0.0.0/0.
  141. Setup VPC in Second Account
  142. Create VPC Peering Connection
  143. Create VPC Peering Connection
       The same layout as slide 140, now between Region 1 / Account 1 and Region 2 / Account 2: VPC CIDRs 10.0.0.0/16 and 10.1.0.0/16, a route to the other VPC's CIDR via peering-id in each route table, and security groups (Region1-SG, Region2-SG) allowing ICMP (all) from the other VPC's CIDR and TCP 22 from 0.0.0.0/0.
  144. VPC Endpoints
  145. VPC Interface Endpoints
       - An ENI (the endpoint ENI) is created in the subnet.
       - The EC2 instance connects to a public AWS service (e.g. AWS CloudFormation, AWS CodeDeploy) using a private IP.
       - Each interface endpoint can connect to one of many AWS services.
       - Or you can connect to an AWS PrivateLink powered service.
  146. VPC Gateway Endpoints
       Route table of the private subnet:
       Destination                                                                                     | Target
       pl-6ca54005 (com.amazonaws.ap-southeast-2.s3, 54.231.248.0/22, 54.231.252.0/24, 52.95.128.0/21) | vpce-ID
       - The EC2 instance connects to S3 using a private IP.
       - A route table entry is required with the prefix list for S3 and the gateway ID.
       - Bucket policies can limit access to the endpoint source.
       - IAM policies can be applied to endpoints.
  147. VPC Endpoints
                      | Interface Endpoint                           | Gateway Endpoint
       What           | Elastic Network Interface with a private IP  | A gateway that is a target for a specific route
       How            | Uses DNS entries to redirect traffic         | Uses prefix lists in the route table to redirect traffic
       Which services | API Gateway, CloudFormation, CloudWatch etc. | Amazon S3, DynamoDB
       Security       | Security Groups                              | VPC Endpoint Policies
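Slides 146 and 147 mention the two policy controls for a gateway endpoint without showing them: a bucket policy that limits access to requests arriving through the endpoint, and an endpoint policy that limits which buckets the VPC can reach. The Python below is an added example (not from the course or from AWS) that builds both documents and evaluates the bucket policy's condition for a few request contexts with a deliberately minimal evaluator that understands only the StringEquals / StringNotEquals operators it uses. aws:SourceVpce is the real condition key S3 receives for endpoint traffic; the endpoint ID and bucket name are constructed placeholders.

```python
"""Endpoint-scoped S3 access: bucket policy plus endpoint policy, with a
simplified condition evaluator for the bucket policy."""
import json

ENDPOINT_ID = "vpce-0123456789abcdef0"   # placeholder endpoint ID (constructed)
BUCKET = "example-private-bucket"        # constructed bucket name


def endpoint_only_bucket_policy(bucket, vpce_id):
    """Deny all S3 actions on the bucket unless the request arrived via vpce_id.

    A request from the Internet or from another VPC carries no aws:SourceVpce
    key at all; for negated operators such as StringNotEquals a missing key
    makes the condition true, so those requests are denied."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def endpoint_policy_for_bucket(bucket):
    """Policy attached to the gateway endpoint itself: traffic through the
    endpoint may only read this one bucket, whatever the caller's IAM allows."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOnlyToOneBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [arn, f"{arn}/*"],
        }],
    }


def _condition_holds(condition, context):
    """Minimal evaluator: single-valued StringEquals / StringNotEquals only."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)          # None when the key is absent
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def is_denied(policy, context):
    """True if any Deny statement applies to the request context (explicit deny wins)."""
    return any(stmt["Effect"] == "Deny" and _condition_holds(stmt.get("Condition", {}), context)
               for stmt in policy["Statement"])


def as_json(policy):
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = endpoint_only_bucket_policy(BUCKET, ENDPOINT_ID)
    print(as_json(policy))
    for ctx in ({"aws:SourceVpce": ENDPOINT_ID}, {"aws:SourceVpce": "vpce-other"}, {}):
        print(ctx, "denied" if is_denied(policy, ctx) else "not denied")
```

Keep in mind that the Deny statement also blocks console and CLI access from outside the VPC, including your own administration paths, so a real deployment usually pairs it with an exception for a break-glass principal; the endpoint policy, by contrast, is the control for stopping data leaving the VPC to buckets you do not own.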
  148. Service Provider Model
       A Consumer VPC (public subnet with a web server, private subnet with an Endpoint) connects through that Endpoint to an Endpoint Service in the Service Provider VPC, where a Network Load Balancer fronts the EC2 instance providing the service.
  149. Create VPC Endpoint
  150. VPC Gateway Endpoints
       VPC with a public subnet (EC2 instance, Internet gateway) and a private subnet (EC2 instance). Private Subnet Route Table: pl-6ca54005 (com.amazonaws.ap-southeast-2.s3, 54.231.248.0/22, 54.231.252.0/24, 52.95.128.0/21) -> vpce-ID, the S3 gateway endpoint for Amazon S3.

Editor's notes

  • Three hundred and forty undecillion, two hundred and eighty-two decillion, three hundred and sixty-six nonillion, nine hundred and twenty octillion, nine hundred and thirty-eight septillion, four hundred and sixty-three sextillion, four hundred and sixty-three quintillion, three hundred and seventy-four quadrillion, six hundred and seven trillion, four hundred and thirty-one billion, seven hundred and sixty-eight million, two hundred and eleven thousand, four hundred and fifty-six.
