AWS S3 Subresources

January 29, 2023 ~ Last updated on : June 8, 2023 ~ jayendrapatil ~ 9 Comments

AWS S3 Subresources

S3 Subresources provides support to store, and manage the bucket configuration information.
S3 subresources only exist in the context of a specific bucket or object
S3 subresources are associated with buckets and objects.
S3 Subresources are subordinates to objects; i.e. they do not exist on their own, they are always associated with some other entity, such as an object or a bucket.
S3 supports various options to configure a bucket for e.g., the bucket can be configured for website hosting, configuration added to manage the lifecycle of objects in the bucket, and to log all access to the bucket.

S3 Object Lifecycle

Refer blog post @ S3 Object Lifecycle Management

Static Website Hosting

S3 can be used for Static Website hosting with Client-side scripts.
S3 does not support server-side scripting.
S3, in conjunction with Route 53, supports hosting a website at the root domain which can point to the S3 website endpoint
S3 website endpoints do not support HTTPS or access points
For S3 website hosting the content should be made publicly readable which can be provided using a bucket policy or an ACL on an object.
Users can configure the index, and error document as well as configure the conditional routing of an object name
Bucket policy applies only to objects owned by the bucket owner. If the bucket contains objects not owned by the bucket owner, then public READ permission on those objects should be granted using the object ACL.
Requester Pays buckets or DevPay buckets do not allow access through the website endpoint. Any request to such a bucket will receive a 403 -Access Denied response

S3 Versioning

Refer blog post @ S3 Object Versioning

Policy & Access Control List (ACL)

Refer blog post @ S3 Permissions

CORS (Cross Origin Resource Sharing)

All browsers implement the Same-Origin policy, for security reasons, where the web page from a domain can only request resources from the same domain.
CORS allows client web applications loaded in one domain access to the restricted resources to be requested from another domain.
With CORS support, S3 allows cross-origin access to S3 resources
CORS configuration rules identify the origins allowed to access the bucket, the operations (HTTP methods) that would be supported for each origin, and other operation-specific information.

S3 Access Logs

S3 Access Logs enable tracking access requests to an S3 bucket.
S3 Access logs are disabled by default.
Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, etc.
Access log information can be useful in security and access audits and also help learn about the customer base and understand the S3 bill.
S3 periodically collects access log records, consolidates the records in log files, and then uploads log files to a target bucket as log objects.
Logging can be enabled on multiple source buckets with the same target bucket which will have access logs for all those source buckets, but each log object will report access log records for a specific source bucket.
Source and target buckets should be in the same region.
Source and target buckets should be different to avoid an infinite loop of logs issue.
Target bucket can be encrypted using SSS-S3 default encryption. However, Default encryption with AWS KMS keys (SSE-KMS) is not supported.
S3 Object Lock cannot be enabled on the target bucket.
S3 uses a special log delivery account to write server access logs.
- AWS recommends updating the bucket policy on the target bucket to grant access to the logging service principal (logging.s3.amazonaws.com) for access log delivery.
- Access for access log delivery can also be granted to the S3 log delivery group through the bucket ACL. Granting access to the S3 log delivery group using your bucket ACL is not recommended.
Access log records are delivered on a best-effort basis. The completeness and timeliness of server logging is not guaranteed i.e. log record for a particular request might be delivered long after the request was actually processed, or it might not be delivered at all.
S3 Access Logs can be analyzed using data analysis tools or Athena.

Tagging

S3 provides the tagging subresource to store and manage tags on a bucket
Cost allocation tags can be added to the bucket to categorize and track AWS costs.
AWS can generate a cost allocation report with usage and costs aggregated by the tags applied to the buckets.

Location

AWS region needs to be specified during bucket creation and it cannot be changed.
S3 stores this information in the location subresource and provides an API for retrieving this information

Event Notifications

S3 notification feature enables notifications to be triggered when certain events happen in the bucket.
Notifications are enabled at the Bucket level
Notifications can be configured to be filtered by the prefix and suffix of the key name of objects. However, filtering rules cannot be defined with overlapping prefixes, overlapping suffixes, or prefix and suffix overlapping
S3 can publish the following events
- New Object created events
  - Can be enabled for PUT, POST, or COPY operations
  - You will not receive event notifications from failed operations
- Object Removal events
  - Can public delete events for object deletion, version object deletion or insertion of delete marker
  - You will not receive event notifications from automatic deletes from lifecycle policies or from failed operations.
- Restore object events
  - restoration of objects archived to the S3 Glacier storage classes
- Reduced Redundancy Storage (RRS) object lost events
  - Can be used to reproduce/recreate the Object
- Replication events
  - for replication configurations that have S3 replication metrics or S3 Replication Time Control (S3 RTC) enabled
S3 can publish events to the following destination
- SNS topic
- SQS queue
- AWS Lambda
For S3 to be able to publish events to the destination, the S3 principal should be granted the necessary permissions
S3 event notifications are designed to be delivered at least once. Typically, event notifications are delivered in seconds but can sometimes take a minute or longer.

Cross-Region Replication & Same-Region Replication

S3 Replication enables automatic, asynchronous copying of objects across S3 buckets in the same or different AWS regions.
S3 Cross-Region Replication – CRR is used to copy objects across S3 buckets in different AWS Regions.
S3 Same-Region Replication – SRR is used to copy objects across S3 buckets in the same AWS Regions.
S3 Replication helps to
- Replicate objects while retaining metadata
- Replicate objects into different storage classes
- Maintain object copies under different ownership
- Keep objects stored over multiple AWS Regions
- Replicate objects within 15 minutes
S3 can replicate all or a subset of objects with specific key name prefixes
S3 encrypts all data in transit across AWS regions using SSL
Object replicas in the destination bucket are exact replicas of the objects in the source bucket with the same key names and the same metadata.
Objects may be replicated to a single destination bucket or multiple destination buckets.
Cross-Region Replication can be useful for the following scenarios:-
- Compliance requirement to have data backed up across regions
- Minimize latency to allow users across geography to access objects
- Operational reasons compute clusters in two different regions that analyze the same set of objects
Same-Region Replication can be useful for the following scenarios:-
- Aggregate logs into a single bucket
- Configure live replication between production and test accounts
- Abide by data sovereignty laws to store multiple copies
Replication Requirements
- source and destination buckets must be versioning-enabled
- for CRR, the source and destination buckets must be in different AWS regions.
- S3 must have permission to replicate objects from that source bucket to the destination bucket on your behalf.
- If the source bucket owner also owns the object, the bucket owner has full permission to replicate the object. If not, the source bucket owner must have permission for the S3 actions s3:GetObjectVersion and s3:GetObjectVersionACL to read the object and object ACL
- Setting up cross-region replication in a cross-account scenario (where the source and destination buckets are owned by different AWS accounts), the source bucket owner must have permission to replicate objects in the destination bucket.
- if the source bucket has S3 Object Lock enabled, the destination buckets must also have S3 Object Lock enabled.
- destination buckets cannot be configured as Requester Pays buckets
Replicated & Not Replicated
- Only new objects created after you add a replication configuration are replicated. S3 does NOT retroactively replicate objects that existed before you added replication configuration.
- Objects encrypted using customer provided keys (SSE-C), objects encrypted at rest under an S3 managed key (SSE-S3) or a KMS key stored in AWS Key Management Service (SSE-KMS).
- S3 replicates only objects in the source bucket for which the bucket owner has permission to read objects and read ACLs
- Any object ACL updates are replicated, although there can be some delay before S3 can bring the two in sync. This applies only to objects created after you add a replication configuration to the bucket.
- S3 does NOT replicate objects in the source bucket for which the bucket owner does not have permission.
- Updates to bucket-level S3 subresources are NOT replicated, allowing different bucket configurations on the source and destination buckets
- Only customer actions are replicated & actions performed by lifecycle configuration are NOT replicated
- Replication chaining is NOT allowed, Objects in the source bucket that are replicas, created by another replication, are NOT replicated.
- S3 does NOT replicate the delete marker by default. However, you can add delete marker replication to non-tag-based rules to override it.
- S3 does NOT replicate deletion by object version ID. This protects data from malicious deletions.

S3 Inventory

S3 Inventory helps manage the storage and can be used to audit and report on the replication and encryption status of the objects for business, compliance, and regulatory needs.
S3 inventory provides a scheduled alternative to the S3 synchronous List API operation.
S3 inventory provides CSV, ORC, or Apache Parquet output files that list the objects and their corresponding metadata on a daily or weekly basis for an S3 bucket or a shared prefix.

Requester Pays

By default, buckets are owned by the AWS account that created it (the bucket owner) and the AWS account pays for storage costs, downloads, and data transfer charges associated with the bucket.
Using Requester Pays subresource:-
- Bucket owner specifies that the requester requesting the download will be charged for the download
- However, the bucket owner still pays the storage costs
Enabling Requester Pays on a bucket
- disables anonymous access to that bucket
- does not support BitTorrent
- does not support SOAP requests
- cannot be enabled for end-user logging bucket

Torrent

Default distribution mechanism for S3 data is via client/server download
Bucket owner bears the cost of Storage as well as the request and transfer charges which can increase linearly for a popular object
S3 also supports the BitTorrent protocol
- BitTorrent is an open-source Internet distribution protocol
- BitTorrent addresses this problem by recruiting the very clients that are downloading the object as distributors themselves
- S3 bandwidth rates are inexpensive, but BitTorrent allows developers to further save on bandwidth costs for a popular piece of data by letting users download from Amazon and other users simultaneously
Benefit for a publisher is that for large, popular files the amount of data actually supplied by S3 can be substantially lower than what it would have been serving the same clients via client/server download
Any object in S3 that is publicly available and can be read anonymously can be downloaded via BitTorrent
Torrent file can be retrieved for any publicly available object by simply adding a “?torrent” query string parameter at the end of the REST GET request for the object
Generating the .torrent for an object takes time proportional to the size of that object, so its recommended to make a first torrent request yourself to generate the file so that subsequent requests are faster
Torrent is enabled only for objects that are less than 5 GB in size.
Torrent subresource can only be retrieved, and cannot be created, updated, or deleted

Object ACL

Refer blog post @ S3 Permissions

AWS Certification Exam Practice Questions

An organization’s security policy requires multiple copies of all critical data to be replicated across at least a primary and backup data center. The organization has decided to store some critical data on Amazon S3. Which option should you implement to ensure this requirement is met?
1. Use the S3 copy API to replicate data between two S3 buckets in different regions
2. You do not need to implement anything since S3 data is automatically replicated between regions
3. Use the S3 copy API to replicate data between two S3 buckets in different facilities within an AWS Region
4. You do not need to implement anything since S3 data is automatically replicated between multiple facilities within an AWS Region
A customer wants to track access to their Amazon Simple Storage Service (S3) buckets and also use this information for their internal security and access audits. Which of the following will meet the Customer requirement?
1. Enable AWS CloudTrail to audit all Amazon S3 bucket access.
2. Enable server access logging for all required Amazon S3 buckets
3. Enable the Requester Pays option to track access via AWS Billing
4. Enable Amazon S3 event notifications for Put and Post.
A user is enabling a static website hosting on an S3 bucket. Which of the below mentioned parameters cannot be configured by the user?
1. Error document
2. Conditional error on object name
3. Index document
4. Conditional redirection on object name
Company ABCD is running their corporate website on Amazon S3 accessed from http//www.companyabcd.com. Their marketing team has published new web fonts to a separate S3 bucket accessed by the S3 endpoint: https://s3-us-west1.amazonaws.com/abcdfonts. While testing the new web fonts, Company ABCD recognized the web fonts are being blocked by the browser. What should Company ABCD do to prevent the web fonts from being blocked by the browser?
1. Enable versioning on the abcdfonts bucket for each web font
2. Create a policy on the abcdfonts bucket to enable access to everyone
3. Add the Content-MD5 header to the request for webfonts in the abcdfonts bucket from the website
4. Configure the abcdfonts bucket to allow cross-origin requests by creating a CORS configuration
Company ABCD is currently hosting their corporate site in an Amazon S3 bucket with Static Website Hosting enabled. Currently, when visitors go to http://www.companyabcd.com the index.html page is returned. Company C now would like a new page welcome.html to be returned when a visitor enters http://www.companyabcd.com in the browser. Which of the following steps will allow Company ABCD to meet this requirement? Choose 2 answers.
1. Upload an html page named welcome.html to their S3 bucket
2. Create a welcome subfolder in their S3 bucket
3. Set the Index Document property to welcome.html
4. Move the index.html page to a welcome subfolder
5. Set the Error Document property to welcome.html

AWS EC2 Amazon Machine Image – AMI

January 25, 2023 ~ Last updated on : February 6, 2023 ~ jayendrapatil ~ 6 Comments

Amazon Machine Image – AMI

An Amazon Machine Image – AMI provides the information required to launch an instance, which is a virtual server in the cloud.
An AMI is basically a template and can be used to launch as many instances as needed
Within a VPC, instances can be launched from as many different AMIs
An AMI includes the following:
- One or more EBS snapshots, or, for instance-store-backed AMIs, a template for the root volume of the instance for e.g, an operating system, an application server, and applications
- Launch permissions that control which AWS accounts can use the AMI to launch instances for e.g. AWS account ids whom the AMI is shared
- A block device mapping that specifies the volumes to attach to the instance when it’s launched
Amazon Machine Images can be either
- AWS managed, provided, and published AMIs
- Third-party or Community provided public custom AMIs
- Private AMIs created by other AWS accounts and shared with you
- Private and Custom AMIs created by you

AMI Types

Region & Availability Zone
- are regional but can be copied over to other regions
Operating system
- are available in a variety of OS flavors for e.g. Linux, windows, etc.
Architecture (32-bit or 64-bit)
Launch Permissions
- Launch permissions define who has access to the AMI
  - Public – Accessible to all AWS accounts
  - Explicit – Shared with specific AWS accounts
  - Private/Implicit – Owned and available for AMI creator account only
Root device storage
- can have EBS or Instance store as the root device storage
- EBS backed
  - EBS volumes are independent of the EC2 instance lifecycle and can persist independently
  - EBS backed instances can be stopped without losing the volumes
  - EBS instance can also be persisted without losing the volumes on instance termination if the Delete On Termination flag is disabled
  - EBS backed instances boot up much faster than the Instance store backed instances as only the parts required to boot the instance needs to be retrieved from the snapshot before the instance is made available
  - AMI creation is much easier for AMIs backed by EBS. The CreateImage API action creates the EBS-backed AMI and registers it
- Instance Store backed
  - Instance store is ephemeral storage and is dependent on the lifecycle of the Instance
  - Instance store is deleted if the instance is terminated or if the EBS backed instance, with attached instance store volumes, is stopped
  - Instance store volumes cannot be stopped
  - Instance store volumes have their AMI in S3 and have higher boot times compared to EBS backed instances, as all the parts have to be retrieved from S3 before the instance is made available
  - To create Linux AMIs backed by the instance store, you must create an AMI from your instance on the instance itself using the Amazon EC2 AMI tools.

More detailed @ EBS vs Instance Store

Linux Virtualization Types

Linux Amazon Machine Images use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM).
Main difference between PV and HVM AMIs is the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance.
For the best performance, AWS recommends the use of current generation instance types and HVM AMIs when launching instances.
HVM AMIs
- HVM AMIs are presented with a fully virtualized set of hardware and boot by executing the master boot record of the root block device of the image.
- HVM virtualization type provides the ability to run an operating system directly on top of a virtual machine without any modification as if it were run on bare-metal hardware.
- EC2 host system emulates some or all of the underlying hardware that is presented to the guest.
- HVM guests, unlike PV guests, can take advantage of hardware extensions that provide fast access to the underlying hardware on the host system.
- HVM AMIs are required to take advantage of enhanced networking and GPU processing. In order to pass through instructions to specialized network and GPU devices, the OS needs to be able to have access to the native hardware platform; HVM virtualization provides this access.
- All current generation instance types support HVM AMIs.The CC2, CR1, HI1, and HS1 previous generation instance types support HVM AMIs.
PV AMIs
- PV AMIs boot with a special boot loader called PV-GRUB, which starts the boot cycle and then chain loads the kernel specified in the menu.lst file on your image.
- Paravirtual guests can run on host hardware that does not have explicit support for virtualization, but they cannot take advantage of special hardware extensions such as enhanced networking or GPU processing
- C3 and M3 current generation instance types support PV AMIs. The C1, HI1, HS1, M1, M2, and T1 previous generation instance types support PV AMIs.

Shared AMIs

Shared AMI is an AMI that can be created and shared with others for use
A Shared AMI with all the components needed can be used to get started and then add custom components as and when needed
Shared AMI can be risky as Amazon does not perform detailed checks and vouch for the integrity and security of these AMIs
Before using a Shared AMI, check for any pre-installed credentials that would allow unwanted access to the instance by a third party and no pre-configured remote logging that could transmit sensitive data to a third party
Amazon allows you to share an image, by defining launch permissions, to all (making it public) or only to specific AWS accounts
Launch permissions work at the AWS account level only, and can’t be used to restrict specific users within an AWS account.
Sharing an image does not affect the ownership of the AMI
Only AMIs with unencrypted volumes or encrypted with a customer-managed key can be shared.
AMIs are a regional resource. Therefore, sharing an image makes it available in that Region. To make an image available in a different Region, copy the AMI to the Region and then share it.
Make AMI Public
- AMIs with encrypted volumes cannot be made public.
- AMI with product codes or snapshots of an encrypted volume can’t be made public; they can be shared only with specific AWS accounts.
Guidelines for Shared Linux AMIs
- Update the AMI Tools at Boot-Time
  - Update the AMI tools or any software during startup.
  - Take into account the software updates do not break any software and consider the WAN traffic as the downloads will be charged to the AMI user
- Disable Password-Based Remote Logins for Root
  - Fixed root passwords can be a security risk and need to be disabled
- Disable Local Root Access
  - disable direct root logins
- Remove SSH Host Key Pairs
  - Remove the existing SSH host key pairs located in /etc/ssh, which forces SSH to generate new unique SSH key pairs when someone launches an instance using your AMI, improving security and reducing the likelihood of “man-in-the-middle” attacks
- Install Public Key Credentials
  - EC2 allows users to specify a public-private key pair name when launching an instance.
  - A valid key pair name needs to be provided when launching an instance, the public key, the portion of the key pair that EC2 maintains on the server, is made available to the instance through an HTTP query against the instance metadata and appended to the authorized keys
  - Users can launch instances of the AMI with a key pair and log in without requiring a root password
- Disabling sshd DNS Checks (Optional)
  - Disabling sshd DNS checks slightly weaken the sshd security. However, if DNS resolution fails, SSH logins still work. If you do not disable sshd checks, DNS resolution failures prevent all logins.
- Identify Yourself
  - AMI is only represented by an account ID without any further information, so it is better to provide more information to help describe the AMI
- Protect Yourself
  - Don’t store any sensitive data or software on the AMI
  - Exclude & Skip any directories holding sensitive data or secret information and delete the shell history before creating an AMI

AMI lifecycle

- Create and register an AMI
- launch new instances. (You can also launch instances from an AMI if the AMI owner grants you launch permissions)
- Copy an AMI to the same region or to different regions.
- Deregister the AMI, when finished launching an instance from an AMI

AMI Creation

EBS-Backed Linux AMI

Screen Shot 2016-04-12 at 7.39.18 AM.png

EBS-Backed Linux AMI can be created from the instance directly or from the EBS snapshot
EBS-backed Linux AMI creation process:-
1. Select an AMI #1 similar to what you want to have your new AMI #2
2. Launch an Instance from AMI #1 and configure it accordingly
3. Stop the instance to ensure data integrity
4. Create AMI #2 OR create an EBS snapshot and then create an AMI #2 from the snapshot
5. Amazon automatically register the EBS-backed AMI
6. AMI #2 can be now used to launch new instances
By default, EC2 shuts down the instance, takes snapshots of any attached volumes, creates and registers the AMI, and then reboots the instance.
No Reboot option
- No Reboot option prevents the instance from shut down & reboot
- AMI will be crash consistent as all the volumes are snapshotted at the same time
- However, AMI is not application consistent as all the operating system buffers are not flushed to disk before the snapshots are created and file system integrity can’t be guaranteed
EC2 creates snapshots of the instance’s root volume and any other EBS volumes attached to the instance. If any volumes attached to the instance are encrypted, the new AMI only launches successfully on instances that support Amazon EBS encryption
For any additional instance-store volumes or EBS volumes, the block device mapping for the new AMI contains information for these volumes and the block device mappings for instances that you launch from the new AMI automatically contain information for these volumes.
While data on EBS volumes persist, the Instance-store volumes specified in the block device mapping for the new instance are new and don’t contain any data from the instance store volumes of the instance you used to create the AMI.
It’s more efficient to create an EBS-backed AMI with EBS snapshots already taken as the snapshot created during AMI creation is just an incremental one
You are charged for the storage of both the image and the snapshots

Instance Store-Backed Linux AMI

Screen Shot 2016-04-12 at 7.39.28 AM.png

Instance Store-Backed Linux AMI creation process
1. Select an AMI #1 similar to what you want to have your new AMI #2
2. Launch an Instance from AMI #1 and configure the instance accordingly
3. Bundle the Instance. It takes several minutes for the bundling process to complete.
4. After the process completes, you have a bundle, which consists of an image manifest (image.manifest.xml) and files (image.part.xx) that contain a template for the root volume.
5. Upload the bundle to the S3 bucket
6. Register the Instance Store-backed AMI.
7. Launching an instance using the new AMI #2, the root volume for the instance is created using the bundle that you uploaded to S3.
Charges are incurred for the storage space used by the bundle in S3 until deleted
For additional instance store volumes, not root volumes, the block device mapping for the new AMI contains information for these volumes and the block device mappings for instances that you launch from the new AMI automatically contain information for these volumes.

Deregistering AMI

Charges are incurred on the AMI created and they can be deregistered, if not needed.
Deregistering an AMI does not delete the EBS snapshots or the bundles in the S3 buckets and have to be removed separately
Once deregistered, new instances cannot be launched from the AMI. However, it does not impact already created instances from the AMI
Clean up EBS-Backed AMI

Screen Shot 2016-04-12 at 8.11.28 AM.png

- Deregister the EBS-Backed AMI
- Delete the EBS Snapshot, as deregistering the AMI doesn’t impact the snapshot
Clean up Instance Store-backed AMI

Screen Shot 2016-04-12 at 8.11.21 AM.png

- Deregister the EBS-Backed AMI
- Delete the bundle from the S3 bucket, as deregistering the AMI doesn’t affect the bundles stored in the S3 bucket

AMIs with Encrypted Snapshots

AMIs, with EBS backed snapshots, can be attached with both an encrypted root and data volume
AMIs copy image can be used to create AMIs with encrypted snapshots from AMIs with unencrypted snapshots. By default, copy image preserves the encryption status of the snapshots
Snapshots can be encrypted with either default AWS Key Management Service customer master key (CMK), or with a custom key that you specify

AMI Copying

EBS-backed AMIs and instance store-backed AMIs can be copied.
Copying an AMI
- An identical target AMI is created, but with its own unique identifier
- For EBS backed AMI, identical but distinct root and data snapshots are created
- Encryption status of the snapshots are preserved
- However, Launch permissions, user-defined tags, or S3 bucket permissions are not copied from the source AMI to the new AMI. After the copy operation is complete, different launch permissions, user-defined tags, and S3 bucket permissions to the new AMI
Source AMI can be deregistered without any impact to the Target AMI
AMIs owned or shared with proper permissions can be copied
AMIs are created specific to a region and can be copied within or across regions which can help to aid in the consistent global deployment and build highly scalable and available applications
AMI copy image can be used to encrypt an AMI from an unencrypted AMI
AMIs with encrypted snapshots can be copied and also encryption status changed during the copy process.
AWS Marketplace AMI cannot be copied, regardless of whether obtained directly or shared. Instead, launch an EC2 instance using the AWS Marketplace AMI and then create an AMI from the instance.

Amazon Linux 2 and Amazon Linux AMI

Amazon Linux 2 and Linux AMI is a supported and maintained Linux image provided by AWS with the following features

A stable, secure, and high-performance execution environment for applications running on EC2.
- does not allow remote root SSH by default.
- Password authentication is disabled to prevent brute-force password attacks.
- Instances launched using Amazon Linux AMI must be provided with a key pair at launch to enable SSH logins
- Inbound security group must allow SSH access
- By default, the only account that can log in remotely using SSH is ec2-user ; this account also has sudo privileges.
- are configured to download and install security updates at launch time.
Provided at no additional charge to Amazon EC2 users.
Repository access to multiple versions of MySQL, PostgreSQL, Python, Ruby, Tomcat, and many more common packages.
Updated on a regular basis to include the latest components, and these updates are also made available in the yum repositories for installation on running instances.
Includes pre-installed packages to enable easy integration with AWS services, such as the AWS CLI, Amazon EC2 API, and AMI tools, the Boto library for Python, and the Elastic Load Balancing tools.

EC2 Image Builder

EC2 Image Builder is a fully managed AWS service that makes it easier to automate the creation, management, and deployment of customized, secure, and up-to-date server images that are pre-installed and pre-configured with software and settings to meet specific IT standards
EC2 Image Builder simplifies the building, testing, and deployment of Virtual Machine and container images for use on AWS or on-premises.
Image Builder significantly reduces the effort of keeping images up-to-date and secure by providing a simple graphical interface, built-in automation, and AWS-provided security settings.
Image Builder removes any manual steps for updating an image and you do not have to build your own automation pipeline.
Image Builder provides a one-stop-shop to build, secure, and test up-to-date Virtual Machine and container images using common workflows.
Image Builder allows image validation for functionality, compatibility, and security compliance with AWS-provided tests and your own tests before using them in production.
Image Builder is offered at no cost, other than the cost of the underlying AWS resources used to create, store, and share the images.

AWS Certification Exam Practice Questions

A user has launched an EC2 instance from an instance store backed AMI. The infrastructure team wants to create an AMI from the running instance. Which of the below mentioned credentials is not required while creating the AMI?
1. AWS account ID
2. 509 certificate and private key
3. AWS login ID to login to the console
4. Access key and secret access key
A user has launched an EC2 Windows instance from an instance store backed AMI. The user wants to convert the AMI to an EBS backed AMI. How can the user convert it?
1. Attach an EBS volume to the instance and unbundle all the AMI bundled data inside the EBS
2. A Windows based instance store backed AMI cannot be converted to an EBS backed AMI
3. It is not possible to convert an instance store backed AMI to an EBS backed AMI
4. Attach an EBS volume and use the copy command to copy all the ephemeral content to the EBS Volume
A user has launched two EBS backed EC2 instances in the US-East-1a region. The user wants to change the zone of one of the instances. How can the user change it?
1. Stop one of the instances and change the availability zone
2. The zone can only be modified using the AWS CLI
3. From the AWS EC2 console, select the Actions – > Change zones and specify new zone
4. Create an AMI of the running instance and launch the instance in a separate AZ
A user has launched a large EBS backed EC2 instance in the US-East-1a region. The user wants to achieve Disaster Recovery (DR) for that instance by creating another small instance in Europe. How can the user achieve DR?
1. Copy the running instance using the “Instance Copy” command to the EU region
2. Create an AMI of the instance and copy the AMI to the EU region. Then launch the instance from the EU AMI
3. Copy the instance from the US East region to the EU region
4. Use the “Launch more like this” option to copy the instance from one region to another
A user has launched an EC2 instance store backed instance in the US-East-1a zone. The user created AMI #1 and copied it to the Europe region. After that, the user made a few updates to the application running in the US-East-1a zone. The user makes an AMI#2 after the changes. If the user launches a new instance in Europe from the AMI #1 copy, which of the below mentioned statements is true?
1. The new instance will have the changes made after the AMI copy as AWS just copies the reference of the original AMI during the copying. Thus, the copied AMI will have all the updated data
2. The new instance will have the changes made after the AMI copy since AWS keeps updating the AMI
3. It is not possible to copy the instance store backed AMI from one region to another
4. The new instance in the EU region will not have the changes made after the AMI copy
George has shared an EC2 AMI created in the US East region from his AWS account with Stefano. George copies the same AMI to the US West region. Can Stefano access the copied AMI of George’s account from the US West region?
1. No, copy AMI does not copy the permission
2. It is not possible to share the AMI with a specific account
3. Yes, since copy AMI copies all private account sharing permissions
4. Yes, since copy AMI copies all the permissions attached with the AMI
EC2 instances are launched from Amazon Machine images (AMIS). A given public AMI can:
1. be used to launch EC2 Instances in any AWS region.
2. only be used to launch EC2 instances in the same country as the AMI is stored.
3. only be used to launch EC2 instances in the same AWS region as the AMI is stored. (An AMI is tied to the region where its files are located within Amazon S3)
4. only be used to launch EC2 instances in the same AWS availability zone as the AMI is stored.

References

Amazon EC2 User Guide – AMIs

Amazon CloudWatch Agent

January 8, 2023 ~ Last updated on : January 9, 2023 ~ jayendrapatil ~ 1 Comment

Amazon CloudWatch Agent

CloudWatch Agent helps collect metrics and logs from EC2 instances and on-premises servers and push them to CloudWatch.
CloudWatch agent helps to
- Collect internal system-level metrics from EC2 instances across operating systems. The metrics can include in-guest metrics, in addition to the metrics for EC2 instances.
- Collect system-level metrics from on-premises servers. These can include servers in a hybrid environment as well as servers not managed by AWS.
- Retrieve custom metrics from the applications or services using the StatsD and collectd protocols. StatsD is supported on both Linux servers and servers running Windows Server. collectd is supported only on Linux servers.
- Collect logs from EC2 instances and on-premises servers, running either Linux or Windows Server.
- Collect metrics for individual processes using the procstat plugins stored in the procstat namespace.
Default namespace for metrics collected by the agent is CWAgent, although a different namespace can be configured.
Logs collected by the unified agent are processed and stored in CloudWatch Logs.
Agent can be installed, on Amazon Linux 2 and on all supported operating systems, manually or using AWS Systems Manager
CloudWatch agent needs to write metrics to CloudWatch, and an IAM role for EC2 instances or an IAM user for the on-premises server should be assigned.

CloudWatch Agent

AWS Certification Exam Practice Questions

A company has a set of servers sitting in AWS and a set of them sitting in their On-premise locations. They want to monitor the system-level metrics for both sets of servers and have a unified dashboard for monitoring. As a system administrator, which of the following can help in this regard?
1. Install the CloudWatch agent on both sets of servers
2. Migrate the on-premise servers to AWS to ensure they can be monitored
3. Setup the metrics dashboard in CloudWatch
4. Setup the metrics dashboard in AWS Inspector
5. Setup the metrics dashboard in AWS Config
A Developer has a legacy application that is hosted on-premises. Other applications hosted on AWS depend on the on-premises application for proper functioning. In case of any application errors, the Developer wants to be able to use Amazon CloudWatch to monitor and troubleshoot all applications from one place. How can the Developer accomplish this?
1. Install an AWS SDK on the on-premises server to automatically send logs to CloudWatch.
2. Download the CloudWatch agent to the on-premises server. Configure the agent to use IAM user credentials with permissions for CloudWatch.
3. Upload log files from the on-premises server to Amazon S3 and have CloudWatch read the files.
4. Upload log files from the on-premises server to an Amazon EC2 instance and have the instance forward the logs to CloudWatch.

References

AWS_CloudWatch_Agent

AWS Macie

January 7, 2023 ~ jayendrapatil

AWS Macie

Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.
provides an inventory of the S3 buckets and automatically evaluates and monitors the buckets for security and access control.
automates the discovery, classification, and reporting of sensitive data.
generates a finding for you to review and remediate as necessary if it detects a potential issue with the security or privacy of the data, such as a bucket that becomes publicly accessible.
provides multi-account support using AWS Organizations to enable Macie across all of the accounts.
is a regional service and must be enabled on a region-by-region basis and helps view findings across all the accounts within each Region.
supports VPC Interface Endpoints to access Macie privately from a VPC without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Macie Multiple Accounts

Macie provides multi-account support using AWS Organizations to enable Macie across all of the accounts.
An organization consists of a designated administrator account and one or more associated member accounts.
Accounts can be associated in two ways,
- by integrating AWS Organizations (Recommended) or
- by sending and accepting membership invitations
The designated administrator can assess and monitor the overall security posture of the organization’s S3 data estate, and discover sensitive data in the organization’s S3 buckets.
The administrator can also perform various account management and administration tasks at scale, such as monitoring estimated usage costs and assessing account quotas.

AWS Certification Exam Practice Questions

Which AWS service makes it easy to automate the process of discovering, classifying, and protecting data stored in AWS?
1. AWS Shield
2. AWS WAF
3. AWS GuardDuty
4. AWS Macie

References

Amazon_Macie

AWS CloudTrail

January 2, 2023 ~ Last updated on : January 5, 2023 ~ jayendrapatil ~ 9 Comments

AWS CloudTrail

AWS CloudTrail helps you enable governance, compliance, operational, and risk auditing of the AWS account.
CloudTrail helps to get a history of AWS API calls and related events for the AWS account.
CloudTrail records actions taken by a user, role, or AWS service.
CloudTrail tracking includes calls made by using the AWS Management Console, AWS SDKs, Command-line tools (CLI), APIs, and higher-level AWS services (such as AWS CloudFormation)
CloudTrail helps to identify which users and accounts called AWS, the source IP address the calls were made from, and when the calls occurred.
CloudTrail is enabled on your AWS account when you create it.
CloudTrail is per AWS account and per region for all the supported services.
CloudTrail AWS API call history enables security analysis, resource change tracking, and compliance auditing.
CloudTrail event history provides a viewable, searchable, and downloadable record of the past 90 days of CloudTrail events.
CloudTrail logs can be encrypted by using default S3 SSE-S3 or KMS.
CloudTrail log file integrity validation can be used to check whether a log file was modified, deleted, or unchanged after CloudTrail delivered it.
CloudTrail integrates with AWS Organizations and provides an organization trail that enables the delivery of events in the management account, delegated administrator account, and all member accounts in an organization to the same S3 bucket, CloudWatch Logs, and CloudWatch Events.
CloudTrail Insights can be enabled on a trail to help identify and respond to unusual activity.
CloudTrail Lake helps run fine-grained SQL-based queries on events.

CloudTrail Works

AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to a specified S3 bucket.
S3 lifecycle rules can be applied to archive or delete log files automatically.
Log files contain API calls from all of the account’s CloudTrail-supported services.
Log files from all the regions can be delivered to a single S3 bucket and are encrypted, by default, using S3 server-side encryption (SSE). Encryption can be configured with AWS KMS.
CloudTrail publishes new log files multiple times an hour, usually about every 5 mins, and typically delivers log files within 15 mins of an API call.
CloudTrail can be configured, optionally, to deliver events to a log group to be monitored by CloudWatch Logs.
SNS notifications can be configured to be sent each time a log file is delivered to your bucket.
A Trail is a configuration that enables logging of the AWS API activity and delivery of events to an specified S3 bucket.
Trail can be created with CloudTrail console, AWS CLI, or CloudTrail API.
Events in a trail can also be delivered and analyzed with CloudWatch Logs and EventBridge.
A Trail can be applied to all regions or a single region
- A trail that applies to all regions
  - When a trail is created that applies to all regions, CloudTrail creates the same trail in each region, records the log files in each region, and delivers the log files to the specified single S3 bucket (and optionally to the CloudWatch Logs log group).
  - Default setting when a trail is created using the CloudTrail console.
  - A single SNS topic for notifications and CloudWatch Logs log group for events would suffice for all regions.
  - Advantages
    - configuration settings for the trail apply consistently across all regions.
    - manage trail configuration for all regions from one location.
    - immediately receive events from a new region
    - receive log files from all regions in a single S3 bucket and optionally in a CloudWatch Logs log group.
    - create trails in regions not used often to monitor for unusual activity.
- A trail that applies to one region
  - An S3 bucket can be specified that receives events only from that region and it can be in any region that you specify.
  - Additional individual trails are created that apply to specific regions, those trails can deliver event logs to a single S3 bucket.
Turning on a trail means creating a trail and start logging.
CloudTrail supports five trails per region. A trail that applies to all regions counts as one trail in every region
As a best practice, a trail can be created that applies to all regions in the AWS partition e.g. AWS for all standard AWS regions or aws-cn for china
IAM can control which AWS users can create, configure, or delete trails, start and stop logging, and access the buckets containing log information.
Log file integrity validation can be enabled to verify that log files have
remained unchanged since CloudTrail delivered them.
CloudTrail Lake helps run fine-grained SQL-based queries on the events.

CloudTrail with AWS Organizations

With AWS Organizations, an Organization trail can be created that will log all events for all AWS accounts in that organization.
Organization trails can apply to all AWS Regions or one Region.
Organization trails must be created in the management account, and when specified as applying to an organization, are automatically applied to all member accounts in the organization.
Member accounts will be able to see the organization trail, but cannot modify or delete it.
By default, member accounts will not have access to the log files for the organization trail in the S3 bucket.

CloudTrail Events

An event in CloudTrail is the record of activity in an AWS account.
CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
CloudTrail has the following event types
- Management Events
  - Management events provide information about management or control plane operations that are performed on resources.
  - Includes resource creation, modification, and deletion events.
  - By default, trails log all management events for the AWS account.
- Data Events
  - Data events provide information about the resource or data plane operations performed on or in a resource.
  - Includes data events like reading and writing of objects in S3 or items in DynamoDB.
  - By default, trails don’t log data events for the AWS account.
- CloudTrail Insights Event
  - CloudTrail Insights events capture unusual API call rate or error rate activity in the AWS account.
  - An Insights event is a record of unusual levels of write management API activity, or unusual levels of errors returned on management API activity.
  - By default, trails don’t log CloudTrail Insights events.
  - When enabled, CloudTrail detects unusual activity, and Insights events are logged to a different folder or prefix in the destination S3 bucket for the trail.
  - Insights events provide relevant information, such as the associated API, error code, incident time, and statistics, that help you understand and act on unusual activity.
  - Unlike other types of events captured in a CloudTrail trail, Insights events are logged only when CloudTrail detects changes in the account’s API usage or error rate logging that differ significantly from the account’s typical usage patterns.

Global Services Option

For most services, events are sent to the region where the action happened.
For global services such as IAM, AWS STS, and CloudFront, events are delivered to any trail that has the Include global services option enabled.
AWS OpsWorks and Route 53 actions are logged in the US East (N. Virginia) region.
To avoid receiving duplicate global service events, remember
- Global service events are always delivered to trails that have the Apply trail to all regions option enabled.
- Events are delivered from a single region to the bucket for the trail. This setting cannot be changed.
- If you have a single region trail, you should enable the Include global services option.
- If you have multiple single region trails, you should enable the Include global services option in only one of the trails.
About global service events
- have a trail with the Apply trail to all regions option enabled.
- have multiple single-region trails.
- do not need to enable the Include global services option for the single region trails. Global service events are delivered for the first trail.

CloudTrail Log File Integrity

Validated log files are invaluable in security and forensic investigations.
CloudTrail log file integrity validation can be used to check whether a log file was modified, deleted, or unchanged after CloudTrail delivered it.
The validation feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing which makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
When log file integrity validation is enabled
- CloudTrail creates a hash for every log file that it delivers.
- Every hour, CloudTrail also creates and delivers a digest file that references the log files for the last hour and contains a hash of each.
- CloudTrail signs each digest file using the private key of a public and private key pair.
- After delivery, the public key can be used to validate the digest file.
- CloudTrail uses different key pairs for each AWS region.
- Digest files are delivered to the same S3 bucket, but a separate folder, associated with the trail for the log files
- The separation of digest files and log files enables the enforcement of granular security policies and permits existing log processing solutions to continue to operate without modification.
- Each digest file also contains the digital signature of the previous digest file if one exists.
- Signature for the current digest file is in the metadata properties of the digest file S3 object.
- Log files and digest files can be stored in S3 or Glacier securely, durably and inexpensively for an indefinite period of time.
- To enhance the security of the digest files stored in S3, S3 MFA Delete can be enabled.

CloudTrail Enabled Use Cases

Track changes to AWS resources
- Can be used to track creation, modification or deletion of AWS resources
Compliance Aid
- easier to demonstrate compliance with internal policy and regulatory standards
Troubleshooting Operational Issues
- identify the recent changes or actions to troubleshoot any issues
Security Analysis
- use log files as inputs to log analysis tools to perform security analysis and to detect user behavior patterns

CloudTrail Processing Library (CPL)

CloudTrail Processing Library (CPL) helps build applications to take immediate action on events in CloudTrail log files
CPL helps to
- read messages delivered to SNS or SQS
- downloads and reads the log files from S3 continuously
- serializes the events into a POJO
- allows custom logic implementation for processing
- fault tolerant and supports multi-threading

AWS CloudTrail vs AWS Config

AWS Config reports on WHAT has changed, whereas CloudTrail reports on WHO made the change, WHEN, and from WHICH location.
AWS Config focuses on the configuration of the AWS resources and reports with detailed snapshots on HOW the resources have changed, whereas CloudTrail focuses on the events, or API calls, that drive those changes. It focuses on the user, application, and activity performed on the system.

AWS Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.

You currently operate a web application in the AWS US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?
1. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. (Single New bucket with global services option for IAM and MFA delete for confidentiality)
2. Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs. (Missing Global Services for IAM)
3. Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. (Existing bucket prevents confidentiality)
4. Create three new CloudTrail trails with three new S3 buckets to store the logs one for the AWS Management console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs (3 buckets not needed, Missing Global services options)
Which of the following are true regarding AWS CloudTrail? Choose 3 answers
1. CloudTrail is enabled globally (it can be enabled for all regions and also per-region basis)
2. CloudTrail is enabled by default (was not enabled by default, however, it is enabled by default as per the latest AWS enhancements)
3. CloudTrail is enabled on a per-region basis (it can be enabled for all regions and also per-region basis)
4. CloudTrail is enabled on a per-service basis (once enabled it is applicable for all the supported services, service can’t be selected)
5. Logs can be delivered to a single Amazon S3 bucket for aggregation
6. CloudTrail is enabled for all available services within a region. (is enabled only for CloudTrail supported services)
7. Logs can only be processed and delivered to the region in which they are generated. (can be logged to bucket in any region)
An organization has configured the custom metric upload with CloudWatch. The organization has given permission to its employees to upload data using CLI as well SDK. How can the user track the calls made to CloudWatch?
1. The user can enable logging with CloudWatch which logs all the activities
2. Use CloudTrail to monitor the API calls
3. Create an IAM user and allow each user to log the data using the S3 bucket
4. Enable detailed monitoring with CloudWatch
A user is trying to understand the CloudWatch metrics for the AWS services. It is required that the user should first understand the namespace for the AWS services. Which of the below mentioned is not a valid namespace for the AWS services?
1. AWS/StorageGateway
2. AWS/CloudTrail (CloudWatch supported namespaces)
3. AWS/ElastiCache
4. AWS/SWF
Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?
1. Use CloudTrail Log File Integrity Validation. (Refer link)
2. Use AWS Config SNS Subscriptions and process events in real time.
3. Use CloudTrail backed up to AWS S3 and Glacier.
4. Use AWS Config Timeline forensics.
Your CTO has asked you to make sure that you know what all users of your AWS account are doing to change resources at all times. She wants a report of who is doing what over time, reported to her once per week, for as broad a resource type group as possible. How should you do this?
1. Create a global AWS CloudTrail Trail. Configure a script to aggregate the log data delivered to S3 once per week and deliver this to the CTO.
2. Use CloudWatch Events Rules with an SNS topic subscribed to all AWS API calls. Subscribe the CTO to an email type delivery on this SNS Topic.
3. Use AWS IAM credential reports to deliver a CSV of all uses of IAM User Tokens over time to the CTO.
4. Use AWS Config with an SNS subscription on a Lambda, and insert these changes over time into a DynamoDB table. Generate reports based on the contents of this table.

References

AWS_CloudTrail_User_Guide

https://www.youtube.com/watch?v=oZ8HswQSbNQ

AWS IAM Best Practices

January 1, 2023 ~ Last updated on : January 2, 2023 ~ jayendrapatil ~ 10 Comments

AWS IAM Best Practices

AWS recommends the following AWS Identity and Access Management service – IAM Best Practices to secure AWS resources

Root Account – Don’t use & Lock away access keys

Do not use the AWS Root account which has full access to all the AWS resources and services including the Billing information.
Permissions associated with the AWS Root account cannot be restricted.
Do not generate the access keys, if not required
If already generated and not needed, delete the access keys.
If access keys are needed, rotate (change) the access key regularly
Never share the Root account credentials or access keys, instead create IAM users or Roles to grant granular access
Enable AWS multifactor authentication (MFA) on the AWS account

User – Create individual IAM users

Don’t use the AWS root account credentials to access AWS, and don’t share the credentials with anyone else.
Start by creating an IAM User with an Administrator role that has access to all resources as the Root except the account’s security credentials.
Create individual users for anyone who needs access to your AWS account and gives each user unique credentials and grant different permissions.

Groups – Use groups to assign permissions to IAM users

Instead of defining permissions for individual IAM users, create groups and define the relevant permissions for each group as per the job function, and then associate IAM users to those groups.
Users in an IAM group inherit the permissions assigned to the group and a User can belong to multiple groups
It is much easier to add new users, remove users and modify the permissions of a group of users.

Permission – Grant least privilege

IAM user, by default, is created with no permissions
Users should be granted LEAST PRIVILEGE as required to perform a task.
Starting with minimal permissions and adding to the permissions as required to perform the job function is far better than granting all access and trying to then tighten it down.

Passwords – Enforce strong password policy for users

Enforce users to create strong passwords and enforce them to rotate their passwords periodically.
Enable a strong password policy to define password requirements forcing users to create passwords with requirements like at least one capital letter, one number, and how frequently it should be rotated.

MFA – Enable MFA for privileged users

For extra security, Enable MultiFactor Authentication (MFA) for privileged IAM users, who are allowed access to sensitive resources or APIs.

Role – Use temporary credentials with IAM roles

Use roles for workloads instead of creating IAM user and hardcoding the credentials which can compromise the access and are also hard to rotate.
Roles have specific permissions and do not have a permanent set of credentials.
Roles provide a way to access AWS by relying on dynamically generated & automatically rotated temporary security credentials.
Roles associated with it but dynamically provide temporary credentials that are automatically rotated

Sharing – Delegate using roles

Allow users from same AWS account, another AWS account, or externally authenticated users (either through any corporate authentication service or through Google, Facebook etc) to use IAM roles to specify the permissions which can then be assumed by them
A role can be defined that specifies what permissions the IAM users in the other account are allowed, and from which AWS accounts the IAM users are allowed to assume the role

Rotation – Rotate credentials regularly

Change your own passwords and access keys regularly and enforce it through a strong password policy. So even if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources
Access keys allows creation of 2 active keys at the same time for an user. These can be used to rotate the keys.

Track & Review – Remove unnecessary credentials

Remove IAM user and credentials (that is, passwords and access keys) that are not needed.
Use the IAM Credential report that lists all IAM users in the account and the status of their various credentials, including passwords, access keys, and MFA devices and usage patterns to figure out what can be removed
Passwords and access keys that have not been used recently might be good candidates for removal.

Conditions – Use policy conditions for extra security

Define conditions under which IAM policies allow access to a resource.
Conditions would help provide finer access control to the AWS services and resources for e.g. access limited to a specific IP range or allowing only encrypted requests for uploads to S3 buckets etc.

Auditing – Monitor activity in the AWS account

Enable logging features provided through CloudTrail, S3, CloudFront in AWS to determine the actions users have taken in the account and the resources that were used.
Log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.

Use IAM Access Analyzer

IAM Access Analyzer analyzes the services and actions that the IAM roles use, and then generates a least-privilege policy that you can use.
Access Analyzer helps preview and analyze public and cross-account access for supported resource types by reviewing the generated findings.
IAM Access Analyzer helps to validate the policies created to ensure that they adhere to the IAM policy language (JSON) and IAM best practices.

Use Permissions Boundaries

Use IAM Permissions Boundaries to delegate permissions management within an account
IAM permissions boundaries help set the maximum permissions that you delegate and that an identity-based policy can grant to an IAM role.
A permissions boundary does not grant permissions on its own.

AWS Certification Exam Practice Questions

Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
1. Create individual IAM users for everyone in your organization (May not be needed as can use Roles as well)
2. Configure MFA on the root account and for privileged IAM users
3. Assign IAM users and groups configured with policies granting least privilege access
4. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate (Must be assigned only if using console or through command line)
What are the recommended best practices for IAM? (Choose 3 answers)
1. Grant least privilege
2. User the AWS account(root) for regular user
3. Use Mutli-Factor Authentication (MFA)
4. Store access key/private key in git
5. Rotate credentials regularly
Which of the below mentioned options is not a best practice to securely manage the AWS access credentials?
1. Enable MFA for privileged users
2. Create individual IAM users
3. Keep rotating your secure access credentials at regular intervals
4. Create strong access key and secret access key and attach to the root account
Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
1. Use short but complex password on the root account and any administrators.
2. Use AWS IAM Geo-Lock and disallow anyone from logging in except for in your city.
3. Use MFA on all users and accounts, especially on the root account. (For increased security, it is recommend to configure MFA to help protect AWS resources)
4. Don’t write down or remember the root account password after creating the AWS account.
Fill the blanks: ____ helps us track AWS API calls and transitions, ____ helps to understand what resources we have now, and ____ allows auditing credentials and logins.
1. AWS Config, CloudTrail, IAM Credential Reports
2. CloudTrail, IAM Credential Reports, AWS Config
3. CloudTrail, AWS Config, IAM Credential Reports
4. AWS Config, IAM Credential Reports, CloudTrail

References

AWS IAM Roles vs Resource Based Policies

December 31, 2022 ~ Last updated on : January 2, 2023 ~ jayendrapatil ~ 5 Comments

AWS IAM Roles vs Resource-Based Policies

AWS allows granting cross-account access to AWS resources, which can be done using IAM Roles or Resource-Based Policies.

IAM Roles

Roles can be created to act as a proxy to allow users or services to access resources.
Roles support
- trust policy which helps determine who can access the resources and
- permission policy which helps to determine what they can access.
Users who assume a role temporarily give up their own permissions and instead take on the permissions of the role. The original user permissions are restored when the user exits or stops using the role.
Roles can be used to provide access to almost all the AWS resources.
Permissions provided to the User through the Role can be further restricted per user by passing an optional policy to the STS request. This policy cannot be used to elevate privileges beyond what the assumed role is allowed to access

Resource-based Policies

Resource-based policy allows you to attach a policy directly to the resource you want to share, instead of using a role as a proxy.
Resource-based policy specifies the Principal, in the form of a list of AWS account ID numbers, can access that resource and what they can access.
Using cross-account access with a resource-based policy, the User still works in the trusted account and does not have to give up their permissions in place of the role permissions.
Users can work on the resources from both accounts at the same time and this can be useful for scenarios e.g. copying objects from one bucket to the other bucket in a different AWS account.
Resources that you want to share are limited to resources that support resource-based policies
- S3 allows you to define Bucket policy to grant access to the bucket and the objects
- Simple Notification Service (SNS)
- Simple Queue Service (SQS)
- Glacier Vaults
- OpsWorks stacks
- Lambda functions
Resource-based policies need the trusted account to create users with permissions to be able to access the resources from the trusted account.
Only permissions equivalent to, or less than, the permissions granted to your account by the resource owning account can be delegated.

AWS Certification Exam Practice Questions

What are the two permission types used by AWS?
1. Resource-based and Product-based
2. Product-based and Service-based
3. Service-based
4. User-based and Resource-based
What’s the policy used for cross-account access? (Choose 2)
1. Trust policy
2. Permissions Policy
3. Key policy

References

AWS IAM Role

December 31, 2022 ~ Last updated on : July 21, 2023 ~ jayendrapatil ~ 34 Comments

AWS IAM Role

IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS.
IAM role is not intended to be uniquely associated with a particular user, group, or service and is intended to be assumable by anyone who needs it.
Role does not have any static credentials (password or access keys) associated with it and whoever assumes the role is provided with dynamic temporary credentials.
Role helps in access delegation to grant permissions to someone that allows access to resources that you control.
Roles can help to prevent accidental access to or modification of sensitive resources.
Modification of a Role can be done anytime and the changes are reflected across all the entities associated with the Role immediately.
IAM Role plays a very important role in the following scenarios
- Services like EC2 instances running an application that needs to access other AWS services.
- Cross-Account access – Allowing users from different AWS accounts to have access to AWS resources in a different account, instead of having to create users.
- Identity Providers & Federation
  - Company uses a Corporate Authentication mechanism and doesn’t want the User to authenticate twice or create duplicate users in AWS
  - Applications allowing login through external authentication mechanisms e.g. Amazon, Facebook, Google, etc
Role can be assumed by
- IAM user within the same AWS account
- IAM user from a different AWS account
- AWS services such as EC2, EMR to interact with other services
- An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect (OIDC), or a custom-built identity broker.
Role involves defining two policies
- Trust policy
  - Trust policy defines – who can assume the role
  - Trust policy involves setting up a trust between the account that owns the resource (trusting account) and the account that owns the user that needs access to the resources (trusted account).
- Permissions policy
  - Permissions policy defines – what they can access
  - Permissions policy determines authorization, which grants the user of the role with the needed permissions to carry out the desired tasks on the resource
Federation is creating a trust relationship between an external Identity Provider (IdP) and AWS.
- Users can also sign in to an enterprise identity system that is compatible with SAML
- Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with OpenID connect (OIDC).
- When using OIDC and SAML 2.0 to configure a trust relationship between these external identity providers and AWS, the user is assigned to an IAM role and receives temporary credentials that enable the user to access AWS resources.
IAM Best Practice – Use roles for applications running on EC2 instances
IAM Best Practice – Delegate using roles instead of sharing credentials

AWS STS & Temporary Credentials

AWS Security Token Service – STS helps create and provide trusted users with temporary security credentials that control access to AWS resources
STS is a global service with a single endpoint https://sts.amazonaws.com
AWS STS API calls can be made either to a global endpoint or to one of the regional endpoints. Regional endpoint can help reduce latency and improve the performance of the API calls
Temporary Credentials are similar to long-term credentials except for
- are short-term and are regularly rotated.
- can be configured to last from a few minutes to several hours.
- do not have to be embedded or distributed.
- are not stored or attached to the User, but are generated dynamically and provided to the user as and when requested

AWS Service Roles

Some AWS services need to interact with other AWS services for e.g. EC2 interacting with S3, SQS, etc
Best practice is to assign these services with IAM roles instead of embedding or passing IAM user credentials directly into an instance, because distributing and rotating long-term credentials to multiple instances is challenging to manage and a potential security risk.
AWS automatically provides temporary security credentials for these services e.g. EC2 instance to use on behalf of its applications
Deleting a role or instance profile that is associated with a running EC2 instance will break any applications running on the instance

Complete Process Flow

Create an IAM role with services who would use it for e.g. EC2 as a trusted entity and define permission policies with the access the service needs
Associated a Role (actually an Instance profile) with the EC2 service when the instance is launched
Temporary security credentials are available on the instance and are automatically rotated before they expire so that a valid set is always available
Application can retrieve the temporary credentials either using the Instance metadata directly or through AWS SDK
Applications running on the EC2 instance can now use the permissions defined in the Role to access other AWS resources
Application, if caching the credentials, needs to make sure it uses the correct credentials before they expire

Instance Profile

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
If a Role is created for EC2 instance or any other service that uses EC2 through AWS Management Console, AWS creates an Instance profile automatically with the same name as the Role. However, if the Role is created through CLI the instance profile needs to be created as well.
An instance profile can contain only one IAM role. However, a role can be included in multiple instance profiles.

Service-linked Roles

A service-linked role is a unique type of IAM role that is linked directly to an AWS service.
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

Cross-Account access Roles

IAM users can be granted permission to switch roles within the same AWS account or to roles defined in other AWS accounts that you own.
Roles can also be used to delegate permissions to IAM users from AWS accounts owned by Third parties
- You must explicitly grant the users permission to assume the role.
- Users must actively switch to the role using the AWS Management Console.
- Multi-factor authentication (MFA) protection can be enabled for the role so that only users who sign in with an MFA device can assume the role
However, only One set of permissions are applicable at a time. User who assumes a role temporarily gives up his or her own permissions and instead takes on the permissions of the role. When the user exits, or stops using the role, the original user permissions are restored.

Complete Process Flow

IAM Role - Cross Account Access

Trusting account creates an IAM Role with a
- Trust policy which defines the account (trusted account) as a principal who can access the resources and a
- Permissions policy to define what resources can the user in the trusted account access
Trusting account provides the Account ID and the Role name (or the ARN) to the trusted account
If the Trusting account is owned by Third Party it can optionally provide an External ID (recommended for additional security), required to uniquely identify the trusted account, which can be added to the trust policy as a condition
Trusted account creates an IAM user who has permission (Permission to call the AWS Security Token Service (AWS STS) AssumeRole API for the role) to assume the role/switch to the role.
IAM User in the Trusted account switches to the Role/assumes the role and passes the ARN of the role
Trusted account belonging to the Third party would also pass the External ID mapped to the Trusting account
AWS STS verifies the request for the role ARN, External ID if any and if it is from the trusted resource matching the roles’s trust policy and
AWS STS upon successful verification returns temporary credentials
Temporary credentials allow the user to access the resources of the Trusting account
When the user exits the role, the user’s permissions revert to the original permissions held before switching to the role

External ID and Confused Deputy Problem

External ID allows the user assuming the role to assert the circumstances in which they are operating.
External ID provides a way for the account owner to permit the role to be assumed only under specific circumstances and prevents an unauthorized customer from gaining access to your resources
Primary function of the external ID is to address and prevent the “confused deputy” problem.

Confused Deputy Problem

Example Corp’s AWS Account provides the services (access, analyze and process data and provide back reports) to multiple different AWS accounts.
Preferred mechanism is to have each AWS account customer define a Role that Example Corp’s AWS Account users can assume and act upon.
You provide Example Corp’s AWS Account access to your AWS account through Role and providing Role ARN.
Example Corp when working on your account assumes the IAM role and provides the ARN with the request.
As Example Corp is already trusted by your account it will receive the temporary security credentials and gain access to your resources.
If another AWS account is able to know or guess your ARN (Role with Account ID), it can provide the same to Example Corp.
Example Corp’s would use the ARN (belonging to your AWS account) to process the data but would provide the same data to the other AWS account.
This form of privilege escalation is known as the confused deputy problem

Address Confused Deputy Problem using External ID

Using External ID, Example Corp’s generates a unique External ID for each of its Customers which is known only to them and is kept secret.
Example Corp provides you with an External ID which needs to be added as a condition while defining the trust policy.
You provide Example Corp’s AWS Account access to your AWS account through Role and providing Role ARN.
Example Corp when working on your account uses the IAM role and provides the ARN along with the External ID and as it is already trusted would be able to gain access.
Other AWS accounts registered with Example Corp would have a Unique External ID assigned to them.
If the Other AWS account is able to know or guess your ARN (Role with Account ID), it can provide the same to Example Corp
Example Corp’s would request access to your Account using the ARN (belonging to your AWS account) but with the External ID belonging to Other AWS account as the request was made on its behalf.
As the External ID provided by Example Corp does not match the condition defined in the Role trust policy, the authentication would fail and hence denied access.

Identity Providers and Federation

Refer to My Blog Post about IAM Role – Identity Providers and Federation

AWS Certification Exam Practice Questions

A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
1. Enable Multi-Factor Authentication for your AWS root account.
2. Assign an IAM role to the Amazon EC2 instance.
3. Store the AWS Access Key ID/Secret Access Key combination in software comments.
4. Assign an IAM user to the Amazon EC2 Instance.
A company is preparing to give AWS Management Console access to developers. Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? (Select 2) Choose 2 answers
1. AWS Directory Service AD Connector
2. AWS Directory Service Simple AD
3. AWS Identity and Access Management groups
4. AWS identity and Access Management roles
5. AWS identity and Access Management users
A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose 2 answers
1. Use AWS Consolidated Billing and disable AWS root account access for the child accounts.
2. Enable IAM cross-account access for all corporate IT administrators in each child account. (Provides IT governance)
3. Create separate VPCs for each division within the corporate IT AWS account.
4. Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account. (Will provide cost oversight)
5. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’ bucket.
Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers)
1. Create an IAM Role that allows write access to the DynamoDB table
2. Add an IAM Role to a running EC2 instance. (With latest enhancement from AWS, IAM role can be assigned to a running EC2 instance)
3. Create an IAM User that allows write access to the DynamoDB table.
4. Add an IAM User to a running EC2 instance.
5. Launch an EC2 Instance with the IAM Role included in the launch configuration (This was the correct answer before, as AWS did not allow IAM role to be added to an existing instance)
You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you Keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal. [PROFESSIONAL]
1. Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
2. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
3. Create IAM users in the Master account Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access
4. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts
You have an application running on an EC2 Instance which will allow users to download flies from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely? [PROFESSIONAL]
1. Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
2. Create a IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
3. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
4. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.
An administrator is using Amazon CloudFormation to deploy a three tier web application that consists of a web tier and application tier that will utilize Amazon DynamoDB for storage when creating the CloudFormation template which of the following would allow the application instance access to the DynamoDB tables without exposing API credentials? [PROFESSIONAL]
1. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.
2. Use the Parameter section in the Cloud Formation template to nave the user input Access and Secret Keys from an already created IAM user that has me permissions required to read and write from the required DynamoDB table.
3. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance.
4. Create an identity and Access Management user in the CloudFormation template that has permissions to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and secret keys and pass them to the application instance through user-data.
An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise’s account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions? [PROFESSIONAL]
1. From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
2. Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application create a new access and secret key for the user and provide these credentials to the SaaS provider.
3. Create an IAM role for cross-account access allows the SaaS provider’s account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
4. Create an IAM role for EC2 instances, assign it a policy mat allows only the actions required tor the SaaS application to work, provide the role ARM to the SaaS provider to use when launching their application instances.
A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect with from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?
1. The user should attach an IAM role with DynamoDB access to the EC2 instance
2. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
3. The user should create an IAM role, which has EC2 access so that it will allow deploying the application
4. The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials
A customer is in the process of deploying multiple applications to AWS that are owned and operated by different development teams. Each development team maintains the authorization of its users independently from other teams. The customer’s information security team would like to be able to delegate user authorization to the individual development teams but independently apply restrictions to the users permissions based on factors such as the users device and location. For example, the information security team would like to grant read-only permissions to a user who is defined by the development team as read/write whenever the user is authenticating from outside the corporate network. What steps can the information security team take to implement this capability? [PROFESSIONAL]
1. Operate an authentication service that generates AWS STS tokens with IAM policies from application-defined IAM roles. (no user separation, will just help generate temporary tokens)
2. Add additional IAM policies to the application IAM roles that deny user privileges based on information security policy. (Different policy with deny rules based on location, device and more restrictive wins)
3. Configure IAM policies that restrict modification of the application IAM roles only to the information security team. (Authorization should still be in developers control)
4. Enable federation with the internal LDAP directory and grant the application teams permissions to modify users.
You are creating an Auto Scaling group whose Instances need to insert a custom metric into CloudWatch. Which method would be the best way to authenticate your CloudWatch PUT request?
1. Create an IAM role with the Put MetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
2. Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the users credentials into the instance User Data
3. Modify the appropriate Cloud Watch metric policies to allow the Put MetricData permission to instances from the Auto Scaling group
4. Create an IAM user with the PutMetricData permission and put the credentials in a private repository and have applications on the server pull the credentials as needed

References

AWS_IAM_Role

Amazon CloudWatch

December 31, 2022 ~ Last updated on : January 9, 2023 ~ jayendrapatil ~ 51 Comments

Amazon CloudWatch

CloudWatch monitors AWS resources and applications in real time.
CloudWatch can be used to collect and track metrics, which are the variables to be measured for resources and applications.
CloudWatch is basically a metrics repository where the metrics can be inserted and statistics retrieved based on those metrics.
In addition to monitoring the built-in metrics that come with AWS, custom metrics can also be monitored
CloudWatch provides system-wide visibility into resource utilization, application performance, and operational health.
By default, CloudWatch stores the log data indefinitely, and the retention can be changed for each log group at any time.
CloudWatch alarms can be configured
- to send notifications or
- to automatically make changes to the resources based on defined rules
CloudWatch dashboards are customizable home pages in the CloudWatch console used to monitor the resources in a single view, even those resources that are spread across different Regions.
CloudWatch Agent helps collect metrics and logs from EC2 instances and on-premises servers and push them to CloudWatch.

CloudWatch Architecture

CloudWatch collects various metrics from various resources
These metrics, as statistics, are available to the user through Console, CLI
CloudWatch allows the creation of alarms with defined rules
- to perform actions to auto-scaling or stop, start, or terminate instances
- to send notifications using SNS actions on your behalf

CloudWatch Concepts

Namespaces

CloudWatch namespaces are containers for metrics.
Metrics in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics.
AWS namespaces all follow the convention AWS/<service>, for e.g. AWS/EC2 and AWS/ELB
Namespace names must be fewer than 256 characters in length.
There is no default namespace. Each data element put into CloudWatch must specify a namespace.

Metrics

Metric is the fundamental concept in CloudWatch.
Uniquely defined by a name, a namespace, and one or more dimensions.
Represents a time-ordered set of data points published to CloudWatch.
Each data point has a time stamp, and (optionally) a unit of measure.
Data points can be either custom metrics or metrics from other
services in AWS.
Statistics can be retrieved about those data points as an ordered set of time-series data that occur within a specified time window.
When the statistics are requested, the returned data stream is identified by namespace, metric name, dimension, and (optionally) the unit.
Metrics exist only in the region in which they are created.
CloudWatch stores the metric data for two weeks
Metrics cannot be deleted, but they automatically expire after 15 months, if no new data is published to them.
Metric retention is as follows
- Data points with a period of less than 60 seconds are available for 3 hours. These data points are high-resolution custom metrics.
- Data points with a 60 secs (1 min) period are available for 15 days
- Data points with a 300 secs (5 min) period are available for 63 days
- Data points with a 3600 secs (1 hour) period are available for 455 days (15 months)

Dimensions

A dimension is a name/value pair that uniquely identifies a metric.
Every metric has specific characteristics that describe it, and you can think of dimensions as categories for those characteristics.
Dimensions help design a structure for the statistics plan.
Dimensions are part of the unique identifier for a metric, whenever a unique name pair is added to one of the metrics, a new metric is created.
Dimensions can be used to filter result sets that CloudWatch query returns.
A metric can be assigned up to ten dimensions to a metric.

Time Stamps

Each metric data point must be marked with a time stamp to identify the data point on a time series.
Timestamp can be up to two weeks in the past and up to two hours into the future.
If no timestamp is provided, a time stamp based on the time the data element was received is created.
All times reflect the UTC time zone when statistics are retrieved

Resolution

Each metric is one of the following:
- Standard resolution, with data having a one-minute granularity
- High resolution, with data at a granularity of one second

Units

Units represent the statistic’s unit of measure e.g. count, bytes, %, etc

Statistics

Statistics are metric data aggregations over specified periods of time
Aggregations are made using the namespace, metric name, dimensions, and the data point unit of measure, within the specified time period

Periods

Period is the length of time associated with a specific statistic.
Each statistic represents an aggregation of the metrics data collected for a specified period of time.
Although periods are expressed in seconds, the minimum granularity for a period is one minute.

Aggregation

CloudWatch aggregates statistics according to the period length specified in calls to GetMetricStatistics.
Multiple data points can be published with the same or similar time stamps. CloudWatch aggregates them by period length when the statistics about those data points are requested.
Aggregated statistics are only available when using detailed monitoring.
Instances that use basic monitoring are not included in the aggregates
CloudWatch does not aggregate data across regions.

Alarms

Alarms can automatically initiate actions on behalf of the user, based on specified parameters.
Alarm watches a single metric over a specified time period, and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods.
Alarms invoke actions for sustained state changes only i.e. the state must have changed and been maintained for a specified number of periods.
Action can be a
- SNS notification
- Auto Scaling policies
- EC2 action – stop or terminate EC2 instances
After an alarm invokes an action due to a change in state, its subsequent behavior depends on the type of action associated with the alarm.
- For Auto Scaling policy notifications, the alarm continues to invoke the action for every period that the alarm remains in the new state.
- For SNS notifications, no additional actions are invoked.
An alarm has three possible states:
- OK—The metric is within the defined threshold
- ALARM—The metric is outside of the defined threshold
- INSUFFICIENT_DATA—Alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state
Alarms exist only in the region in which they are created.
Alarm actions must reside in the same region as the alarm
Alarm history is available for the last 14 days.
Alarm can be tested by setting it to any state using the SetAlarmState API (mon-set-alarm-state command). This temporary state change lasts only until the next alarm comparison occurs.
Alarms can be disabled and enabled using the DisableAlarmActions and EnableAlarmActions APIs (mon-disable-alarm-actions and mon-enable-alarm-actions commands).

Regions

CloudWatch does not aggregate data across regions. Therefore, metrics are completely separate between regions.

Custom Metrics

CloudWatch allows publishing custom metrics with put-metric-data CLI command (or its Query API equivalent PutMetricData)
CloudWatch creates a new metric if put-metric-data is called with a new metric name, else it associates the data with the specified existing metric
put-metric-data command can only publish one data point per call
CloudWatch stores data about a metric as a series of data points and each data point has an associated time stamp
Creating a new metric using the put-metric-data command, can take up to two minutes before statistics can be retrieved on the new metric using the get-metric-statistics command and can take up to fifteen minutes before the new metric appears in the list of metrics retrieved using the list-metrics command.
CloudWatch allows publishing
- Single data point
  - Data points can be published with time stamps as granular as one-thousandth of a second, CloudWatch aggregates the data to a minimum granularity of one minute
  - CloudWatch records the average (sum of all items divided by number of items) of the values received for every 1-minute period, as well as number of samples, maximum value, and minimum value for the same time period
  - CloudWatch uses one-minute boundaries when aggregating data points
- Aggregated set of data points called a statistics set
  - Data can also be aggregated before being published to CloudWatch
  - Aggregating data minimizes the number of calls reducing it to a single call per minute with the statistic set of data
  - Statistics include Sum, Average, Minimum, Maximum, SampleCount
If the application produces data that is more sporadic and have periods that have no associated data, either a the value zero (0) or no value at all can be published
However, it can be helpful to publish zero instead of no value
- to monitor the health of your application for e.g. alarm can be configured to notify if no metrics published every 5 minutes
- to track the total number of data points
- to have statistics such as minimum and average to include data points with the value 0.

CloudWatch Dashboards

CloudWatch dashboards are customizable home pages in the CloudWatch console used to monitor the resources in a single view, even those resources that are spread across different Regions.
Dashboards can be used to create customized views of the metrics and alarms for the AWS resources.
Dashboards can help to create
- A single view for selected metrics and alarms to help assess the health of the resources and applications across one or more Regions.
- An operational playbook that provides guidance for team members during operational events about how to respond to specific incidents.
- A common view of critical resource and application measurements that can be shared by team members for faster communication flow during operational events.
CloudWatch cross-account observability helps monitor and troubleshoot applications that span multiple accounts within a Region.
Cross-account observability includes monitoring and source accounts
- A monitoring account is a central AWS account that can view and interact with observability data generated from source accounts.
- A source account is an individual AWS account that generates observability data for the resources that reside in it.
- Source accounts share their observability data with the monitoring account which can include the following types of telemetry:
  - Metrics in CloudWatch
  - Log groups in CloudWatch Logs
  - Traces in AWS X-Ray

CloudWatch Agent

CloudWatch Agent helps collect metrics and logs from EC2 instances and on-premises servers and push them to CloudWatch.
Logs collected by the unified agent are processed and stored in CloudWatch Logs.

CloudWatch Logs

Refer blog post @ CloudWatch Logs

CloudWatch Supported Services

Refer blog post @ CloudWatch Supported Services

Accessing CloudWatch

CloudWatch can be accessed using
- AWS CloudWatch console
- CloudWatch CLI
- AWS CLI
- CloudWatch API
- AWS SDKs

AWS Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.

A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this? Choose 2 answers
1. Amazon Simple Email Service (Cannot be integrated with CloudWatch directly)
2. Amazon CloudWatch
3. Amazon Simple Queue Service
4. Amazon Route 53
5. Amazon Simple Notification Service
A customer needs to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements?
1. Enable AWS CloudTrail for the load balancer.
2. Enable access logs on the load balancer. (Refer link)
3. Install the Amazon CloudWatch Logs agent on the load balancer.
4. Enable Amazon CloudWatch metrics on the load balancer (does not provide Client connection information)
A user is running a batch process on EBS backed EC2 instances. The batch process starts a few instances to process Hadoop Map reduce jobs, which can run between 50 – 600 minutes or sometimes for more time. The user wants to configure that the instance gets terminated only when the process is completed. How can the user configure this with CloudWatch?
1. Setup the CloudWatch action to terminate the instance when the CPU utilization is less than 5%
2. Setup the CloudWatch with Auto Scaling to terminate all the instances
3. Setup a job which terminates all instances after 600 minutes
4. It is not possible to terminate instances automatically
A user has two EC2 instances running in two separate regions. The user is running an internal memory management tool, which captures the data and sends it to CloudWatch in US East, using a CLI with the same namespace and metric. Which of the below mentioned options is true with respect to the above statement?
1. The setup will not work as CloudWatch cannot receive data across regions
2. CloudWatch will receive and aggregate the data based on the namespace and metric
3. CloudWatch will give an error since the data will conflict due to two sources
4. CloudWatch will take the data of the server, which sends the data first
A user is sending the data to CloudWatch using the CloudWatch API. The user is sending data 90 minutes in the future. What will CloudWatch do in this case?
1. CloudWatch will accept the data
2. It is not possible to send data of the future
3. It is not possible to send the data manually to CloudWatch
4. The user cannot send data for more than 60 minutes in the future
A user is having data generated randomly based on a certain event. The user wants to upload that data to CloudWatch. It may happen that event may not have data generated for some period due to randomness. Which of the below mentioned options is a recommended option for this case?
1. For the period when there is no data, the user should not send the data at all
2. For the period when there is no data the user should send a blank value
3. For the period when there is no data the user should send the value as 0 (Refer User Guide)
4. The user must upload the data to CloudWatch as having no data for some period will cause an error at CloudWatch monitoring
A user has a weighing plant. The user measures the weight of some goods every 5 minutes and sends data to AWS CloudWatch for monitoring and tracking. Which of the below mentioned parameters is mandatory for the user to include in the request list?
1. Value
2. Namespace (refer put-metric request)
3. Metric Name
4. Timezone
A user has a refrigerator plant. The user is measuring the temperature of the plant every 15 minutes. If the user wants to send the data to CloudWatch to view the data visually, which of the below mentioned statements is true with respect to the information given above?
1. The user needs to use AWS CLI or API to upload the data
2. The user can use the AWS Import Export facility to import data to CloudWatch
3. The user will upload data from the AWS console
4. The user cannot upload data to CloudWatch since it is not an AWS service metric
A user has launched an EC2 instance. The user is planning to setup the CloudWatch alarm. Which of the below mentioned actions is not supported by the CloudWatch alarm?
1. Notify the Auto Scaling launch config to scale up
2. Send an SMS using SNS
3. Notify the Auto Scaling group to scale down
4. Stop the EC2 instance
A user has a refrigerator plant. The user is measuring the temperature of the plant every 15 minutes. If the user wants to send the data to CloudWatch to view the data visually, which of the below mentioned statements is true with respect to the information given above?
1. The user needs to use AWS CLI or API to upload the data
2. The user can use the AWS Import Export facility to import data to CloudWatch
3. The user will upload data from the AWS console
4. The user cannot upload data to CloudWatch since it is not an AWS service metric
A user is trying to aggregate all the CloudWatch metric data of the last 1 week. Which of the below mentioned statistics is not available for the user as a part of data aggregation?
1. Aggregate
2. Sum
3. Sample data
4. Average
A user has setup a CloudWatch alarm on an EC2 action when the CPU utilization is above 75%. The alarm sends a notification to SNS on the alarm state. If the user wants to simulate the alarm action how can he achieve this?
1. Run activities on the CPU such that its utilization reaches above 75%
2. From the AWS console change the state to ‘Alarm’
3. The user can set the alarm state to ‘Alarm’ using CLI
4. Run the SNS action manually
A user is publishing custom metrics to CloudWatch. Which of the below mentioned statements will help the user understand the functionality better?
1. The user can use the CloudWatch Import tool
2. The user should be able to see the data in the console after around 15 minutes
3. If the user is uploading the custom data, the user must supply the namespace, timezone, and metric name as part of the command
4. The user can view as well as upload data using the console, CLI and APIs
An application that you are managing has EC2 instances and DynamoDB tables deployed to several AWS Regions. In order to monitor the performance of the application globally, you would like to see two graphs 1) Avg CPU Utilization across all EC2 instances and 2) Number of Throttled Requests for all DynamoDB tables. How can you accomplish this? [PROFESSIONAL]
1. Tag your resources with the application name, and select the tag name as the dimension in the CloudWatch Management console to view the respective graphs (CloudWatch metrics are regional)
2. Use the CloudWatch CLI tools to pull the respective metrics from each regional endpoint. Aggregate the data offline & store it for graphing in CloudWatch.
3. Add SNMP traps to each instance and DynamoDB table. Leverage a central monitoring server to capture data from each instance and table. Put the aggregate data into CloudWatch for graphing (Can’t add SNMP traps to DynamoDB as it is a managed service)
4. Add a CloudWatch agent to each instance and attach one to each DynamoDB table. When configuring the agent set the appropriate application name & view the graphs in CloudWatch. (Can’t add agents to DynamoDB as it is a managed service)
You have set up Individual AWS accounts for each project. You have been asked to make sure your AWS Infrastructure costs do not exceed the budget set per project for each month. Which of the following approaches can help ensure that you do not exceed the budget each month? [PROFESSIONAL]
1. Consolidate your accounts so you have a single bill for all accounts and projects (Consolidation will not help limit per account)
2. Set up auto scaling with CloudWatch alarms using SNS to notify you when you are running too many Instances in a given account (many instances do not directly map to cost and would not give exact cost)
3. Set up CloudWatch billing alerts for all AWS resources used by each project, with a notification occurring when the amount for each resource tagged to a particular project matches the budget allocated to the project. (as each project already has a account, no need for resource tagging)
4. Set up CloudWatch billing alerts for all AWS resources used by each account, with email notifications when it hits 50%. 80% and 90% of its budgeted monthly spend
You meet once per month with your operations team to review the past month’s data. During the meeting, you realize that 3 weeks ago, your monitoring system which pings over HTTP from outside AWS recorded a large spike in latency on your 3-tier web service API. You use DynamoDB for the database layer, ELB, EBS, and EC2 for the business logic tier, and SQS, ELB, and EC2 for the presentation layer. Which of the following techniques will NOT help you figure out what happened?
1. Check your CloudTrail log history around the spike’s time for any API calls that caused slowness.
2. Review CloudWatch Metrics graphs to determine which component(s) slowed the system down. (Metrics data was available for 2 weeks before, however it has been extended now)
3. Review your ELB access logs in S3 to see if any ELBs in your system saw the latency.
4. Analyze your logs to detect bursts in traffic at that time.
You have a high security requirement for your AWS accounts. What is the most rapid and sophisticated setup you can use to react to AWS API calls to your account?
1. Subscription to AWS Config via an SNS Topic. Use a Lambda Function to perform in-flight analysis and reactivity to changes as they occur.
2. Global AWS CloudTrail setup delivering to S3 with an SNS subscription to the deliver notifications, pushing into a Lambda, which inserts records into an ELK stack for analysis.
3. Use a CloudWatch Rule ScheduleExpression to periodically analyze IAM credential logs. Push the deltas for events into an ELK stack and perform ad-hoc analysis there.
4. CloudWatch Events Rules, which trigger based on all AWS API calls, submitting all events to an AWS Kinesis Stream for arbitrary downstream analysis. (CloudWatch Events allow subscription to AWS API calls, and direction of these events into Kinesis Streams. This allows a unified, near real-time stream for all API calls, which can be analyzed with any tool(s). Refer link)
To monitor API calls against our AWS account by different users and entities, we can use ____ to create a history of calls in bulk for later review, and use ____ for reacting to AWS API calls in real-time.
1. AWS Config; AWS Inspector
2. AWS CloudTrail; AWS Config
3. AWS CloudTrail; CloudWatch Events (CloudTrail is a batch API call collection service, CloudWatch Events enables real-time monitoring of calls through the Rules object interface. Refer link)
4. AWS Config; AWS Lambda
You are hired as the new head of operations for a SaaS company. Your CTO has asked you to make debugging any part of your entire operation simpler and as fast as possible. She complains that she has no idea what is going on in the complex, service-oriented architecture, because the developers just log to disk, and it’s very hard to find errors in logs on so many services. How can you best meet this requirement and satisfy your CTO? [PROFESSIONAL]
1. Copy all log files into AWS S3 using a cron job on each instance. Use an S3 Notification Configuration on the <code>PutBucket</code> event and publish events to AWS Lambda. Use the Lambda to analyze logs as soon as they come in and flag issues. (is not fast in search and introduces delay)
2. Begin using CloudWatch Logs on every service. Stream all Log Groups into S3 objects. Use AWS EMR cluster jobs to perform adhoc MapReduce analysis and write new queries when needed. (is not fast in search and introduces delay)
3. Copy all log files into AWS S3 using a cron job on each instance. Use an S3 Notification Configuration on the <code>PutBucket</code> event and publish events to AWS Kinesis. Use Apache Spark on AWS EMR to perform at-scale stream processing queries on the log chunks and flag issues. (is not fast in search and introduces delay)
4. Begin using CloudWatch Logs on every service. Stream all Log Groups into an AWS Elasticsearch Service Domain running Kibana 4 and perform log analysis on a search cluster. (ELK – Elasticsearch, Kibana stack is designed specifically for real-time, ad-hoc log analysis and aggregation)
Your EC2-Based Multi-tier application includes a monitoring instance that periodically makes application -level read only requests of various application components and if any of those fail more than three times 30 seconds calls CloudWatch to fire an alarm, and the alarm notifies your operations team by email and SMS of a possible application health problem. However, you also need to watch the watcher -the monitoring instance itself – and be notified if it becomes unhealthy. Which of the following is a simple way to achieve that goal? [PROFESSIONAL]
1. Run another monitoring instance that pings the monitoring instance and fires a could watch alarm mat notifies your operations team should the primary monitoring instance become unhealthy.
2. Set a CloudWatch alarm based on EC2 system and instance status checks and have the alarm notify your operations team of any detected problem with the monitoring instance.
3. Set a CloudWatch alarm based on the CPU utilization of the monitoring instance and nave the alarm notify your operations team if C r the CPU usage exceeds 50% few more than one minute: then have your monitoring application go into a CPU-bound loop should it Detect any application problems.
4. Have the monitoring instances post messages to an SOS queue and then dequeue those messages on another instance should the queue cease to have new messages, the second instance should first terminate the original monitoring instance start another backup monitoring instance and assume (the role of the previous monitoring instance and beginning adding messages to the SQS queue.

AWS IAM – Identity Access Management

December 31, 2022 ~ Last updated on : January 2, 2023 ~ jayendrapatil ~ 36 Comments

AWS IAM – Identity Access Management

AWS IAM – Identity and Access Management is a web service that helps you securely control access to AWS resources for your users.
IAM is used to control
- Identity – who can use your AWS resources (authentication)
- Access – what resources they can use and in what ways (authorization)
IAM can also keep the account credentials private.
With IAM, multiple users can be created under the umbrella of the AWS account or temporary access can be enabled through identity federation with the corporate directory or third-party providers.
IAM also enables access to resources across AWS accounts.

IAM Features

Shared access to your AWS account
- Grant other people permission to administer and use resources in your AWS account without having to share your password or access key.
Granular permissions
- Each user can be granted a different set of granular permissions as required to perform their job
Secure access to AWS resources for applications that run on EC2
- can help provide applications running on EC2 instance temporary credentials that they need in order to access other AWS resources
Identity federation
- allows users to access AWS resources, without requiring the user to have accounts with AWS, by providing temporary credentials for e.g. through corporate network or Google or Amazon authentication
Identity information for assurance
- CloudTrail can be used to receive log records that include information about those who made requests for resources in the account.
PCI DSS Compliance
- supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being Payment Card Industry Data Security Standard (PCI DSS) compliant
Integrated with many AWS services
- integrates with almost all the AWS services
Eventually Consistent
- is eventually consistent and achieves high availability by replicating data across multiple servers within Amazon’s data centers around the world.
- Changes made to IAM would be eventually consistent and hence would take some time to reflect
Free to use
- is offered at no additional charge and charges are applied only for use of other AWS products by your IAM users.
AWS Security Token Service
- provides STS which is an included feature of the AWS account offered at no additional charge.
- AWS charges only for the use of other AWS services accessed by the AWS STS temporary security credentials.

Identities

IAM identities determine who can access and help to provide authentication for people and processes in your AWS account

IAM Identities

Account Root User

Root Account Credentials are the email address and password with which you sign in to the AWS account.
Root Credentials has full unrestricted access to AWS account including the account security credentials which include sensitive information
IAM Best Practice – Do not use or share the Root account once the AWS account is created, instead create a separate user with admin privilege
An Administrator account can be created for all the activities which also have full access to the AWS account except for the accounts security credentials, billing information, and ability to change the password.

IAM Users

IAM user represents the person or service who uses the access to interact with AWS.
IAM Best Practice – Create Individual Users, do not share credentials.
User credentials can consist of the following
- Password to access AWS services through AWS Management Console
- Access Key/Secret Access Key to access AWS services through API, CLI, or SDK
A user starts with no permissions and is not authorized to perform any AWS actions on any AWS resources and should be granted permissions as per the job function requirement
IAM Best Practice – Grant Least Privilege
Each user is associated with one and only one AWS account.
A user cannot be renamed from the AWS management console and has to be done from CLI or SDK tools.
IAM handles the renaming of user w.r.t unique id, groups, and policies where the user was mentioned as a principal. However, you need to handle the renaming in the policies where the user was mentioned as a resource

IAM Groups

IAM group is a collection of IAM users
Groups can be used to specify permissions for a collection of users sharing the same job function making it easier to manage
IAM Best Practice – Use groups to assign permissions to IAM Users
A group is not truly an identity because it cannot be identified as a Principal in an access policy. It is only a way to attach policies to multiple users at one time
A group can have multiple users, while a user can belong to multiple groups (10 max)
Groups cannot be nested and can only have users within it
AWS does not provide any default group to hold all users in it and if one is required it should be created with all users assigned to it.
IAM handles the renaming of a group name or path w.r.t to policies attached to the group, unique ids, and users within the group. However, IAM does not update the policies where the group is mentioned as a resource and must be handled manually
Deletion of the groups requires you to detach users and managed policies and delete any inline policies before deleting the group. With the AWS management console, the deletion and detachment are taken care of.

IAM Roles

IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS.
IAM role is not intended to be uniquely associated with a particular user, group, or service and is intended to be assumable by anyone who needs it.
Role does not have any static credentials (password or access keys) associated with it and whoever assumes the role is provided with dynamic temporary credentials.
Role helps in access delegation to grant permissions to someone that allows access to resources that you control.
Roles can help to prevent accidental access to or modification of sensitive resources.
Modification of a Role can be done anytime and the changes are reflected across all the entities associated with the Role immediately.
IAM Role plays a very important role in the following scenarios
- Services like EC2 instances running an application that needs to access other AWS services.
- Cross-Account access – Allowing users from different AWS accounts to have access to AWS resources in a different account, instead of having to create users.
- Identity Providers & Federation
  - Company uses a Corporate Authentication mechanism and doesn’t want the User to authenticate twice or create duplicate users in AWS
  - Applications allowing login through external authentication mechanisms e.g. Amazon, Facebook, Google, etc
Role can be assumed by
- IAM user within the same AWS account
- IAM user from a different AWS account
- AWS services such as EC2, EMR to interact with other services
- An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect (OIDC), or a custom-built identity broker.
Role involves defining two policies
- Trust policy
  - Trust policy defines – who can assume the role
  - Trust policy involves setting up a trust between the account that owns the resource (trusting account) and the account that owns the user that needs access to the resources (trusted account).
- Permissions policy
  - Permissions policy defines – what they can access
  - Permissions policy determines authorization, which grants the user of the role with the needed permissions to carry out the desired tasks on the resource
Federation is creating a trust relationship between an external Identity Provider (IdP) and AWS.
- Users can also sign in to an enterprise identity system that is compatible with SAML
- Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with OpenID connect (OIDC).
- When using OIDC and SAML 2.0 to configure a trust relationship between these external identity providers and AWS, the user is assigned to an IAM role and receives temporary credentials that enable the user to access AWS resources.
IAM Best Practice – Use roles for applications running on EC2 instances
IAM Best Practice – Delegate using roles instead of sharing credentials

Multi-Factor Authentication – MFA

For increased security and to help protect the AWS resources, Multi-Factor authentication can be configured
IAM Best Practice – Enable MFA on Root accounts and privilege users
Multi-Factor Authentication can be configured using
- Security token-based
  - AWS Root user or IAM user can be assigned a hardware/virtual MFA device
  - Device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm which needs to be provided during authentication
- SMS text message-based (Preview Mode)
  - IAM user can be configured with the phone number of the user’s SMS-compatible mobile device which would receive a 6 digit code from AWS
  - SMS-based MFA is available only for IAM users and does not work for AWS root account
MFA needs to be enabled on the Root user and IAM user separately as they are distinct entities.
Enabling MFA on Root does not enable it for all other users
MFA devices can be associated with only one AWS account or IAM user and vice versa.
If the MFA device stops working or is lost, you won’t be able to login into the AWS console and would need to reach out to AWS support to deactivate MFA.
MFA protection can be enabled for service API’s calls using "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}} and is available only if the service supports temporary security credentials.

IAM Access Management

Refer Blog Post @ IAM Policy and Permissions

IAM Credential Report

IAM allows you to generate and download a credential report that lists all users in the account and the status of their various credentials, including passwords, access keys, and MFA devices.
Credential report can be used to assist in auditing and compliance efforts
Credential report can be used to audit the effects of credential lifecycle requirements, such as password and access key rotation.
IAM Best Practice – Perform Audits and Remove all unused users and credentials
Credential report is generated as often as once every four hours. If the existing report was generated in less than four hours, the same is available for download. If more than four hours, IAM generates and downloads a new report.

IAM Access Analyzer

IAM Access Analyzer helps
- identify resources in the organization and accounts that are shared with an external entity.
- validate IAM policies against policy grammar and best practices.
- generate IAM policies based on access activity in your CloudTrail logs.

AWS Certification Exam Practice Questions

Which service enables AWS customers to manage users and permissions in AWS?
1. AWS Access Control Service (ACS)
2. AWS Identity and Access Management (IAM)
3. AWS Identity Manager (AIM)
IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information
1. Read Only Access
2. Power User Access
3. AWS Cloud Formation Read Only Access
4. Administrator Access
Every user you create in the IAM system starts with _________.
1. Partial permissions
2. Full permissions
3. No permissions
Groups can’t _____.
1. be nested more than 3 levels
2. be nested at all
3. be nested more than 4 levels
4. be nested more than 2 levels
The _____ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console.
1. Amazon RDS
2. AWS Integrity Management
3. AWS Identity and Access Management
4. Amazon EMR
An AWS customer is deploying an application that is composed of an AutoScaling group of EC2 Instances. The customers security policy requires that every outbound connection from these instances to any other service within the customers Virtual Private Cloud must be authenticated using a unique x.509 certificate that contains the specific instanceid. In addition an x.509 certificates must be designed by the customer’s Key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?
1. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
2. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signature request with the instance’s assigned instance-id to the Key management service for signature.
3. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
4. Configure the launched instances to generate a new certificate upon first boot. Have the Key management service poll the AutoScaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.
When assessing an organization AWS use of AWS API access credentials which of the following three credentials should be evaluated? Choose 3 answers
1. Key pairs
2. Console passwords
3. Access keys
4. Signing certificates
5. Security Group memberships (required for EC2 instance access)
An organization has created 50 IAM users. The organization wants that each user can change their password but cannot change their access keys. How can the organization achieve this?
1. The organization has to create a special password policy and attach it to each user
2. The root account owner has to use CLI which forces each IAM user to change their password on first login
3. By default each IAM user can modify their passwords
4. Root account owner can set the policy from the IAM console under the password policy screen
An organization has created 50 IAM users. The organization has introduced a new policy which will change the access of an IAM user. How can the organization implement this effectively so that there is no need to apply the policy at the individual user level?
1. Use the IAM groups and add users as per their role to different groups and apply policy to group
2. The user can create a policy and apply it to multiple users in a single go with the AWS CLI
3. Add each user to the IAM role as per their organization role to achieve effective policy setup
4. Use the IAM role and implement access at the role level
Your organization’s security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password. Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers
1. Configure multi-factor authentication for privileged IAM users
2. Create IAM users for privileged accounts (can set password policy)
3. Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
4. Enable the IAM single-use password policy option for privileged users (no such option the password expiration can be set from 1 to 1095 days)
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
1. Create individual IAM users for everyone in your organization
2. Configure MFA on the root account and for privileged IAM users
3. Assign IAM users and groups configured with policies granting least privilege access
4. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate
A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?
1. Create a new IAM role and associated policies within the new region
2. Assign the existing IAM role to the Amazon EC2 instances in the new region
3. Copy the IAM role and associated policies to the new region and attach it to the instances
4. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature
After creating a new IAM user which of the following must be done before they can successfully make API calls?
1. Add a password to the user.
2. Enable Multi-Factor Authentication for the user.
3. Assign a Password Policy to the user.
4. Create a set of Access Keys for the user
An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below mentioned statements is not true with respect to the limitations of IAM?
1. One IAM user can be a part of a maximum of 5 groups (Refer link)
2. Organization can create 100 groups per AWS account
3. One AWS account can have a maximum of 5000 IAM users
4. One AWS account can have 250 roles
Within the IAM service a GROUP is regarded as a:
1. A collection of AWS accounts
2. It’s the group of EC2 machines that gain the permissions specified in the GROUP.
3. There’s no GROUP in IAM, but only USERS and RESOURCES.
4. A collection of users.
Is there a limit to the number of groups you can have?
1. Yes for all users except root
2. No
3. Yes unless special permission granted
4. Yes for all users
What is the default maximum number of MFA devices in use per AWS account (at the root account level)?
1. 1
2. 5
3. 15
4. 10
When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user.
1. FALSE
2. This is configurable
3. TRUE
You are setting up a blog on AWS. In which of the following scenarios will you need AWS credentials? (Choose 3)
1. Sign in to the AWS management console to launch an Amazon EC2 instance
2. Sign in to the running instance to instance some software (needs ssh keys)
3. Launch an Amazon RDS instance
4. Log into your blog’s content management system to write a blog post (need to authenticate using blog authentication)
5. Post pictures to your blog on Amazon S3
An organization has 500 employees. The organization wants to set up AWS access for each department. Which of the below mentioned options is a possible solution?
1. Create IAM roles based on the permission and assign users to each role
2. Create IAM users and provide individual permission to each
3. Create IAM groups based on the permission and assign IAM users to the groups
4. It is not possible to manage more than 100 IAM users with AWS
An organization has hosted an application on the EC2 instances. There will be multiple users connecting to the instance for setup and configuration of application. The organization is planning to implement certain security best practices. Which of the below mentioned pointers will not help the organization achieve better security arrangement?
1. Apply the latest patch of OS and always keep it updated.
2. Allow only IAM users to connect with the EC2 instances with their own secret access key. (Refer link)
3. Disable the password-based login for all the users. All the users should use their own keys to connect with the instance securely.
4. Create a procedure to revoke the access rights of the individual user when they are not required to connect to EC2 instance anymore for the purpose of application configuration.