Virtual AWSome Day Training Sept 2017

1© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Technical Essentials
Welcome to AWSome day

Introductions and Logistics
Ø The purpose of the webinar
Ø About the presenter
Ø Navigating the webinar system
Ø How we will handle the questions
Ø The schedule

Agenda
MODULE ONE (60 minutes):
Ø AWS and Cloud Computing
Ø Foundational Services
Ø Platform Servicers
Break
MODULE TWO (60 minutes):
Ø Virtual Private Cloud (VPC)
Ø Elastic Compute (EC2)
Ø AWS Console Demo
Break
MODULE THREE (60 minutes):
Ø Relational Database Service (RDS) and DynamoDB
Ø Simple Storage Service (S3)
Ø Identity And Access Management (IAM)
Ø Closing remarks on the future of cloud computing (Lambda)

Navigating the webinar

Introduction to
Amazon Web Services (AWS)
and Cloud Computing

Amazon History
1994: Jeff Bezos
Incorporated the
Company
1995:
Amazon.com
Launched
Online
Bookstore
2005:
Amazon
Publishing
Launched
2006:
Amazon
Web
Services
(AWS)
Launched
2007:
Kindle
Launched
2011:
Amazon
Fresh
Launched
2012: Amazon
Game Studios
Launched
2013:
Amazon
Art
Launched
2014:
Amazon
Prime
Now
Launched
2015:
Amazon
Home
Services &
Amazon
Echo
Launched

What is cloud computing?
Cloud computing is on-demand delivery of IT resources and
applications via the Internet with pay-as-you-go pricing.

Measured Service
Pay for services as you go.
Electrical services
analogy

Amazon Web Services (AWS)
ComputeMessaging
Mobile
App Services
Database
Networking
Development and
Management Tools
Payments
VPC
On-Demand Workforce
Analytics Content Delivery
Storage
Enable businesses and developers to
use web services to build scalable,
sophisticated applications.

AWS Core Infrastructure and Services
AWS Technical Essentials 3.8 ILT
Security
Network
Security
Network
Security Groups NACLs Access Mgmt
VPCVPC
EC2 “Classic”
“Public
”
ELB
On-Demand
Provision
Traditional Infrastructure Amazon Web Services
Servers
AMI Amazon EC2 InstancesOn-Premises Servers
Security
Security Groups NACLs AWS IAMFirewalls ACLs Administrators
Networking
VPCELBRouter Network Pipeline Switch
Storage
and
Database
RDBMSDAS SAN NAS Amazon
EBS
Amazon
EFS
Amazon
S3
Amazon
RDS

Six Advantages & Benefits of AWS Cloud Computing
Trade capital expense
for variable expense.
Benefit from massive
economies of scale.
Stop guessing
capacity.
Go global in minutes.
Increase speed and
agility.
Stop spending money on
running and maintaining
data centers.

AWS Direct
Connect
AWS Elastic Beanstalk
AWS GovCloud
Amazon CloudTrail
Amazon S3
Amazon WorkSpaces
Amazon Kinesis
Amazon
AppStream
Amazon SNS
AWS IAM
Amazon Route 53
Amazon SWF
Amazon Redshift
Amazon Dynamo DB
Amazon CloudSearch
AWS Data
Pipeline
Trusted Advisor
AWS KMS
Amazon Config
Amazon RDS
for Aurora
Amazon WorkDocs
AWS
Directory
Service
AWS CodeCommit
AWS CodePipeline
AWS Service Catalog
Amazon CloudWatch Logs
Amazon EFS
Amazon API
Gateway
Amazon Machine
Learning
AWS Device Farm
AWS Web App Firewall
Amazon Elasticsearch Service
Amazon QuickSight
AWS Import/Export Snowball
RDS for MariaDB
Amazon Inspector
AWS IoT
Amazon EC2 Container
Registry
Amazon
ElastiCache
AWS
CloudFormation
Amazon
Mobile
Analytics
AWS Mobile Hub
AWS Storage Gateway
AWS OpsWorks
AWS Elastic Transcoder
Amazon SES
Amazon EC2
Container Service
Amazon Cognito
AWS CodeDeploy
Glacier* As of 1 February 2016
Amazon WorkMail
AWS Lambda
1,950Services and Features

On-Demand Self Services & Broad Network Access
User provisions computing resources as needed.
User interacts with cloud service provider through an online
control panel.
Clear solutions are available through a variety of network-
connected devices and over varying platforms.
Internetclient mobile client

AWS Global Infrastructure
Region & Number
of Availability Zones
New Region (coming soon)

High Availability Using Multi-AZ Deployments
Availability
Zone - A
Availability
Zone - B
Availability
Zone - C
Region

AWS Global Infrastructure – Edge Locations
• 70* edge locations
• Local points of presence that support AWS services like:
Amazon Route 53
Amazon CloudFront
AWS WAF
AWS Shield
*as of March 2017

Regions
Geographic locations
Consists of at least two Availability Zones(AZs)
Availability Zones
Clusters of data centers
Isolated from failures in other Availability Zones

At least 2 AZs per region.
Examples:
Ø US East (N. Virginia)
• us-east-1a
• us-east-1b
• us-east-1c
• us-east-1d
• us-east-1e
Ø Asia Pacific (Tokyo)
• ap-northeast-1a
• ap-northeast-1b
• ap-northeast-1c
Note: Conceptual drawing only. The number of Availability Zones (AZ) may vary.
US East (VA)
AZ - A AZ - B
AZ - C AZ - D
AZ - E
Asia Pacific
(Tokyo)
AZ - A AZ - B
AZ - C

Knowledge Check
Q: What is the AWS term for physically distinct groups of data centers
within a region?
True or False: There are more regions than Edge locations.
True or False: AWS owns and maintains the infrastructure required
for application services and you provision and use them as needed.
Q: How do AZs in the same region differ?
Availability Zone (AZ).
False.
True.
Each Availability Zone is isolated, but the Availability Zones in a region are
connected through low-latency links.

AWS Foundation Services
Compute
Amazon EC2
Network
Amazon CloudFront
Amazon Route 53
Amazon VPC
AWS Direct Connect
Elastic Load Balancing
Storage
Amazon EFS
Amazon Glacier
Amazon S3
AWS Snowball
AWS Storage Gateway
Security & Identity
Amazon Inspector
AWS Artifact
AWS Certificate Manager
AWS CloudHSM
AWS Directory Service
IAM
AWS KMS
AWS Organizations
AWS Shield
AWS WAF
Applications
Amazon WorkDocs
Amazon WorkMail
Amazon AppStream
Amazon WorkSpaces
Amazon EC2
Container Registry
Amazon EC2
Container Service
Amazon Lightsail
Amazon VPC
AWS Batch
AWS Elastic
Beanstalk
AWS Lambda
Elastic Load
Balancing

AWS Platform Services
Databases
Amazon
DynamoDB
Analytics
Amazon
Athena
Application
Services
Amazon API
Gateway
Management
Tools
Amazon RDS
Amazon
ElastiCache
Amazon Redshift
Amazon
Redshift
Amazon
CloudSearch
Amazon EMR
Amazon ES
Amazon
Kinesis
Amazon
QuickSight
Amazon
AppStream 2.0
Amazon
Elastic
Transcoder
Amazon SWF
AWS Step
Functions
Amazon
CloudWatch
AWS
CloudFormation
AWS
CloudTrail
AWS
Config
AWS Managed
Services
AWS
OpsWorks
AWS
Service Catalog
AWS Trusted
Advisor
Developer
Tools
AWS
CodeBuild
AWS
CodeCommit
AWS
CodeDeploy
AWS
CodePipeline
AWS X-Ray
Mobile
Services
Amazon API
Gateway
Amazon
Cognito
Amazon
Mobile Analytics
Amazon
Pinpoint
AWS
Device Farm
AWS
Mobile Hub
Internet
of Things
AWS IoT
AWS
Greengrass

Your private network in AWS
VPC

EC2 Instance

172.31.0.128
172.31.0.129
172.31.1.24
172.31.1.27
54.4.5.6
54.2.3.4

Creating an Internet-connected VPC: steps
Choosing an
address range
Setting up subnets
in Availability Zones
Creating a route to
the Internet
Authorizing traffic
to/from the VPC

Choosing an IP address range

What is an Internet Protocol address?
An IP address is FOUR numbers (octets*)
separated by the period symbol.
192.168.90.0

Choosing an IP address range for your VPC
172.31.0.0/16
Recommended:
RFC1918 range

Subnets

VPC subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c

Route to the Internet

Routing in your VPC
• Route tables contain rules for which
packets go where
• Your VPC has a default route table
• … but you can assign different route
tables to different subnets

Traffic destined for my VPC
stays in my VPC

Internet Gateway
Send packets here if you want
them to reach the Internet

Everything that isn’t destined for the VPC:
Send to the Internet

Network security in VPC:
Network ACLs / Security Groups

Network ACLs: Stateless firewalls
English translation: Allow all traffic in
Can be applied on a subnet basis

“MyWebServers” Security Group
“MyBackends” Security Group
Allow only “MyWebServers”
Security Groups follow application structure

Security Groups example: web servers
In English: Hosts in this group are reachable
from the Internet on port 80 (HTTP)

Security Groups example: backends
In English: Only instances in the MyWebServers
Security Group can reach instances in this
Security Group

Security Groups in VPC: additional notes
• Follow the Principle of Least Privilege
• VPC allows creation of egress as well as ingress
Security Group rules
• Many application architectures lend themselves to a 1:1
relationship between Security Groups (who can reach
me) and IAM roles (what I can do).

Connectivity options for VPCs

Beyond Internet connectivity
Restricting Internet access
Connecting to your
corporate network
Connecting to other
VPCs

Restricting Internet access:
Routing by subnet

Routing by subnet
VPC subnet
VPC subnet
Has route to Internet
Has no route to Internet

Outbound-only Internet access: NAT Gateway
VPC subnet VPC subnet
0.0.0.0/0
0.0.0.0/0
Public IP: 54.161.0.39
NAT Gateway

Inter-VPC connectivity:
VPC peering

Example VPC peering use:
shared services VPC
Common/core services
ØAuthentication/directory
ØMonitoring
ØLogging
ØRemote administration
ØScanning

Security Groups across peered VPCs
VPC Peering
172.31.0.0/16 10.55.0.0/16
Orange Security Group Blue Security Group
ALLOW

Establish a VPC peering: initiate request
172.31.0.0/16 10.55.0.0/16
Step 1
Initiate peering request

Establish a VPC peering: accept request
172.31.0.0/16 10.55.0.0/16
Step 1
Step 2
Accept peering request

Establish a VPC peering: create route
172.31.0.0/16 10.55.0.0/16Step 1
Step 2
Accept peering request
Step 3
Create routes
In English: Traffic destined for the
peered VPC should go to the peering

Connecting to on-premises networks:
Virtual Private Network & Direct Connect

Extend an on-Premises network into your VPC
VPN
Direct Connect

AWS VPN basics
Customer
Gateway
Virtual
Gateway
Two IPSec tunnels
192.168.0.0/16 172.31.0.0/16
192.168/16
Your networking device

VPN and Amazon Direct Connect
• Both allow secure connections
between your network and your VPC
• VPN is a pair of IPSec tunnels over
the Internet
• DirectConnect is a dedicated line with
lower per-GB data transfer rates
• For highest availability: Use both

VPC and the rest of AWS

AWS services in your VPC

Example: Amazon RDS database in your VPC
Reachable via DNS Name: mydb-cluster-1
….us-west-2.rds.amazonaws.com

VPC Endpoints for S3

S3 and your VPC
S3 Bucket
Your applications
Your data

AWS VPC Endpoints for S3
S3 Bucket

AWS VPC Endpoints for S3
S3 Bucket
Route S3-bound
traffic to the VPCE

IAM Policy for VPC Endpoints
S3 Bucket
IAM Policy at VPC Endpoint:
Restrict actions of VPC in S3
IAM Policy at S3 Bucket:
Make accessible from
VPC Endpoint only

VPC Flow Logs:
VPC traffic metadata in Amazon
CloudWatch Logs

VPC Flow Logs
Visibility into effects of
Security Group rules
Troubleshooting
network connectivity
Ability to analyze
traffic

VPC Flow Logs: setup
VPC traffic metadata captured in
CloudWatch Logs

VPC Flow Logs data in CloudWatch Logs
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
REJECT
UDP Port 53 = DNS

VPC: your private network in AWS

Amazon Elastic Compute
Cloud (EC2)

Amazon Elastic Compute Cloud (EC2)
Resizable compute capacity
Complete control of your computing resources
Reduces the time required to obtain and boot
new server instances to minutesAmazon
EC2

Amazon EC2 Facts
Scale capacity as your computing requirements change
Pay only for capacity that you actually use
Choose Linux or Windows
Deploy across AWS Regions and Availability Zones for reliability

Launching an Amazon EC2 Instance via the Web
Console
1. Determine the AWS Region in which you want to launch the
Amazon EC2 instance.
2. Launch an Amazon EC2 instance from a pre-configured
Amazon Machine Image (AMI).
3. Choose an instance type based on CPU, memory, storage,
and network requirements.
4. Configure network, IP address, security groups, storage
volume, tags, and key pair.

AMI Details
An AMI includes the following:
A template for the root volume for the instance (for
example, an operating system, an application server,
and applications).
Launch permissions that control which AWS accounts
can use the AMI to launch instances.
A block device mapping that specifies the volumes to
attach to the instance when it's launched.

Instances and AMIs
Select an AMI based on:
Region
Operating system
Architecture (32-bit or 64-bit)
Launch permissions
Storage for the root device
AMI
Instances
Instance
Launch
instances of any
type
Host computer
Host computer

AWS Marketplace – IT Software Optimized for the
Cloud
AWS Marketplace:
Is an online store to discover,
purchase, and deploy IT software on top
of the AWS infrastructure.
Ø Catalog of 2300+ IT software solutions
• Including Paid, BYOL, Open Source, SaaS, &
free to try options
Ø Pre-configured to operate on AWS
• Software checked by AWS for security and
operability
Ø Deploys to AWS environment in minutes
Ø Flexible, usage-based billing models
Ø Software charges billed to AWS account
Includes AWS Test Drive.
https://aws.amazon.com/marketplace

Amazon EC2 Instances
OS, Applications,
& Configuration
AMI
Running or
Stopped VM
Instances
AZ
VPC
Region
EBS
S3
EBS
Snapshots
S3 Buckets
EBS EBS EBS EBS EBS
AZ
Instances Instances

Amazon EBS vs. Amazon EC2 Instance Store
Amazon EBS
Ø Data stored on an Amazon EBS volume can persist
independently of the life of the instance.
Ø Storage is persistent.
Amazon EC2 Instance Store
Ø Data stored on a local instance store persists only as long as the
instance is alive.
Ø Storage is ephemeral.

Choosing the Right Amazon EC2 Instance
EC2 instance types are optimized for different use cases and come
in multiple sizes. This allows you to optimally scale resources to
your workload requirements.
AWS uses Intel® Xeon® processors for EC2 instances, providing
customers with high performance and value.
Consider the following when choosing your instances: Core count,
memory size, storage size and type, network performance, and
CPU technologies.
Hurry Up and Go Idle - A larger compute instance can save you time
and money, therefore paying more per hour for a shorter amount of
time can be less expensive.

Get the Intel® Advantage
Intel’s latest 22nm Haswell microarchitecture on new C4 instances,
with custom Intel® Xeon® v3 processors, provides new features:
Haswell microarchitecture has better branch prediction; greater
efficiency at prefetching instructions and data; along with other
improvements that can boost existing applications’ performance
by 30% or more
P state and C state control provides the ability to individually tune
each cores performance and sleep states to improve application
performance
Intel® AVX2.0 instructions can double the floating-point performance
for compute-intensive workloads over Intel® AVX, and provide
additional instructions useful for compression and encryption

Intel® Processor Technologies
Intel® AVX – Get dramatically better performance for highly
parallel HPC workloads such as life science engineering, data
mining, financial analysis, or other technical computing
applications. AVX also enhances image, video, and audio
processing.
Intel® AES-NI – Enhance your security with these new
encryption instructions that reduce the performance penalty
associated with encrypting/decrypting data.
Intel® Turbo Boost Technology – Get more computing
power when you need it with performance that adapts to
spikes in your workload with Intel® Turbo Boost Technology
2.0

Burstable Balanced Compute Memory GPU I/O Storage
AWS Instance Type T2 M4 C4 R3 G2 I2 D2
Intel® processor
Intel® Xeon®
family
Intel® Xeon®
E5-2676 v3
Intel® Xeon®
E5-2666 v3
Intel® Xeon®
E5-2670 v2
Intel® Xeon®
E5-2670
Intel® Xeon®
E5-2670 v2
Intel® Xeon®
E5-2676 v3
Intel® process
technology
22nm Haswell 22nm Haswell 22nm Ivy Bridge 32nm Sandy Bridge 22nm Ivy Bridge 22nm Haswell
Intel® AVX
Intel® AVX2
Intel® Turbo Boost
Storage EBS only EBS only EBS only SSD SSD SSD HDD
EC2 Instances with Intel® Technologies

Current Generation Instances
Instance Family Some Use Cases
General purpose (t2, m4, m3) • Low-traffic websites and web applications
• Small databases and mid-size databases
Compute optimized (c4, c3) • High performance front-end fleets
• Video-encoding
Memory optimized (r3) • High performance databases
• Distributed memory caches
Storage optimized (i2, d2) • Data warehousing
• Log or data-processing applications
GPU instances (g2) • 3D application streaming
• Machine learning

Instance Metadata & User Data
Instance Metadata:
Is data about your instance.
Can be used to configure or manage a running
instance.
Instance User Data:
Can be passed to the instance at launch.
Can be used to perform common automated
configuration tasks.
Runs scripts after the instance starts.

Retrieving Instance Metadata
To view all categories of instance
metadata from within a running
instance, use the following URI:
http://169.254.169.254/latest/meta-
data/
On a Linux instance, you can use:
Ø $ curl http://169.254.169.254/latest/meta-data/
Ø $ GET http://169.254.169.254/latest/meta-data/
All metadata is returned as text
(content type text/plain).

Adding User Data
You can specify user data when launching an
instance.
User data can be:
Ø Linux script – executed by cloud-init
Ø Windows batch or PowerShell scripts – executed by
EC2Config service
User data scripts run once per instance-id by default.

User Data Example Linux
#!/bin/sh
yum -y install httpd
chkconfig httpd on
/etc/init.d/httpd
start
User data shell scripts must start with the #!
characters and the path to the interpreter you
want to read the script.
Install Apache web server
Enable the web server
Start the web server

User Data Example Windows
<powershell>
Import-Module ServerManager
Install-WindowsFeature web-server, web-webserver
Install-WindowsFeature web-mgmt-tools
</powershell>
Import the Server Manager module
for Windows PowerShell.
Install IIS
Install Web Management Tools

Retrieving User Data
To retrieve user data,
use the following URI:
http://169.254.169.254/
latest/user-data
On a Linux instance,
you can use:
Ø $ curl
http://169.254.169.254
/latest/user-data/
Ø $ GET
http://169.254.169.254
/latest/user-data/

Amazon EC2 Purchasing Options
On-Demand
Instances
Pay by the hour.
Reserved
Instances
Purchase at
significant
discount.
Instances are
always available.
1-year to 3-year
terms.
Scheduled
Instances
Purchase a 1-
year RI for a
recurring period
of time.
Spot Instances
Highest bidder
uses instance at a
significant
discount.
Spot blocks
supported.
Dedicated
Hosts
Physical host is
fully dedicated to
run your
instances. Bring
your per-socket,
per-core, or per-
VM software
licenses to reduce
cost.

Console demo

RDS and DynamoDB
Managed Databases

Data Storage Considerations
No one size fits all.
Analyze your data requirements by considering:
Ø Data formats
Ø Data size
Ø Query frequency
Ø Data access speed
Ø Data retention period

SQL and NoSQL Databases
SQL NoSQL
Data Storage Rows and Columns Key-Value
Schemas Fixed Dynamic
Querying Using SQL Focused on collection of
documents
Scalability Vertical Horizontal
ISBN Title Author Format
9182932465265 Cloud Computing
Concepts
Wilson,
Joe
Paperback
3142536475869 The Database
Guru
Gomez,
Maria
eBook
SQL NoSQL
{
ISBN: 9182932465265,
Title: “Cloud Computing Concepts”,
Author: “Wilson, Joe”,
Format: “Paperback”
}

Amazon Relational Database Service (RDS)
Cost-efficient and resizable capacity
Manages time-consuming database
administration tasks
Access to the full capabilities of Amazon
Aurora, MySQL, MariaDB, Microsoft SQL
Server, Oracle, and PostgreSQL databases
Amazon
RDS

Amazon RDS
Simple and fast to deploy
Manages common database administrative tasks
Compatible with your applications
Fast, predictable performance
Simple and fast to scale
Secure
Cost-effective

How Amazon RDS Backups Work
Automatic Backups:
Ø Restore your database to a
point in time.
Ø Are enabled by default.
Ø Let you choose a retention
period up to 35 days.
Manual Snapshots:
Ø Let you build a new
database instance from a
snapshot.
Ø Are initiated by the user.
Ø Persist until the user deletes
them.
Ø Are stored in Amazon S3.

Cross-Region Snapshots
Are a copy of a database
snapshot stored in a
different AWS Region.
Provide a backup for
disaster recovery.
Can be used as a base
for migration to a
different region.

Amazon RDS Security
Run your DB instance in an Amazon VPC.
Use IAM policies to grant access to Amazon RDS resources.
Use security groups.
Use Secure Socket Layer (SSL) connections with DB instances
(Amazon Aurora, Oracle, MySQL, MariaDB, PostgreSQL, Microsoft
SQL Server).
Use Amazon RDS encryption to secure your RDS instances and
snapshots at rest.
Use network encryption and transparent data encryption (TDE) with
Oracle DB and Microsoft SQL Server instances.
Use the security features of your DB engine to control access to
your DB instance.

A Simple Application Architecture
Amazon RDS database
instance
Amazon EC2
Application Servers
load balancer instance
DB snapshots in
Amazon S3

Multi-AZ RDS Deployment
With Multi-AZ operation, your database is
synchronously replicated to another AZ in the same
AWS Region.
Failover automatically occurs to the standby in case
of master database failure.
Planned maintenance is applied first to standby
databases.

A Resilient, Durable Application Architecture
Amazon RDS database
instances:
Master and Multi-AZ standby
Application, in Amazon
EC2 instances
load balancer instance
DB snapshots in
Amazon S3

Amazon DynamoDB
Store any amount of data with no limits
Fast, predictable performance using SSDs
Easily provision and change the request
capacity needed for each table
Fully managed, NoSQL database service
Amazon
DynamoDB

Provisioned Throughput
You specify how much provisioned throughput capacity
you need for reads and writes.
Amazon DynamoDB allocates the necessary machine
resources to meet your needs.
Read capacity unit:
Ø One strongly consistent read per second for items as large
as 4 KB.
Ø Two eventually consistent reads per second for items as
large as 4 KB.
Write capacity unit:
Ø One write per second for items as large as 1 KB.

DynamoDB Use Case
AdRoll, an online advertising platform, serves 50
billion impressions a day worldwide with its
global retargeting platforms.
We spend more on snacks
than we do on Amazon
DynamoDB.
Valentino Volonghi
CTO, Adroll
”
“
Adroll Uses AWS to grow by more than
15,000% in a year
Needed high-performance, flexible
platform to swiftly sync data for
worldwide audience
Processes 50 TB of data a day
Serves 50 billion impressions a day
Stores 1.5 PB of data
Worldwide deployment minimizes
latency

Simple Application Architecture
Elastic Load
Balancing Amazon EC2
app instances
Clients
Amazon
DynamoDB
Business logic

DynamoDB Data Model
Table:
Music
Items
Attributes (name-value pairs)
Artist Song
Title
Album
Title
Year Genre

Primary Keys
Partition Key
Sort Key
Table: Music
Partition Key: Artist
Sort Key: Song Title
(DynamoDB maintains a sorted index for both keys)
Table:
Music
Artist Song
Title
Album
Title
Year Genre

Global Secondary Index
Choose which attributes
to project (if any)
Table: Music
Partition Key: Artist
Sort Key: Song Title
GSI: MusicGSI
Partition Key: Genre
Sort Key: Year
Table:
Music
Artist
Song
Title
Album
Title
Year Genre
Genre Year Song Title

Database Considerations
If You Need Consider Using
A relational database
service with minimal
administration
Amazon RDS
• Choice of Amazon Aurora, MySQL, MariaDB, Microsoft
SQL Server, Oracle, or PostgreSQL database engines
• Scale compute and storage
• Multi-AZ availability
A fast, highly scalable
NoSQL database
service
Amazon DynamoDB
• Extremely fast performance
• Seamless scalability and reliability
• Low cost
A database you can
manage on your own
Your choice of AMIs on Amazon EC2
and Amazon EBS that provide scale compute and
storage, complete control over instances, and more.

Amazon S3

Amazon S3
• Provides simple web services interface to store and
retrieve any amount of data.
• Can be accessed at any time from anywhere on the
web.
• Provides highly secure, durable, and scalable object
storage.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Use Cases
• Content storage and distribution
• Backup and archiving
• Big data analytics
• Static website hosting
• Disaster recovery

Key Concepts

Introduction to S3 Buckets
• Data is stored in S3 buckets as objects.
• Bucket names must be globally unique.
Ø Follow simple naming rules for buckets.
• Use 3 to 63 characters.
• Use only lower case letters (at least one),
numbers, and hyphens (-).
• Do not use period (.) character in bucket
name.
• Buckets can be versioning-enabled.
• Buckets are associated with regions.
Ø Choose region based on latency, cost, and
regulatory requirements.

Introduction to S3 Objects
Each object has a unique key.
Ø Key encoding: UTF-8
Ø Maximum key length: 1024 bytes
Ø Safe characters in key name
• Alphanumeric characters [0-9a-zA-Z]
• Special characters ! - _ . * ‘ /
An object has associated
metadata.
Object Key Examples
• SomeDocument.doc
• prog/java/collections.htm
• 94531/xstreet/JohnSmith.pdf
In versioning-enabled buckets, each
object has a version ID. Key: collections.htm
Version ID:111111
Key: collections.htm
Version ID:1222222

URLs for S3 Objects
Path-style URL
Ø Structure: http://<region-specific endpoint>/<bucket name>/<object name>
Ø Example:
http://s3-eu-west-1.amazonaws.com/gogreen/sensordata.html
Virtual hosted-style URL
Ø Structure: http://<bucketname>.s3.amazonaws.com/<object key>
Ø Example: http://gogreen.s3.amazonaws.com/sensordata.html
Ø Example: http://www.example.com/sensordata.html (DNS name configured as
a CNAME alias for www.example.com.s3.amazonaws.com)
gogreen
Bucket name is www.example.com to match domain name. Works only with HTTP URLs.
www.example.com

Operations on Objects: Put
• Upload object
• Copy object
Ø Use copy operation to
• Create copies of an object.
• Rename objects by creating
a copy and deleting the
original object.
• Move objects across S3
locations.
• Update object metadata.
Size < 5 GB
> 5
GB
< 5 TB
Size
Single
upload
Multipart
upload
Recommended
if size > 100
MB

Operations on Objects: Get
Retrieve a whole object or part of an object
Get complete object Get range of bytes

Operations on Buckets: List Keys
Prefix: 2014/
2014/score/english/john.txt
2014/score/english/sam.txt
2014/score/math/john.txt
2014/score/math/sam.txt
2014/score/summary.txt
• List object keys by prefix and delimiter
• Determine common prefixes
Prefix: 2014/score/
Delimiter: /
Get Common Prefixes
2014/score/english/
2014/score/math/
List Keys for 2014
List Key for 2014 Score Summary
Find Subjects For Which Scores Exist
Bucket name: scores
2014/score/english/john.txt
2014/score/english/sam.txt
2014/score/math/john.txt
2014/score/math/sam.txt
overallsummary.txt

Operations on Objects: Delete
Delete one or more objects.
Key: jazz.mp3
Version ID:111111
Key: jazz.mp3
Version ID:2222222
DELETE MARKER
Key: jazz.,mp3
Version ID:3333333
Delete key: jazz.mp3
Key: jazz.mp3
Version
ID:111111
Key: jazz.,mp3
Version
ID:2222222
Delete Key: jazz.mp3
Version ID:2222222
Key: jazz.mp3
Delete Key: jazz.mp3
Versioning Enabled in BucketsVersioning Disabled in Bucket

Operations on Objects: Restore
• Restore an object previously archived on Amazon
Glacier.
• Specify bucket name, key, and number of days for which
the restored copy of the object should be available.

User Authentication and
Authorization

AWS Identity and Access Management (IAM)
• Centrally manage users and user permissions in AWS.
• Using AWS IAM, you can:
Ø Create users, groups, roles and policies.
Ø Define permissions to control which AWS resources users can
access.
• IAM integrates with Microsoft Active Directory and AWS
Directory Service using SAML identity federation.

EMR1
Getting Started with IAM
IAM
Policy
Maria
IAM
User
IAM
Group
IAM
Role
Login: Maria@email.com
Password: *********
Admins
Joe
Policies contain permissions which
specify which actions an entity can
perform and on which resources.
Root
Account
Analysts
Liam
Anya
Chae-won
Developers
Wei
Bernardo
Inès
DevApp1
Roles provide a simple way to
delegate groups of permissions to
specific users or AWS services.
An IAM user account provides one
login with its own specified
permissions.
An IAM group allows you to apply
specified permissions to a group of
users.
TempDev1

AWS IAM Credentials
• Multiple types of credentials
• Use multi-factor authentication (MFA) for extra security.
Tool Credentials
AWS Management Console User name/Password
AWS Command Line Interface (CLI) Access key/Secret key
Software Development Kits (SDKs) Access key/Secret key
Query APIs Access key/Secret key

Security Credentials: Access keys
• Use credential files
• Use temporary credentials from AWS STS
• Use IAM roles (preferred)
Do Not:
❌Use root account credentials
❌Put AWS credentials in your code
❌Store credentials in public places like GIT, Wikis, and SharePoint
[default]
aws_access_key_id = ACCESS_KEY_ID
aws_secret_access_key = SECRET_ACCESS_KEY_ID
[prod]
aws_access_key_id = ACCESS_KEY_ID
aws_secret_access_key = SECRET_ACCESS_KEY_ID

IAM Policies
• A statement of one or more permissions
Ø Created, maintained, and versioned as a distinct object.
Ø Attached to a user, group, role, or resource.
• Used to control access to:
Ø AWS APIs
Ø AWS resources
• IAM policies are not for OS or application permissions.
• Best practice: Grant least privilege.

Amazon Resource Names (ARN)
Used to uniquely identify AWS resources in places where
ambiguity is not tolerated, such as in IAM policy.
Example - DynamoDB table:
arn:aws:dynamodb:us-west-2:123456789012:table/accounts
Example - S3 bucket contents:
arn:aws:s3:::my_corporate_bucket/*

IAM Policy for Administering AWS Resources: Example
A policy that allows users to perform any Amazon EC2 action on
resources that have the tag Department=Test, as long as the
request occurs before the beginning of the year 2016:
{
"Version": "2012-10-17",
"Statement": {
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
"Condition": {
"StringEquals": {"ec2:ResourceTag/Department": "Test"},
"DateLessThan": {"aws:CurrentTime": "2016-01-01T00:00:00Z"}
}
}
}

AWS IAM Permission Types
Read Write List
Bob ü ü ü
Doug ü ü ü
Jim ü ü
Sara ü
Read Write List
Bob ü ü ü
Larry ü
Sam ü ü
Resource X
Resource Y
Read Write List
Resource X ü ü ü
Read Write List
Resource Y ü
Resource Z ü
Read Write List
Resource X ü
Resource Y ü
Resource Z ü
Bob
Larry
User-Based Permissions Resource-Based Permissions
Managers
What does a particular entity have access to? Who has access to a particular resource?

AWS IAM Permission Types
Resource-Based Policy
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AccountBAccess1",
"Effect": "Allow",
"Principal": {"AWS": "111122223333"},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}
}
User-Based Policy
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:*LoginProfile",
"iam:*AccessKey*"
"iam:*SSHPublicKey*"
],
"Resource": "arn:aws:iam::account-id-
without-hyphens:user/${aws:username}"
}
}

Securing Your AWS Resources Using Policies
{
"Version":"2012-10-17",
"Id":"PutObjPolicy",
"Statement":[{
"Sid":"DenyUnEncryptedObjectUploads",
"Effect":"Deny",
"Principal":"*",
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::YourBucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-server-side-encryption":"AES256"
}
}
}
]
}

AWS IAM Policy Types
IAM Policies
Managed
Policies
AWS-
Managed
Policies
Customer-
Managed
Policies
Inline Policies
• Standalone, versioned policies
• Can be attached to multiple users,
groups, and roles
• Recommended method
• Two types:
• AWS-Managed Policies
• Customer-Managed Policies
Managed Policies
• Policy embedded in the entity (user,
group, or role)
• Useful for strict one-to-one relationship
between a policy and the entity to
which it is applied
Inline Policies

Ways to Work with AWS IAM Policies
• Library of pre-defined policies à Policy Template
• AWS Policy Generator
• Use your favorite JSON Editor
• Create policies in an object-oriented fashion using:
Ø AWS CloudFormation
Ø AWS SDKs
• JSON and AWS CloudFormation editors:
Ø AWS Toolkit for Eclipse
Ø AWS Toolkit for Visual Studio

AWS IAM Policy Rule Procedure
• Deny by default
• Most restrictive policy wins
• Evaluation Logic
If something is explicitly denied, it can
never be allowed: No Overrides
Is the
action
explicitly
denied?
Evaluate all
applicable
policies
Deny
Is the
action
explicitly
allowed?
Allow
Yes
Yes
No
No
Start with the
assumption that
the request is
denied

IAM Policy Example
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["dynamodb:*","s3:*"],
"Resource":["arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"]
},
{
"Effect":"Deny",
"Action":["dynamodb:*","s3:*"],
"NotResource":["arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"]
}
]
}
Gives users access to a specific DynamoDB
table and…
…Amazon S3 buckets
Explicit deny ensures that the users cannot use any other AWS
actions or resources other than that table and those buckets
An explicit deny statement takes
precedence over an allow statement

Example: AWS IAM Policy for Administering AWS
Resources
A policy that denies requests that come from external IP addresses:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {"NotIpAddress": {"aws:SourceIp": [
"192.0.2.0/24",
"203.0.113.0/24"
]}}
}
}

Policies
Trust policy
Access policy
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::1111:user/Jo"
},
"Action":"sts:AssumeRole"
}
{
"Effect":"Allow",
"Action":"s3:ListBucket",
"Resource":"*"
}
Allow : Jo (IAM user) in the account 1111
Action: Ability to assume this role
Allow : Listing S3 buckets
Resource : All buckets in this account

Policy to Launch EC2 instances with a Specific Role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/Get-pics"
}
]
}

Using Web Identity Federation
AWS Security
Token Service
Temporary security
credential DynamoDB
table
Users
Web Identity Provider
1
2
3
IAM policies

What is AWS Lambda?
• Compute service that runs your functions in response to
event.
• Automatically manages the compute resources for you.
• Requires zero administration.

© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
This work may not be reproduced or redistributed, in whole or in part, without
prior written permission from Amazon Web Services, Inc. Commercial
copying, lending, or selling is prohibited.
Errors or corrections? Email us at aws-course-feedback@amazon.com.
For all other questions, contact us at:
https://aws.amazon.com/contact-us/aws-training/.
All trademarks are the property of their owners.

Virtual AWSome Day Training Sept 2017

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Virtual AWSome Day Training Sept 2017

Ähnlich wie Virtual AWSome Day Training Sept 2017 (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Virtual AWSome Day Training Sept 2017