Forem: Sathish P

Amaon cognito

Sathish P — Sat, 15 Apr 2023 09:17:52 +0000

What does Cognito?
Give users an identity to interact with web or mobile application
Cognito user pools:

sign in functionality for all users
integrate with API gateway & application load balancer

Cognito identity pools(Federated Identity):

provides temporary AWS credentials to users so they can access AWS resources directly
integrate with cognito user pools as an identity provider

Features:

create a serverless database of user for your web and mobile apps
simple login:username(or email)/password combination
password reset
Email and phone number verification
MFA
federated identities: users from facebook,google,SAML
feature:block users if credentials are compromised elsewhere
login sends back a JSON Web Token(JWT) Daigram:

choosing to create a user pool
Authentication can be done in 2 ways

cognito user pool(username &password, email)
federation identity providers(google,facebook,SAML)

password can be default or customied

Multi factor Authentication can be chosen whether it should be mandatory, option or not required

account recovery can be enable or diable
if enable, in which way we can recover through forgot password can be chosen

enabling new users to register for your app(enable self registartion)

verification

we can add the reuired attributes to the signup page(if reuired)

if any other custom attributes needs to be added we can

configure how user pool sends message to users

call back urls can be specified after successful login

can review once and can be created

In sign in experience tab if required can add identity provider

click on view hosted to create a user

this will open the login page in new tab once sign up with the page sends verification SMS to the registered mail. after successful login, navigate to the call back url page

we can specify lambda triggers for any of the functionality

cognito user pools - lambda triggers

Hosted Authentication UI

cognito has hosted authentication UI that can be add to your own app to handle signup and sign in workflows
using the hosted ui, your app can integrate with social login, OIDC or SAML
can be customised with custom logo and custom CSS

Hosted UI custom domain

for custom domains you must create ACM certificate(us-east-1)
custom domain is defined in app integration section

JSON Web Token(JWT)

CUP issues JWT tokens
- headers
- paload
- signature
the signature can be verified to ensure the JWT token can be trusted

Application Load Balancer - Authenticate users
your application load balancer can securely authenticate users

offload the work of authenticating users to load balancer
- your application can focus on the business logic
  - authenticate users through:
  - identity provider(IdP): OpenIDConnect(OIDC) Compliant
  - cognito user pools:
    - social IdP's such as amazon, facebook or google
    - corporate identities using SAML, LDAP or Microsoft AD
must use an HTTPS listener to set authenticate-oidc and authenticate-cognito rules
onunauthenticated request- authenticate(default),deny,allow

Application Load Balancer - Cognito Auth

Application Load Balancer - OIDC Auth

Cognito Identity pools - diagram

cognito identity pools - diagram with CUP

Creating Identity pool:

we can enable the unauthenticated identities and can change the authentication flow. by default it will follow enhanced, we can change to basic flow as well

we can select authentication providers

pool id and client id needs to be copied from previous steps where we have created the user pool

after creating identity pool it will ask us to allow two IAM roles

for authenticates identities
unauthenticated identities

we can select the platform where we are installing the SDK and after installation if we run the below code it will generate AWS credentials

from the dashboard we can check number of authenticated and unauthenticated identities

we can customize the IAM roles by navigatin to IAM-> roles

we can see created IAM roles in previous step. by hitting on edit we can customize.

Note:- User pools are for authentication, identity pools for authorisation.

Policies and MFA

Sathish P — Sun, 09 Apr 2023 17:51:17 +0000

What is policy?
A policy is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS Management Console, AWS CLI, or AWS API to create customer managed policies in IAM. Customer managed policies are standalone policies that you administer in your own AWS account. You can then attach the policies to identities (users, groups, and roles) in your AWS account.

Policy is Nothing but JSON document which contains below parameters to provide permissions to the users/groups/roles.

Version: policy language version
Id: an identifier for the policy(optional)
statement: one or more statement(required) statement consists of below parameters:-
Sid: an identifier for the statement(optional)
Effect: whether the statement policy allows or denies the access(Allow,Deny)
Principal: specifies to which account/user/role this policy applied to
Action: list of actions this policy allows or denies
Resource: list of resources to which the actions applied to
Condition: Conditions for when this policy is in effect(optional)

Existing policy structure can be defined below.

We can create our own policies in two ways.

Visual editor: where we can select services, actions, permissions and automatically editor will create the JSON for it.

JSON:- where can we implement our own policy.

MFA:-(Mukti Factor Authentication)
MFA=password you know+security device you own

MFA device options in AWS:

google authenticator(phone only)
Authy(multi-device)
Yuikey(3rd party)

we can remain the default IAM policy or can change the password policy by navigating through Account settings as per below

To add MFA to our account have to navigate to security credentials and we can hit on assign MFA. there we can see different devices of MFA as per below.

From the devices we can select one and MFA will be added to our account. After MFA whenever we try to login it will be asked for password and code of device which we chose in MFA setup.

AWS EBS

Sathish P — Sun, 09 Apr 2023 17:31:45 +0000

AWS Lambda

Sathish P — Sun, 09 Apr 2023 17:30:42 +0000

AWS EC2

Sathish P — Sun, 09 Apr 2023 17:29:31 +0000

What is EC2?

Elastic compute cloud (EC2). It's a virtual machine in AWS. Develop and deploy application faster without worrying about the hardware investments. We can choose the Instance Type and family and attach the security groups to handle the inbound and outbound traffics. We can create the EC2 instance by choosing the AMI (Amazon Machine Image), there are many AMI's available. We can choose anything based on our requirements and attach the security policies or group for the security purpose.

Create or launch an EC2 Instance

Steps to launch an instance. Go to the Instance tab and find the launch instance button to configure the instance.
Name the instance

Select the AMI type and instance types, family
Create the key-pair and download the .pem or .ppk file to access the instance in SSH.
Launch the instance and go to the instance list and you can find your instance using name.

Instance Name

Select the instance family

Edit the network details

Creating Key-Value Pair for accessing the instance using SSH

After Instance was successfully launched, we can see the following pages

List of available instances

Instance details

User data for an instance

We can add the user data to the instance. If we add the user data script, it ll run only once when the server is getting launched.

User data should be in shellscript. We can add manually or import from a file and we cannot be able to modify the user data when the instance is in Start stage. We need to stop the instance and modify the user data and restart the instance again.

Command to access ec2 instance using SSH

ssh -i .pem/location Username@publicIPV4

Username should be ec2-user

Command to upload files to ec2 instance using SSH

scp -i .pem/location fileLocation username@publicIPV4:~/.

SSH Summary table

SSH Summary	SSH	PuTTY	EC2 Connect
MacOS	Y	N	Y
Linux	Y	N	Y
Windows >= 10	Y	N	N
Windows < 10	N	Y	Y

Purchasing options

Several options we can buy EC2 instances

On Demand

Short workloads, Predictable pricing, Pay by Second
- Linux or Windows - Pay per second
- All other platforms - Pay per hour
Highest cost by no upfront payment
No Long-term commitment

Recommend for short-term and unintereppted workloads or services where you can't predict the application behaviours.

Reserved Instances

72 % discount when compared to OnDemand
We can reserve specific instances i.e, Instance Type, Region, OS, Tenancy
Reservation period 1 year with minimal discount and 3 year with maximum discount
Reserved instance scope like regional or zonal

Recommended for steady state workloads like databases. We can buy and sell the instance at marketplace if not needed.

** Payment options

No Upfront (+)
Partial Upfront (++)
All Upfront (+++)

Convertible reserve instances like we can change the EC2 instance type, family, OS, scope and tenency.

Savings plan

Discount on long term
Commit to a certain type of usages, like we set $10 / hour.
Usage beyond EC2 savings plans is billed at OnDemand price.
Locked to specific instance family and region
Flexible on Instance Size and OS, that means we can change the instance size and OS.

Spot Instances

90% discount compared with OnDemand
Instances that you can "lose" at any point of time if the maximun price is less than the current spot price.
Most cost effective instances in AWS useful for workloads that are resilent to failure.
- Batch Jobs
- Data Analysis
- Image Processing
- Distributed workloads
- Flexible start and stop workloads

Useful links

Users, Groups & Roles

Sathish P — Mon, 25 Jul 2022 06:30:00 +0000

Demonstration on how to setup and configure users, groups and roles and differences between them.

In AWS IAM, all three elements are considered as objects.

Users

A User object can represent a real person who requires access to operate and maintain the AWS environment or access the AWS resources or services programmatically.

Users are representing an Identity which are used in the authentication process to the AWS account.

Creating a User

Users can be created using AWS Management Console or Programmatically via AWS CLI, IAM HTTP API, Tools for windows powershell.

Creating user name which can be upto 64 characters in length.

Selecting AWS access type:

Programmatic:
Enables an access Key Id and Secret access key for the AWS CLI, API, SDK.
AWS Management Console :
Enables a password that allows users to sign-in to the AWS Management Console.

Set permissions for the user:

For give access to the user AWS has 3 ways.

From user groups

Add the user to one particular user groups, the permission which are assigned for the groups will automatically applicable for the particular user.

Add policies directly

Admin can directly add an existing policies or can create new policies.

Adding tags are optional
Reviewing the user

After the successful user creation

Download the .csv file for the access keys and password for the created user.

Admin can send e-mail for the user using send-email link.

Groups

-> Groups can contain only users and not other groups
creating group for an user/users:-

Have to provide the group name and there we can add the users to the group as well if already users exists as below

if user didn't exists while creating the group , we can specify the group while user creation.

While creating the group if we have to attach the policies at the group level we can as per the below screenshot.

Group has been create by showing the number users and creation time.

Roles

Roles can be assumed by the entities to get the credentials

Most commonly we will do for AWS services and common roles are EC2 and lambda

we can create our own policy or can select from exists policies. we have to provide role name and description.

The JSON document for the role will be defined in below format.

tags are optional.

The roles has been created.

AWS IAM

Sathish P — Mon, 25 Jul 2022 06:28:00 +0000

Covers features and elements of IAM

What is IAM?
Groups, Users and Roles
IAM Policies
MFA
IAM Federation
IAM Features

Get the details last from the understanding

What is IAM?

To manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within AWS Account.

IAM Components

Users
Groups
Roles
Policies
Access control and mechanisms.

IAM is globally avaliable AWS services, ie. IAM is not regionally available services and we can create regional specific policies and accesses to an AWS resources.

Without IAM there is no way of maintaining security or control access to the resources. IAM provides components to manage access, but it is only as strong as we configure it. The responsibility of implementing secure, robust and tight security within AWS is ours.

You can find the IAM services under security, Identity and compliance.

All services -> Security, Identity and compliance -> IAM (Manage access to AWS resources)

IAM Responsibilities:

How secure your access control procedures must be?
How much should admin restrict users access?
How complex password policies must be?
Resource should use MFA or not?

Admin can architect and implement upto the policies and security guidances from the company or self.

Restrictions and access are purely based on our own security standards and policies within our information and security management systems.

Elements of AWS

Other resources:
aws.plainenglish.io

Deployment on AWS

Sathish P — Mon, 25 Jul 2022 05:19:08 +0000

AWS developer associate certification exams have 22% of weightage and will be around 14 questions.

Deploy written code in AWS using existing CI/CD pipelines, processes and design patterns.
Deploy applications using Elastic Beanstalk.
Prepare the application deployment package to be deployed to AWS.
Deploy serverless applications.

Deploy written code in AWS using existing CI/CD pipelines, processes and design patterns

Continuous Integration
Continuous Delivery
Continuous Deployment

Useful services:

AWS CodeCommit
AWS CodeBuild
AWS CodeDeploy
AWS CodePipeline

AWS Developer Associate Certification Preparation

Sathish P — Mon, 18 Jul 2022 06:18:00 +0000

Short description:

Earners of this certification have a comprehensive understanding of application life-cycle management.
They've demonstrated proficiency in writing applications with AWS Service APIs, AWS CLI and SDKs, using containers and deploying with CI/CD pipeline.
Badge owners are able to develop, deploy and debug cloud-based applications that follow AWS best practices.

The exam validates two things

Understanding of core AWS services and uses.
Basic AWS architecture best practices.

Need to have a solid understanding of how to deploy, monitor and update code in the AWS cloud.

Exam Logistics

65 questions
130 minutes to complete

Exam Contents based on Exam guide:

Domain	Percentage
Deployment	22%
Security	26%
Development with AWS Services	30%
Refactoring	10%
Monitoring and Troubleshooting	12%
Total	100%

To pass AWS Developer Associate certification need to score above 720 out of 1000.

Document is about:

Understanding distributed systems.
Using available features to avoid wasting time and energy.
Being cost-effective, scalable, elastic and secure.

Services need to know for Developer Associate Certification