- AWS Regions
  - All around the world, and each has a unique name
  - A region is a cluster of data centers
  - Most services are scoped to a certain region
  - Potential test question:
    - How to choose an AWS region?
      - Compliance with data governance and legal requirements
      - Proximity to customers: reduced latency
      - Available services within a region
      - Pricing
- AWS Availability Zones
  - Each region has several availability zones
    - min 3, max 6
    - e.g. ap-southeast-2a, ap-southeast-2b, etc.
  - Each zone is one or more discrete data centers with redundant power, networking, and connectivity
  - Zones are isolated from each other in case of disaster
  - Connected with high-bandwidth, ultra-low-latency networking
- AWS Data Centers
- AWS Edge Locations / Points of Presence
  - Content is delivered to end users with low latency
IAM: Users and Groups
- Global service
- Users are people within your organization, and can be grouped:
  - A user can belong to more than one group, or to no group at all
  - Groups can only contain users, not other groups
IAM: Permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*/*"
    }
  ]
}
Least Privilege Principle: Don't give a user more permissions than they need.
Permission Inheritance: When a user is added to a group, they inherit the permissions of that group; the policy is attached to the group, and every member receives it.
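To make the policy above, least privilege and inheritance concrete, here is an added example (not from the notes or from AWS) of a simplified identity-based policy evaluator. It loads the policy from the notes as a group policy, adds a constructed user-level explicit Deny on a placeholder bucket, and applies the core IAM rule: an explicit Deny always wins, and anything not explicitly allowed is implicitly denied.

```python
import fnmatch
import json

# The policy document from the notes above, attached to a group.
GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::*/*"}
  ]
}""")

# Constructed policy attached directly to one user: an explicit Deny on a
# sensitive bucket. The bucket name is a placeholder, not a real resource.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::payroll-archive-placeholder/*"}
    ],
}

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policies, action, resource):
    """Explicit Deny beats Allow; no matching Allow means implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False          # explicit deny is final
                allowed = True
    return allowed

def effective_policies(user_policies, group_policies):
    # Permission inheritance: the user's own policies plus those of every
    # group the user belongs to form the set that gets evaluated.
    return list(user_policies) + list(group_policies)
```

Run `is_allowed(effective_policies([USER_POLICY], [GROUP_POLICY]), "s3:PutObject", "arn:aws:s3:::reports/q1.csv")` to see the implicit deny: the group policy grants only list and read actions, so a write is refused without any Deny statement.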
IAM Roles for Services
- Some AWS services need to perform actions on your behalf
- Assign permissions to AWS services with IAM roles instead of creating users for them
- Common roles:
  - EC2 instance roles
  - Lambda function roles
  - Roles for CloudFormation
IAM Security Tools