
AWS IAM Account and Policy


IAM (Identity and Access Management) is the AWS service that controls access to AWS resources and services. Access control in IAM is always user based.
  • AWS IAM provides user management, access control for AWS resources and services, and security management of AWS resources. It defines each user's access permissions to AWS services.
  • Every AWS account comes with a root account that controls everything, including resource access, users and security. The root account is the head of your account and has full power over AWS IAM resources. Never share the root account credentials with anyone, and do not use the root account for your daily tasks or for routine administration.
  • The root user is the creator of the account and has full permission and access to AWS resources.
  • By default 5000 users can be created per AWS account using IAM. You can add 10 users at a time.
  • By default you can create a maximum of 300 groups per AWS account using IAM.
  • You can create 1000 roles per AWS account using IAM.
  • An IAM user can be a member of 10 groups.
  • IAM is available free of cost and is not region specific: IAM is a global service.
  • While creating groups in IAM you cannot create a group inside a group; nested groups are not possible in AWS IAM.
  • Using IAM you control which resources can be accessed and which actions can be performed by applying the various default policies and IAM inline policies.
[Image: AWS IAM Policy]


Features of IAM in AWS

  • Shared access to your AWS account without giving out the root credentials.
  • Granular permissions: there are levels of access to AWS resources. For example, sometimes you want to give a user read permission only.
  • Secure access for applications running on EC2 instances.
  • Multi-factor authentication.
  • Identity federation.
  • Identity information for assurance (using the log records you can check which user accessed which resource).
  • PCI DSS compliance (PCI: Payment Card Industry, DSS: Data Security Standard).
  • Eventually consistent and highly available.

AWS IAM Terms

  • Principal: the entity that performs actions and uses resources. A principal can be a user, an application (since a request often goes through an application), a role, etc.
  • Request: what the principal sends to AWS.
  • Authentication: checks and verifies the principal. Only authenticated users can access AWS resources.
  • Authorization: checks the level of permission for the task and blocks the task if the authenticated user has not been permitted and assigned it.
  • Action / Operation: any task you perform that the root user has authorized you to do.
  • Resources: basically the AWS resources being acted upon.
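As an added example (not code from the original post), the authorization step described above can be made concrete with a small policy evaluator in Python. It applies the core IAM rule, an explicit Deny overrides any Allow and anything not explicitly allowed is denied, to a constructed set of policies: a managed policy attached to the user, a group policy, and an inline Deny. The policy documents, the bucket name example-bucket and the function names are assumptions for this example.

```python
import fnmatch

# Constructed sample policies (not from any real AWS account). The bucket name
# "example-bucket" and the statement contents are assumptions for this example.
USER_MANAGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
USER_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}
ALL_POLICIES = [USER_MANAGED_POLICY, GROUP_POLICY, USER_INLINE_POLICY]


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match: '*' any run of characters, '?' one character.
    Action names are compared case-insensitively, as IAM does."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower())
               for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for a single request.

    Identity-based part of IAM's documented evaluation: every statement of
    every policy attached to the principal (user, its groups, inline) is
    examined; an explicit Deny overrides any Allow; with no matching Allow
    the request is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"      # explicit deny wins immediately
            allowed = True         # remember the Allow, keep looking for a Deny
    return "Allow" if allowed else "Deny"   # implicit deny by default


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.pdf"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/report.pdf"),
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.pdf"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.pdf"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "*"),
    ]
    for action, resource in checks:
        print(f"{action:24} {resource:45} -> {evaluate(ALL_POLICIES, action, resource)}")
```

Running the block prints one line per check: the group's s3:* Allow is overridden by the inline s3:DeleteObject Deny, which is why an inline Deny is the usual place for a hard guardrail on a single user. The evaluator models only identity-based Allow/Deny with Action and Resource; Condition blocks, NotAction/NotResource, resource-based policies and permission boundaries are not covered.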

[Image: IAM default policy and inline policy]


AWS Autoscaling and Amazon Auto Scaling Group

AWS auto Scaling Group

Most companies are migrating to the cloud because of the scalability, fault tolerance and high availability of resources. The AWS Auto Scaling Group is one of the most important features of the AWS cloud.

Scalability and autoscaling mean the same thing here. In cloud terms, scalability or AWS Auto Scaling means scaling server resources up and down according to demand, so that user requests are met with fault tolerance and high availability of resources.

  • AWS Auto Scaling is a region-specific Amazon service.
  • Auto Scaling is the process of scaling your EC2 instances up or down (scale out [increase] or scale in [decrease]) based on a set of conditions.
  • Amazon Auto Scaling is horizontal scaling of EC2 resources. Horizontal scaling ensures that you have the right number of servers to handle the requests.
  • Auto Scaling helps with cost management. There is no extra charge for creating instances in an AWS ASG.
  • Only running instances can be included in an Auto Scaling group; terminated or stopped instances cannot be included.
  • An EC2 instance can be part of only one Auto Scaling group; it cannot be part of multiple groups. You can have multiple ASGs, but a single EC2 instance cannot be attached to more than one of them.
  • When you want to delete an ASG, first detach its existing EC2 instances and then delete it. If you delete the ASG without detaching the instances, the EC2 instances are deleted as well.
  • Multiple Elastic Load Balancers can be attached to an Auto Scaling group.
  • Whenever you apply a scale-out policy you must apply a scale-in policy as well; otherwise your cost will climb.
  • If you create an ASG using the CLI, the basic monitoring interval is 60 seconds; if you use the console, the basic monitoring interval is 300 seconds (5 minutes). Through the CLI, detailed monitoring is created by default, which is chargeable; basic monitoring is free of cost.
  • Merging ASGs is possible only through the CLI (Command Line Interface).

Components of AWS Auto Scaling


Launch Configuration: in the launch configuration we define the instance type, key pair, AMI and security group. Once a launch configuration is created it cannot be edited; you can only delete it or copy it.

Auto Scaling Group: here we define the ASG name, group size, group subnets, VPC, etc.

Scaling Policy: metric type and target value.

An Auto Scaling group always tries to balance the distribution of EC2 instances across the Availability Zones of the region. If the distribution were unbalanced, then on failure of an AZ the load would fall on the other AZs for a short time. To avoid that, the ASG distributes instances equally across multiple AZs within the region (Auto Scaling is region specific). Below is an image showing an example.


SNS (Simple Notification Service) in an Auto Scaling group sends email under the four conditions listed below for your reference. SNS is a chargeable service.

  • An instance is launched
  • An instance is terminated
  • An instance fails to launch
  • An instance fails to terminate

Amazon Auto Scaling Policy

  • Manual AWS Auto Scaling policy (in this policy the min and max number of servers are the same under all conditions).
  • Dynamic AWS Auto Scaling policy (in this policy the min and max number of servers are not the same, and based on the conditions the group grows and shrinks within the min and max range).
    • Target Tracking Policy: here we define a target, and to maintain that target the ASG increases or decreases the number of EC2 instances. For example, we set a target that one EC2 instance may carry 70% of the traffic. If the traffic crosses 70%, a new EC2 instance is launched automatically. The target tracking policy always maintains the 70% level: if traffic decreases across all the instances, it terminates EC2 instances and brings the count down. The metric we define here is CPU utilization. Below is the image where the target tracking policy is set.
      [Image: AWS ASG target tracking policy]
       
    • Simple Scaling Policy :
    • Step Scaling Policy: we have to set the increase and decrease in group size, and we must create the alarm before applying this scaling policy.
    • Predictive Scaling / Scheduled Scaling / Cyclic Scaling: predictive scaling checks the traffic history and scales out and in based on it. Alternatively we can decide, for example, to scale out on Saturday and Sunday. It uses machine learning to help with scaling out and in.
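To show how a target tracking policy and the AZ balancing described above fit together, here is an added Python example (not from the original post, and not the ASG algorithm itself): it computes the desired capacity that brings the average CPU back to the target, clamps it to the group's min and max size, and spreads the result evenly across the region's Availability Zones. The function names, the sample numbers and the AZ names are assumptions for this example.

```python
import math


def desired_capacity(current, avg_metric, target, min_size, max_size):
    """Capacity a target tracking policy would aim for.

    Target tracking keeps the group's average metric (here CPU utilization
    in percent) near `target`. With `current` instances averaging
    `avg_metric`, the total load is current * avg_metric, and the number of
    instances that brings the average back to `target` is
    ceil(total / target). The result is clamped to the group's min/max size,
    so scale-out never exceeds max_size and scale-in never drops below
    min_size (the two policies the text says must go together).
    """
    if current <= 0 or target <= 0:
        raise ValueError("current capacity and target must be positive")
    needed = math.ceil(current * avg_metric / target)
    return max(min_size, min(max_size, needed))


def scaling_action(current, desired):
    """Describe the adjustment as (direction, number of instances)."""
    if desired > current:
        return ("scale-out", desired - current)
    if desired < current:
        return ("scale-in", current - desired)
    return ("no-change", 0)


def balance_across_azs(desired, azs):
    """Spread `desired` instances as evenly as possible across the given
    Availability Zones; any remainder goes one per AZ to the first zones."""
    if not azs:
        raise ValueError("at least one AZ is required")
    base, extra = divmod(desired, len(azs))
    return {az: base + (1 if i < extra else 0) for i, az in enumerate(azs)}


if __name__ == "__main__":
    # Constructed scenario: 2 instances at 90% average CPU, target 70%,
    # group bounded to 1..10 instances, three AZs (names are assumptions).
    azs = ["ap-south-1a", "ap-south-1b", "ap-south-1c"]
    current, avg_cpu, target = 2, 90.0, 70.0
    desired = desired_capacity(current, avg_cpu, target, 1, 10)
    print("desired capacity:", desired)                 # 3
    print("action:", scaling_action(current, desired))  # ('scale-out', 1)
    print("placement:", balance_across_azs(desired, azs))
    # Traffic drops: 4 instances at 20% average -> scale in to 2.
    print("after drop:", scaling_action(4, desired_capacity(4, 20.0, target, 1, 10)))
```

The clamp is what the scale-in policy contributes: without a lower bound a quiet night would drive the group toward zero, and without the upper bound a traffic spike would grow it without limit, which is the cost problem the bullet above warns about.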

AWS Route 53 DNS and Amazon Route53 Hosted zone

AWS Route 53 and DNS Management

AWS Route 53 is mainly for:

A) DNS Management
B) Traffic Management
C) Availability Management (Server Health Check)
D) Domain Registration

DNS (Domain Name Server) is like a phone book: it translates a domain name into an IP address. Every device connected to the internet has a unique IP, which we cannot easily remember, and that is why names came into the picture. DNS translates that name to the IP address.

For example:

The website www.example.com has the unique IP 111.111.1.11. Whenever a request comes in using www.example.com, DNS translates it into that IP.

A port number identifies the specific process or request that arrives via the internet or network so that it can be forwarded to the server for further processing. Port 53 sets the communication protocol for the internet's network layer, transport layer and session layer. The name server basically routes the traffic to the server.

[Image: Route 53 name server function]


Why is it named Amazon Route 53?


Route 53, which manages our DNS, runs on port number 53. Any request that comes to Route 53 is translated from the web address to a specific IP address for further communication with the server.

We can perform all sorts of tasks using Route 53 hosted zones, such as DNS management, domain name registration, domain transfer, server health checks and traffic management.

Points to remember about Amazon Route 53:

  • Route 53 is a global service, like IAM.
  • Route 53 also supports IPv6. AWS provides two types of domain: generic top-level domains (.com, .net, .org, etc.) and geographic top-level domains (.in, .uk, .us, etc.).
  • Multiple hosted zones can be created with the same name, but the name servers inside each hosted zone will be different.
  • Route 53 assigns four name servers to a hosted zone, which are different and unique.
  • The SOA (Start of Authority) record contains information about the hosted zone you create.
  • Transfer of a domain between two AWS accounts is possible; for that you must contact AWS Support.
  • When you migrate a domain name from one AWS account to another, only the domain is transferred, not the Route 53 hosted zone.

[Image: AWS Route 53 request handling]


[Image: AWS Route 53 DNS resolver]


There are two types of hosted zone: public and private. Whenever we create or register a domain using Route 53, four name servers and one SOA (Start of Authority) record are created automatically.

Supported Route 53 DNS Record Types


A record (IPv4): maps the domain name to an IPv4 address (IPv4 addresses are 32 bit).

AAAA record (IPv6): maps the domain name to an IPv6 address (IPv6 addresses are 128 bit).

CNAME record (Canonical Name record): points different URL forms to the registered URL. You cannot create a CNAME for the top domain (main domain).

Example: example.com, www.example.com and http://example.com are all the same; all these canonical names must point to the single domain you choose from the list.

[Image: Amazon Route 53 hosted zone]

NS record: points to your name server (server, name server and domain name server mean the same thing here).

SOA (Start of Authority): contains all the information about the domain owner and the changes made in the hosted zone. It contains the authoritative server details.

MX record: maintains the mail routing record for mailboxes created on the domain, for example info@example.com.

Route 53 Hosted Zone Routing Policies

  • Simple Routing (default): the simplest routing policy. If we do not select a routing policy while creating a record set, it is assigned by default.
  • Failover Routing: we create two servers, one as the primary and the second as a standby. Initially all requests are sent to the primary server; if the primary fails, the standby is activated and the requests are served by it.
  • Geolocation Routing: applied when we have servers in various locations. For example, if we have a server in India and HTTP requests come from India, the traffic is directed to that geo location instead of elsewhere. This policy works when we have servers in multiple locations and want to serve local content.
  • Multivalue Answer Routing: multiple IPs are returned to handle the request.
  • Latency Based Routing: serves the request from wherever it gets the fastest response. It is similar to geolocation routing, but latency based routing is not location specific: if your request gets a faster response from the USA, routing serves your request from there.
  • Weighted Routing: here we define the traffic weightage, i.e. you decide what percentage of traffic goes to which server.
  • Geo Proximity:
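The routing policies above decide which value a DNS answer carries. As an added example (not from the original post and not Route 53's own code), the following Python models simple, failover, weighted, multivalue answer and latency based routing over constructed records with health-check results. The Record class, the IP addresses, the region names and the latency figures are assumptions for this example.

```python
import random
from dataclasses import dataclass


@dataclass
class Record:
    """One record in a record set. All field values below are constructed."""
    value: str            # IP address returned in the DNS answer
    healthy: bool = True  # outcome of the Route 53 health check
    weight: int = 0       # weighted routing only
    role: str = ""        # failover routing: "PRIMARY" or "SECONDARY"
    region: str = ""      # latency routing: region the endpoint lives in


def simple_routing(records):
    """Simple routing: no health checks, every value is returned as-is."""
    return [r.value for r in records]


def failover_routing(records):
    """Primary while its health check passes; otherwise the standby."""
    primary = [r for r in records if r.role == "PRIMARY"]
    secondary = [r for r in records if r.role == "SECONDARY"]
    if primary and primary[0].healthy:
        return [primary[0].value]
    return [secondary[0].value] if secondary else []


def weighted_routing(records, roll=None):
    """Pick one healthy record with probability weight / total weight.
    `roll` is a number in [0, 1); it is drawn randomly unless supplied
    (supplying it makes the choice reproducible for testing)."""
    candidates = [r for r in records if r.healthy and r.weight > 0]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return []
    cursor = (random.random() if roll is None else roll) * total
    for r in candidates:
        cursor -= r.weight
        if cursor < 0:
            return [r.value]
    return [candidates[-1].value]   # guards against floating-point rounding


def multivalue_routing(records, limit=8):
    """Return up to `limit` healthy values so the client can pick one
    (Route 53 caps a multivalue answer at eight healthy records)."""
    return [r.value for r in records if r.healthy][:limit]


def latency_routing(records, rtt_ms):
    """Answer with the healthy endpoint in the region with the lowest measured
    round-trip time from the client; `rtt_ms` maps region -> milliseconds."""
    healthy = [r for r in records if r.healthy and r.region in rtt_ms]
    if not healthy:
        return []
    return [min(healthy, key=lambda r: rtt_ms[r.region]).value]


if __name__ == "__main__":
    fo = [Record("10.0.0.1", healthy=False, role="PRIMARY"),
          Record("10.0.0.2", role="SECONDARY")]
    print("failover (primary down):", failover_routing(fo))
    w = [Record("10.0.1.1", weight=70), Record("10.0.1.2", weight=30)]
    print("weighted:", weighted_routing(w))
    mv = [Record(f"10.0.2.{i}") for i in range(1, 11)]
    print("multivalue:", multivalue_routing(mv))
    lat = [Record("10.0.3.1", region="us-east-1"), Record("10.0.3.2", region="ap-south-1")]
    print("latency:", latency_routing(lat, {"us-east-1": 180, "ap-south-1": 25}))
```

Note that simple routing returns the unhealthy endpoint too: only the policies that carry a health check (failover, weighted, multivalue, latency) take an endpoint out of the answer, which is why the standby in the failover example is reached only once the primary's check fails.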

AWS Elastic Load Balancer and ELB and ALB Pricing

AWS ELB and Amazon Elastic Load Balancer
An AWS load balancer accepts all incoming application traffic and distributes it to multiple targets such as EC2 instances, containers, etc. Elastic Load Balancing supports several types of load balancer:

1) Application Load Balancers
2) Network Load Balancers
3) Classic Load Balancers

A load balancer ensures that server resources are available 24 x 7 without fault. Amazon ELB ensures fault tolerance and high availability of server resources; web traffic is distributed to the available backend servers by AWS ELB.
A load balancer has mainly three parts: the listener (which listens on a port), the target group, and the targets.



A load balancer distributes incoming requests across various servers to balance the load more or less equally.
Whatever (HTTP / HTTPS) request comes to the load balancer is diverted based on the servers' traffic and health status.
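To illustrate the listener / target group / target structure and the health-based distribution described above, here is an added Python model (not from the original post and not the ELB implementation): a listener on a port forwards each request to the next healthy target of its target group in round-robin order, and a target changes health state only after a configured number of consecutive health-check results. The class names, thresholds and target ids are assumptions for this example.

```python
class TargetGroup:
    """Registered targets plus the health state derived from health checks."""

    def __init__(self, name, targets, healthy_threshold=2, unhealthy_threshold=2):
        self.name = name
        self.targets = list(targets)
        # Assumption for this model: a newly registered target starts healthy.
        self.healthy = {t: True for t in self.targets}
        self._streak = {t: 0 for t in self.targets}   # consecutive contrary checks
        self.healthy_threshold = healthy_threshold
        self.unhealthy_threshold = unhealthy_threshold
        self._rr = -1                                    # round-robin cursor

    def record_check(self, target, passed):
        """Feed one health-check result and return the target's new state.
        A target flips state only after `unhealthy_threshold` consecutive
        failures (or `healthy_threshold` consecutive successes), so a single
        lost probe does not pull a target out of rotation."""
        if passed == self.healthy[target]:
            self._streak[target] = 0          # result agrees with current state
            return self.healthy[target]
        self._streak[target] += 1
        needed = self.healthy_threshold if passed else self.unhealthy_threshold
        if self._streak[target] >= needed:
            self.healthy[target] = passed
            self._streak[target] = 0
        return self.healthy[target]

    def next_target(self):
        """Round-robin over healthy targets only; None when none is healthy."""
        healthy = [t for t in self.targets if self.healthy[t]]
        if not healthy:
            return None
        self._rr = (self._rr + 1) % len(healthy)
        return healthy[self._rr]


class Listener:
    """Listens on one port for one protocol and forwards to a target group."""

    def __init__(self, protocol, target_group):
        self.protocol = protocol
        self.target_group = target_group


class LoadBalancer:
    def __init__(self, listeners):
        self.listeners = dict(listeners)   # port -> Listener

    def dispatch(self, port):
        """Return (HTTP status, target). 503 when no healthy target exists,
        which is what a load balancer answers in that situation."""
        if port not in self.listeners:
            raise ValueError(f"no listener on port {port}")
        target = self.listeners[port].target_group.next_target()
        return (200, target) if target is not None else (503, None)


if __name__ == "__main__":
    # Constructed setup: one HTTP listener on port 80, two targets.
    tg = TargetGroup("web", ["i-a", "i-b"])
    lb = LoadBalancer({80: Listener("HTTP", tg)})
    print([lb.dispatch(80) for _ in range(3)])     # alternates i-a, i-b, i-a
    tg.record_check("i-a", False)                  # first failure: still in rotation
    tg.record_check("i-a", False)                  # second: marked unhealthy
    print([lb.dispatch(80) for _ in range(2)])     # only i-b now
    tg.record_check("i-b", False); tg.record_check("i-b", False)
    print(lb.dispatch(80))                         # (503, None)
```

The two-result threshold is the important defensive detail: health checks are themselves network requests, so one timeout must not be enough to drain a target, and one success must not be enough to send traffic back to a server that is still recovering.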



Amazon S3 Bucket Pricing and AWS Bucket Storage


Amazon S3 Bucket
AWS Storage Type

  • S3 (Simple Storage Service) [object level storage]
  • EFS (Elastic File System)
  • EBS (Elastic Block Store)
  • Glacier
  • Snowball

Amazon S3 (Simple Storage Service)

  • Amazon S3 is a public storage resource in the AWS (Amazon Web Services) cloud; it is object based storage.
  • An AWS S3 bucket is like a file folder: it stores objects together with their data and metadata.
  • S3 stores all files (PDFs, images, videos, documents, etc.) as objects in the AWS cloud. You cannot have a bucket inside a bucket; a bucket can have folders that group the objects inside it. S3 has a flat architecture (you cannot create a bucket inside a bucket).
  • To use S3, first create an S3 bucket in any AWS region. The bucket name is globally unique: once a bucket is created, its name is taken across all AWS accounts and cannot be used by any other AWS account.
  • Amazon S3 comes under IaaS (Infrastructure as a Service). The important AWS services offered as IaaS are S3 (Simple Storage Service), EC2 (Elastic Compute Cloud) and RDS (Relational Database Service). These IaaS services are charged on a per-hour basis.
  • We cannot install an operating system on S3 storage.
  • S3 has a distributed data architecture: copies of the data are stored in multiple locations within the region.
  • A bucket can store a maximum of 5 TB of data; there are 100 buckets per AWS account, which you can extend further.
  • An S3 bucket cannot be transferred from one AWS account to another. It can be shared and accessed from multiple locations.

S3 Bucket and Naming Rules

  • Bucket names are globally unique: in the AWS cloud two buckets cannot have the same name.
  • Once a bucket is created its name cannot be changed. If the bucket is deleted, the name becomes available again for other users to choose.
  • A bucket name must contain at least 3 characters and at most 63.
  • The bucket name is part of the URL through which the bucket is accessed.
  • Bucket names may use lowercase letters, numbers and hyphens. Uppercase letters are not allowed. A bucket name cannot start or end with a hyphen (-), and must not be an IP address.
  • Whenever we create a bucket or an object, it is private by default: only the bucket owner can access it.
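As an added example (not code from the original post), the naming rules listed above can be checked before a bucket is created. The Python below encodes exactly those rules; the function names are assumptions, and any rule the page does not mention is not enforced here.

```python
import re

# Rule set encoded here is the one listed above; rules S3 applies beyond those
# are deliberately not modelled.
IP_ADDRESS = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
ALLOWED_CHARS = re.compile(r"[a-z0-9-]*")


def bucket_name_problems(name):
    """Return the list of naming rules `name` violates (empty list = valid)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("must be 3 to 63 characters long")
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append("may contain only lowercase letters, digits and hyphens")
    if name.startswith("-") or name.endswith("-"):
        problems.append("must not start or end with a hyphen")
    if IP_ADDRESS.fullmatch(name):
        problems.append("must not be formatted as an IP address")
    return problems


def is_valid_bucket_name(name):
    return not bucket_name_problems(name)


if __name__ == "__main__":
    # Constructed candidate names for illustration.
    for candidate in ["my-logs-2024", "My_Logs", "-logs", "192.168.0.1", "ab", "a" * 64]:
        print(f"{candidate!r:16} -> {bucket_name_problems(candidate) or 'ok'}")
```

Reporting every violated rule rather than stopping at the first one makes the check usable as pre-flight validation in a deployment pipeline, where the person fixing the name wants the complete list at once.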

S3 Bucket Sub-resources

  • Object Lifecycle: here we define the object lifecycle. We can move objects from one storage class to another based on a time frame, which reduces cost. See the image below, where objects are moved from one storage class to another based on how recent the data is.
  • Website: we can use S3 to host a static website.
  • Versioning: you can enable versioning on your storage, which keeps the previous versions of a file as well as the current one. You cannot disable versioning; you can only enable or suspend it.
  • Access Control List: here you decide the access security of your bucket.

S3 Bucket Versioning

Bucket versioning helps us recover data in the case of accidental deletion. Suppose you delete data accidentally; to be able to retrieve it, we enable versioning. Versioning keeps the older data as well as the current data, so if versioning is enabled and an object is deleted you can recover / restore it easily.

Versioning helps with data retention as well as data archiving. Once you enable versioning you cannot disable it; you can only suspend it.

When versioning is enabled and we delete an object, a delete marker is placed on the object, and we can recover it whenever we want.

You will be charged for all the versions. For example, imagine you initially have a 10 MB file, the next version grows to 14 MB, and the next to 18 MB. You are charged for the increments only, which is 8 MB, not 42 MB. This is incremental versioning.

You can apply a lifecycle to versions, which means that as an object becomes older we can move it to cheaper storage or delete it.

Objects that existed before versioning was enabled have the version ID null.
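The versioning behaviour described above (the null version ID for pre-existing objects, delete markers, restore, and the Enabled/Suspended states) is modelled in this added Python example, which is not the S3 API and not code from the original post. The VersionedBucket class, the simplified version ids v1, v2, ... and the sample keys are assumptions for this example.

```python
import itertools

DELETE_MARKER = object()   # sentinel stored in place of a body


class VersionedBucket:
    """Toy model of the S3 versioning semantics described above (constructed
    for this example; not the S3 API). Version ids are simplified to
    v1, v2, ... instead of S3's opaque strings."""

    def __init__(self):
        self.versioning = "Disabled"   # Disabled -> Enabled <-> Suspended
        self._versions = {}            # key -> [(version_id, body)], oldest first
        self._ids = itertools.count(1)

    def enable_versioning(self):
        self.versioning = "Enabled"

    def suspend_versioning(self):
        if self.versioning == "Disabled":
            raise ValueError("versioning has never been enabled")
        self.versioning = "Suspended"      # there is no way back to Disabled

    def _put_null(self, key, body):
        # Disabled/Suspended: one "null" version per key, overwritten in place.
        stack = self._versions.setdefault(key, [])
        stack[:] = [v for v in stack if v[0] != "null"]
        stack.append(("null", body))
        return "null"

    def put(self, key, body):
        """Write an object; returns the version id it received."""
        if self.versioning != "Enabled":
            return self._put_null(key, body)
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((vid, body))
        return vid

    def delete(self, key):
        """Delete the current object. With versioning enabled this only adds
        a delete marker; the data stays and can be restored."""
        if key not in self._versions:
            return None
        if self.versioning == "Disabled":
            del self._versions[key]        # gone for good
            return None
        if self.versioning == "Suspended":
            return self._put_null(key, DELETE_MARKER)
        vid = f"v{next(self._ids)}"
        self._versions[key].append((vid, DELETE_MARKER))
        return vid

    def get(self, key, version_id=None):
        """Current body (None if the newest version is a delete marker), or
        a specific version when `version_id` is given."""
        stack = self._versions.get(key, [])
        if version_id is None:
            body = stack[-1][1] if stack else DELETE_MARKER
        else:
            body = next((b for v, b in stack if v == version_id), DELETE_MARKER)
        return None if body is DELETE_MARKER else body

    def restore(self, key):
        """Undo an accidental delete by removing the newest delete marker."""
        stack = self._versions.get(key, [])
        if stack and stack[-1][1] is DELETE_MARKER:
            stack.pop()
            return True
        return False

    def version_ids(self, key):
        return [vid for vid, _ in self._versions.get(key, [])]


if __name__ == "__main__":
    b = VersionedBucket()
    b.put("report.pdf", "original")          # before versioning -> id "null"
    b.enable_versioning()
    b.put("report.pdf", "revised")           # -> "v1"
    b.delete("report.pdf")                   # -> delete marker "v2"
    print("after delete:", b.get("report.pdf"))          # None
    print("restored:", b.restore("report.pdf"), b.get("report.pdf"))
    print("versions:", b.version_ids("report.pdf"))      # ['null', 'v1']
```

The model makes the recovery path explicit: a delete with versioning enabled is a new version (the marker), so "restore" is just removing that marker, whereas a delete in the Disabled state removes the only copy. That asymmetry is the whole reason to enable versioning before the first accident rather than after it.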

Multi Factor Authentication (MFA)

MFA is an extra level of security that we can apply to our S3 bucket. By enabling multi-factor authentication you prevent other users from deleting S3 objects accidentally. Once multi-factor authentication is enabled, you cannot delete unless the security code received on the registered physical device is provided within 30 seconds.

S3 Multipart Upload

S3 multipart upload allows us to upload a file to the server in parts. The object parts are uploaded independently and in parallel. You must use the multipart upload API to upload a file if its size is equal to or greater than 5 GB.

Types of AWS S3 Storage

1) Amazon S3 Standard [storage cost is high but access / retrieval cost is low]
    This storage class is useful if you need to access the data frequently.

2) Amazon S3 Glacier Deep Archive [storage cost is the cheapest but retrieval cost is high]
    Amazon S3 Glacier Deep Archive is suitable when you rarely access the data (once a year or less). Its storage is very cheap, but accessing the data costs more, and retrieval takes a variable amount of time.

3) Amazon Glacier
Amazon S3 Glacier is a little costlier than Glacier Deep Archive. It is also used when we do not need frequent access to the data, and retrieval time is not fixed. The main difference between Amazon Glacier and Glacier Deep Archive is that in Glacier you can select the data retrieval time, i.e. you choose how quickly you want the data when you access it. Three retrieval options are available: within a minute, within an hour, or within 12 hours.

4) Amazon S3 Standard Infrequent Access
This storage class is best for infrequent access where, when you do need the data, you need it immediately. It provides immediate access without the delay of Amazon Glacier or Amazon S3 Glacier Deep Archive. Overall the data is accessed infrequently, but whenever it is accessed it must be available immediately without delay.

5) Amazon S3 One Zone - IA
By default S3 creates three copies of your data as a backup and charges you accordingly; in a disaster it recovers your data from another copy. S3 One Zone-IA keeps only one copy of the data in one zone, so in a disaster your data is not recoverable.

6) Amazon S3 Intelligent-Tiering
We use the Intelligent-Tiering storage class when we do not know whether we will need to access the data immediately or not.
