# Identity Access Management 101

IAM (AWS Identity and Access Management) lets you manage users and their level of access to the AWS console and APIs.

It is important to understand IAM and how it works, both for the exam and for administering a company's AWS account in real life.

### Key features of IAM

Identity and Access Management offers the following features:
- centralised control of your AWS account
- shared access to your AWS account
- granular permissions
- identity federation (with Active Directory, Facebook, Google and other identity providers)
- multi-factor authentication
- temporary access for users, devices and services where necessary
- lets you set up your own password rotation policy
- integrates with many different AWS services
- supports PCI DSS compliance (the payment card industry framework)

### Key terminology for IAM

- Users:
    - end users such as people, employees of an organization etc.
- Groups:
    - a collection of users. Each user in the group inherits the permissions attached to the group
- Policies:
    - policies are made up of documents, called policy documents
- Policy Documents:
    - JSON documents that state what a User/Group/Role is allowed (or denied) to do

- Roles:
    - you create roles and then assign them to AWS resources (or let users and services assume them), so they get permissions without long-lived keys

# Identity Access Management - LAB


### Activate multi-factor authentication

(Lab step: enable MFA on the root account before anything else.)

### Creating an individual IAM user

- Create a new user with a unique name
- choose the access type (programmatic access, AWS Management Console access, or both)
- assign the user to a group, which determines which privileges are added
- optionally add tags
- the console can email the sign-in instructions to the user
- the credentials (access key ID and secret access key) can be downloaded as a .csv; this is the only time the secret is shown

### Creating a group policy 

Every group starts with no policy; permissions have to be attached explicitly.

Policies are JSON documents. The one attached in this lab is the managed AdministratorAccess policy, which breaks down as:

- Version: the policy language version (a date)
- Statement:
    - Effect: Allow
    - Action: * (any action)
    - Resource: * (any resource)

This combination is full administrative access to the account; for anything other than an admin group, scope Action and Resource down to what the group actually needs.
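The policy document above written out in full, next to a scoped-down alternative and a small linter that flags the patterns an admin should look for before attaching a policy. This is an added example, not code from the course; the bucket name `example-reports` and the finding messages are made up for illustration.

```python
"""Build and lint IAM policy documents (added example; not from the course)."""
import json

# The AdministratorAccess-style document from the lab: every action on every resource.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A least-privilege alternative for a group that only reads one bucket.
# "example-reports" is a hypothetical bucket name.
READ_ONE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::example-reports/*"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return findings (strings) for Allow statements that are broader than they look."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17 (the older version has no policy variables)")
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants everything not listed")
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: full admin (Action * on Resource *)")
        elif "*" in resources:
            findings.append(f"statement {i}: Resource * is unscoped for {actions}")
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"statement {i}: service-wide wildcard {action}")
        if "iam:PassRole" in actions and "*" in resources:
            findings.append(f"statement {i}: iam:PassRole on * allows privilege escalation")
    return findings


def policy_json(doc):
    """Serialise the document the way it is pasted into the IAM console."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("read-one-bucket", READ_ONE_BUCKET_POLICY)):
        print(name, lint_policy(doc) or "no findings")
        print(policy_json(doc))
```

The linter only looks at Allow statements, because a Deny can never widen access; in a real review, run the same checks over every managed policy attached to the group, not just the inline one.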
    
### Password policy

You can set requirements for passwords such as:
- Minimum password length of {12} characters
- Require at least one uppercase letter from the Latin alphabet (A-Z)
- Require at least one lowercase letter from the Latin alphabet (a-z)
- Require at least one number
- Require at least one non-alphanumeric character (!@#$%^&*()_+-=[]{}|')
- Enable password expiration
- Password expiration requires administrator reset
- Allow users to change their own password
- Prevent password reuse

In the console you can also manage user passwords, for example resetting or deleting a user's console password.




### Roles 

Allow one AWS service to use another AWS service

e.g. allow a virtual machine (EC2 instance) to talk to S3 without storing an access key on the machine; the instance gets short-lived credentials from the role instead

### Exam tips

What have we learnt so far?

- IAM is global (universal); it is not scoped to regions
- the 'root account' is the identity created when you first set up your AWS account. It has complete admin access and cannot be restricted by IAM policies
- New users have **NO permissions** when first created
- New users can be given an Access Key ID and Secret Access Key when first created
    - a user can have programmatic access, console access, or both
- These are not the same as a password. You cannot use the access key ID and secret access key to log in to the console; you use them to access AWS via the APIs and command line
- You only get to view the secret access key once. If you lose it, you have to generate a new key pair (and deactivate the old one)
- always set up multi-factor authentication on your root account
- you can create and customise your own password rotation policies



# Creating a billing alarm - lab

CloudWatch - the service for monitoring your AWS account (metrics, logs and alarms)

- Go into CloudWatch and choose the Billing section
- select Create alarm
- select the metric (EstimatedCharges for billing)
- select the resource or dimension to observe (total estimated charges, or charges for one service)
- specify the metric parameters or conditions (e.g. greater than a threshold)
- select the notification trigger (an SNS topic)
- give it a description
- preview and commit

Two things the console does not make obvious: billing metrics are only published in the us-east-1 (N. Virginia) region, and they only appear after "Receive Billing Alerts" has been enabled in the Billing preferences of the account.

In the exam: how can you get automatic notifications if the account goes over $1,000?

You can create a billing alarm in CloudWatch on the EstimatedCharges metric, and have the alarm publish to an SNS topic that has an email subscription.



# S3 101

### What is S3?

S3 provides developers and IT teams with secure, durable, highly scalable object storage. Amazon S3 is easy to use, with a simple web services interface to store and retrieve any amount of data from anywhere on the web.

### So what is S3?
- S3 is a safe place to store your files
- it is object-based storage
- the data is spread across multiple devices and facilities

### The basics of s3 are:
- S3 is object-based and allows you to upload files. An object consists of:
    - Key: the name of the object (filename)
    - Value: the data being stored
    - Version ID: important for versioning
    - Metadata: data about your data
    - Subresources:
        - access control lists
        - torrent

- files can be from 0 bytes to 5 TB
- there is unlimited storage
- files are stored in buckets (sort of like folders)
- S3 is a universal namespace, that is, bucket names must be unique globally
    - this is because each bucket gets a web address based on its name
    - given as https://bucketname.s3.region.amazonaws.com/
- when you upload a file to S3, you receive an HTTP 200 code if the upload was successful
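The naming rules behind "names must be unique globally" and the two endpoint formats, as an added example (not code from the course). It validates a proposed bucket name against the published S3 rules and builds the virtual-hosted and path-style URLs; the practitioner point it adds is that a bucket name containing a dot breaks TLS on the virtual-hosted endpoint, because the wildcard certificate covers a single label only.

```python
"""Bucket naming rules and endpoint formats (added example; not from the course)."""
import ipaddress
import re

# 3-63 chars, lowercase letters / digits / dots / hyphens, alphanumeric at both ends.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def validate_bucket_name(name):
    """Return None when the name is acceptable, otherwise the rule it breaks."""
    if not 3 <= len(name) <= 63:
        return "length must be 3-63 characters"
    if not _BUCKET_RE.match(name):
        return "only lowercase letters, digits, dots and hyphens; start and end alphanumeric"
    if ".." in name:
        return "two adjacent periods are not allowed"
    try:
        ipaddress.IPv4Address(name)
    except ValueError:
        pass
    else:
        return "name must not be formatted as an IP address"
    return None


def virtual_hosted_url(bucket, region, key=""):
    """https://BUCKET.s3.REGION.amazonaws.com/KEY (the regional, virtual-hosted style)."""
    return f"https://{bucket}.s3.{region}.amazonaws.com/{key}"


def path_style_url(bucket, region, key=""):
    """https://s3.REGION.amazonaws.com/BUCKET/KEY; works over HTTPS even for dotted names."""
    return f"https://s3.{region}.amazonaws.com/{bucket}/{key}"


def https_safe_for_virtual_hosting(bucket):
    """The *.s3.REGION.amazonaws.com wildcard certificate matches one DNS label only,
    so a bucket name with a dot in it fails hostname verification on the virtual-hosted URL."""
    return "." not in bucket


if __name__ == "__main__":
    for candidate in ("my-logs-2020", "My_Bucket", "192.168.0.1", "my.logs"):
        problem = validate_bucket_name(candidate)
        print(candidate, "->", problem or "ok",
              "" if https_safe_for_virtual_hosting(candidate) else "(use path-style over HTTPS)")
    print(virtual_hosted_url("my-logs-2020", "us-west-2", "2020/app.log"))
```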


### How does data consistency work for S3?
- Read-after-write consistency for PUTs of new objects
    - if you upload a new file to S3, you are able to read it immediately
- Eventual consistency for overwrite PUTs and DELETEs (can take time to propagate)
    - if you change the file, you may have to wait for it to update; a read may return the earlier version until then

In other words:
- if you write a new file and read it immediately afterwards, you will be able to view that data
- if you update AN EXISTING file or delete a file and read it immediately, you may get the older version, or you may not. Changes to objects can take time to propagate.

(Caveat: this was the model when these notes were written. Since December 2020 S3 provides strong read-after-write consistency for all operations, including overwrites and deletes, so the eventual-consistency answer only matches older exam material.)

S3 has the following guarantees from Amazon:
- built for 99.99% availability for the S3 platform
- Amazon guarantees 99.95% availability
- Amazon guarantees 99.999999999% durability for S3 objects (that's 11 nines)

S3 has the following features;
- Tiered storage available
- lifecycle management
- versioning
- encryption
- MFA Delete
- secure your data using access control lists and bucket policies

### S3 storage classes:
1. S3 Standard
    - 99.99% availability
    - 99.999999999% durability
    - stored redundantly across multiple devices in multiple facilities, and is designed to sustain the loss of 2 facilities concurrently
2. S3 - IA (Infrequent Access)
    - for data that is accessed less frequently, but requires rapid access when needed. Lower storage fee than S3 Standard, but you are charged a per-GB retrieval fee
3. S3 One Zone - IA
    - a lower-cost option for infrequently accessed data, for when you do not require multi-Availability-Zone resilience (the data is lost if that one AZ is destroyed)
4. S3 - Intelligent Tiering
    - optimizes costs by automatically moving data to the most cost-effective access tier without performance impact or operational overhead
5. S3 Glacier
    - a secure, durable and low-cost storage class for data archiving. You can reliably store any amount of data at costs that are competitive with or cheaper than on-premises solutions. Retrieval times are configurable from minutes to hours.
6. S3 Glacier Deep Archive
    - S3's lowest-cost storage class, for data where a retrieval time of 12 hours is acceptable.
    
![Image of S3 tiers](https://raw.githubusercontent.com/JonathanWamsley/AWS-Certified-Solutions-Architect-Associate-2020/master/images/S3%20comparision.JPG)

### S3- Charges

- storage
- requests
- storage management pricing
- data transfer pricing
- transfer acceleration
- cross region replication pricing

### Cross region replication

When you upload a file to a bucket in one region it is automatically copied to a bucket in another region (requires versioning on both buckets; only uploads made after the rule is created are replicated)

### S3 Transfer Acceleration

- Amazon S3 Transfer Acceleration enables fast, easy and secure transfers of files over long distances between your end users and S3 buckets.
- Transfer Acceleration takes advantage of Amazon CloudFront's globally distributed edge locations.
    - As the data arrives at an edge location, it is routed to Amazon S3 over an optimized network path (the AWS backbone rather than the public internet)

take-away: the client talks to a nearby edge location and the data rides the AWS network to the bucket's region, which can be much further away; this mainly speeds up uploads over long distances, whereas CloudFront is the service that caches content near readers

### Exam Tips

- Remember that S3 is object-based: it allows you to upload files
- files can be 0 bytes to 5 TB
- there is unlimited storage
- files are stored in Buckets
- S3 is a universal namespace, that is, bucket names must be unique globally
- a bucket is reachable at bucketname.s3.amazonaws.com (the legacy global endpoint)
- or, for any region, at bucketname.s3.regionname.amazonaws.com

- not suitable to install an operating system or database on; you will want block-based storage (EBS) for that. S3 is object-based storage

- when you successfully upload a file you will get an HTTP 200 status code
- you can turn on MFA Delete
- you can turn on MFA delete

The key fundamentals of S3 are:
- Key
- Value
- Version
- Metadata
- Subresources
    - access control lists
    - torrent
    
- read-after-write consistency for PUTs of new objects
- eventual consistency for overwrite PUTs and DELETEs (the model at the time of these notes; S3 has since moved to strong consistency for all operations)

Storage Classes:
- S3 Standard
- S3 - IA
- S3 - One Zone - IA
- S3 - intelligent tiering
- S3 - Glacier
- S3 - Glacier Deep Archive

Tip: read the S3 FAQs before taking the exam and get your hands dirty in the console
https://aws.amazon.com/s3/faqs/

(will do notes on this later)

# Create an S3 Bucket-lab

### Steps
- go to S3 in the AWS console
- enter a bucket name (it must be globally unique and DNS-compliant)
- select a region

**Bucket features that can be turned on**
- versioning
- server access logging
- tags (key/value pairs)
- object-level logging (CloudTrail data events)
- default encryption
- CloudWatch request metrics to monitor S3

### more steps
- AWS blocks all public access by default
- a summary is shown before you create the bucket

- can now go into the bucket
- upload a file
- shows a success (HTTP 200 status code)
- can click on the file and see the overview, properties and permissions

Right now the object is not public. To make it public (only do this for content that is meant to be public; Block Public Access exists to stop accidental exposure):
- go to the bucket and edit the public access settings
- uncheck block all public access
- go to the file, and choose make public under actions

### Overview
You can change an object's storage class under its properties (change storage class)

### Properties
To change the bucket as a whole, go to the properties tab and change settings at the bucket level.

### Permissions
The access control list can set the access level for a bucket or an individual object;
bucket policies apply to the whole bucket (and are the preferred mechanism, since one JSON document is easier to review than per-object ACLs)

### Management

Lifecycle and replication rules

There are a lot more features in their S3 Master Class (a separate course)

### Exam tips

Control access to buckets using either a bucket ACL or Bucket Policies

### S3 pricing tiers

A popular exam question is which tier of S3 you should use for a given scenario.

### What makes up the cost of S3?

- storage
- requests and data retrievals
- data transfer
- management and replication

### What are the different tiers?

Cost per GB stored decreases as you go down the list (while retrieval cost and retrieval time go up):
1. Standard
2. IA
3. One Zone - IA
4. Intelligent Tiering
5. Glacier
6. Glacier Deep Archive

![s3 tier price](https://raw.githubusercontent.com/JonathanWamsley/AWS-Certified-Solutions-Architect-Associate-2020/master/images/S3%20price%20by%20tier.JPG)

https://aws.amazon.com/s3/storage-classes/

# S3 Security and Encryption

By default, all newly created buckets are PRIVATE. You can set up access control to your buckets using:

- Bucket Policies
- Access Control Lists

S3 buckets can be configured to create access logs which record all requests made to the bucket. These logs can be sent to another bucket, even a bucket in another account (keep the log bucket separate so that someone who gets write access to the data bucket cannot tamper with the logs).

### Encryption in transit and at rest

- Encryption in transit protects data between your computer and the server, e.g. when you browse a website over HTTPS.
    - Achieved with SSL/TLS (the HTTPS endpoints of S3)
- Encryption at rest is encryption of data while it is stored.
    - A Word document stored encrypted cannot be read by someone who takes a copy of the file
    - Can be done server side (S3 encrypts it) or client side (you encrypt it before upload)

AWS offers server-side encryption in 3 ways:
1. S3-managed keys - SSE-S3 (server-side encryption, S3)
    - Amazon manages the keys for you (the key used to encrypt and decrypt the file)
2. AWS Key Management Service managed keys - SSE-KMS
    - You and Amazon manage the keys together: KMS holds the key, you control the key policy, and every use of the key is logged in CloudTrail
3. Server-side encryption with customer-provided keys - SSE-C
    - The customer supplies the key with each request; Amazon uses it and discards it, so you are responsible for keeping it
- you can also encrypt on the client side: encrypt first, then use AWS to put the ciphertext into the S3 bucket
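The three server-side options differ in what the upload request carries, and a bucket policy can refuse uploads that do not ask for encryption. The block below is an added example, not the course's code: it builds the request headers for SSE-S3, SSE-KMS and SSE-C, builds a bucket policy that denies unencrypted PutObject and plain-HTTP access, and evaluates that policy against sample requests. The bucket name `example-reports` and the statement Sids are made up; the evaluator only implements the two condition operators the policy uses.

```python
"""Server-side encryption request headers and a bucket policy that enforces them
(added example; not from the course)."""
import base64
import hashlib


def customer_key_md5(key):
    """SSE-C requires base64(MD5(key)) so S3 can verify the key arrived intact."""
    return base64.b64encode(hashlib.md5(key).digest()).decode()


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Headers a PutObject request carries for each server-side encryption option."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omit to use the account's default aws/s3 key
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
        # The key travels in the request (so SSE-C is only allowed over TLS) and S3 does
        # not store it: lose the key and the object is unrecoverable.
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5": customer_key_md5(customer_key),
        }
    raise ValueError(f"unknown mode {mode}")


def encryption_bucket_policy(bucket):
    """Deny uploads that do not ask for server-side encryption, and deny plain HTTP."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def denied_by(policy, headers, https=True):
    """Return the Sids of Deny statements that match a PutObject request.
    Only the Null and Bool condition operators used above are evaluated."""
    context = {
        "aws:SecureTransport": "true" if https else "false",
        "s3:x-amz-server-side-encryption": headers.get("x-amz-server-side-encryption"),
    }
    hits = []
    for stmt in policy["Statement"]:
        matched = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, want in pairs.items():
                have = context.get(key)
                if operator == "Null":
                    matched &= (have is None) == (want == "true")
                elif operator == "Bool":
                    matched &= have == want
        if matched and stmt["Effect"] == "Deny":
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = encryption_bucket_policy("example-reports")
    print("no headers:", denied_by(policy, {}))
    print("SSE-KMS:   ", denied_by(policy, sse_headers("SSE-KMS")))
    print("SSE-S3/http:", denied_by(policy, sse_headers("SSE-S3"), https=False))
```

Two caveats fall out of running it: an SSE-C upload is also denied by `DenyUnencryptedPut`, because SSE-C uses different headers and the `s3:x-amz-server-side-encryption` key is absent, so a policy like this must be adjusted if SSE-C is in use; and since January 2023 S3 encrypts new objects with SSE-S3 by default, so today the Deny is mostly useful rewritten as a `StringNotEquals` on `aws:kms` to force SSE-KMS.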

### Encrypting in the AWS console

- go into S3
- click into the bucket
- click on the file
- look at properties, encryption
- can choose between the server-side encryption options (None, AES-256 for SSE-S3, or AWS-KMS)

# S3 Versioning - Lab

Using versioning with S3:
- Stores all versions of an object (including all writes and even if you delete an object)
- great backup tool
- once enabled, versioning cannot be disabled, only suspended
- integrates with lifecycle rules
- versioning MFA delete capability, which uses multi-factor authentication, can be used to provide an additional layer of security

Using the previous public bucket:
- go to versioning and enable it
- add another file
- edit the file and upload it again
- access to the file is now denied: the new version is a new object with its own ACL, and it is private
- make it public again
- can now see it again
- can see versions in the bucket by toggling "show versions"; it shows last modified date, version ID, size and storage class

To delete:
- go to actions, delete (your folder now looks empty), but you can show versions again
- the delete added a delete marker on top of the version history
- restore by deleting the delete marker
- the most recent version is now shown again
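A toy model of what the lab steps do underneath, as an added example (not S3's code or the course's): every PUT appends a version, a plain DELETE only appends a delete marker, deleting the marker restores the object, and deleting a specific version rolls back to the previous one. It also models MFA Delete refusing a version-specific delete without an MFA code. Keys and contents are constructed for the example.

```python
"""Toy model of S3 versioning semantics: delete markers, version-specific deletes and
MFA Delete (added example; not S3 code or the course's)."""
import itertools


class VersionedBucket:
    def __init__(self, mfa_delete=False):
        self._history = {}          # key -> list of (version_id, body); body None = delete marker
        self._ids = itertools.count(1)
        self.mfa_delete = mfa_delete

    def put(self, key, body):
        """Every PUT creates a new version; earlier versions are kept."""
        version_id = f"v{next(self._ids)}"
        self._history.setdefault(key, []).append((version_id, body))
        return version_id

    def delete(self, key):
        """A DELETE without a version id only adds a delete marker; no data is removed."""
        return self.put(key, None)

    def delete_version(self, key, version_id, mfa_code=None):
        """DELETE with a version id permanently removes that version or delete marker.
        With MFA Delete enabled, S3 requires the MFA device serial and code on this call."""
        if self.mfa_delete and mfa_code is None:
            raise PermissionError("MFA Delete is enabled: version deletion needs an MFA code")
        versions = self._history.get(key, [])
        self._history[key] = [(v, b) for v, b in versions if v != version_id]

    def get(self, key):
        """GET without a version returns the current version, or nothing behind a delete marker."""
        versions = self._history.get(key)
        if not versions:
            return None
        return versions[-1][1]

    def list_versions(self, key):
        """What the console shows with 'show versions' toggled on."""
        versions = self._history.get(key, [])
        return [
            {"VersionId": v, "IsLatest": i == len(versions) - 1, "DeleteMarker": b is None}
            for i, (v, b) in enumerate(versions)
        ]


def lab_walkthrough():
    """Replays the lab: upload, edit, delete, then restore by removing the delete marker."""
    bucket = VersionedBucket()
    bucket.put("hello.txt", "Hello")
    v2 = bucket.put("hello.txt", "Hello, edited")
    marker = bucket.delete("hello.txt")            # the folder now looks empty ...
    gone = bucket.get("hello.txt")                 # ... and GET returns nothing
    bucket.delete_version("hello.txt", marker)     # remove the marker ...
    restored = bucket.get("hello.txt")             # ... and the latest version is back
    bucket.delete_version("hello.txt", v2)         # deleting a real version rolls back to the previous one
    return gone, restored, bucket.get("hello.txt")


def mfa_delete_blocks_unauthenticated_delete():
    """With MFA Delete on, a version delete without a code fails and the data survives."""
    bucket = VersionedBucket(mfa_delete=True)
    version = bucket.put("secret.txt", "data")
    try:
        bucket.delete_version("secret.txt", version)
    except PermissionError:
        return bucket.get("secret.txt") == "data"
    return False


if __name__ == "__main__":
    print(lab_walkthrough())                        # (None, 'Hello, edited', 'Hello')
    print(mfa_delete_blocks_unauthenticated_delete())
```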


### exam tips

- stores all versions of an object (including all writes and even if you delete an object)
- great backup tool
- once enabled, versioning cannot be disabled, only suspended
- integrates with lifecycle rules
- versioning's MFA delete capability, which uses multi-factor authentication, can be used to provide an additional layer of security




### Lifecycle management with S3 - LAB

In the S3 bucket:
- under management, go to lifecycle rules
- will automate transitioning your objects to different tiers of storage
- can expire objects as well

Creating a lifecycle rule:
- enter the name of the rule (and optionally a prefix or tag filter)
- storage class transition
    - enable for the current version
    - enable for previous versions
    - establish a tier transition after X days
- configure expiration
    - current version
    - previous versions
    - clean up expired object delete markers and incomplete multipart uploads
        - clean up expired object delete markers (specify days)
        - clean up incomplete multipart uploads (specify days; unfinished parts are billed until aborted)
- confirm in the summary
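The same rule expressed as the lifecycle configuration the console submits, with a checker for the constraints S3 enforces on transitions, as an added example (not the course's code). The rule names, prefixes and day counts are made up; the checks encode that transitions must move down the storage-class list, that days must increase from one transition to the next, that the IA classes need the object to be at least 30 days old, and that expiration must come after the last transition.

```python
"""Build an S3 lifecycle rule and check the constraints S3 enforces on transitions
(added example; not from the course)."""

# Transitions may only move down this list (never back towards STANDARD).
WATERFALL = ["STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
             "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]
# Objects must live 30 days in S3 before they may move to either IA class.
MIN_DAYS = {"STANDARD_IA": 30, "ONEZONE_IA": 30}


def lifecycle_rule(rule_id, prefix="", transitions=(), expire_days=None,
                   noncurrent_transitions=(), noncurrent_expire_days=None,
                   abort_multipart_days=7):
    """Assemble one rule in the shape of PutBucketLifecycleConfiguration."""
    rule = {"ID": rule_id, "Status": "Enabled", "Filter": {"Prefix": prefix}}
    if transitions:
        rule["Transitions"] = [{"Days": d, "StorageClass": sc} for d, sc in transitions]
    if expire_days is not None:
        rule["Expiration"] = {"Days": expire_days}
    if noncurrent_transitions:
        rule["NoncurrentVersionTransitions"] = [
            {"NoncurrentDays": d, "StorageClass": sc} for d, sc in noncurrent_transitions]
    if noncurrent_expire_days is not None:
        rule["NoncurrentVersionExpiration"] = {"NoncurrentDays": noncurrent_expire_days}
    if abort_multipart_days is not None:
        rule["AbortIncompleteMultipartUpload"] = {"DaysAfterInitiation": abort_multipart_days}
    return rule


def check_rule(rule):
    """Return the problems S3 would reject the rule for."""
    problems = []
    for field, day_key, exp_field in (
            ("Transitions", "Days", "Expiration"),
            ("NoncurrentVersionTransitions", "NoncurrentDays", "NoncurrentVersionExpiration")):
        last_day, last_rank = -1, 0            # rank 0 is STANDARD, where objects start
        for transition in rule.get(field, []):
            sc, days = transition["StorageClass"], transition[day_key]
            if sc not in WATERFALL[1:]:
                problems.append(f"{field}: {sc} is not a valid transition target")
                continue
            rank = WATERFALL.index(sc)
            if rank <= last_rank:
                problems.append(f"{field}: {sc} moves back up the storage class waterfall")
            if days <= last_day:
                problems.append(f"{field}: transition days must increase ({sc} at {days})")
            if days < MIN_DAYS.get(sc, 0):
                problems.append(f"{field}: {sc} needs at least {MIN_DAYS[sc]} days")
            last_day, last_rank = days, rank
        expiry = rule.get(exp_field, {}).get(day_key)
        if expiry is not None and expiry <= last_day:
            problems.append(f"{exp_field}: {expiry} days is not after the last transition")
    return problems


if __name__ == "__main__":
    rule = lifecycle_rule("archive-logs", "logs/",
                          transitions=[(30, "STANDARD_IA"), (90, "GLACIER")], expire_days=365,
                          noncurrent_transitions=[(30, "GLACIER")], noncurrent_expire_days=180)
    print(check_rule(rule) or "rule ok")
    print(check_rule(lifecycle_rule("too-soon", transitions=[(7, "STANDARD_IA")])))
```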
        
### exam tips

- automate moving your objects between the different storage tiers
- can be used in conjunction with versioning
- can be applied to current versions and previous versions


# AWS Organizations and Consolidating Billings

# What is AWS Organizations?

"AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage"


![aws organizations](https://docs.aws.amazon.com/organizations/latest/userguide/images/BasicOrganization.png)

You have your root AWS account (the master account, since renamed the management account)
- best practice is to use this account for billing only
- no resources deployed in it

The OUs are organizational units
- developers, finance department, test, dev, etc.
- apply permissions by using policies
    - a policy document attached to an OU is inherited by every account and child OU under it
    - e.g. allow only S3 and EC2 on an OU, and all branches below it get that restriction

Consolidated billing:
- all your accounts' charges are aggregated together
- one bill for the whole organization, itemised per account
- very easy to track charges and allocate costs
- volume pricing discounts apply to the combined usage

![](http://d1nqddva888cns.cloudfront.net/consolidated_billing_diagram.gif)


Watching the instructor use multiple accounts to set up AWS Organizations:

- go into AWS Organizations in the console
- create an organization (this makes your account the master/management account) and give the organization a name
- can now invite an account (can also create a new account from the master account)
- enter the account email or account ID
    - the other account will have to verify that email address


- from the second account you receive the invitation, which can be accepted
- the second account has the option to leave the organization


- from the master account you can now see the 2nd account under the organization
- on the organize accounts tab, you can arrange them into OUs and attach policies
    - can create service control policies, which look like IAM policies but set the maximum permissions an account can have rather than granting any
    
### Exam tips

- always enable MFA on the root account
- always use a strong and complex password on the root account
- the paying account should be used for billing purposes only. Do not deploy resources into the paying account
- enable/disable AWS services using service control policies (SCPs) either on an OU or on individual accounts (SCPs do not apply to the management account itself)


# Lab- Sharing S3 Buckets Across Accounts

### 3 different ways to share S3 buckets across accounts

- using bucket policies and IAM (applies across the entire bucket). Programmatic access only
- using bucket ACLs and IAM (individual objects). Programmatic access only
- cross-account IAM roles. Programmatic and console access

Roles: a way of temporarily granting access to an AWS resource, either from another AWS service such as EC2 or from another AWS account

Starting in the AWS Organizations root account:
- go to IAM and select create role
    - select "another AWS account"
    - enter the account number of the other account you are giving permission to
    - attach policies to the role (the lab uses AmazonS3FullAccess; a policy scoped to one bucket is the better choice) and give it a name
    - click into the role created
        - there is a link that you give to users so they can switch to the role in the console
- in the second account, go to IAM
    - go to users, add user (give AWS Management Console access)
    - (can give a custom or autogenerated password)
    - add the user to a group (admin access) and create the user

- sign in as that new user (in a separate browser session)
    - there is a switch role option under the name drop-down
    - can use the role that was created in the 1st account via the role URL link
    - shows a cross-account access label under the name
    - no permissions for billing (only the S3 permissions the role grants)
    - can create a bucket and access the existing buckets in account 1
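What the console clicks above produce, as an added example (not the course's steps): the role's trust policy that names the second account, a permissions policy scoped to one bucket in place of AmazonS3FullAccess, the switch-role link the console hands out, and a check of who the trust policy lets in. The account IDs, bucket name and role name are made up. The ExternalId and MFA conditions are not part of the lab; they are the two hardenings a practitioner adds to a cross-account trust.

```python
"""Cross-account role: trust policy, scoped permissions, switch-role link and an
assume-role check (added example; not the course's steps). Account ids are made up."""
import urllib.parse

ACCOUNT_A = "111111111111"   # owns the bucket and the role
ACCOUNT_B = "222222222222"   # owns the user who will switch into the role


def cross_account_trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Who may call sts:AssumeRole on this role. Trusting ':root' trusts any identity in
    that account that its own admins grant sts:AssumeRole; ExternalId and MFA narrow it."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole"}
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


def bucket_access_policy(bucket):
    """What the role may do, instead of the lab's AmazonS3FullAccess: one bucket, read and write."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": arn},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{arn}/*"},
    ]}


def switch_role_url(account_id, role_name, display_name=None):
    """The link the console shows after creating the role."""
    query = {"account": account_id, "roleName": role_name}
    if display_name:
        query["displayName"] = display_name
    return "https://signin.aws.amazon.com/switchrole?" + urllib.parse.urlencode(query)


def account_of(arn):
    """Account id is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def assume_role_allowed(trust_policy, caller_arn, external_id=None, mfa_present=False):
    """Evaluate the trust policy for a caller (the caller also needs sts:AssumeRole
    in its own identity policy, which is not modelled here)."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if account_of(stmt["Principal"]["AWS"]) != account_of(caller_arn):
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId", external_id) != external_id:
            continue
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        return True
    return False


if __name__ == "__main__":
    trust = cross_account_trust_policy(ACCOUNT_B, external_id="lab-42", require_mfa=True)
    alice = f"arn:aws:iam::{ACCOUNT_B}:user/alice"
    print(switch_role_url(ACCOUNT_A, "S3CrossAccount", "reports"))
    print("alice, no MFA:", assume_role_allowed(trust, alice, "lab-42"))
    print("alice, MFA:   ", assume_role_allowed(trust, alice, "lab-42", mfa_present=True))
```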
    
### exam tips

3 different ways to share S3 buckets across accounts

- using bucket policies and IAM (whole bucket)
- using bucket ACLs and IAM (individual objects)
- cross-account IAM roles (programmatic and console access)

### Cross region replication-lab

In the AWS console:
- in the bucket, go to management
    - go to replication
        - add rule (requires versioning to be enabled)
            - can select the entire bucket or a subset (prefix/tags)
            - can assign a destination bucket (in this or another account)
            - create the destination bucket with a DNS-compliant name and select its region (can change object ownership/storage class)
            - select an IAM role (S3 needs a role that can read the source and write to the destination) and a role name
- in buckets, you see the replicated bucket but the existing files are not there
- once replication is turned on, subsequent changes to the source bucket are copied over
- upload a new file in the original bucket
- view the new bucket in the other region (turn the object public) and view it

Note: if you delete an object in the original bucket, the delete marker is not put on the replica

If you delete the latest version in the original bucket, the replica still shows the version that was deleted in the original bucket

### Exam tips

- versioning must be enabled on both the source and destination buckets
- source and destination must be in different regions (same-region replication is a separate feature)
- files already in the bucket are not replicated automatically
- all subsequent uploads and updates are replicated automatically
- delete markers are not replicated (by default; newer replication configurations can opt in)
- deleting individual versions or delete markers is not replicated

# S3 Transfer Acceleration

### What is S3 Transfer Acceleration?

S3 Transfer Acceleration utilises the CloudFront edge network to accelerate your uploads to S3. Instead of uploading directly to your S3 bucket, you use a distinct URL to upload to an edge location, which then transfers that file to S3 over the AWS backbone. The distinct URL is:

BucketName.s3-accelerate.amazonaws.com

So users around the world upload a file to a nearby edge location, which then forwards it to your S3 bucket (the feature has to be enabled per bucket and is charged extra per GB)

There is a tool to test transfer acceleration:
https://s3-accelerate-speedtest.s3-accelerate.amazonaws.com/en/accelerate-speed-comparsion.html

It compares how much faster it works from regions around the world

# What is CloudFront?

### common terms 

- CloudFront: AWS's content delivery network (CDN). A CDN is a system of distributed servers (a network) that delivers webpages and other web content to a user based on the geographic location of the user, the origin of the webpage, and a content delivery server.

- Edge Location: a location where content will be cached. This is separate from an AWS Region/AZ.

- Origin: the source of all the files that the CDN will distribute. This can be an S3 bucket, an EC2 instance, an Elastic Load Balancer or Route 53

- Distribution: the name given to the CDN, which consists of a collection of Edge Locations

### simple example

Without a CDN, a user in, let's say, Australia who wants content from a server in the US has to pull directly from the US server, which can take time.

With a CDN, that user in Australia connects to a nearby Edge Location and gets the content from there if a copy is cached on it. If there is no copy, the edge location fetches one from the origin and caches it (for, let's say, 72 hours). The next user in the region gets the cached copy, so the response time drops.

### Amazon CloudFront features

Amazon CloudFront can be used to deliver your entire website, including dynamic, static, streaming, and ineteractive content using a global network of edge locations. Requests for your content are automatically routed to the nearest edge location, so content is delivered with the best possible performance. 

### Types of distributions

- web distribution: typically used for websites
- RTMP: used for media streaming (legacy; AWS has since discontinued RTMP distributions)

### exam tips

- Edge Location: the location where content will be cached. This is separate from an AWS Region/AZ
- Origin: the source of all the files that the CDN will distribute. This can be an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route 53
- Distribution: the name given to the CDN, which consists of a collection of Edge Locations
- Web Distribution: typically used for websites
- RTMP: used for media streaming
- Edge locations are not just READ only, you can write to them too (put an object on them)
- objects are cached for the life of the TTL (time to live)
- you can clear cached objects, but you will be charged (invalidating cached objects costs $$)

# Creating a CloudFront Distribution - LAB

- In S3, we will be using a bucket as the origin that the CloudFront distribution is attached to.

- In CloudFront (a global service) click create distribution
    - can create a web distribution (the one used here)
    - can create an RTMP distribution

- click on origin domain name, which lists all available origins
    - select the S3 bucket used earlier
    - leave everything else default and create
- can take time to deploy (up to an hour)
- select the domain name and copy it (dtnj0cfnndcgw.cloudfront.net in the instructor's lab)
- go to S3 and note the object key of the uploaded file
- type https://dtnj0cfnndcgw.cloudfront.net/<object key> into the browser to deliver the content via an edge location
- go to the CloudFront distribution
    - under invalidations
    - can invalidate files in the cache
    - to remove the distribution, select it and disable it (takes time)
    - then delete it after the disable has been processed
    
    

# Snowball

### What is Snowball?

- Snowball is a petabyte-scale data transport solution that uses secure appliances (physical containers) to transfer large amounts of data into and out of AWS
- Using Snowball addresses common challenges with large-scale data transfers, including:
    - high network costs
    - long transfer times
    - security concerns
- Transferring data with Snowball is:
    - simple
    - fast
    - secure
    - can be one-fifth the cost of high-speed internet

### Snowball Info

- Comes in 50 TB or 80 TB sizes
- Uses multiple layers of security designed to protect your data, including
    - tamper-resistant enclosures
    - 256-bit encryption
    - an industry-standard Trusted Platform Module (TPM)
        - designed to ensure both security and a full chain of custody for your data
- Once the data transfer job has been processed and verified, AWS performs a software erasure of the Snowball appliance


### Snowball Edge

- comes with 100 TB of storage
- a data transfer device with on-board storage and compute capabilities
- you can use Snowball Edge to move large amounts of data into and out of AWS, or as a temporary storage tier for:
    - large local datasets
    - supporting local workloads in remote or offline locations

(Like having a mini AWS at your disposal)

- Snowball Edge connects to your existing applications and infrastructure using standard storage interfaces, streamlining the data transfer process and minimizing setup and integration.
- Snowball Edge devices can be clustered together to form a local storage tier and process your data on-premises, helping ensure your applications continue to run even when they are not able to access the cloud

### What is Snowmobile

![lol](https://raw.githubusercontent.com/JonathanWamsley/AWS-Certified-Solutions-Architect-Associate-2020/master/images/AWS%20snowmobile.png)

- AWS Snowmobile is an exabyte-scale data transfer service used to move extremely large amounts of data to AWS.
- you can transfer up to 100 PB per Snowmobile, a 45-foot long ruggedized shipping container pulled by a semi-trailer truck
- Snowmobile makes it easy to move massive volumes of data to the cloud, including:
    - video libraries
    - image repositories
    - complete data center migrations
- transferring data with Snowmobile is secure, fast and cost effective.

### When should I use Snowball?

![comparison](https://raw.githubusercontent.com/JonathanWamsley/AWS-Certified-Solutions-Architect-Associate-2020/master/images/Snowball%20comparision.JPG)

When the internet connection is slow and the data size is large (see the comparison image above for the break-even points)


### exam tips

- snowball can:
    - import to S3
    - export from S3
    

# Storage Gateway

### What is Storage Gateway?

- Storage Gateway: a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and AWS's storage infrastructure
- The service enables you to securely store data in the AWS cloud for scalable and cost-effective storage


- Storage Gateway's software appliance is available for download as a virtual machine (VM) image that you install on a host in your datacenter
- once you have installed your gateway and associated it with your AWS account through the activation process, you can use the AWS Management Console to create the storage gateway option that is right for you

### The three different types of storage gateway

- file gateway (NFS & SMB)
- volume gateway (iSCSI)
    - stored volumes
    - cached volumes
- tape gateway (VTL)

### file gateway

Files are stored as objects in your S3 buckets, accessed through a network file system (NFS) mount point. Ownership, permissions, and timestamps are durably stored in S3 in the user-metadata of the object associated with the file. Once objects are transferred to S3, they can be managed as native S3 objects, and bucket features such as versioning, lifecycle management, and cross-region replication apply directly to objects stored in your bucket.

(stopped at 2:30 in the video)

STOPPED IN MIDDLE :(

