# Identity Access Management 101

IAM allows you to manage users and their level of access to the AWS console.

It is important to understand IAM and how it works, both for the exam and for administering a company's AWS account in real life.

### Key features of IAM

Identity Access Management offers the following features:
- centralised control of your AWS account
- shared access to your AWS account
- granular permissions
- identity federation (including Active Directory, Facebook, Google)
- multifactor authentication
- provide temporary access for users/ devices and services where necessary
- allows you to set up your own password rotation policy
- integrates with many different AWS services
- supports PCI DSS Compliance (credit card framework)

### Key terminology for IAM

- Users:
    - end users such as people, employees of an organization, etc.
- Groups:
    - a collection of users. Each user in the group inherits the permissions of the group
- Policies:
    - policies are made up of documents, called policy documents
- Policy Documents:
    - documents are in JSON and give permission as to what a User/Group/Role is able to do
- Roles:
    - you create roles and then assign them to AWS resources

# Identity Access Management - LAB


### Activate multifactor security

### Creating an individual IAM group

- Create a new user with a unique name
- assign the user to a group, selecting which privileges to add
- optionally create tags
- can send the user an email
- can download the credentials

### Creating a group policy 

Every group starts with no policy; policies have to be added.

All group policies are in JSON format. In this case, admin access:

- Version: the policy language version (a date string)
- Statement:
    - Effect: Allow
    - Action: `*` (this means anything)
    - Resource: `*`
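The following is an added example, not code from the course or from AWS: a small Python evaluator for policy documents of the shape shown above. It models the rule an administrator has to keep in mind when reading such documents: an explicit Deny wins over any Allow, an Allow is required for access, and anything a policy does not mention is implicitly denied. The version string 2012-10-17 is the standard IAM policy language version; the bucket names, actions and resources in the sample policies are constructed for illustration, and Principal, Condition and NotAction are deliberately not modelled.

```python
"""Evaluate IAM-style policy documents (added example, not AWS code).

Models Effect / Action / Resource with IAM's precedence rule:
explicit Deny > Allow > implicit Deny. Principal, Condition and
NotAction/NotResource are intentionally not modelled.
"""
import fnmatch
import json

# Constructed sample policies. "2012-10-17" is the standard IAM policy
# language version; bucket names and paths are made up for illustration.
ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

READ_ONLY_S3_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _matches(patterns, candidate, case_insensitive):
    """IAM wildcard match: '*' is any run of characters, '?' one character.

    Action names are matched case-insensitively (as IAM does); resource ARNs
    are matched exactly, since S3 object keys are case-sensitive.
    """
    if case_insensitive:
        candidate = candidate.lower()
    return any(
        fnmatch.fnmatchcase(candidate, p.lower() if case_insensitive else p)
        for p in _as_list(patterns)
    )


def is_allowed(policy, action, resource):
    """Return True only if some Allow statement covers the request and no
    Deny statement does. A request no statement mentions is denied."""
    allowed = False
    for stmt in _statements(policy):
        if not (_matches(stmt.get("Action", []), action, True)
                and _matches(stmt.get("Resource", []), resource, False)):
            continue  # statement does not cover this request
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/public/readme.txt"
    secret = "arn:aws:s3:::example-bucket/secrets/key.pem"
    print("admin can create users:", is_allowed(ADMIN_POLICY, "iam:CreateUser", "*"))
    print("reader can get public object:", is_allowed(READ_ONLY_S3_POLICY, "s3:GetObject", obj))
    print("reader can get secret object:", is_allowed(READ_ONLY_S3_POLICY, "s3:GetObject", secret))
    print("reader can put object:", is_allowed(READ_ONLY_S3_POLICY, "s3:PutObject", obj))
```

The order of statements does not matter: the Deny on the `secrets/` prefix blocks `s3:GetObject` there even though the Allow above it covers the whole bucket, which is the behaviour to expect from real IAM as well.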
    
### Password policy

Can have requirements for passwords like:
- Minimum password length is 12 characters (the value is configurable)
- Require at least one uppercase letter from the Latin alphabet (A-Z)
- Require at least one lowercase letter from the Latin alphabet (a-z)
- Require at least one number
- Require at least one non-alphanumeric character (!@#$%^&*()_+-=[]{}|')
- Enable password expiration
- Password expiration requires administrator reset
- Allow users to change their own password
- Prevent password reuse

In the console you can also manage user passwords, e.g. delete a password or resend it to a user.

### Roles 

Roles allow one AWS service to use another AWS service, e.g. a role can allow a virtual machine to talk to S3.

### Exam tips

What have we learnt so far?

- IAM is universal; it does not apply to regions at this time
- the 'root account' is the account created when you first set up your AWS account. It has complete Admin access
- New users have **NO permissions** when first created
- New users are assigned an Access Key ID and Secret Access Key when first created
    - Users can have programmatic access or console access.
- These are not the same as a password. You cannot use the access key ID and secret access key to log in to the console; you can, however, use them to access AWS via the APIs and command line
- You only get to view these once. If you lose them, you have to regenerate them.
- Always set up multifactor authentication on your root account
- You can create and customise your own password rotation policies



# Creating a billing alarm - lab

CloudWatch is the way to monitor your cloud account.

- Go into CloudWatch and create a billing alarm
- select create alarm
- select metric
- select the instance to observe
- specify metric parameters or conditions
- select the notification trigger
- give it a description
- preview and commit

In the exam: how can you get automatic notifications if the account goes over 1,000?

You can create a billing alarm in CloudWatch and have the billing alarm publish to an SNS topic that sends an email.



# S3 101

### What is S3?

S3 provides developers and IT teams with secure, durable, highly scalable object storage. Amazon S3 is easy to use, with a simple web services interface to store and retrieve any amount of data from anywhere on the web.

### So what is S3?
- S3 is a safe place to store your files
- it is object-based storage
- the data is spread across multiple devices and facilities

### The basics of S3 are:
- S3 is object-based and allows you to upload files
    - Key: or filename of the object
    - Value: the data being stored
    - Version Id: important for versioning
    - Metadata: data about your data
    - Subresources:
        - access control lists
        - torrent 
    
- files can be from 0 Bytes to 5 TB
- There is unlimited storage
- files are stored in buckets (sort of like folders)
- S3 is a universal namespace, that is names must be unique globally
    - this is because it creates a web address based on its name
    - given as https://bucketname.regionlocation.amazonaws.com/
- when you upload a file to S3, you will receive an HTTP 200 code if the upload was successful


### How does data consistency work for S3?
- Read-after-write consistency for PUTs of new objects
    - if you upload a new file to S3, you are able to read it immediately
- Eventual consistency for overwrite PUTs and DELETEs (can take time to propagate)
    - if you change the file, you may have to wait for it to update. You will get an earlier version if it is not ready

In other words:
- if you write a new file and read it immediately afterwards, you will be able to view that data
- if you update AN EXISTING file or delete a file and read it immediately, you may get the older version, or you may not. Changes to objects can take time to propagate.

S3 has the following guarantees from Amazon:
- built for 99.99% availability for the S3 platform
- Amazon guarantees 99.95% availability
- Amazon guarantees 99.999999999% durability for S3 information. That's 11 9s

S3 has the following features:
- Tiered storage available
- lifecycle management
- versioning
- encryption
- MFA Delete
- secure your data using access control lists and bucket policies

### S3 storage classes:
1. S3 Standard
    - 99.99% availability
    - 99.999999999% durability
    - stored redundantly across multiple devices in multiple facilities, and is designed to sustain the loss of 2 facilities concurrently
2. S3 - IA (Infrequently Accessed)
    - for data that is accessed less frequently, but requires rapid access when needed. Lower fee than S3 Standard, but you are charged a retrieval fee
3. S3 One Zone - IA
    - for where you want a lower-cost option for infrequently accessed data, but do not require the multiple availability zone data resilience
4. S3 - Intelligent Tiering
    - optimizes costs by automatically moving data to the most cost-effective access tier without performance impact or operational overhead
5. S3 Glacier
    - a secure, durable and low-cost storage class for data archiving. You can reliably store any amount of data at costs that are competitive with or cheaper than on-premises solutions. Retrieval times are configurable from minutes to hours.
6. S3 Glacier Deep Archive
    - S3's lowest-cost storage class, for where a retrieval time of 12 hours is acceptable.
    
![Image of S3 tiers](https://raw.githubusercontent.com/JonathanWamsley/AWS-Certified-Solutions-Architect-Associate-2020/master/images/S3%20comparision.JPG)

### S3- Charges

- storage
- requests
- storage management pricing
- data transfer pricing
- transfer acceleration
- cross region replication pricing

### Cross region replication

When you upload a file to a bucket in one region, it is automatically replicated to buckets in other regions.

### S3 Transfer Acceleration

- Amazon S3 Transfer Acceleration enables fast, easy and secure transfers of files over long distances between your end user and S3 buckets.
- Transfer Acceleration takes advantage of Amazon CloudFront's globally distributed edge locations.
    - As the data arrives at an edge location, it is routed to Amazon S3 over an optimized network path

Take-away: it speeds up the time it takes users to get a file, by going through a local edge location to retrieve data instead of the source region, which can be much further away

### Exam Tips

- Remember that S3 is Object-based: allows you to upload files
- files can be 0 to 5 TB
- there is unlimited storage
- files are stored in Buckets
- S3 is a universal namespace, that is names must be unique globally
- a file can be accessed at bucketname.s3.amazonaws.com in the default region
- or, in other regions, at bucketname.regionname.amazonaws.com

- not suitable to install an operating system or database on; you will want block-based storage for that. S3 is object-based storage

- when you successfully upload a file you will get HTTP 200 status code
- you can turn on MFA delete

The key fundamentals of S3 are:
- Key
- Value
- Version
- Metadata
- Subresources
    - access control lists
    - torrent
    
- read-after-write consistency for PUTs of new objects
- eventual consistency for overwrite PUTs and DELETEs

Storage Classes:
- S3 Standard
- S3 - IA
- S3 - One Zone - IA
- S3 - intelligent tiering
- S3 - Glacier
- S3 - Glacier Deep Archive

Tip: read the S3 FAQs before taking the exam, and get your hands dirty:
https://aws.amazon.com/s3/faqs/

(will do notes on this later)

# Create an S3 Bucket-lab

### Steps
- go to S3 in the AWS console
- create a bucket name (buckets are like folders), and it must be unique
- select region  

**Bucket features that can be turned on**
- versioning
- server access logging
- tags of key/value pairs
- object level logging
- encryption
- cloudwatch to monitor s3

### more steps
- AWS defaults to blocking all public access
- a summary is shown before you create the bucket

- can now go into bucket
- upload a file
- a success message is shown (200 status code)
- can click on the file and see the overview, properties and permissions

Right now the object is not public
- go to bucket and edit public access settings 
- uncheck block all public access
- go to file, and change to make public under actions

### Overview
Can change the bucket storage class in the properties change storage class

### Properties
To do changes to a bucket as a whole, go to properties tab and change on bucket level.

### Permissions
The access control list can set the access level for each bucket or individual file.
Bucket policies are applied to the whole bucket.

### Management

The Management tab covers lifecycle and replication rules.

There are a lot more features covered in their S3 Masterclass.

### Exam tips

Control access to buckets using either a bucket ACL or Bucket Policies.

### S3 pricing tiers

Popular exam question is which tier of S3 should you use for a given scenario?

### What makes up the cost of S3?

- storage
- requests and data retrievals
- data transfer
- management and replication

### What are the different Tiers?

Cost per GB decreases as you go down this list; the more GB you store, the less it costs per GB.
1. standard
2. IA
3. one zone - IA
4. intelligent tiering
5. glacier
6. glacier deep archive

![s3 tier price](https://raw.githubusercontent.com/JonathanWamsley/AWS-Certified-Solutions-Architect-Associate-2020/master/images/S3%20price%20by%20tier.JPG)

https://aws.amazon.com/s3/storage-classes/

# S3 Security and Encryption

By default, all newly created buckets are PRIVATE. You can set up access control to your buckets using:

- Bucket Policies
- Access Control Lists

S3 buckets can be configured to create access logs which log all requests made to the S3 bucket. These can be sent to another bucket, and even to a bucket in another account.
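Because buckets start out private, the usual way a bucket ends up public is a bucket policy statement that grants access to every principal. The following added example (not code from the course or from AWS) is a small Python audit of a bucket policy document: it lists Allow statements that anyone can use without a condition, and reports whether the policy refuses requests that do not arrive over TLS via the `aws:SecureTransport` condition key. The bucket name and statement Sids are constructed; statements that are public but carry a Condition are not flagged here and still deserve a manual look.

```python
"""Audit an S3 bucket policy for public access and for TLS enforcement.

Added example (not AWS code). It flags Allow statements that any
principal can use and reports whether the policy refuses requests that
do not arrive over TLS (the aws:SecureTransport condition key).
The bucket name and Sids are constructed for illustration.
"""
import json

# Constructed sample: one public-read statement (a finding) and one
# statement that denies plain-HTTP requests (good practice).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead",
     "Effect": "Allow",
     "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport",
     "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _is_public_principal(principal):
    """True for the two spellings of "anyone": "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Sids (or positions) of unconditional Allow statements open to anyone."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        if (stmt.get("Effect") == "Allow"
                and _is_public_principal(stmt.get("Principal"))
                and "Condition" not in stmt):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def enforces_tls(policy):
    """True if a Deny statement rejects requests with aws:SecureTransport=false."""
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Deny":
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit(policy):
    """Summarise both checks in one dict."""
    return {"public_statements": public_statements(policy),
            "enforces_tls": enforces_tls(policy)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY), indent=2))
```

The same checks apply to a policy fetched from a real bucket; the audit only looks at the document, so it can be run offline over exported policies as part of a periodic review.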

### Encryption in transit is achieved by

- when you go to a website that is in HTTPS, the traffic is encrypted in transit, that is between your computer and the server.
- Achieved by SSL/TLS (client side)
- Encryption at rest is (server side) encryption of data that is being stored.
    - e.g. an encrypted Word document cannot be read by others if the file is taken

AWS offers server side encryption in 3 ways:
1. S3 Managed Keys - SSE-S3 (server side encryption with S3 managed keys)
    - Amazon manages the keys for you (the means to encrypt and decrypt the file)
2. AWS Key Management Service Managed Keys - SSE-KMS
    - You and Amazon manage the keys together
3. Server Side Encryption with Customer Provided Keys - SSE-C
    - The customer gives Amazon their own keys
- You can also encrypt on the client side: encrypt the data yourself, then use AWS to put it into the S3 bucket
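To make the three server-side options concrete, here is an added Python example (not code from the course or from the AWS SDK) that builds the request headers an SDK sends on a PUT for SSE-S3, SSE-KMS and SSE-C. The header names are the documented S3 ones; the KMS key id and the SSE-C key values are constructed placeholders. It also shows the SSE-C caveat a practitioner needs: the caller must supply a 256-bit key, S3 does not store it, and the same key has to be presented again to read the object back.

```python
"""Build the request headers that select each S3 server-side encryption mode.

Added example, not AWS SDK code: it shows what an SDK sends on a PUT for
SSE-S3, SSE-KMS and SSE-C, so the three options in the notes become
concrete. The KMS key id and the SSE-C key are constructed placeholders.
"""
import base64
import hashlib
import secrets


def sse_s3_headers():
    """SSE-S3: S3 creates and manages the key; the caller only asks for AES256."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(kms_key_id=None):
    """SSE-KMS: the key lives in KMS. Without a key id S3 uses the account's
    AWS-managed aws/s3 key; with one, that KMS key is used instead."""
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


def sse_c_headers(key):
    """SSE-C: the caller supplies a 256-bit AES key on every request.

    S3 uses the key to encrypt the object but does not store it; the same
    key must be presented again on GET. The MD5 header is an integrity
    check so S3 can detect a key corrupted in transit. S3 only accepts
    SSE-C requests over HTTPS, since the key travels in the request."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def new_sse_c_key():
    """Generate a fresh random SSE-C key; it must be kept outside S3, because
    losing it means losing the objects encrypted with it."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    print(sse_s3_headers())
    # Constructed placeholder ARN, not a real key.
    print(sse_kms_headers("arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"))
    print(sse_c_headers(new_sse_c_key()))
```

Client-side encryption is the fourth option from the notes and needs none of these headers: the object is already ciphertext when it is uploaded, so S3 only ever sees encrypted bytes and the key never leaves the client.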

### Encrypting in AWS console

- go into S3
- click on the bucket
- click on the file
- look at Properties, then Encryption
- can change it to one of the encryption services