[ 1. AZ (Availability Zones) ]

AWS physical resources are tied to a geographic location.

A region is a geographic area; Availability Zones are smaller, physically separated locations inside a region.

The data centers behind each AZ are physically separated from those of the other AZs, so a single disaster does not take them all out at once.

EC2 instances are region-scoped (an instance runs in one AZ of one region); IAM is global (not tied to any region).

Each region has multiple Availability Zones (at least two, typically three, at most six).

eg) ap-southeast-2 (Sydney) has the following AZs:

ap-southeast-2a

ap-southeast-2b

ap-southeast-2c

 

1) Each AZ is one or more discrete data centers with redundant power, networking and connectivity

2) They're separate from each other, so that they're isolated from disasters

3) They're connected to each other with high-bandwidth, ultra-low-latency networking

 

* EC2 is region-scoped

* IAM is global

 

* Some services are not offered in every region

(check the AWS Regional Services table before designing around a service)

 

[ 2. IAM (Identity and Access Management) ]

IAM is where AWS access control is configured: Users, Groups, Roles, Policies, etc.

IAM configuration is global.

Avoid using the root account (the AWS account itself) directly: create an Admin user and group in IAM, attach the administrator policy to them, and use that Admin user instead.

Your whole AWS security is there:

- Users : one per physical person

- Groups : contain users (attach permissions here, not to individual users)

- Roles : assumed by AWS resources and services (for machines, not people)

- Policies : JSON documents that grant or deny permissions, e.g. AdministratorAccess

 

Root account should never be used day to day (or shared)

Users must be created with proper permissions

IAM is at the center of AWS

Policies are written in JSON

 

IAM has a global view (spans all regions)

Permissions are governed by Policies (JSON)

MFA (Multi-Factor Authentication) can be set up; enable it on the root account too, even though the root account itself should not be used

IAM has predefined "managed policies"

It is best to give users the minimal amount of permissions they need to perform their job (principle of least privilege)
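Added example (not from the original post, and not AWS code): a small Python model of how IAM evaluates the JSON policies mentioned above. An explicit Deny in any matching statement wins, otherwise any matching Allow grants the request, otherwise the request is implicitly denied. Two constructed policies sit side by side: one equivalent to the AWS managed AdministratorAccess policy, and a least-privilege one for an application that only reads a single bucket. The bucket name, account ID and policy contents are made up for the example; only Action, Resource and the Bool/BoolIfExists condition operators are modelled.

```python
"""
Added example: a minimal model of IAM policy evaluation.

Rules modelled (identity-based policies within one account):
  1. an explicit Deny in any matching statement wins,
  2. otherwise any matching Allow grants the request,
  3. otherwise the request is implicitly denied.
Only Action/Resource/Condition with the Bool and BoolIfExists operators are
modelled; NotAction/NotResource and other operators raise instead of guessing.
"""
import fnmatch
import json

# Constructed policy equivalent to the AWS managed AdministratorAccess policy:
# every action on every resource. Fine for the break-glass admin, not for apps.
ADMIN_ACCESS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}
""")

# Constructed least-privilege policy for an app that only reads one bucket
# (bucket name is made up). The Deny enforces MFA with BoolIfExists, because a
# request signed with long-term access keys carries no aws:MultiFactorAuthPresent
# key at all, and a plain Bool condition would silently not apply to it.
READ_ONE_BUCKET = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-app-assets",
                   "arn:aws:s3:::example-app-assets/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are matched case-insensitively; * and ? are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False      # Bool on a missing key is false
                continue              # BoolIfExists treats a missing key as a match
            wanted = [str(v).lower() for v in _as_list(expected)]
            if str(context[key]).lower() not in wanted:
                return False
    return True


def is_allowed(policies, action, resource, context=None):
    """Evaluate one request against identity-based policies (no SCPs, no resource policies)."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource are not modelled")
            if not _action_matches(stmt.get("Action", []), action):
                continue
            if not _resource_matches(stmt.get("Resource", []), resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny wins, stop immediately
            allowed = True
    return allowed


def overly_broad_statements(policy):
    """Allow statements granting every action on every resource: review these first."""
    return [s for s in _as_list(policy["Statement"])
            if s["Effect"] == "Allow"
            and "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", []))]


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-assets/logo.png"
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    print("admin delete user:", is_allowed([ADMIN_ACCESS], "iam:DeleteUser", "*"))
    print("app read with MFA:", is_allowed([READ_ONE_BUCKET], "s3:GetObject", obj, mfa))
    print("app read, no MFA key:", is_allowed([READ_ONE_BUCKET], "s3:GetObject", obj))
    print("app write with MFA:", is_allowed([READ_ONE_BUCKET], "s3:PutObject", obj, mfa))
    print("broad statements in admin:", len(overly_broad_statements(ADMIN_ACCESS)))
```

The interesting case is the last Deny statement: because it uses BoolIfExists, a request made with long-term access keys (which carry no MFA context key) is still denied, and it keeps denying even when the AdministratorAccess policy is attached to the same identity, since an explicit Deny beats any Allow.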

 

# IAM Federation (for big enterprises)

Big enterprises usually integrate their own user directory with IAM

This way, people can log in to AWS with their company credentials instead of separate IAM users

Identity Federation uses the SAML 2.0 standard (e.g. Active Directory via AD FS)

 

 

*

One IAM User per physical person

One IAM Role per application

IAM credentials should never be shared

Never write IAM credentials in code. Ever.

And even less, never commit IAM credentials to a repository.

Never use the root account except for initial setup.

Never create or use root account access keys.

 

 

 

[ Initial IAM Admin setup ]

1. Activate MFA (multi-factor authentication) on the root account

Click the "Continue to Security Credentials" button

Click "Virtual MFA device"

Download an OTP app (e.g. Google Authenticator)

Scan the QR code with the OTP app and enter two consecutive auth codes

 

2. Create a User (Admin)

Access type: check "Programmatic access"

Check "AWS Management Console access"

Console password: autogenerated password

Require password reset: check "User must create a new password at next sign-in"

Attach existing policies > check AdministratorAccess

Check "Create user without a permissions boundary"

* On the user creation completion page, download the .csv file with the user's credentials (the secret access key is shown only here)

 

3. Create a Group (Admin)

Check the AdministratorAccess policy

 

4. Add the Admin user created in step 2 to the group

 

5. Reset the user's Admin policy

In the user's settings, remove the Admin permission that was attached directly to the user ("Attached directly"), so that the permission comes only through the group

 

6. Set the IAM password policy

Enable password expiration, etc.

 

7. Customize the IAM users sign-in link

Click the "Customize" button to the right of the IAM users sign-in link and enter a link alias

 

8. Open the link and sign in with the Admin user created above, then change the password (the initial password is in the .csv file downloaded in step 2)
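Added example (not from the original post, not AWS code): a Python audit that checks the end state of the setup above against the rules in the "One IAM User per physical person" list, i.e. root has MFA and no access keys, every console user has MFA, and permissions come through groups rather than policies attached directly to users (step 5). All input is constructed: the credential report rows use the column names of the CSV that `aws iam get-credential-report` returns (unused columns are left out), and the per-user attachment list mirrors what `aws iam list-attached-user-policies` would show. The account ID and user names are made up.

```python
"""
Added example: audit IAM account data against the rules above. Every input
here is constructed for illustration; nothing is read from a real account.
"""
import csv
import io

# Constructed credential report. Column names follow the CSV returned by
# `aws iam get-credential-report` (the real report has more columns; unused
# ones are left out). The root row is always named <root_account>.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,false
admin,arn:aws:iam::123456789012:user/admin,true,true,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,false,false
"""

# Constructed: policies attached directly to each user, the way
# `aws iam list-attached-user-policies --user-name <name>` reports them.
# Step 5 above removes these so that permissions flow only through groups.
DIRECTLY_ATTACHED = {
    "admin": [],
    "deploy-bot": ["DeployBotS3Write"],
    "bob": ["AdministratorAccess"],
}

ROOT = "<root_account>"


def parse_credential_report(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit_credential_report(rows):
    """Return (severity, message) findings; an empty list means the rules hold."""
    findings = []
    for row in rows:
        keys_active = (row["access_key_1_active"] == "true"
                       or row["access_key_2_active"] == "true")
        if row["user"] == ROOT:
            # Root must have MFA (step 1) and must never have access keys.
            if row["mfa_active"] != "true":
                findings.append(("CRITICAL", "root: MFA is not enabled"))
            if keys_active:
                findings.append(("CRITICAL", "root: active access keys exist"))
            continue
        # Anyone who can sign in to the console needs MFA too.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(("HIGH", f"{row['user']}: console access without MFA"))
    return findings


def audit_direct_attachments(attached):
    """Flag policies attached directly to users instead of to a group."""
    return [("MEDIUM", f"{user}: {policy} is attached directly, attach it to a group")
            for user, policies in attached.items() for policy in policies]


if __name__ == "__main__":
    rows = parse_credential_report(CREDENTIAL_REPORT)
    for severity, message in (audit_credential_report(rows)
                              + audit_direct_attachments(DIRECTLY_ATTACHED)):
        print(f"[{severity}] {message}")
```

Against a real account, run `aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d` to get the CSV text that parse_credential_report expects; the sample here deliberately fails two checks (root still has an access key, and bob has console access without MFA) so the output shows what a finding looks like.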
