Difference between revisions of "Talk:AWS Solutions Architect"

From Freephile Wiki
Jump to navigation Jump to search
(add Control Tower)
Line 4: Line 4:
 
## AWS Control Tower allows you to setup and govern multi-account environments.   
 
## AWS Control Tower allows you to setup and govern multi-account environments.   
 
# Identity Management and Permissions including RBAC, ABAC and permissions boundaries
 
# Identity Management and Permissions including RBAC, ABAC and permissions boundaries
 +
## Roles are '''assumed''' by users, applications and services.
 +
## Policies are JSON and may be either Identity based, or Resource based.
 +
## Authentication methods: password + optional MFA token; Access Key + Secret Access Key; X-509 Certificate
 +
## AWS Security Token Service (STS) sts:AssumeRole returns temporary security credentials.
 +
## Multi-Factor Authentication
 +
;Something you '''know'''
 +
;Something you ''' have'''
 +
;Something you '''are'''
 +
A Trust Policy is also an example of a resource-based policy.
 +
A Permissions Policy is an identity-based policy.
 
# AWS Directory Services and Federation including Identity Federation, AWS SSO, and Cognito
 
# AWS Directory Services and Federation including Identity Federation, AWS SSO, and Cognito
 
# Advanced Amazon VPC including a routing deep dive and multi-account VPC configurations
 
# Advanced Amazon VPC including a routing deep dive and multi-account VPC configurations

Revision as of 23:27, 6 February 2024

  1. AWS Accounts and Organizations including Service Control Policies (SCPs)
    1. SCPs "deny" will override any higher up "allow" permissions. So even though an allow permission will cascade down through all Org Units, any explicit deny will also cascade and override allow.
    2. You can choose your own strategy. By default an Organization will have the FullAWSAccess SCP attached to it and every OU and account. This is the 'Deny List Strategy' because you must override the 'default' allow full access with deny rules. On the other hand, you can remove (delete) this SCP and then you would have an 'Allow List Strategy' because you would need to specifically list each service you want to allow in the Organizations, OUs and Accounts.
    3. AWS Control Tower allows you to setup and govern multi-account environments.
  2. Identity Management and Permissions including RBAC, ABAC and permissions boundaries
    1. Roles are assumed by users, applications and services.
    2. Policies are JSON and may be either Identity based, or Resource based.
    3. Authentication methods: password + optional MFA token; Access Key + Secret Access Key; X-509 Certificate
    4. AWS Security Token Service (STS) sts:AssumeRole returns temporary security credentials.
    5. Multi-Factor Authentication
Something you know
Something you have
Something you are

A Trust Policy is also an example of a resource-based policy. A Permissions Policy is an identity-based policy.

  1. AWS Directory Services and Federation including Identity Federation, AWS SSO, and Cognito
  2. Advanced Amazon VPC including a routing deep dive and multi-account VPC configurations
  3. Hybrid Connectivity including S2S VPN, Direct Connect, and AWS Transit Gateway
  4. Compute, Auto Scaling, and Load Balancing including ALB, NLB, EC2, and NAT
  5. AWS Storage Services including EBS, EFS, and Amazon S3
  6. DNS, Caching, and Performance Optimization including Route 53, CloudFront, and AWS Global Accelerator
  7. AWS Database Services including Amazon RDS, Aurora, ElastiCache and DynamoDB
  8. Serverless Applications including AWS Lambda, EventBridge, SQS, SNS, and API Gateway
  9. Docker Containers and PaaS including Amazon ECS, Fargate, and Elastic Beanstalk
  10. Deployment and Management including AWS CodeCommit, CodePipeline, Service Catalog, Systems Manager and more
  11. Migration and Transfer Service including AWS DMS, SMS, DataSync, and Snowball
  12. Analytics Services including Amazon Athena, AWS Glue, RedShift, EMR, and Kinesis
  13. Monitoring, Logging and Auditing including CloudWatch, CloudTrail and AWS X-Ray
  14. Defense in Depth including how to build a secure application with ACM, KMS, Config, Inspector and WAF/Shield
  15. Cost Management including how AWS services are priced, consolidated billing, and AWS Budgets