How to choose an AWS Region if you need to launch a new app
- Compliance: data governance and legal requirements; data never leaves a region without your explicit permission
- Proximity: to customers, to reduce latency
- Available services: not every region has every service (new services and features are rolled out region by region)
- Pricing: varies from region to region
Availability Zones:
Each region has multiple Availability Zones: usually 3, minimum 2, maximum 6.
Each AZ is one or more discrete data centers with redundant power, networking and connectivity. AZs are physically separate from each other (so a failure in one AZ is isolated from the others) but connected with high-bandwidth, ultra-low-latency networking.
AWS Points of Presence (Edge Locations): service points used by edge services such as CloudFront to deliver content to end users with low latency.
AWS has Global Services
- Identity and Access Management (IAM)
- Route 53 (DNS service)
- CloudFront (Content Delivery Network)
- WAF (Web Application Firewall)
Most AWS services are Region-scoped
- Amazon EC2 (Infrastructure as a Service)
- Elastic Beanstalk (Platform as a Service)
- Lambda (Function as a Service)
- Rekognition (Software as a Service)
Identity and Access Management (IAM)
- Root account (root user) is created by default; it shouldn't be used for day-to-day work or shared
- Users are people in your org and can be grouped. After setting up the root user, create an admin IAM user for day-to-day administration, then create the other users' accounts
- Groups only contain users, not other groups
- A user can belong to multiple groups
- We want users to sign in with their own IAM user, not the root user
- Permissions: users or groups can be assigned JSON documents called policies that grant their permissions to AWS services. Apply the principle of least privilege: don't give more permissions than a user needs
Inline policy: a policy embedded directly in a single identity (one user, group or role) rather than a reusable managed policy that can be attached to many identities
IAM Policies Structure
An Example for Permission JSON
The "*" in the example means "any": Action "*" on Resource "*" permits every action on every resource, which is an administrator policy and the opposite of least privilege.
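The policy JSON itself did not survive on this page, so the following is an added example (not the course's own JSON and not AWS's evaluation engine). It shows the permit-everything policy beside a least-privilege one for a hypothetical bucket, plus a simplified evaluator that applies the IAM rule "explicit Deny wins, then any Allow, otherwise implicit deny" and a small lint for "*" on "*" statements. Bucket name, Sids and the `is_allowed`/`overly_broad_statements` helpers are my own; `Principal`, `Condition`, `NotAction`/`NotResource`, permission boundaries and SCPs are deliberately left out.

```python
import fnmatch
import json

# Constructed example policies (added for illustration; not the course's JSON).
# Administrator policy: "*" means "any", so this permits every action on every resource.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# Least-privilege alternative: read one (hypothetical) bucket, never delete from it.
READONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListBucket", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "NeverDelete", "Effect": "Deny",
         "Action": "s3:Delete*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' is any run of characters, '?' is one character.
    Action names are case-insensitive; ARNs are matched as written.
    (fnmatch also honours '[...]', which IAM does not; fine for these ARNs.)"""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny always wins, otherwise
    any matching Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
            resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny overrides every Allow
            allowed = True
    return allowed


def overly_broad_statements(policy):
    """Least-privilege lint: Sids (or indexes) of Allow statements granting '*' on '*'."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if (stmt["Effect"] == "Allow"
                and "*" in _as_list(stmt["Action"])
                and "*" in _as_list(stmt["Resource"])):
            flagged.append(stmt.get("Sid", f"statement[{i}]"))
    return flagged


if __name__ == "__main__":
    print(json.dumps(READONLY_BUCKET_POLICY, indent=2))
    print("overly broad:", overly_broad_statements(ADMIN_POLICY))
    print(is_allowed([ADMIN_POLICY, READONLY_BUCKET_POLICY],
                     "s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"))
```

The last call prints `False` even though the admin policy allows everything: the explicit `Deny` on `s3:Delete*` in the second policy overrides it, which is why a Deny statement is the tool for guardrails that must hold regardless of what other policies grant.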
Two Ways to Protect Your AWS Account
Password Policy
- Strong passwords = higher security for your account. In AWS, you can set up an account password policy:
- Set a minimum password length
- Require specific character types: uppercase letters, lowercase letters, numbers, non-alphanumeric characters
- Allow all IAM users to change their own passwords
- Require users to change their password after some time (password expiration)
- Prevent password re-use
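As an added example (not from the course, and not the IAM API), the rules in the list above expressed as a small checker: minimum length, required character classes, reuse prevention against a history of salted slow hashes, and expiration after a maximum age. The policy keys, the 14/90/5 values and the function names are my own choices; IAM's own parameters for the same settings live in `update-account-password-policy`.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Constructed policy; keys and values are my own, not the IAM API parameter names.
PASSWORD_POLICY = {
    "min_length": 14,
    "require_uppercase": True,
    "require_lowercase": True,
    "require_numbers": True,
    "require_symbols": True,
    "max_age_days": 90,        # password expiration; None disables it
    "reuse_prevention": 5,     # remember the last N passwords
}


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256: a deliberately slow hash for storing password history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def remember_password(history, password, policy):
    """Append (salt, hash) for a newly set password and keep only the last N entries."""
    salt = os.urandom(16)
    history.append((salt, _hash_password(password, salt)))
    del history[:-policy["reuse_prevention"]]
    return history


def check_password(password, policy, history=()):
    """Return the list of policy rules the candidate password violates (empty = OK)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("min_length")
    checks = {
        "require_uppercase": string.ascii_uppercase,
        "require_lowercase": string.ascii_lowercase,
        "require_numbers": string.digits,
        "require_symbols": string.punctuation,
    }
    for rule, alphabet in checks.items():
        if policy[rule] and not any(c in alphabet for c in password):
            problems.append(rule)
    # Reuse prevention: re-hash with each stored salt and compare in constant time.
    for salt, old_hash in history:
        if hmac.compare_digest(_hash_password(password, salt), old_hash):
            problems.append("reuse_prevention")
            break
    return problems


def password_expired(last_changed_iso, policy, today_iso=None):
    """True when the password is older than max_age_days. Dates are ISO strings."""
    if policy["max_age_days"] is None:
        return False
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    age = today - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    history = remember_password([], "Correct-Horse-Battery-42", PASSWORD_POLICY)
    print(check_password("short", PASSWORD_POLICY))
    print(check_password("Correct-Horse-Battery-42", PASSWORD_POLICY, history))
    print(password_expired("2024-01-01", PASSWORD_POLICY, "2024-06-01"))
```

Reuse prevention is the rule people most often skip: without the stored history, "require users to change their password" just trains them to rotate back to the same one.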
Multi Factor Authentication - MFA
- Users with access to your account can change configurations or delete resources in it
- So you want to protect the root account and all IAM users
- MFA = password you know + security device you own
- You can use:
- Virtual MFA device: Google Authenticator (phone only), Authy (multi-device)
- Universal 2nd Factor (U2F) security key, e.g. YubiKey
- Hardware Key Fob: Gemalto
- Hardware Key Fob for AWS GovCloud(US): SurePassID