Module-2

By- Shyam
 IAM
• IAM (Identity and Access Management) in AWS (Amazon Web Services)
is a comprehensive service that enables you to manage access to AWS
resources securely.
• It allows you to control who can access your AWS resources (such as
EC2 instances, S3 buckets, databases, etc.) and what actions they can
perform on those resources.
• IAM in AWS plays a crucial role in enforcing security best practices,
ensuring compliance, and maintaining the confidentiality, integrity, and
availability of your AWS resources.
• It is a foundational component of AWS security and access management.
 IAM

key aspects of IAM in AWS:

• Users: IAM enables you to create and manage individual IAM users within
your AWS account. Each user can have its own unique set of security
credentials (such as username and password, access keys, or SSH keys) and
access permissions.
• Groups: You can organize IAM users into groups and manage permissions for
multiple users collectively. This simplifies permission management by
allowing you to assign permissions to groups rather than individual users.
• Roles: IAM roles are a secure way to grant permissions to entities that you
trust, such as AWS services, applications, or external identities (like users
from another AWS account). Roles define a set of permissions that the trusted
entity can assume.
 IAM

key aspects of IAM in AWS:

• Policies: IAM policies are JSON documents that define permissions. You can attach policies to
users, groups, or roles to specify the actions they are allowed or denied to perform on AWS
resources. Policies can be either managed policies (created and managed by AWS) or inline
policies (created and managed by you).
• Multi-Factor Authentication (MFA): IAM supports multi-factor authentication, which adds
an extra layer of security to user sign-ins by requiring users to provide additional authentication
factors (e.g., a one-time password generated by a hardware or software token) along with their
username and password.
• Identity Federation: IAM allows you to federate identities from your existing directory
systems (such as Microsoft Active Directory) and enable single sign-on (SSO) access to AWS
resources using those identities.
• Access Analyzer: IAM Access Analyzer helps you identify resources that are shared with an
external entity or account and provides detailed findings to help you understand and mitigate
unintended access.
 CloudFormation

• AWS CloudFormation is a service provided by Amazon Web Services (AWS)

that allows you to define and provision AWS infrastructure as code (IaC).
• With CloudFormation, you can create and manage AWS resources using
templates, which are JSON or YAML formatted text files that describe the
desired state of your infrastructure.
• CloudFormation automates the process of provisioning and configuring
resources, making it easier to manage infrastructure in a scalable and
repeatable manner.
• AWS CloudFormation simplifies and automates the process of provisioning
and managing AWS infrastructure, enabling you to deploy applications faster,
improve consistency, and reduce the risk of configuration errors
 CloudFormation

Key features of AWS CloudFormation include:

• Infrastructure as Code (IaC): CloudFormation enables you to define your
AWS infrastructure in a declarative template format, allowing you to version-
control and manage your infrastructure alongside your application code.
• Templates: CloudFormation templates are text files written in JSON or
YAML format that describe the resources and their configurations. Templates
can be parameterized and modularized to promote reusability across different
environments and applications.
• Stacks: A CloudFormation stack is a collection of AWS resources that are
created and managed as a single unit. You create, update, and delete stacks as
a whole, making it easy to manage complex sets of resources.
 CloudFormation

• Key features of AWS CloudFormation include:

• Resource Management: CloudFormation supports a wide range of AWS
resources, including compute instances (e.g., EC2 instances), storage (e.g., S3
buckets), networking (e.g., VPCs), databases (e.g., RDS instances), security
(e.g., IAM roles), and more.
• Dependency Management: CloudFormation handles dependencies between
resources automatically, ensuring that resources are created and configured in
the correct order.
• Change Sets: Before making changes to a CloudFormation stack, you can
preview the changes using change sets. Change sets allow you to review the
proposed changes and understand their impact before executing them, helping
to prevent unintended modifications to your infrastructure.
 CloudFormation

Key features of AWS CloudFormation include:

• Rollback and Drift Detection: CloudFormation tracks the state of your stacks
and automatically rolls back changes in case of failures. It also detects drift
(differences between the desired stack configuration and the actual resources)
and provides insights into any configuration changes made outside of
CloudFormation.
• Integration with AWS Services: CloudFormation integrates with other AWS
services such as AWS Identity and Access Management (IAM), AWS
CloudTrail for auditing, AWS CloudWatch for monitoring, and AWS
CodePipeline for continuous integration and deployment.
 SES, SQS and SNS

SES, SQS, and SNS are three messaging services provided by Amazon
Web Services (AWS) that serve different purposes:
• Amazon SES is used for sending and receiving emails,
• Amazon SQS is used for message queuing and processing, and Amazon SNS
is used for pub/sub messaging and notifications.
• Each service is designed to address specific messaging requirements and can
be integrated with other AWS services to build scalable and resilient
applications.
 SES, SQS and SNS

Amazon Simple Email Service (SES):

• Amazon SES is a scalable and cost-effective email service that allows you to
send and receive emails using your own email addresses and domains.
• It provides a reliable infrastructure for sending marketing emails, transactional
emails, and notifications to customers.
• Amazon SES offers features such as email validation, dedicated IP addresses,
email feedback loops, and support for DKIM (DomainKeys Identified Mail)
and SPF (Sender Policy Framework) to enhance email deliverability and
security.
• SES integrates with other AWS services like AWS Lambda, Amazon S3, and
AWS IAM for additional functionality and security.
 SES, SQS and SNS

Amazon Simple Queue Service (SQS):

• Amazon SQS is a fully managed message queuing service that enables you to
decouple and scale microservices, distributed systems, and serverless applications.
• It provides a reliable, scalable, and fault-tolerant messaging infrastructure where
messages are stored in a queue and processed asynchronously by consumers.
• SQS offers two types of queues: Standard Queues (provide best-effort ordering and
at-least-once delivery) and FIFO Queues (provide first-in-first-out ordering and
exactly-once processing).
• It supports message retention, message deduplication, long polling, and dead-letter
queues for handling failed messages.
• SQS integrates with other AWS services like AWS Lambda, Amazon SNS,
Amazon EC2, and AWS IAM for event-driven architectures and application
workflows.
 SES, SQS and SNS

Amazon Simple Notification Service (SNS):

• Amazon SNS is a fully managed pub/sub (publish/subscribe) messaging service that
enables you to send and receive messages or notifications to distributed systems or
mobile devices.
• It provides a highly available and durable messaging infrastructure with support for
multiple protocols (such as HTTP, HTTPS, Email, SMS, SQS, Lambda, and mobile push
notifications).
• SNS allows you to publish messages to topics (logical channels) and deliver them to
multiple subscribers (such as HTTP endpoints, email addresses, mobile devices, SQS
queues, Lambda functions, etc.).
• It supports message filtering, message attributes, delivery retries, and dead-letter queues
for handling message delivery failures.
• SNS integrates with other AWS services like AWS Lambda, Amazon SQS, Amazon
EC2, and AWS IAM for building event-driven architectures and distributed systems.
 AWS Lambda

• Serverless computing with AWS Lambda is a cloud computing model

where you can run code without provisioning or managing servers.
• AWS Lambda automatically scales and manages the infrastructure
required to run your code in response to events or triggers.
• AWS Lambda simplifies the process of building and deploying
serverless applications by abstracting away the underlying
infrastructure management, allowing you to focus on writing code to
handle business logic and respond to events effectively.
 AWS Lambda

Serverless computing with AWS Lambda works:

Event-Driven Execution:
• AWS Lambda executes your code in response to events or triggers from various AWS
services, such as Amazon S3, Amazon DynamoDB, Amazon SNS, Amazon SQS, API
Gateway, and more.
• You can also invoke Lambda functions manually or schedule them to run at specific
intervals using Amazon CloudWatch Events.
Supported Runtimes:
• AWS Lambda supports multiple programming languages and runtimes, including Node.js,
Python, Java, .NET, Go, Ruby, and custom runtimes through the use of Lambda Layers.
• You can write your Lambda functions using any of these supported languages, and AWS
Lambda will automatically manage the execution environment for you.
 AWS Lambda

Stateless Execution:
• Lambda functions are stateless, meaning they do not maintain any server state between invocations.
• Each invocation of a Lambda function is independent, and AWS Lambda automatically handles the
scaling and execution of multiple concurrent invocations of the same function.
Pay-Per-Use Pricing Model:
• With AWS Lambda, you only pay for the compute time consumed by your function, measured in
milliseconds.
• There is no charge when your code is not running, and AWS Lambda automatically scales your
function's capacity up or down based on incoming request traffic.
Integration with Other AWS Services:
• Lambda integrates seamlessly with other AWS services, allowing you to build serverless applications
that react to various events and triggers within the AWS ecosystem.
• For example, you can use Lambda functions to process data uploaded to Amazon S3, trigger code in
response to changes in Amazon DynamoDB tables, handle API requests from Amazon API Gateway,
and more.
 AWS Lambda

Security and Access Control:

• AWS Lambda integrates with AWS Identity and Access Management (IAM)
to control access to your Lambda functions and AWS resources.
• You can define IAM roles and policies to grant specific permissions to your
Lambda functions, limiting their access to only the resources they need.
Monitoring and Logging:
• AWS Lambda provides built-in monitoring and logging through Amazon
CloudWatch, allowing you to monitor the performance and behavior of your
Lambda functions in real-time.
• You can view metrics, set up alarms, and analyze logs to troubleshoot and
optimize your serverless applications.
 Route-53 & KMS

Route 53 and KMS are two different services provided by Amazon Web
Services (AWS) that serve distinct purposes:
Amazon Route 53:
• Amazon Route 53 is a scalable and highly available Domain Name System (DNS)
web service that enables you to route traffic to various AWS services, such as EC2
instances, S3 buckets, Load Balancers, and other resources, as well as to external
resources outside of AWS.
• Route 53 provides domain registration services, DNS health checks, traffic routing
policies (such as weighted routing, latency-based routing, geolocation routing, and
failover routing), and DNS query logging for monitoring and troubleshooting.
• It also integrates with other AWS services like CloudWatch for monitoring and
metrics, and AWS Identity and Access Management (IAM) for access control.
 Route-53 & KMS

AWS Key Management Service (KMS):

• AWS Key Management Service (KMS) is a managed service that allows you to
create and control the encryption keys used to encrypt your data stored in various
AWS services and applications.
• KMS provides a secure and scalable key management solution with features such
as key rotation, key versioning, key aliasing, fine-grained access controls, and
audit logging.
• It integrates seamlessly with other AWS services like Amazon S3, Amazon EBS,
Amazon RDS, Amazon Redshift, and Amazon DynamoDB for encryption of data
at rest and data in transit.
• KMS also supports integration with AWS CloudTrail for logging of key usage
events and AWS Identity and Access Management (IAM) for access control and
permissions management.
 Database

Amazon Web Services (AWS) offers several database services to cater to

different use cases, performance requirements, and scalability needs.
key database services provided by AWS include:
Amazon RDS (Relational Database Service):
• Amazon RDS is a managed relational database service that supports several database
engines such as MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon
Aurora.
• It handles routine database tasks such as provisioning, patching, backup, recovery,
scaling, and replication, allowing you to focus on your application development rather
than database administration.
• Amazon RDS offers features like automated backups, automated software patching,
monitoring metrics through Amazon CloudWatch, and Multi-AZ deployments for high
availability.
 Database

Amazon DynamoDB:
• Amazon DynamoDB is a fully managed NoSQL database service that
provides fast and predictable performance at any scale.
• It is designed for applications that require single-digit millisecond latency and
can handle large-scale, high-throughput workloads with low-latency access to
data.
• DynamoDB offers features like automatic scaling, built-in security controls,
data encryption at rest and in transit, global tables for multi-region replication,
and integration with AWS Lambda for event-driven architectures.
 Database

Amazon Aurora:
• Amazon Aurora is a fully managed relational database engine compatible with
MySQL and PostgreSQL, offering the performance and availability of
commercial databases at a fraction of the cost.
• Aurora provides high performance, reliability, and scalability with features
like automatic scaling, fault-tolerant storage, read replicas for scaling read
workloads, and Multi-AZ deployments for high availability and data
durability.
• It is designed to deliver up to five times the throughput of standard MySQL
databases and up to three times the throughput of standard PostgreSQL
databases.
 Database

Amazon Redshift:
• Amazon Redshift is a fully managed data warehouse service that allows you to
analyze large datasets using SQL and business intelligence tools.
• It is optimized for analytics workloads and offers fast query performance by
using columnar storage, parallel query execution, and advanced compression
techniques.
• Redshift integrates with popular business intelligence tools like Tableau,
Looker, and Amazon QuickSight, and supports data lake integration with
Amazon S3 for scalable storage and analytics.
 Database

Amazon Neptune:
• Amazon Neptune is a fully managed graph database service that allows you to
build and run applications that work with highly connected datasets.
• It supports two popular graph database models: Property Graph and RDF
(Resource Description Framework).
• Neptune is suitable for use cases such as social networking, recommendation
engines, fraud detection, knowledge graphs, and network and IT operations.
Data Management and Storage Testing in AWS
Testing data management and storage in AWS involves ensuring that your
data is securely stored, efficiently managed, and accessible when needed.
• key aspects to consider and strategies for testing:
• Data Integrity Testing: Verify the integrity of data stored in AWS services such as
Amazon S3 (Simple Storage Service), Amazon EBS (Elastic Block Store), or
Amazon RDS (Relational Database Service). This involves performing checksums,
data comparisons, and ensuring data is not corrupted during storage or retrieval.
• Backup and Recovery Testing: Test the backup and recovery processes to ensure
data can be reliably backed up and restored. This includes testing backup
schedules, retention policies, and recovery time objectives (RTOs) and recovery
point objectives (RPOs).
Data Management and Storage Testing in AWS
key aspects to consider and strategies for testing:
• Data Access Testing: Verify that authorized users have appropriate access to data
stored in AWS. Test access controls, permissions, and encryption mechanisms to ensure
data confidentiality and integrity are maintained.
• Performance Testing: Evaluate the performance of data storage and retrieval
operations. This includes testing latency, throughput, and scalability of AWS storage
services under different loads and configurations.
• Data Lifecycle Management Testing: Test data lifecycle management policies to
ensure data is appropriately retained, archived, or deleted according to regulatory
requirements and business needs. This involves testing data expiration, archiving, and
deletion processes.
• Disaster Recovery Testing: Test disaster recovery procedures to ensure data can be
recovered in case of failures or disasters. This includes testing failover mechanisms,
data replication, and failback procedures for AWS storage services.
Data Management and Storage Testing in AWS
key aspects to consider and strategies for testing:
• Compliance and Security Testing: Ensure compliance with data security standards
and regulations (e.g., GDPR, HIPAA) through security testing and audits. Test
encryption, access controls, and logging mechanisms to ensure data security and
compliance requirements are met.
• Cost Optimization Testing: Test cost optimization strategies for data storage in AWS.
This includes testing storage tiering, lifecycle policies, and data compression to
optimize storage costs while meeting performance and availability requirements.
• Cross-Region Replication Testing: If using multi-region architectures for data
redundancy and disaster recovery, test cross-region replication mechanisms to ensure
data consistency and availability across regions.
• Data Transfer Testing: Test data transfer mechanisms between on-premises systems
and AWS storage services or between different AWS regions. This includes testing data
transfer speeds, reliability, and costs.
 Data Management and Storage Testing in AWS

To conduct tests effectively, we can use AWS services as follow:

• AWS CloudFormation for infrastructure automation,
• AWS CloudWatch for monitoring,
• AWS CloudTrail for auditing, and
• AWS SDKs or APIs for programmatic access to AWS resources. Additionally,
• AWS's testing environments such as AWS CodeBuild and AWS CodePipeline
for continuous integration and deployment of testing scripts and environments.
Amazon Web Services (AWS) - LABS
Thank you 