Wilson Mar


https://wilsonmar.github.io/aws-onboarding/

for System Administration and billing


Overview

This is a hands-on tutorial to get new enterprise administrators set up to effectively access and use the AWS cloud. Each step pairs an action with an explanation, and PROTIP advice is provided along the way. PROTIPs include how to install and use AWS CLI automation, smartphone apps, and 3rd-party tools used by the pros.

This highlights what is in Amazon’s Getting Started tutorials.

3rd-party cloud alternatives

Before we begin, know that the cloud services marketplace has competitors not just among the major cloud providers (Amazon, Microsoft, Google), but also among 3rd-party vendors offering niche solutions:

NOTE: Comparison-shop alternatives to services AWS offers:


TCO Calculator

The Total Cost of Ownership calculator is basically a sales tool to calculate savings moving to AWS from on-premises servers:

Toggle Basic/Advanced for more fields.

The instance type is automatically selected based on the memory selected.

Root account sign-up

  1. Use an internet browser to get on the AWS marketing page at

    https://aws.amazon.com

  2. Get your credit card ready.

    PROTIP: You need a credit card to open an account. But to limit your exposure, some people buy a MASTERCARD GIFT CARD from a convenience store to provide AWS.

  3. Click the yellow “Sign-Up” button if you don’t already have an account.

  4. PROTIP: If you are creating a production account for an organization, create an email address which you use only for managing AWS and not for regular email use and certainly not for doing shopping on Amazon.

    The account which controls billing is called the root account, which has unlimited access to AWS resources and unlimited ability to rack up charges. By resources I mean: users, groups, roles, IAM Access Policies, API keys, etc. globally for all regions.

    Secure that email address with multi-factor authentication with Google or whoever hosts your email server. Also have a way for one person (or maximum two) you trust to be able to access the account in case you are not able to.

  5. Supply a strong password.

    PROTIP: Use 1Password so that you can easily generate passwords of up to 64 characters, but remember only one password to access the 1Password database of secrets. 1Password encrypts its database so that you can make backups (to a USB drive or secure cloud). I favor 1Password because it provides a way to sync changes with your smartphone without going through the internet.

    Because you only have to remember one master password, you are free to change the various passwords as often as you want with no fear of forgetting them.

  6. An example of a value for “AWS account name” is “master-billing”.

  7. Click “Continue”.

    If you have 1Password installed, you would be prompted to create a new account.

  8. Provide phone number, address, and credit card.

    Students may want to create several accounts to take advantage of the free tier multiple times. However, uniquely different phone numbers, addresses, and credit cards are not needed for each identity.

  9. PROTIP: Where you keep information about your credit card, note the email address and account name using that credit card.

  10. Confirm the phone number by answering Amazon’s phone call.

  11. For now, click “Free” to select a plan. A comparison on plans is discussed below.

  12. Click “Free” to be prompted to sign-in with your new credentials.

  13. Click your account name at the top black menu for this menu:


  14. Copy the Account Id and paste it in the notes associated with where you saved your account email and password (within 1Password).

    PROTIP: This 12 digit number is given out for others to use to sign in using sub-accounts.

  15. Scroll down to click “Edit” next to “Alternate Contacts” and put the other person who knows how to get into the account in for the Billing.

  16. Scroll down to click Edit to the right of “Configure Security Challenge Questions”.
  17. Write down your security challenge questions and answers where you wrote your Account Id.

    PROTIP: Treat the answers as another set of passwords because others may discover the real answers via social engineering. Answer with some nonsense that has no basis in reality.

Billing tasks

“With great power comes great responsibility”.

Account administrators who hold root accounts linked to credit cards should do the following:

### Activate Preferences

  1. Go to https://console.aws.amazon.com/billing/home#/preferences/tags or select your user name at the top black menu and select “My Billing Dashboard”. The Billing dashboard appears. An example:


  2. Select Preferences from the left menu.
  3. Check all the boxes and provide your email address.
  4. Click “Save Preferences”.

    Activate Billing Tags

    TBD:

    How Much? Estimate bills

  5. PROTIP: Before you dive in, calculate your potential bills by providing usage estimates to the AWS Calculator.

    It has a different sheet for each service. Parameters for EC2 include the number of EC2 instances, hosts, EBS volumes, IPs, data transfer, app and network load balancing.

    PROTIP: Remember that there is an additional surcharge for support as a percentage of the whole bill. Rates vary depending on the level of support chosen.

  6. Budget:

    https://console.aws.amazon.com/billing/home?#/budgets/create?type=COST

    https://aws.amazon.com/premiumsupport/compare-plans

    Over time, the cost per EC2 instance has trended downward.

    Billing alerts

  7. NOTE: Setup billing alerts and notifications

    IAM Policies for this include:

    • Billing
    • AWSPriceListServiceFullAccess

    Define organizations

  8. Click your account name at the black top menu:


  9. Click “My organizations”.

  10. Review the User Guide

    PROTIP: Up to 20 linked AWS accounts can be grouped together for consolidated billing under “AWS Organizations” to take advantage of volume discounts above.

    IAM Policies for this do not include:

    • AWSOrganizationsServiceTrustPolicy (A policy to allow AWS Organizations to share trust with other approved AWS Services for the purpose of simplifying customer configuration)

Create Forum Account

  1. PROTIP: To ensure anonymity interacting on public forums, the Administrator should create in a public email system (such as gmail.com, hotmail.com, etc.) an email address for use on forums. Don’t use a real name in the email address, but a positive adjective with a number to ensure it’s unique, such as “concerned123”.

    AWS says “Your email will be kept private” but I don’t trust that they can’t be hacked.

  2. Go to the AWS forums at URL:

    https://forums.aws.amazon.com/forum.jspa?forumID=150

  3. Register the new email address along with an AWS Nickname without a proper name, such as, again, “concerned123”.

  4. Use that email in StackOverflow.com and other public forums.

Compare Pricing of Plans

This can be

  1. Click Amazon’s Support Plan page here.

    The Basic account does not enable you to communicate with Amazon people who can answer technical questions.

    The $29/month Developer Plan enables you to open an unlimited number of support cases only via email, with a 12-hour response time if “system impaired”. Otherwise, the SLA is 24 hours.

    The $100/month Business Plan enables you to have 24/7 chat, phone, as well as email access with AWS Support people on an unlimited number of support cases, with a 1-hour response time for “production down” issues, or 4-hour response for “production impaired” issues.

    Amazon also has an Enterprise Plan for $15,000/month to get 15 minute response on “business critical system down” issues. This plan also comes with an assigned TAM (Technical Account Manager).

    These dollar amounts are minimums, not fixed prices.

  2. Scroll down to mouse over the “$29” on the Pricing line at the bottom of the table.


    PROTIP: Pricing for Developer support is the Greater of $29 or 3% of monthly AWS usage, so you will pay more than $29 if you spend more than $966.67.

  3. Scroll back up to click the “Pricing example” link on the right.
  4. Notice that if your spend is $2,000, Amazon bills you $60 for support, not $29.


  5. Click the “Business” and “Enterprise” buttons in the pop-up to see sample volume pricing tiers.

    Cases in Support Center

  6. To view support cases filed and their status, see:

    https://console.aws.amazon.com/support/home

    Policies for this are:

    • AWSSupportAccess (Allows users to access the AWS Support Center)
    • SupportUser (This policy grants permissions to troubleshoot and resolve issues in an AWS account. This policy also enables the user to contact AWS support to create and manage cases)
  7. Scroll down to view videos on specific technical issues by Amazon people.

    On the lower-right corner, there are links to AWS Documentation, Getting Started Guides, Knowledge Center, Whitepapers, and AWS Forums.

    Inspector service

    The Inspector Service (described here) automates security assessments to help improve the security and compliance of applications deployed on AWS.

    The first 250 agent-assessments are free during your first 90 days. Then it’s $0.30 per agent per assessment (agent-assessment) per month. And you can have many agents on each machine.

    What security vulnerabilities an organization has is rather confidential information. So be stingy about granting policies related to Inspector:

    Policies for auditors who evaluate security would be:

    • AmazonInspectorReadOnlyAccess (to auditors who evaluate security)
    • SecurityAudit

    Policies for those who carry out security assessments:

    • AmazonInspectorFullAccess
    • AmazonInspectorServiceRolePolicy grants Amazon Inspector access to AWS Services needed to perform security assessments.

    Related policies include:

    • AWSAccountActivityAccess
    • AWSAccountUsageReportAccess
    • AWSConfigRole
    • AWSResourceGroupsReadOnlyAccess
    • AWSServiceCatalogAdminFullAccess
    • AWSServiceCatalogEndUserFullAccess

    • PowerUserAccess
    • SecretsManagerReadWrite

    Well-Architected Framework

    Enterprise subscribers can have AWS Solution Architects (from Amazon Professional Services) conduct a “Well-Architected Review” of advice covered in the Well-Architected Framework described in this free video training and books (in pdf and Kindle).

    Topics covered in the Well-Architected Framework:

    • Cost Optimization
    • Performance
    • Security
    • Fault Tolerance
    • Service Limits

    There is a separate document/video for each of the above topics.

    Trusted Advisor

    “Trusted Advisor” is not a person, but a report.

    The Trusted Advisor Dashboard reports the result from scans of your account’s setup based on the Well-Architected Framework.

    The policy needed for this:

    • AWSTrustedAdvisorServiceRolePolicy

    The AWS CLI command:

    aws support describe-trusted-advisor-check-result \
       --check-id eW7HH0l7J9 \
       --query 'result.sort_by(flaggedResources[?status!="ok"],&metadata
    

    To get the check-id:

    # region must be us-east-1: the support commands only work in that region
    CHECK_ID=$(aws --region us-east-1 support describe-trusted-advisor-checks --language en --query 'checks[?name==`Service Limits`].{id:id}[0].id' --output text)
    echo $CHECK_ID
    

    If you don’t have a premium subscription, this error message appears:

    An error occurred (SubscriptionRequiredException) when calling the DescribeTrustedAdvisorCheckResult operation: AWS Premium Support Subscription is required to use this service.

Mobile apps for smart phones

  1. On your Android phone, get the AWS Console app installed:

    On Google Android mobile phones

  2. On your iOS, open the Store app and search to get AWS Console. It’s from “AMZN Mobile LLC” which creates all Amazon’s apps.

    PROTIP: These apps got low review scores because they only let people view, not change anything. And the 2FA is clunky.

  3. In the Store app, search for “Google Authenticator” and install it for multi-factor authentication to strengthen the security of your Amazon cloud account.

    PROTIP: Many keep the Authenticator running on their smart phone.

TODO: To avoid embedding an access key with the app (even in encrypted storage), use Amazon Cognito to manage user identity by authenticating users using Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)–compatible identity provider.*

AWS CLI Automation

In enterprises today, servers are built by scripts and configuration files generated from templates. This is so the build process can be debugged and changed slightly through the lifecycle from test to prod.

Instead of clicking and typing, server administrators work with template files in JSON format for Cloud Formation or Terraform to process.

The next step up is to use Atlas, which generates JSON files based on information typed into their web Consoles.

The command line interface is used by programs rather than the manual Console.

AWS CLI install

PROTIP: There are several ways to install AWS CLI using Python.

  1. The simplest and most reliable for me is to use HomeBrew on Macs:

    brew install awscli

    Alternately, one can use pip install awscli --upgrade --user --ignore-installed six installed from https://pypi.org/project/awscli. But when I did, aws could not be found.

    Another alternative to install (on CentOS 7) is:

    curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
    unzip awscli-bundle.zip 
    sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
    
  2. Verify what version of awscli you have installed:

    aws --version
    

    Something went wrong if your response is:

    -bash: aws: command not found

    The expected sample response (May 28, 2018):

    aws-cli/1.15.20 Python/3.6.5 Darwin/17.5.0 botocore/1.10.20
    

    PROTIP: Awscli now uses Python 3, not 2.7.

    AWS Boto for Python

    PROTIP: “AWS SDK for Python” enables your Python (.py) programs to invoke AWS CLI commands.

    The Python package botocore on GitHub provides a low-level foundation for AWS CLI software.

  3. To install Boto3:

    pip install boto3 --upgrade --ignore-installed six

    Code for boto3 is obtained from https://github.com/boto/boto3. Read about it at https://aws.amazon.com/sdk-for-python.

    NOTE: The package is installed into folder:
    /usr/local/lib/python2.7/site-packages/boto3/*

    Bash Shell completions

  4. To enable bash completion for aws commands at the Linux shell:

    echo 'complete -C aws_completer aws' >> ~/.bashrc

  5. Test out autocompletion by typing the first two characters and pressing Tab for a list of all aws cli commands that begin with those characters:

    AWS Shell completion

    PROTIP: For automatic complex autocompletion of AWS CLI commands, there is a 3rd-party utility that provides a shell GUI that suggests as you type:

  6. To install the awesome AWS Shell:

    pip install aws-shell

    Read about it at https://github.com/awslabs/aws-shell

    NOTE: The package is installed in folders:
    /usr/local/bin/aws-shell

  7. To enable AWS Shell:

    aws-shell

    You should now be in the sub-shell with prompt:

    aws>


  8. Exit aws-shell back to bash:

    .exit

    Alternately, .quit works too.

    jp command

    The jp command enables JSON to be manipulated within Bash scripts. For example, jp offers a simple syntax to extract the value at index 1 (the second element) of bar within foo. The expression is quoted so that the shell does not treat the brackets as a glob pattern:

    echo '{"foo": {"bar": ["a", "b", "c"]}}' | jp 'foo.bar[1]'

    The response should be: “b”

  9. Install it on Macs, in any folder:

    brew tap jmespath/jmespath
    brew install jp
    
  10. Verify it works by running the command above.

  11. See other usage and examples at https://github.com/jmespath/jp#usage

    jp is required by Aliases, below.

    Aliases

    Create file ~/.aws/cli/alias:

    mkdir -p ~/.aws/cli
    pushd ~/.aws/cli
    # From git clone https://github.com/awslabs/awscli-aliases --depth=1 alias
    curl -O https://raw.githubusercontent.com/awslabs/awscli-aliases/master/alias
    popd
    

    Further explained in video https://www.youtube.com/watch?v=Xc1dHtWa9-Q&t=26m35s

    IAM user configuration

    Regardless of how you get the command:

  12. Run the command to create files in folder ~/.aws referenced by all other aws cli commands:

    aws configure --profile root-admin-work

    PROTIP: The example “root-admin-work” would be replaced with the user’s account name being created. Different accounts may be needed for different permissions in prod vs. dev use. Having separate access keys for different applications also generates distinct entries in AWS CloudTrail log files, which makes it easier to determine which application performed specific actions.

    Without the profile specification, “aws configure” by itself defines default credentials.

    The command prompts you for:

    AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
    AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    Default region name [None]: us-west-2
    Default output format [None]: json
    

    PROTIP: If you do not explicitly specify an endpoint, US West (Oregon) us-west-2 is the default Region.

    The default output format is json.

    PROTIP: The aws configure command creates key/value pairs “aws_access_key_id” and “aws_secret_access_key” in file credentials for use by all AWS SDKs. Key/value pairs “region” and “output” are saved in file config used by the CLI.

    TODO: http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-environment

  13. The region in ~/.aws/config can be set also by:

    
    aws configure set profile.prod.region us-west-2
    

    Path ~/.aws/config is in variable $AWS_CONFIG_FILE

    Path ~/.aws/credentials is in variable $AWS_SHARED_CREDENTIALS_FILE

    On an EC2 instance, the region can be read from the instance identity document served by the instance metadata service (169.254.169.254):

    aws configure set region \
      $(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document \
      | jp -u 'region')

    Roles for Tasks

    TODO: Temporary security credentials Roles for Tasks stored in ~/.aws/config file:

    [profile iam-role]
    role_arn = arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE
    source_profile = iam-user
    output = json
    region = eu-west-1
    

    PROTIP: The ~/.aws/config file also houses settings that speed up S3 sync.

    [profile default]
    ...
    s3 =
      max_concurrent_requests = 100
      max_queue_size = 10000
      use_accelerate_endpoint = true
    

    Configure profiles

    PROTIP: You’ll likely need to use several AWS accounts, so specify a profile for each account.

    Services list

    Now that you have permissions after configuration:

  14. For a list of Amazon services with command access:

    aws help

    PROTIP: Drag the left/right edge of the Terminal to widen the screen.

    See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-using.html

AWS Services Management Console

  1. If you are at the AWS marketing page, click “My Account” for this menu:


  2. Get the AWS Management Console:

    https://console.aws.amazon.com/console/home

    All Amazon services

  3. Click to view all Services at the upper-left black menu band.

  4. Read the User Guide for each service at:

    https://aws.amazon.com/documentation

    Quick Access icons

    Save time by getting quickly to the most frequently used services by having their icons at the top (black) menu bar.

  5. Click the push-pin icon.
  6. One by one, drag the icon on the list and drop it on the top black menu to the left of the orange push pin. If you don’t see the black menu, pause just under the browser URL for the browser to automatically scroll.

    PROTIP: The services most often used are IAM, VPC, EC2, S3

  7. If you have good memory of what icons mean, change the Settings to “Icons only”.


    Claim S3 Bucket names

    The AWS Account Administrator has a fiduciary responsibility to secure Intellectual Property assets.

    S3 Bucket names are universally unique among all AWS customers. So just as there are domain name squatters who register and sit on .com host names for sale at high prices to those who actually use the names, the administrator of root accounts for an organization should register your organization’s brand names before others get them first.

    To create a bucket for each host name registered on GoDaddy, Google Domains, etc.:

  8. Click S3 from among services.
  9. Click the blue “Create bucket” button.
  10. Type in the host name (such as “wilsonmar.com”) in the Bucket name field.
  11. Select your home Region.

    PROTIP: Claiming a Bucket name in one region locks it up for all Regions.

  12. Click “Next”.
  13. Click “Next”.
  14. Click “Next” to manage users.
  15. Click “Create Bucket”.

Security services

  1. Scroll to the category “Security, Identity, and Compliance” list of ever-growing services:


    • WAF (Web Application Firewall) protects against application-level attacks such as SQL injection and cross-site scripting.
    • Shield protects against DDoS (Distributed Denial of Service) attacks

    • Click “Artifact” (at the bottom of the list) to read documents associated with security certifications.
    • Cognito provides an API to federate authentication with various social identity providers (Facebook, Twitter, etc.)
    • GuardDuty
    • Inspector
    • Amazon Macie
    • AWS Single Sign-On
    • Certificate Manager manages security certificates
    • Cloud HSM provides
    • Directory Service

    What’s not listed in that category but is part of the AWS Best Practices:

    • Cloud Trail audits usage

    Lockdown Root Account

  2. From the AWS Console, select IAM (Identity and Access Management) to see the Security Status list:


    To get back to this screen, click “Dashboard” on the IAM menu on the left.

    The FAQ to this is at https://aws.amazon.com/iam/faqs

  3. Click on “Delete your root access key”.

  4. Check “Don’t show me this message again” and Continue to Security Credentials.

    MFA (Multi-Factor Authentication)

    Have AWS text or call your smartphone (a virtual device) to make sure that it’s really you logging in.

  5. Click Activate MFA on your root account.
  6. Click Manage MFA.
  7. Select “A virtual MFA device”.
  8. Click “Next Steps” for the note about installing Google Authenticator.
  9. On your iPhone or Android, if you have not already installed Google Authenticator app, do it.
  10. In the Google Authenticator app, click the “+” icon at the top of the screen.
  11. Click “Scan barcode”.
  12. Align the QR code (with the square of dots) within the green box.
  13. Wait for the Google Authenticator app to display two codes. The entry we want begins with “root-account-mfa-device@” followed by the 12-digit Account Id.
  14. Type the first code for the account into the AWS Console website “Authentication code 1”.

    PROTIP: Do not type the space between numbers so that you enter only 6 digits.

  15. Press Tab and type the second code in “Authentication code 2”.

    PROTIP: A new code is created every minute.

  16. Scroll down to click “Activate virtual MFA” at the bottom of the screen.

    MFA in profile

    To specify use of MFA in an assumed role provider profile, see this example of credentials file:

    [profile prod-access]
    role_arn=arn:aws:iam::123456789012:role/ReinventProdAccess
    source_profile=development
    
    [profile prod-full-s3-access]
    role_arn=arn:aws:iam::123456789012:role/FullS3Access
    source_profile=development
    mfa_serial=arn:aws:iam::18490616333:mfa/james
    
  17. Test:

    aws s3 ls --profile prod-full-s3-access

    The response is a prompt waiting for manual input:

    Enter MFA code: _

    See video https://www.youtube.com/watch?v=xVyx23bvamI
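An offline check of the two files discussed above (the ~/.aws/config profiles under “Roles for Tasks” and the mfa_serial example just shown), as an added example that is not part of the original page. It uses Python's standard configparser over constructed sample files: the profile names mirror the ones above, the keys are the AWS documentation placeholders, and the function names (parse_profiles, audit_profiles, check_file_mode) are my own. It flags a profile that assumes a role without requiring MFA, a source_profile that is not defined anywhere, long-term keys written into config instead of credentials, and a credentials file readable by other local users.

```python
"""Audit ~/.aws/config and ~/.aws/credentials for common profile mistakes.
Added example; not code from the original page."""
import configparser
import os
import stat
from typing import Dict, List

# Constructed sample files. AKIAIOSFODNN7EXAMPLE / wJalr... are the
# placeholders used throughout AWS documentation, not real keys.
SAMPLE_CONFIG = """\
[default]
region = us-west-2
output = json

[profile prod-access]
role_arn = arn:aws:iam::123456789012:role/ReinventProdAccess
source_profile = development

[profile prod-full-s3-access]
role_arn = arn:aws:iam::123456789012:role/FullS3Access
source_profile = development
mfa_serial = arn:aws:iam::123456789012:mfa/james

[profile sloppy]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_CREDENTIALS = """\
[development]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def parse_profiles(text: str, is_config: bool) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: {key: value}}. In the config file every profile
    except default is written "[profile NAME]"; the credentials file uses
    bare "[NAME]" sections, so the prefix is stripped only for config."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section
        if is_config and section.startswith("profile "):
            name = section[len("profile "):]
        profiles[name] = dict(parser[section])
    return profiles


def audit_profiles(config_text: str, credentials_text: str) -> List[str]:
    """Return one finding per risky setting, in file order."""
    findings = []
    config = parse_profiles(config_text, is_config=True)
    creds = parse_profiles(credentials_text, is_config=False)
    for name, settings in config.items():
        if "role_arn" in settings:
            # Assumed-role profiles should require a second factor.
            if "mfa_serial" not in settings:
                findings.append(
                    f"{name}: assumes {settings['role_arn']} without mfa_serial")
            src = settings.get("source_profile")
            if src and src not in creds and src not in config:
                findings.append(f"{name}: source_profile {src!r} is not defined")
        if "aws_secret_access_key" in settings:
            # Secrets belong in the credentials file, which tooling treats as sensitive.
            findings.append(
                f"{name}: long-term secret key stored in config instead of credentials")
    return findings


def check_file_mode(path: str) -> List[str]:
    """Flag a credentials file readable by group or others (expect mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {oct(mode)} lets other local users read your keys"]
    return []


if __name__ == "__main__":
    for line in audit_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS):
        print(line)
    real = os.path.expanduser("~/.aws/credentials")
    if os.path.exists(real):
        for line in check_file_mode(real):
            print(line)
```

To run it against your own files, read ~/.aws/config and ~/.aws/credentials into strings and pass them to audit_profiles; on the sample above it reports prod-access (no mfa_serial) and sloppy (secret in the wrong file).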

    Create Admin sub-account

  18. In the IAM page click “Create individual IAM users”. What it says is important:

    “Create IAM users and give them only the permissions they need. Do not use your AWS root account for day-to-day interaction with AWS, because the root account provides unrestricted access to your AWS resources.”

  19. Click “Manage users”.
  20. Click “Add User”.
  21. PROTIP: For the user name field, define a pattern of up to 64 characters with dashes (instead of spaces and underlines) to separate words.

    For the Administrator to do work (of assigning):

    root-admin-work

  22. Click “Programmatic access”.
  23. If you would like to use AWS Management Console access, leave the default for Autogenerated password because you’ll create a new password at next sign-in.
  24. Click “Next: Permissions”.

    We’ll add groups later, below.

  25. Click “Attach existing policies directly” because this Admin account is limited in scope.

  26. Rather than granting “AdministratorAccess”, which gives all access, grant only the policies for what the account needs:

    • SystemAdministrator
    • IAMFullAccess covers the others:

      • IAMReadOnlyAccess
      • IAMSelfManageServiceSpecificCriteria
      • IAMUserChangePassword
      • IAMUserSSHKeys
  27. Click “Next: Review”.
  28. Click “Create user”.

    Inform user of credentials

  29. To see what is sent if you click “Send email”, right-click on the link and “Copy Link”, then paste in a text editor to see:

    subject=Welcome to Amazon Web Services
    body=Hello,  You have been given access to the AWS Management Console for the Amazon Web Services account ID ending in 8630. You can get started by using the sign-in information provided below.%0A%0ASign-in URL: https://103265058630.signin.aws.amazon.com/console%0AUser name: root-admin-work   
    Your initial sign-in password will be provided separately from this email. When you sign in for the first time, you must change your password. 
    Sincerely, Your AWS Account Administrator
  30. PROTIP: Along with the Access Key Id and Secret access key, the default Region and format are also required to perform “aws configure”, so add that information in the email.

    PROTIP: Add what AWS Groups and associated Policies the user has been given.

    PROTIP: Also include in the email, for those who use AWS CLI, how to install it and 3rd-party tools.

    For those who use the AWS Console GUI, explain the mobile apps to install. Provide them the URL with the region included, such as:

    https://us-west-2.console.aws.amazon.com/lambda/home?region=us-west-2

    NOTE: Baking the Region into Console URLs makes for more direct connections and removes issues from using a single URL/DNS.

  31. Click “Download .csv” to download a “credentials.csv” file to your Downloads folder. Its columns differ slightly from those in the “Add User” GUI:

    User name, Password, Access key ID, Secret access key, Console login link

    The “Console login link” is the “Sign-in URL” in the email.

    Apply an IAM password policy

  32. Click “Manage Password Policy” so AWS will ensure that “strong” passwords are used (and not easy to guess ones). AWS defaults are terrible:


PROTIP: Over time, as hackers have access to more powerful computers that can guess passwords quicker, larger passwords are necessary to make them more difficult to crack.

  1. PROTIP: The largest Minimum password length AWS allows is 128 characters. But 1Password can generate up to only 64 characters. Practically, 22 characters is a reasonable minimum. Require at least one number and one non-alphanumeric character.


    PROTIP: Each site may have different rules about what special characters are allowed. So generate a smaller string, then manually add special characters. Copy the final string before pasting into the form.

  2. Click “Apply password policy”.
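A way to check an account's password policy against the minimums recommended above (22 characters, at least one number and one non-alphanumeric character) and to generate a password that meets them, as an added example that is not part of the original page. The policy JSON is constructed in the shape that `aws iam get-account-password-policy` returns; the weak sample is illustrative, not a statement of AWS's actual defaults, and the function names are my own.

```python
"""Compare an IAM account password policy with the recommended minimums and
generate a compliant password. Added example; not from the original page."""
import json
import secrets
import string
from typing import List

MIN_LENGTH = 22  # the practical minimum recommended in the text

# Constructed sample of a lax policy (weak setting) ...
WEAK_POLICY = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "AllowUsersToChangePassword": True,
}})

# ... beside the corrected one.
STRONG_POLICY = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 22,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "AllowUsersToChangePassword": True,
}})


def policy_findings(policy_json: str) -> List[str]:
    """Return a finding for each setting below the recommended minimum."""
    p = json.loads(policy_json)["PasswordPolicy"]
    findings = []
    length = p.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength is {length}, want >= {MIN_LENGTH}")
    for flag in ("RequireNumbers", "RequireSymbols"):
        if not p.get(flag, False):
            findings.append(f"{flag} is off")
    return findings


def generate_password(length: int = MIN_LENGTH, symbols: str = "!@#$%^&*-_") -> str:
    """Random password containing upper, lower, a digit and a symbol.
    Sites differ on which symbols they accept, so the caller picks the set
    (the text's advice about adding special characters by hand)."""
    if length < 4:
        raise ValueError("too short to hold every required character class")
    alphabet = string.ascii_letters + string.digits + symbols
    while True:  # rejection sampling keeps every character uniformly random
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isdigit() for c in pw) and any(c in symbols for c in pw)
                and any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
            return pw


if __name__ == "__main__":
    for finding in policy_findings(WEAK_POLICY):
        print("weak policy:", finding)
    print("strong policy findings:", policy_findings(STRONG_POLICY))
    print("sample password:", generate_password())
```

The CLI equivalent of the corrected setting is `aws iam update-account-password-policy --minimum-password-length 22 --require-numbers --require-symbols`; feed the output of `aws iam get-account-password-policy` to policy_findings to verify it took effect.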

    Deactivate regions not used

    On the same “Account settings” page:

  3. Scroll down to “Security Token Service Regions” and deactivate regions your organization is not using.

    PROTIP: Select a Region where most of your target users are located. New services are usually restricted to one region, such as N. Virginia or N. California where AWS does development work.

    Admin Sign In

  4. Sign out and sign in again to the AWS Console using the newly created admin sub-account.

  5. To verify the identity being used in AWS CLI:

    aws sts get-caller-identity

    A sample response:

    {
        "Account": "103265058630",
        "UserId": "AIDAJHXCZNAH2MEXAMPLE",
        "Arn": "arn:aws:iam::103265058630:user/root-admin-work"
    }
    

    Alternately, use an alias defined:

    aws whoami

    Define groups to assign permissions

    PROTIP: For a user to do something usually requires several AWS resources, so several permissions need to be granted to a user. To simplify assignments, we define Groups of permissions which we can then assign to each user.

    In other words, an IAM group is a management convenience to manage the same set of permissions for a set of IAM users.

    The AWS CLI command to create a group named “MyIamGroup” is:

    aws iam create-group --group-name MyIamGroup
    

    The response is:

    {
     "Group": {
         "GroupName": "MyIamGroup",
         "CreateDate": "2012-12-20T03:03:52.834Z",
         "GroupId": "AKIAI44QH8DHBEXAMPLE",
         "Arn": "arn:aws:iam::123456789012:group/MyIamGroup",
         "Path": "/"
     }
    }
    

    By contrast, the AWS CLI command to create an EC2 security group (which controls network access, not IAM permissions) is:

    aws ec2 create-security-group --group-name my-sg --description "My security group"
    

    A sample response:

    {
    "GroupId": "sg-903004f8"
    }
  6. Click Manage Groups then Create New Group.

    PROTIP: Groups are usually associated with a particular job: admin, sales, HR, front-end developer, back-end developer, etc.

    A user can belong to multiple groups. More complex organizations manage differences in permissions for company, division, project, location, job level, etc. So 128 characters may not be enough if large words are used. Thus, abbreviate and use acronyms.

    PROTIP: Put abbreviations and acronyms in a wiki publicly available to avoid duplicate usage.

  7. “aws_iot_buttons” is the group name I use as an example.

PROTIP: Use dashes. Space characters are not allowed. On March 1, 2018 AWS removed the ability to use underscores in S3 bucket names.

The policies listed are “AWS Managed”.

  1. Click on Policy Type to select Job function.

  2. PROTIP: Instead of scrolling down the massive list in Attach Policy (Alexa, Amazon, AWS, etc.), type in the Filter field the first few letters (such as “IoT”) and the list gets smaller. Notice the filter you type is applicable to not just characters beginning with what you typed, but also characters inside names as well.

  3. Click to select.
  4. Click “Create Group”.

    Note different policies have different levels of access, with admin having more capabilities than “read only” ones.

  5. The names shown on the screen are called a “Policy Summary”.
  6. Click “JSON” to see the file that AWS reads to assign policies. Here you see what Actions the policy allows.

  7. Click “Access Advisor” to see users who have been assigned to use the policy.

    https://docs.aws.amazon.com/iot/latest/developerguide/create-iot-policy.html

    Access keys (access key ID and secret access key)

    See that “AWS recommends that you rotate your access keys every 90 days”? Some find it easier to remember by doing it on the first day of each month. Why? There are thousands of big computers around the world literally staying up at night trying different combinations.

  8. PROTIP: Make an appointment on your Calendar with a recurring schedule.

    PROTIP: Rotation applies to the access keys of IAM child accounts, not the root account.

    You don’t want programmatic access to your root account, so you don’t need no stinkin’ keys.

  9. Click Delete on the key. Write down the date Created.
  10. Don’t create a new Access Key.

    Create IAM Users

  11. Click Users on the left menu.
  12. Click Add User.
  13. Specify User Name. For example: user1@myco.com

    PROTIP: Use underscores to separate words in IAM User Names rather than spaces.

  14. Check “Programmatic Access”.
  15. Uncheck “User must create a new password at next sign-in”.
  16. Click “Next: Permissions”.
  17. Click “Attach existing policies directly” for the first user.

    PROTIP: The policy attached depends on what the user will be allowed to do.

  18. Send to each user the AccountId, UserName using a different mode of communication than the password.
  19. The user signs in using the credentials Account Id, the UserName, and password.
  20. Click “Send email”

    PROTIP: Send credentials to your alternate email rather than to a cloud drive (Amazon, Google, Box, etc.); an email account that you setup with a fake birthdate and other personal information; one you never give out to anyone.

Send out an email to notify users of the sign-in URL: https://103265058630.signin.aws.amazon.com/console

Send out passwords on a different channel (not just another email).
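The “JSON” tab described above shows the policy document AWS actually evaluates. The following is an added example (not code from this tutorial or from AWS) that reads such a document the way a reviewer would: it lists which Actions each statement allows or denies and flags Allow statements whose wildcards grant more than a job-function group should have. The policy text is a constructed sample; the IoT ARN, account number and Sid names in it are made up for illustration.

```python
"""Summarize an IAM policy document the way the console's "JSON" tab lets you
read it: which Actions each statement allows or denies, plus findings for
Allow statements that grant more than a least-privilege policy should."""
import json

# Constructed sample policy, not taken from the tutorial: one statement scoped
# to IoT things, one over-broad statement, and one explicit Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IoTButtonRead",
            "Effect": "Allow",
            "Action": ["iot:DescribeThing", "iot:ListThings"],
            "Resource": "arn:aws:iot:us-east-1:123456789012:thing/button-*",
        },
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "NoUserDeletes", "Effect": "Deny", "Action": "iam:DeleteUser",
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a single string (or one statement object) or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def summarize_policy(policy_json):
    """Return (allowed, denied, findings).

    allowed / denied: sorted action names from Allow / Deny statements.
    findings: list of (Sid, message) for Allow statements using wildcards.
    """
    policy = json.loads(policy_json)
    allowed, denied, findings = set(), set(), []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if stmt.get("Effect") == "Deny":
            denied.update(actions)
            continue  # a Deny only narrows access; nothing to flag
        allowed.update(actions)

        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants every action "
                                  "except those listed"))
        for action in actions:
            if action == "*":
                findings.append((sid, "Action '*' allows every API call"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' allows every call "
                                      "in that service"))
        if "*" in resources:
            findings.append((sid, "Resource '*' applies to every resource; "
                                  "scope it to ARNs where the actions allow"))
    return sorted(allowed), sorted(denied), findings


if __name__ == "__main__":
    allowed, denied, findings = summarize_policy(SAMPLE_POLICY)
    print("Allows:", ", ".join(allowed))
    print("Denies:", ", ".join(denied))
    for sid, message in findings:
        print(f"[{sid}] {message}")
```

Run it against any policy JSON copied from the console's “JSON” tab; a managed job-function policy such as a read-only one should produce no findings, while a statement like TooBroad above is the kind an admin group gets by accident and everyone else should not have.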


### IAM CLI

AWS Identity and Access Management (IAM) manages users, groups, roles, and the policies that control what they are allowed to access.

  1. List users:

    aws iam list-users --query Users[*].UserName

  2. List the groups a user belongs to (supply the user name in place of ???):

    aws iam list-groups-for-user --user-name ???

  3. Create a new user named “MyUser”:

    aws iam create-user --user-name MyUser


The response is:

{
    "User": {
        "UserName": "MyUser",
        "Path": "/",
        "CreateDate": "2012-12-20T03:13:02.581Z",
        "UserId": "AKIAIOSFODNN7EXAMPLE",
        "Arn": "arn:aws:iam::123456789012:user/MyUser"
    }
}
  4. Add the user to the group:

    aws iam add-user-to-group --user-name MyUser --group-name MyIamGroup
  5. To verify that the MyIamGroup group contains the MyUser, use the get-group command:

    aws iam get-group --group-name MyIamGroup

    The response:

     {
         "Group": {
             "GroupName": "MyIamGroup",
             "CreateDate": "2012-12-20T03:03:52Z",
             "GroupId": "AKIAI44QH8DHBEXAMPLE",
             "Arn": "arn:aws:iam::123456789012:group/MyIamGroup",
             "Path": "/"
         },
         "Users": [
             {
                 "UserName": "MyUser",
                 "Path": "/",
                 "CreateDate": "2012-12-20T03:13:02Z",
                 "UserId": "AKIAIOSFODNN7EXAMPLE",
                 "Arn": "arn:aws:iam::123456789012:user/MyUser"
             }
         ],
         "IsTruncated": "false"
     }
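The access-key step earlier says to rotate keys every 90 days and to delete keys you do not use. The block below is an added example, not part of this tutorial or of the AWS CLI, that turns that rule into a check: it reads the JSON that aws iam list-access-keys prints (the same response shape as the get-group output above) and reports Active keys older than the rotation window. The embedded response is a constructed sample; the first two key IDs are AWS documentation examples already shown on this page, the third (AKIAEXAMPLEKEY000003) and user2 are made up.

```python
"""Flag IAM access keys past the 90-day rotation window, using the JSON that
`aws iam list-access-keys --user-name <name>` returns."""
import json
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90

# Constructed sample in the CLI's response shape (not output captured from
# the tutorial); the third key ID and "user2" are made up for illustration.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "MyUser", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
         "Status": "Active", "CreateDate": "2012-12-20T03:13:02Z"},
        {"UserName": "MyUser", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
         "Status": "Inactive", "CreateDate": "2012-12-20T03:03:52Z"},
        {"UserName": "user2", "AccessKeyId": "AKIAEXAMPLEKEY000003",
         "Status": "Active", "CreateDate": "2018-01-15T09:30:00+00:00"},
    ]
})


def parse_aws_timestamp(text):
    """Parse the ISO-8601 timestamps the CLI prints. A trailing 'Z' is
    rewritten because datetime.fromisoformat only accepts it from 3.11 on."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def keys_needing_rotation(list_access_keys_json, now=None,
                          max_age_days=ROTATION_DAYS):
    """Return [(UserName, AccessKeyId, age_in_days)] for Active keys older
    than max_age_days as of `now` (a timezone-aware datetime; default: now)."""
    now = now or datetime.now(timezone.utc)
    data = json.loads(list_access_keys_json)
    limit = timedelta(days=max_age_days)
    stale = []
    for key in data.get("AccessKeyMetadata", []):
        if key.get("Status") != "Active":
            continue  # an Inactive key cannot be used; delete it rather than rotate
        age = now - parse_aws_timestamp(key["CreateDate"])
        if age > limit:
            stale.append((key["UserName"], key["AccessKeyId"], age.days))
    return stale


if __name__ == "__main__":
    for user, key_id, days in keys_needing_rotation(SAMPLE_LIST_ACCESS_KEYS):
        print(f"{user}: {key_id} is {days} days old; rotate it")
```

In practice you would feed it the real CLI output (aws iam list-access-keys --user-name MyUser, run per user, or the per-user rows of a credential report) and run it from the calendar reminder the tutorial suggests; the root account is deliberately outside its scope, because the tutorial's advice for root is to have no access keys at all.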

Linux AMIs

Types of operating system AMI:

  • Amazon Linux 2014.09.2 (CentOS)
  • Red Hat Enterprise Linux 6.6 (RHEL)
  • SUSE Linux Enterprise Server 12
  • Ubuntu Server 14.04

Advanced User Data

https://gist.github.com/mikepfeiffer/

  • https://aws.amazon.com/powershell
    AWS Powershell for Windows (the command below is a cmdlet from the AWS Tools for PowerShell, not an aws CLI subcommand)

    Get-AWSCredentials -ListProfiles

Diagrams

ProcessOn.com provides a free on-line tool to draw diagrams such as this

At architecture/icons Amazon provides a sample .PPTX (PowerPoint 2010+) file (AWS_Simple_Icons_PPT_v16.2.22.zip). Lines used to illustrate the hierarchy:

PROTIP: Use different colors for lines and text to reduce visual confusion.

You can also download a zip containing .png and .svg files of icons (AWS_Simple_Icons_EPS-SVG_v16.2.22.zip).

Social

https://www.twitch.tv/aws/videos/all videos include:

Tutorial Rock Stars and their presentations

Jeff Barr (@jeffbarr), AWS Chief Evangelist makes announcements of all new stuff at the company’s AWS Blog and #AWS Twitter hash-tag

Yan Kurniawan

J O’connner:

  • http://joconner.com/

Ryan Scott Brown @ryan_sb

  • https://serverlesscode.com/post/new-ssl-tls-cert-manager-acm/

Matt Wood, @mza, Product Strategy @ Amazon Web Services

AWS Certifications

Practice exam dumps for AWS Certified Cloud Practitioner 2018 $5.99 or Kindle Unlimited.

AWS Training Resources

More on Amazon

This is one of a series on Amazon: