AWS Fundamentals: Regions, Availability Zone and IAM
AWS Regions & Availability Zones:
AWS has Regions worldwide, with names such as us-east-1 or eu-west-2. A Region is a physical location somewhere on the globe containing a cluster of data centers, and most AWS services are Region-scoped.
Each Region is made up of multiple isolated, physically separated sections within a geographic area, known as Availability Zones (AZs). An Availability Zone is one or more distinct data centers with redundant power, networking, and connectivity in an AWS Region. AZs let you run production applications and databases that are more highly available, fault-tolerant, and scalable than a single data center would allow, because the AZs are interconnected with high-bandwidth, low-latency networking. Traffic between AZs is encrypted.
Identity & Access Management (IAM):
AWS Identity & Access Management (IAM) lets you manage access to AWS services and resources securely. Using IAM you can create and manage AWS users and groups, and the permissions that allow or deny their access to AWS resources.
To get started with IAM, open the AWS Management Console, go to IAM, and begin with the IAM Best Practices.
AWS publishes a list of best practices for managing access to AWS resources:
Users- Create individual users.
Groups- Manage permissions with groups.
Permissions- Grant least privilege.
Auditing- Turn on AWS CloudTrail.
Password- Configure a strong password policy.
MFA- Enable MFA for privileged users.
Roles- Use IAM roles for Amazon EC2 instances.
Sharing- Use IAM roles to share access.
Rotate- Rotate security credentials regularly.
Conditions- Restrict privileged access further with conditions.
Root- Reduce or remove the use of root.
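The list above is easier to act on when the checks are automated. The following is an added example, not code from the original article or from AWS: it lints two constructed IAM policy documents for the "least privilege" and "conditions" practices (wildcard actions or resources, privileged statements without an MFA condition) and audits a constructed IAM credential report for the "MFA", "rotate" and "root" practices. The column names in the report are the ones the real `aws iam get-credential-report` output uses; the rows, the account id 111122223333 and the 90-day rotation threshold are assumptions of this example.

```python
"""Added example (not from the original article): lint IAM policies and an IAM
credential report against the best-practice list.  All sample data is
constructed; the credential-report column names match the real report."""
import csv
import io
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed threshold; the article only says "rotate regularly"


def lint_policy(policy: dict) -> list:
    """Return findings for one IAM policy document.

    Flags wildcard actions/resources (violates 'grant least privilege') and
    privileged statements (iam:* or '*') that have no MFA condition
    (the 'Conditions' best practice).
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written unwrapped
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
        privileged = any(a == "*" or a.startswith("iam:") for a in actions)
        has_mfa = "aws:MultiFactorAuthPresent" in json.dumps(st.get("Condition", {}))
        if privileged and not has_mfa:
            findings.append(f"statement {i}: privileged action without aws:MultiFactorAuthPresent condition")
    return findings


def audit_credential_report(report_csv: str, now: datetime) -> list:
    """Return findings from an IAM credential report (CSV text)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":  # how the real report names the root user
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append("root: active access key (remove root credentials)")
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(f"{user}: access key {n} is {age} days old")
    return findings


# Constructed policies: one over-broad, one following least privilege + MFA condition.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey"],
         "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Constructed credential report (real header, made-up rows).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,true,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-02T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-01T00:00:00+00:00,true,2024-05-01T09:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-04-15T00:00:00+00:00,2024-05-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-06-01T00:00:00+00:00,false,no_information,not_supported,not_supported,false,true,2022-06-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
AUDIT_TIME = datetime(2024, 5, 2, tzinfo=timezone.utc)  # fixed "now" for reproducibility

if __name__ == "__main__":
    for name, pol in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        print(name, "->", lint_policy(pol) or "no findings")
    for f in audit_credential_report(SAMPLE_REPORT, AUDIT_TIME):
        print("credential report ->", f)
```

Run it as a script to see the findings; in practice you would feed it the decoded output of `aws iam get-credential-report` and your account's policy documents. The root row is handled first and separately because an active root access key or missing root MFA is the finding that matters most.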
IAM Federation:
Large enterprises usually integrate their own user repository with IAM, so that people can log in to AWS using their company credentials. Identity Federation uses the SAML standard (for example, with Active Directory).
Note:
One IAM User per Physical Person
One IAM Role per Application
IAM credentials should NEVER be shared
Never write IAM credentials in code.
Never use the ROOT account except for initial setup
Never use Root IAM Credentials.
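"Never write IAM credentials in code" is the note most easily enforced by a check that runs before code is committed. The following is an added example, not part of the original article: a small scanner that flags AWS access key IDs (the real AKIA and ASIA prefixes followed by 16 characters) and 40-character secrets assigned to a variable whose name contains "secret". The two source snippets it scans are constructed; the key values in the bad snippet are the placeholder values AWS uses in its own documentation and are not valid credentials. The "secret" variable-name heuristic is an assumption of this example.

```python
"""Added example (not from the original article): a pre-commit style scanner
for hard-coded AWS credentials.  The sample snippets are constructed and the
key values in them are documentation placeholders, not real credentials."""
import re

# Access key IDs: known prefix (AKIA long-term, ASIA temporary) + 16 uppercase
# alphanumerics, not embedded inside a longer token.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Za-z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")

# Secret access keys have no fixed prefix, so this heuristic (an assumption of the
# example) flags a 40-char base64-like literal assigned to a "...secret..." variable.
SECRET_ASSIGN_RE = re.compile(r"(?i)secret[A-Za-z0-9_]*\s*[:=]\s*[\"']([A-Za-z0-9/+]{40})[\"']")


def scan_source(text: str) -> list:
    """Return (line_number, finding) tuples for each credential-looking literal.

    Comment lines are scanned too: a commented-out key is still a leaked key.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID_RE.search(line):
            findings.append((n, "hard-coded AWS access key ID"))
        if SECRET_ASSIGN_RE.search(line):
            findings.append((n, "hard-coded AWS secret access key"))
    return findings


# Constructed snippet that violates the note (placeholder values from AWS docs).
BAD_SNIPPET = '''import boto3
# Constructed example; these values are documentation placeholders, not valid credentials.
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# Constructed snippet that follows the note: the SDK picks up credentials from
# the instance/task role or the environment, so nothing is in source.
GOOD_SNIPPET = '''import boto3
# Credentials come from the IAM role or the environment, never from source.
client = boto3.client("s3")
'''

if __name__ == "__main__":
    for label, snippet in (("bad", BAD_SNIPPET), ("good", GOOD_SNIPPET)):
        print(label, "->", scan_source(snippet) or "clean")
```

Wire `scan_source` into a pre-commit hook over the staged files and fail the commit on any finding; the IAM role approach in the good snippet is the same "one IAM role per application" rule stated above.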