# aws-sa-pro ## AWS Certified Solutions Architect Professional ### IAM #### Security Token Service (STS) * If permission policy of a role is changed, the change is immediately reflected to the privileges of temporary credentials obtained with AssumeRole * If temporary credentials are leaked, they can revoked by doing the following * Update role permission policy with AWSRevokeOlderSessions inline DENY for any sessions older than now * In the IAM role UI, there is a helper for that in "Revoke sessions" tab. This will apply the inline policy to role * This will revoke all temporary credentials which were obtained before the current, but legitimate users can get new credentials with AssumeRole call * Fetching EC2 instance role temporary access keys from metadata endpoint * Get name of role: `curl http://169.254.169.254/latest/meta-data/iam/security-credentials` * Get the credentials: `curl //169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME` #### Permission boundaries * Only identity permissions are affected by permission boundaries * permission boundary can be applied to IAM Users or IAM Roles * They don't grant access by themselves, but only define maximum permissions identity can receive * Boundaries can be used to solve delegation problems with IAM permissions #### Policy evaluation logic * Within same AWS account * Explicity Deny * Organization Service Control Policies (SCPs) * Resource Policies - can allow access and evaluation stops * IAM Identity Boundaries * Sessions Policies * Identity Policies * Cross-acccount access - different AWS accounts * needs explicit allow from source account identity policy * allow from destination account to source account #### S3 cross-account access * If bucket ACLs are used, canonical user IDs need to be used to reference other AWS accounts * Cross account S3 access can be done using three methods * ACLs - context is the whole bucket and the object * Bucket policies - policies can be applied to bucket or objects * Assuming role in destination account, which has access to S3 and/or objects ### Resource Access Manager (RAM) * RAM can be used to share resources between AWS accounts * Shared service needs to have RAM support * As AZ names are rotated between different accounts, AWS introduced AZ ids, which are consistent across accounts * Resources shared with accounts in same AWS Organization are automatically accepted, if sharing within organization feature is enabled * This enables for example to create shared services VPC, which can be shared to other accounts * Resource-wise, participant accounts only have read-only access * each account owns the resources, which it creates to VPC * as the resources are in the same VPC, there is network-level connectivity * Some resources can be shared with any AWS accounts, some can only with AWS acxounts in the same organization * Name tag is not shared ### Service Quotas * Service quota request template can be used to request quota changes to all AWS accounts in the same AWS organization * Cloudwatch Alarms can be created for reaching certain percent of the quota * Changes to quotas can be done from * Console Service Quota service * Using support ticket * Using AWS API, for example with AWS CLI ### Advanced Identities and Federation * Use SAML 2.0 (Security Assertion Markup Language) federation if * enterprise identity provider which supports SAML 2.0 is used * there is existing identity management team and federation source is not migrated * single source of truth with more than 5000 users * SAML 2.0 federation uses IAM Roles and AWS Temporary Credentials (max. 12h duration) * AWS SSO is preferred for identity federation if there are no exclusions * SSO can also manage access for external applications * SSO permissions sets bind SSO Users or Groups to certain permissions in one or more AWS accounts * AWS Cognito * provides authentication, authorization, and user management for web/mobile apps * two main concepts * User Pool - allows to sign-in and get JSON Web Token (JWT) * user directory, sign-up, sign-in, and etc. * Identity Pool - allows you to offer access to Temporary AWS credentials * unauthenticated identities - guest users * swap external identities (FB, Google, Apple, SAML 2.0, User Pool) for short term AWS credentials to access AWS resources ### AWS Workspaces * AWS Workspaces use Directory Service for authentication and user management * simple AD * managed full AD * external AD with AD connector * Workspace use VPC networking to access internet or on-prem networks, so there are extra costs * Can access on-prem resources using VPN or direct connect * Not HA, because they use only on AZ ### Directory Service #### Microsoft AD * Native Active Directory * HA, min. 2 AZs * Support one-way and two-way external and forest trusts with on-prem AD * Supports more than 5000 users * Automatic patching and maintenance * Supports AD native schema extensions * Supports MFA with Radius #### AD connector * redirects requests to existing directory services * no directory data stored in AWS * requires working network connection to existing AD * requires two subnets in VPC, different AZs ### VPC #### DHCP in VPC * By default resources use Amazon provided DNS server in VPC * Route53 resolver in VPC * EC2 instances get private hostnames * EC2 instances get public hostnames if public ip is configured * If wanted, user can provide own DNS server * DHCP is configured with option sets * immutable, so can't edited after creation * option set can be associated with zero or more VPCs * Each VPC max one DHCP option set * When VPC DHCP option set is changed, it requires DHCP renew * Default gateway in option set can't be changed * it's always VPC Router (subnet +1) * DNS server can be changed, by default it's Route53 Resolver (subnet +2) #### VPC Router * HA across all AZs in the region * Routes traffic between subnets * Routes from external networks into the VPC and from VPC into external networks * Has interface in every subnet (subnet+1) * Controlled usin route tables * Every VPC in created with default route table * it's default for every subnet in VPC * Custom route table can associated for subnet * Subnet are associated with one route table * Most specific route wins in route table * Local routes always take precedence #### Network Access Control Lists (NACL) * Every subnet has associated NACL * NACLs filter traffic crossing the subnet boundary * Connections within subnet is not impacted by NACLs * There are inbound and outbound rules * Rules match dst/src ip range and port. Rules can allow or deny * Rules are processed in order, lowest number first. Once match occurs, processing stops * * is an implicit deny, if nothing else matches * NACLs are stateless, so both inbound and outbound traffic needs to be allowed * VPC is created with default NACL * Custom NACLs are created for a specific VPC and are initially associated with no subnets * At first custom NACLs has only deny all rules * NACLs can be used to deny specific IPs or ranges, where as security groups can't do that * Generally security groups are used to allow traffic, NACLs to deny * Can't reference logical resources and can't be assigned to logical resources * One NACL can be associated with many subnets ======= ### VPC #### Security Groups * No explicit deny * Allow referencing logical resources, like other security Groups * self-referencing can be done * Attached to ENI (Elastic Network Interface) #### BGP (Border Gateway Protocol) * AS - Autonomous System - routers controller by one entity, network in BGP * ASN Range is 0-65535, controlled by IANA * private range is 64512-65534 * Operates over tcp port 137 * Peering between ASs is manually configured * Path-vector protocol is exchanges the best path to destination between peers - ASPATH * iBGP - internal BGP - routing within an AS * eBGP - external BGP - routing between ASs * in path table, i is the origin * By default, BGP does not take link speed to account, only the path length * this can overridden with AS Path Prepending * this is done by adding artificial ASs to AS Path #### AWS Global Accelerator * Anycast IPs allow ip address to be in multiple location at the same time * Routing moves traffic to the closest location * Global Accelerator Edge Location has pair of anycast IPs * traffic can be the routed to the closest location * When traffic is directed to Global Accelerator ip addresses, rest of the transit is using AWS links and networks * Works with TCP/UDP - difference from CloudFront * Does not cache anything #### Site-to-site VPN * Logical connection between a VPC and on-prem network * encrypted using IPSec * Runs over public internet * HA - when correctly architected and implemented * Quick to provision * Virtual Private Gateway (VGW) is associated to VPC and can be target in route tables * has endpoints in each AZ * Customer Gateway (CGW) logical device to act as VPN connection endpoint * VPN connection - linked to one VGW and one CGW * Static VPC means that VPN connection is statically configured with ip ranges for both sides * Customer on-prem router is single-point-of-failure - partial high-availability * There can be two on-prem customer gateways, so the whole architecture is HA * Dynamic VPN uses Border Gateway Protocol (BGP) * Routers exchange routing information * can communicate status of links between customer gateways and AWS side * if route propagation is enabled, routes are automatically added * AWS VPN speed limitation is 1,25Gbps and there is encryption overhead * Latency can be inconsistent, because traffic is routed over public internet * Cost - AWS hourly cost, GB out cost, data cap (on-premises) * Can be used as backup for Direct Connect * Can be used with Direct Connect #### Transit Gateway * Network transit hub, connecting VPCs to an on-premises network using Direct Connect or Site-to-Site VPN connections * Network Gateway object - HA and scalable * Other AWS network resources uses attachments to connect to Transit Gateway * VPC * Site-to-site VPN * Direct Connect Gateway * Is capable of transitive routing * Can be peered with another TGWs - cross-account or cross-region * TGWs can be shared to other accounts using Resource Access Manager (RAM) * One DX gateway can be connected to three TGWs * By default, Transit Gateway has one default route table, which has routes to attached network resources * all attachments use this route table for routing decisions * all attachments propagate routes to it * the two above-mentioned combined means all attachments can route to all attachments * Routes are not propagated over peering attachments (two peered TGWs) - static routes need to be used * Use unique ASNs for future route propagation features * Public DNS to private IP resolution is not supported over peers * Up to 50 peering attachments per TGW * different regions and accounts * Data is encrypted * Attachments can be only associated with one route table * Route tables can be associated with many attachments * Attachments can propagate to multiple route tables - even those they are not associated with * Route table association is used when data is exiting an attachment * Route table propagation controls which route tables are populated by routes known by the attachment * The above-mentioned features can be used to create route isolation #### Advanced VPC Routing * IPv4 and IPv6 are handed separately within a route table * Route table default limit is 50 static routes and 100 dynamic (propagated) routes * Main route table is implicitly attached to all subnets * When custom route table is associated to subnet, main route table association is removed * However, if custom route table association is removed, main route table applies again * It's not possible to have subnet without route table association * Propagated route tables can be enabled per route table * More specific route always gets prioritized (for example /28 is selected over /32) * If prefix length is equal for same route, static route is selected over propagated one * For the same routes with same prefix lenght learned dynamically, the precedence order is the following: * Direct Connect * VPN Static * VPN BGP * AS\_PATH (Path between two ASNs, distance between systems) * Ingress routing * Gateway route tables can be used to control actions on inbound traffic for gateway (for example IGW) * for example forward it to security appliance #### IPSEC VPNs * Group of protocols to setup secure tunnels across insecure networks between two peers (local and remote) * Only "interesting" traffic is sent over the tunnel * Provides authentication and encryption * IPSEC has two phases * IKE phase 1 (slow and heavy) - Internet Key Exchange * authentication using pre-shared key or certificate * uses asymmetric encryption to agree on and create a shared symmetric key * end result is IKE SA created (phase 1 tunnel) * Uses Diffie-Hellman for key exchange * IKE phase 2 (Fast & Agile) * uses the keys agreed on phase 1 * agree encryption method, and keys for bulk data transfer * end result is IPSEC SA (security association) * There are two types of IPSEC VPNs * policy-based * rule sets match traffic per pair of security associations * allows network to have different security settings for different type of traffic * route-based * target matching (prefix) matches single pair of security associations * Tunnels have two ends, left and right. Customer and AWS, meaning local and remote. * IPs of these ends are referred as AWS outside IP and customer outside IP * Inside the tunnels there are AWS inside IP address and customer inside IP address * Routing and raw data travels through inside of the tunnel - encrypted traffic runs outside of the tunnel across public internet ## Accelerated Site-to-Site VPN * By default S2S VPN traffic transit is over public network * When S2S VPN is used in accelerated mode, AWS Global Accelerator network is used * VPN tunnel IPs are global, and connections are routed to the closest global accelerator edge location * Public internet is only used for minimal amount of time to route traffic to nearest edge location * Acceleration can be only enabled when creating a TGW VPN attachment, not using VPNs with VGW * Fixed accelerator cost and a transfer fee * New advanced S2S VPNs features are usually only released for TGW VPN, so the default recommendation is to use it ## AWS Client VPN * Managed OpenVPN product * Client VPN endpoint is associated to one VPC * Also associated with one or more target networks * After above-mentioned associations, Client VPN product starts to charge * Billing is based on * Number of subnet associations (flat rate) * hourly fee of Client VPN connection * One subnet per AZ * Defined route table is pushed to clients * By default, all traffic is routed through Client VPN * Pushed route table takes precedence over local route tables of clients * Split-tunneling enables clients to route only selected traffic through the VPN tunnel * not the default mode * needs to be separated manually * Auth methods * identity based * AWS Directory Service, for example * certificate based * User needs to create certificates and upload them to the AWS ACM * identity-based authentication only needs server certificate * Subnet association needs to be done seperately after the Client VPN Endpoint is created * Accessed networks need to be configured with authorization rules ## Direct Connect * Physical connection to AWS region * 1, 10, or 100 Gbps * Connection goes from business premises to DX Locatino to AWS Region * Orderind Direct Connect is in fact ordering a network port at a DX Location * Costs * Port Hourly costs * Outbound data transfer * Because the connection is physical, there is no resilience or high-availability * Provides low and consistent latency * Best way to achieve high speeds for hybrid networking * Can be used to access AWS private services (in VPCs) and AWS public services without internet connection * Internet connection needs proxy or other networking appliance * Cross Connect is a connection between AWS cage and customer/comms partner cage at the DX location --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.tatusl.dev/certifications/aws-sa-pro.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.