Monday, 11 September 2023

Amazon IAM Tutorial

Tutorial to provide cross account access using IAM role




Objectives:

Learn to create an IAM Role to provide cross account access to S3 Bucket


Prerequisites:

· 2 AWS Accounts: Account A (Production) and Account B (Development)

· Account A with a user having administrative permissions.


Log in to Account A (Production) as an admin user and perform Steps 1 and 2.


Step 1: In AWS Management Console, go to IAM service console.

In the side panel, click on Roles under Access management.

Click on Create Role.

For Select Trusted Entity, under trusted entity type, select the AWS account.

Scroll down and select the Another AWS account radio button. Enter the Account ID of the account that you want to delegate access to (Account B).

Leave the other options unselected. Go to next step.

Under Add Permissions, search and select AmazonS3ReadOnlyAccess. Proceed to next step.

In the next step mention suitable role name and description.

Role name: CrossAccountRoleS3

Description: A Role to delegate S3 access to another AWS account

Go through the details. Scroll down and click on Create Role.

Confirm the role is created. Click on the role.

In the next screen, copy the Link to switch roles in console. Store it for further use.


Also, copy the role ARN and store it for further use.


Step 2: Go to S3 console and create a bucket as follows.

Add an object or image.

This bucket will be required for further cross referencing.


Log in as the admin user of Account B (Development) and perform Steps 3 to 6.


Step 3: Create a custom policy


In IAM, on the left pane, click on Policies and click on Create Policy.

Under JSON, paste the following policy, replacing the Resource value with the role ARN you copied from Account A in Step 1 (PRODUCTION-ACCOUNT-ID is Account A's 12-digit account ID; the role name must be part of the ARN).

Code Snippet:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/CrossAccountRoleS3"
        }
    ]
}

Click Next: Tags, then Next: Review.

Enter the name of the policy as CrossAccountPolicy.

Provide the description as Policy for Cross Account Access. Create the Policy.


Step 4: Create a user.

In AWS Management Console, go to IAM service console.

In the side panel, click on Users under Access management.

Under Set user details give suitable name.

User name: EC2UserForCrossAccount

Check the Password – AWS Management Console access checkbox.

Select the Custom password radio button. Provide a password of your choice.

Uncheck Require password reset.

Continue to Next: Permissions.

Select Attach existing policies directly.

Search and select AmazonEC2FullAccess policy and the created CrossAccountPolicy.

Proceed to the final Review step. Review and click Create user (EC2UserForCrossAccount).


Log out and log back in as the created user.


Step 5: Share the switch-role link stored in Step 1 with the owner of Account B.

Once the link is clicked, it opens a new tab in their browser window.

The first two text boxes, Account and Role, should be filled in automatically.

Enter a suitable Display Name and select a colour.

Click on Switch Role.

You will be taken to the AWS Console. Here the user EC2UserForCrossAccount of Account B has assumed the role CrossAccountRoleS3.

Thus, although the user's own permissions are limited to EC2 full access, while in the assumed role they have S3 read permissions.


Step 6: To confirm this, you may go to S3 console. The bucket created in Account A will be visible to this user.

Thus we have successfully established cross account access.


Note: If you no longer need these resources, empty and delete the bucket in Account A. Log out of the Account B user and, if you wish, delete the user as well.
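The two policy documents in this tutorial (the trust policy the console creates on the Account A role in Step 1, and the CrossAccountPolicy pasted in Step 3) are easy to get subtly wrong, most often by leaving the role name out of the Resource ARN or by using "*". The following Python script is an added example, not part of the original post: it builds both documents from the tutorial's names, checks that every sts:AssumeRole statement names a fully qualified role ARN, and reproduces the switch-role console link from Step 1. The account IDs are constructed placeholders; the optional trusted_user narrowing of the trust policy and the boto3-based list_bucket_via_role check (equivalent to Step 6, not called here because it needs real credentials) are assumptions beyond the console steps described above.

```python
import json
import re
from urllib.parse import urlencode

# Constructed placeholder account IDs (real ones are 12-digit numbers).
PRODUCTION_ACCOUNT_ID = "111111111111"   # Account A, owns the bucket and the role
DEVELOPMENT_ACCOUNT_ID = "222222222222"  # Account B, owns the user
ROLE_NAME = "CrossAccountRoleS3"
USER_NAME = "EC2UserForCrossAccount"

# A fully qualified IAM role ARN: arn:aws:iam::<12 digits>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def role_arn(account_id, role_name):
    """ARN of a role, e.g. arn:aws:iam::111111111111:role/CrossAccountRoleS3."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(trusted_account_id, trusted_user=None):
    """Trust policy the console generates for 'Another AWS account' (trusts the
    whole account root). Passing trusted_user narrows it to one IAM user; that
    narrowing is an addition, not something the tutorial's console steps do."""
    if trusted_user is None:
        principal = f"arn:aws:iam::{trusted_account_id}:root"
    else:
        principal = f"arn:aws:iam::{trusted_account_id}:user/{trusted_user}"
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": principal},
                       "Action": "sts:AssumeRole"}],
    }


def assume_role_policy(target_role_arn):
    """Identity policy for the Account B user (the tutorial's CrossAccountPolicy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "sts:AssumeRole",
                       "Resource": target_role_arn}],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_assume_role_policy(policy):
    """Return a list of problems with the sts:AssumeRole statements in a policy.
    Catches the two usual mistakes: Resource '*' (may assume any role that
    trusts this account) and an ARN that is not a fully qualified role ARN."""
    problems = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                problems.append(f"statement {idx}: Resource '*' allows assuming any role that trusts this account")
            elif not ROLE_ARN_RE.match(res):
                problems.append(f"statement {idx}: '{res}' is not a fully qualified role ARN "
                                "(expected arn:aws:iam::<account>:role/<name>)")
    return problems


def switch_role_link(account_id, role_name, display_name):
    """The 'Link to switch roles in console' shown on the role page (Step 1)."""
    query = urlencode({"account": account_id, "roleName": role_name, "displayName": display_name})
    return "https://signin.aws.amazon.com/switchrole?" + query


def list_bucket_via_role(target_role_arn, bucket, session_name="cross-account-check"):
    """Live check equivalent to Step 6: assume the role with Account B credentials and
    list the Account A bucket. Needs boto3 and real credentials, so it is not called here."""
    import boto3  # assumed installed; imported lazily so the rest of the script runs offline
    creds = boto3.client("sts").assume_role(RoleArn=target_role_arn,
                                            RoleSessionName=session_name)["Credentials"]
    s3 = boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    return [obj["Key"] for obj in s3.list_objects_v2(Bucket=bucket).get("Contents", [])]


if __name__ == "__main__":
    target = role_arn(PRODUCTION_ACCOUNT_ID, ROLE_NAME)
    print(json.dumps(trust_policy(DEVELOPMENT_ACCOUNT_ID), indent=2))
    print(json.dumps(assume_role_policy(target), indent=2))
    # An ARN that stops at ":role" (no role name) is flagged as a problem:
    print(check_assume_role_policy(assume_role_policy(f"arn:aws:iam::{PRODUCTION_ACCOUNT_ID}:role")))
    print(switch_role_link(PRODUCTION_ACCOUNT_ID, ROLE_NAME, "Prod S3 read"))
```

Run the script before pasting the JSON into the console: the printed assume_role_policy is what goes into Step 3, and check_assume_role_policy returning an empty list confirms the Resource is the exact role rather than the whole account or "*".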

Amazon EC2 Tutorial

Amazon EC2 Instances

Amazon EC2 provides a wide range of instance types, so knowing them lets you choose the one that fits your application and workload.

When you launch an EC2 instance, the instance type that you specify determines the hardware of the host computer used for your instance. Each instance type offers different compute, memory, and storage capabilities and is grouped into an instance family based on those capabilities. Select an instance type based on the requirements of the application that you plan to run on the instance.

Amazon EC2 Instance Types:

General purpose instances provide a balance of compute, memory and networking resources and are ideal for applications that use these resources in equal proportions.

Use Cases:

Scale-out workloads such as web servers, containerized microservices, caching fleets, and distributed data stores, as well as development environments.


Compute Optimized instances are ideal for compute bound applications that benefit from high performance processors.

Use Cases:

High performance computing (HPC), batch processing, ad serving, video encoding, gaming, scientific modelling, distributed analytics, and CPU-based machine learning inference.


Memory optimized instances are designed to deliver fast performance for workloads that process large data sets in memory.

Use Cases:

Memory-intensive applications such as open-source databases, in-memory caches, and real-time big data analytics.


Accelerated computing instances use hardware accelerators, or co-processors, to perform functions, such as floating-point number calculations, graphics processing, or data pattern matching, more efficiently than is possible in software running on CPUs.

Use Cases:

Machine/Deep learning, high performance computing, computational fluid dynamics, computational finance, seismic analysis, speech recognition, autonomous vehicles, drug discovery.

Storage optimized instances are designed for workloads that require high, sequential read and write access to very large data sets on local storage. They are optimized to deliver tens of thousands of low-latency, random I/O operations per second (IOPS) to applications.

Use Cases:

NoSQL databases (e.g. Cassandra, MongoDB, Redis), in-memory databases (e.g. Aerospike), scale-out transactional databases, data warehousing, Elasticsearch, analytics workloads.

Amazon EC2 Purchasing Options


Amazon EC2 provides various purchasing options to optimise your costs. Choose the right purchasing option based on the workload.

Knowing these options helps you recommend the right cost-optimisation strategy for a given workload, and is a valuable input when migrating to the AWS Cloud.

On-Demand Instances – Pay, by the second, for the EC2 instances that are launched on-demand.


Savings Plans – Reduce EC2 instance costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years.


Reserved Instances – Reduce EC2 instance costs by making a commitment to a consistent instance configuration, including instance type and Region, for a term of 1 or 3 years.

Spot Instances – Request/bid for unused EC2 instances, which can reduce EC2 costs significantly.

Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs.

Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware.

Capacity Reservations – Reserve capacity for EC2 instances in a specific Availability Zone for any duration.