Inspired by Govind Krishna as per canonical url
Let’s explore the fundamentals of Amazon Web Services & how to get started with it.
AWS is one of the biggest cloud service providers. It comprises over 200 cloud services and products, including compute, storage, databases, analytics, networking and many more. It offers all forms of cloud service, including IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service).
AWS Cloud infrastructure is built around AWS Regions and Availability Zones. A Region is a physical location in the world which contains different Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
First, we need an AWS account to get started and to use the services provided by Amazon.
AWS provides one year of free service in its Free Tier edition. All you need here is a credit or debit card.
1. Go to the AWS webpage.
2. You will be taken to the sign-up page.
AWS Sign-up page
3. Fill out the details here and on the following pages as well.
You will need a credit/debit card to create an account. The reason is that, although it is a free tier account, AWS has certain limits on the services that can be used, and usage beyond those limits is billed to the card.
There are many ways one can access the services provided by AWS.
The most obvious way to access AWS products & services is via the web-portal AWS offers. After signing up for a new AWS account and logging in, you will see the console dashboard. This is the starting point for interacting with the various AWS services and other important console components.
AWS Console Dashboard
The dashboard consists of a navigation bar at the top and a number of widgets in the main body of the page, which you can configure and rearrange.
The navigation bar contains several elements that give you access to different things.
- Account Information: This menu in the top right corner contains information and links for your account. It displays the AWS Account ID, and the current user logged in to the console, along with links to navigate to some important pages.
- Region selector: This menu right next to Account Information shows the currently selected AWS Region or “Global” when you have selected a global service. When you click on the currently selected Region, a dropdown will appear with all the available Regions, and you can switch the console to a different Region by clicking on one in the list.
- Search box: You can type the name of any AWS service or product, or of one of your resources, into the universal search bar. When you enter text, the search engine searches across a number of different locations to match the text that you entered. It returns matches in eight sections: Services, Features, Blogs, Documentation, Knowledge Articles, Tutorials, Events and Marketplace.
- AWS Cloud Shell: By selecting this icon, you will launch a browser-based shell environment that is pre-authenticated with your console credentials. CloudShell is a useful tool for securely interacting with your AWS account, and is Region specific, so any files that you upload are specific to that Region. It is a CLI on the web!
- AWS Service Selector: You can use this to navigate between services offered by AWS. This is a great way to explore the various services by category, especially if you are new to AWS. You can also mark services as favorites by selecting the star next to their names, which will pin them to the navigation bar.
Resource hierarchy means how resources are organized inside a cloud platform account. The hierarchy has some similarities to a file system in the way entities are organized and managed, e.g., each resource can have multiple children, but only one parent.
AWS has 4 levels: Organization, Organizational unit, Account and Resource.
Organization is used to manage multiple AWS accounts as a single entity. The entity is the parent container for all the accounts for an organization. The amount of control that the organization entity has over the accounts depends on the configuration.
Organizations with multiple AWS accounts can use the organization entity to centrally view and manage all of their accounts in the same place.
An organizational unit is basically a container which can hold accounts, other organizational units, or both. They are used to model an organization's or a project's structure within the organization.
For example, an organization can have different departments, each consisting of different teams working on multiple projects. Here the organizational unit comes into play: we can create organizational units for departments, for teams within departments and for the projects assigned to each team. Hence, different organizational units provide different environments, making them easier to work in.
Account and resource can be considered as a single entity, because all resources are created inside an account. It is a container for all the AWS services such as S3, Lambda, DynamoDB, API Gateway, etc.
Organizations and organizational units may have multiple accounts, but an account may only have a single parent. An organization can have two types of accounts: a single master account, and multiple member accounts.
AWS IAM plays a crucial role in almost anything you do with AWS. Be it interacting with services or simply authenticating the CLI, understanding AWS IAM is a must.
IAM (Identity and Access Management) is a permission system that regulates access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. It simply allows you to assign permissions to users or groups of users.
Users are specific individuals who can receive personal login information. You can give access to your AWS account to specific user identities that you create with custom permissions. You can further simplify access for those users by federating existing identities into AWS.
Instead of sharing your root user credentials with others, you can create individual IAM users within your account that correspond to users in your organization. IAM users are not separate accounts; they are users within your account. Each user can have its own password for access to the AWS Management Console. You can also create an individual access key pair for each user so that the user can make programmatic requests to work with resources in your account.
An IAM user doesn’t have to represent an actual person; you can create an IAM user in order to generate an access key for an application that runs in your corporate network/account and needs AWS access.
Groups are nothing but a collection of users with a common job function in the account. You can create a group of users and give them specific permissions to interact with the services.
An example is the case of interns and senior developers in an organization. Obviously interns will have very few permissions compared to senior developers. Senior developers must have more permissions to resources so that they can work effortlessly and make changes to the production environment, whereas the interns do not require many permissions, since their work probably does not go into final production. This can be achieved by creating two groups and giving them different sets of permissions.
Roles are collections of policies or permissions. They are sets of permissions that grant access to actions and resources in AWS. These permissions are attached to the role, not to an IAM user or a group. A role can be used by anyone who needs it and is allowed to assume it.
A role does not have long-term security credentials, i.e., a password or access key. Instead, when a user assumes a role, temporary security credentials are created and provided to the user.
Basically, roles are collections of permissions which can be assumed by users or groups. We can take the same example of interns and senior developers, but now an intern needs some additional permissions to access a certain service in AWS, so he/she can assume the role with that specific set of permissions and work on the service. In this way we need to change neither the permission set for the whole group nor the permissions of individual users.
Policies are low-level permissions to resources in AWS service. They are simply allow/deny permissions of a resource. You can organize IAM users into IAM groups and attach a policy to a group. In that case, individual users still have their own credentials, but all the users in a group have the permissions that are attached to the group.
The following example shows a JSON policy that allows the user to perform all Amazon DynamoDB actions (dynamodb:*) on the Books table in the 123456789012 account within the
These are the types of policies in AWS:
- Identity-based policies: You can attach multiple policies to IAM identities, i.e. users, groups and roles.
- Resource-based policies: You can attach policies to specific resources, such as a DynamoDB table policy, an Amazon S3 bucket policy or an IAM role trust policy.
- Organizations SCPs: You can use an AWS Organizations service control policy (SCP) to apply a permissions boundary to an AWS Organizations organization or organizational unit (OU). Those permissions are applied to all entities within the member accounts.
- Access control lists (ACLs): You can use ACLs to control which principals can access a resource, similar to resource-based policies.
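To make the two preceding sections concrete (the single-parent Organization/OU/Account hierarchy, and the way identity-based policies, resource-based policies and SCPs combine), here is a small added example that models the evaluation rules in plain Python. It is written for this post and is not AWS's own code or any AWS SDK; only Effect, Action and Resource are evaluated (Principal, Condition, NotAction and so on are ignored). The hierarchy, the SCP names, the intern principal and the Orders table are constructed; the Books table policy is the one the post describes, with REGION as a placeholder because the post does not name the Region.

```python
"""Toy model of AWS IAM policy evaluation across an Organizations hierarchy.

Added example, not AWS code: every node has one parent, SCPs bound the account
at every level up to the root, and an explicit Deny always beats an Allow.
"""
import fnmatch
import json

# Constructed hierarchy: root -> OU -> member account, one parent per node.
ORG_TREE = {
    "r-root":       {"parent": None,     "scps": ["FullAWSAccess"]},
    "ou-dev":       {"parent": "r-root", "scps": ["FullAWSAccess", "DenyIamChanges"]},
    "123456789012": {"parent": "ou-dev", "scps": ["FullAWSAccess"]},
}

# REGION is a placeholder: the post names the account and table but not the Region.
BOOKS_ARN = "arn:aws:dynamodb:REGION:123456789012:table/Books"
ORDERS_ARN = "arn:aws:dynamodb:REGION:123456789012:table/Orders"   # constructed

POLICIES = {
    # The default SCP attached to every root, OU and account of an organization.
    "FullAWSAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    # Constructed SCP: forbids IAM changes in every account under the OU.
    "DenyIamChanges": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]},
    # The identity-based policy described in the post (single-statement form).
    "BooksTableFullAccess": json.loads("""{
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:REGION:123456789012:table/Books"
        }
    }"""),
    # Constructed resource-based policy on the table (Principal is not evaluated here).
    "BooksReadOnlyResourcePolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/intern"},
         "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": BOOKS_ARN}]},
}


def matches(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Action and Resource may each be a string or a list of strings."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' when nothing matched.
    The first matching Deny statement ends evaluation."""
    decision = "ImplicitDeny"
    for policy in policies:
        statements = policy["Statement"]
        if isinstance(statements, dict):   # single-statement object form
            statements = [statements]
        for stmt in statements:
            if matches(stmt["Action"], action) and matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def path_to_root(tree, node):
    """Chain from a node up to the organization root; each step has one parent."""
    chain = []
    while node is not None:
        chain.append(node)
        node = tree[node]["parent"]
    return chain


def scp_allows(tree, account, action, resource):
    """SCPs must allow the request at every level from the account to the root,
    so a Deny attached to an OU covers every account below it."""
    for node in path_to_root(tree, account):
        scps = [POLICIES[name] for name in tree[node]["scps"]]
        if evaluate(scps, action, resource) != "Allow":
            return False
    return True


def is_authorized(account, identity_policies, resource_policy, action, resource):
    """Same-account request: the SCP boundary must allow it, then an Allow from
    either the identity-based or the resource-based policy suffices, unless
    any statement explicitly denies it."""
    if not scp_allows(ORG_TREE, account, action, resource):
        return False
    pool = list(identity_policies) + ([resource_policy] if resource_policy else [])
    return evaluate(pool, action, resource) == "Allow"


if __name__ == "__main__":
    acct, books = "123456789012", [POLICIES["BooksTableFullAccess"]]
    print(path_to_root(ORG_TREE, acct))                                      # ['123456789012', 'ou-dev', 'r-root']
    print(is_authorized(acct, books, None, "dynamodb:PutItem", BOOKS_ARN))   # True
    print(is_authorized(acct, books, None, "dynamodb:PutItem", ORDERS_ARN))  # False: a different table
    print(is_authorized(acct, [], POLICIES["BooksReadOnlyResourcePolicy"],
                        "dynamodb:GetItem", BOOKS_ARN))                      # True: resource policy alone
    print(is_authorized(acct, [POLICIES["FullAWSAccess"]], None, "iam:CreateUser",
                        "arn:aws:iam::123456789012:user/newbie"))            # False: OU-level SCP denies
```

The last call is the point of SCPs: the principal's identity-based policy allows everything, yet the request fails because the Deny attached to the OU applies to every account beneath it and no identity or resource policy can override an SCP.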
Here are the most popular services offered by AWS.
EC2 is the most popular service offered by AWS. EC2 is a cloud platform provided by Amazon that offers secure, resizable compute capacity. Its purpose is to give developers easy access to web-scale cloud computing while allowing total control of your compute resources.
Amazon Relational Database Service makes database configuration, management, and scaling easy in the cloud. It automates tedious tasks such as hardware provisioning, database setup, patching, and backups, cost-effectively and in proportion to your needs.
Amazon S3 is a cloud storage service which provides object storage. One can even host websites via Amazon S3. It offers high scalability, data availability and security for storing very large amounts of data for an organization.
Lambda is a unique service which lets you run code without owning any infrastructure or servers. It is an example of serverless computing. Users can just write the code, and Lambda will handle the rest. Lambda uses Amazon's language-specific libraries to interact with different AWS services, which makes it easier to automate tasks.
To summarize, we went through how to create an AWS account, the different ways to access AWS, and the resource hierarchy of AWS and IAM, followed by exploring some of the most popular services on AWS.
These are just the fundamentals of AWS; there is much more to learn, and I hope you will gain further understanding of AWS via the links provided in the Further Readings section.