CompTIA Security+ ce Certification for Nathan Acks
I’ll be starting off by watching through the “AWS Essentials” YouTube playlist put together by the Linux Academy.
This is apparently the framing device for the entire series. Pretty skippable.
Core AWS services:
Wow, AWS is using voice calls for account authentication! (At least they’re automated…)
You can switch between regions in AWS using a simple drop-down in the AWS Console’s header.
The first user in an AWS account is the “root” user, and has the sort of privileges this name implies.
While the root user gets permission to everything, subsequent users receive no permissions beyond what’s required to log in — any additional capabilities must be added in the IAM interface.
After initially creating the root account, the first thing you should do is work through all of the “Security Status” items in the IAM console.
Amazon MFA is always TOTP-based (when AWS refers to a “hardware key fob”, it means an RSA-style device, not a Yubikey).
For obvious reasons, the first thing you should probably do is create an additional (admin) user, and then generally avoid using the root user. Admin users are defined by having the AdministratorAccess policy attached.
Services (really, objects in a service) in AWS can’t be assigned policies directly, but can be assigned roles.
In general, roles are used to package policies for service objects, while groups are used to package policies for users.
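An added example (mine, not from the playlist) of how those pieces fit together in practice: a simplified model of IAM policy evaluation, with groups packaging policies for users and a role packaging a policy for a service object. The `AdministratorAccess` document is the one-statement `Allow * on *` policy as AWS publishes it; the bucket name, the group, user and role names are constructed. The evaluator applies the core IAM rule (an explicit Deny beats any Allow; with no matching Allow the result is an implicit deny) and deliberately leaves out conditions, resource policies, permission boundaries and SCPs.

```python
import fnmatch

# The managed policy attached to admin users, as published in the AWS docs.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed least-privilege policy for a service role: read one bucket, never delete.
S3_READ_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

# Groups package policies for users; roles package policies for service objects.
GROUPS = {"Admins": [ADMINISTRATOR_ACCESS]}
ROLES = {"AppServerRole": [S3_READ_ONE_BUCKET]}
# bob is a freshly created user: he can log in, but no policy grants him anything.
USERS = {"alice": ["Admins"], "bob": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    # IAM wildcards: "*" matches any run of characters, "?" one character.
    # fnmatch also treats "[" specially, which IAM does not; fine for ARNs without it.
    if not case_sensitive:  # action names are matched case-insensitively
        patterns = [p.lower() for p in _as_list(patterns)]
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Explicit Deny wins; otherwise any matching Allow allows; otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, False)
                    and _matches(stmt["Resource"], resource, True)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


def user_can(user, action, resource):
    policies = [p for group in USERS[user] for p in GROUPS[group]]
    return evaluate(policies, action, resource)


def role_can(role, action, resource):
    return evaluate(ROLES[role], action, resource)


if __name__ == "__main__":
    print("alice terminate instance:",
          user_can("alice", "ec2:TerminateInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE"))
    print("bob list bucket:", user_can("bob", "s3:ListBucket", "arn:aws:s3:::example-bucket"))
    print("role delete object:",
          role_can("AppServerRole", "s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"))
```

The useful habit this models: when reviewing a group or role, ask what the effective union of its policies allows, and prefer narrowly scoped Allow statements over a broad Allow patched by Deny statements.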
VPC (Virtual Private Cloud) is the backbone of AWS’s offerings.
“Regions” are groupings of AWS resources that are concentrated in a given location (AWS data centers are not spread out uniformly).
“Regions” are in turn made up of “availability zones”, which are geographically isolated clusters of resources.
Every data center is assigned to only one availability zone; the purpose of availability zones is to provide redundancy within a region.
VPC settings can be changed in the AWS console under Networking > VPC.
Basically, this is a logical partition of AWS. Importantly, this partitioning includes its own logical network layer, so you can think of a VPC as a virtual network in AWS.
Note that a “default” VPC is created along with a new AWS account, but additional VPCs can be created as needed.
The VPC “internet gateway” is roughly equivalent to a modem in a home or SMB, while VPC “route tables” function like an actual router. VPC NACLs roughly fill the role of a (very simple, stateless) firewall.
Basically: The part of a VPC that provides the actual connection to the internet. It’s automatically scaled by Amazon as needed, so there’s little that needs to be configured here.
Really, all an IGW is providing is a route from the attached VPC to the internet. There can only be one IGW attached to a VPC at any given time. (Amazon also won’t allow an IGW to be detached if there are any live resources like EC2 or RDS instances in the VPC.)
The Route Table is presented (almost) as a literal route table (think of the Linux route command). So, no surprises here.
There can be multiple RTs per VPC. Similar to IGWs, however, RTs can only be deleted if they have no dependencies (active routes).
Think: Stateless firewall.
NACLs can be applied to one or more subnets in a VPC, and multiple NACLs are allowed in a VPC.
All NACLs end with a default DENY. However, the default NACL created with the default VPC has an “ALLOW ALL” rule ahead of this.
NACL rules are evaluated from lowest-to-highest rule number. Fortunately, the AWS console will automatically arrange rules in the order you’d expect (top-to-bottom).
Note that additional network security controls (“security groups”) can be applied to AWS resources like EC2 instances, etc. But NACLs are the only subnet-level protection that’s available.
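An added worked example (not from the playlist) of the NACL evaluation rules just described: rules are tried in ascending rule number, the first match wins, and AWS’s fixed final `*` rule denies anything unmatched. The default NACL is modelled as its single `ALLOW ALL` rule 100. The “web subnet” NACL and its addresses are constructed (RFC 5737 documentation ranges); it also shows the consequence of statelessness, namely that replies to the subnet’s own outbound connections need an explicit ephemeral-port rule, and that a DENY numbered after a broader ALLOW never fires.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluation order, lowest first
    protocol: str    # "tcp", "udp" or "-1" for all (ICMP type/code matching omitted here)
    cidr: str        # source block for inbound rules, destination block for outbound
    port_from: int
    port_to: int
    action: str      # "ALLOW" or "DENY"


def evaluate_nacl(rules, protocol, address, port):
    """Return (action, rule number) of the first matching rule in ascending
    order, or ("DENY", "*") for AWS's immutable final deny."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action, rule.number
    return "DENY", "*"


# The default NACL created with the default VPC: ALLOW ALL ahead of the final deny.
DEFAULT_NACL_INBOUND = [NaclRule(100, "-1", "0.0.0.0/0", 0, 65535, "ALLOW")]

# Constructed inbound NACL for a public web subnet (listed out of order on purpose;
# the console sorts by number, and so does evaluate_nacl).
WEB_INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "ALLOW"),
    NaclRule(50, "tcp", "198.51.100.0/24", 443, 443, "DENY"),   # block one source range
    NaclRule(110, "tcp", "0.0.0.0/0", 80, 80, "ALLOW"),
    # Stateless: replies to the subnet's own outbound connections arrive on
    # ephemeral ports and need their own ALLOW, unlike with a security group.
    NaclRule(120, "tcp", "0.0.0.0/0", 1024, 65535, "ALLOW"),
]

# Same intent, but the DENY is numbered after the broad ALLOW, so it never matches.
MISORDERED_INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "ALLOW"),
    NaclRule(150, "tcp", "198.51.100.0/24", 443, 443, "DENY"),
]


def shadowed_rules(rules):
    """Report DENY rules that a lower-numbered ALLOW already covers for the
    same protocol/port range and a superset of the CIDR: a common misordering."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, deny in enumerate(ordered):
        if deny.action != "DENY":
            continue
        deny_net = ipaddress.ip_network(deny.cidr)
        for allow in ordered[:i]:
            if (allow.action == "ALLOW"
                    and allow.protocol in ("-1", deny.protocol)
                    and allow.port_from <= deny.port_from
                    and allow.port_to >= deny.port_to
                    and deny_net.subnet_of(ipaddress.ip_network(allow.cidr))):
                shadowed.append(deny.number)
                break
    return shadowed


if __name__ == "__main__":
    print(evaluate_nacl(WEB_INBOUND, "tcp", "198.51.100.7", 443))   # ('DENY', 50)
    print(evaluate_nacl(WEB_INBOUND, "tcp", "203.0.113.9", 22))     # ('DENY', '*')
    print("shadowed:", shadowed_rules(MISORDERED_INBOUND))          # [150]
```

`shadowed_rules` is the check worth running over any hand-built NACL: a deny that sorts after a broader allow is dead configuration, and the console’s sorted view makes that easy to miss.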
VPC subnets are limited to particular availability zones; by default, one subnet is created per availability zone for the region a VPC is created in.
Resources must be provisioned within a subnet. Since subnets cannot span availability zones, subnets are the level that AWS resources begin to correspond to physical computing structures in data centers.
Subnets can be “public” (internet routable) or “private” (not internet routable), which is determined by the associated route table. Note that every subnet must be associated with a route table.
The point of availability zones within a VPC is to allow redundancy to be engineered via mirrored subnets + resources.
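The following added example (my own, not from the playlist) ties the route table, subnet and availability-zone notes together on a constructed two-AZ VPC. `lookup_route` does the longest-prefix match a VPC route table (like the Linux `route` table) applies; `is_public` applies the notes’ definition of a public subnet, namely a `0.0.0.0/0` route whose target is an internet gateway; `validate_subnets` checks the constraints AWS enforces (each subnet inside the VPC block, no overlaps); and `tier_azs` makes it obvious whether each tier is mirrored across zones. The IGW id `igw-EXAMPLE` and all CIDRs and zone names are placeholders.

```python
import ipaddress

# Constructed VPC with one public and one private subnet per availability zone.
VPC_CIDR = "10.0.0.0/16"

# Route tables as (destination, target). "local" is the route AWS adds for the VPC itself.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [("10.0.0.0/16", "local")]

SUBNETS = {
    "public-a":  {"cidr": "10.0.0.0/24",  "az": "example-region-1a", "rt": PUBLIC_RT},
    "public-b":  {"cidr": "10.0.1.0/24",  "az": "example-region-1b", "rt": PUBLIC_RT},
    "private-a": {"cidr": "10.0.10.0/24", "az": "example-region-1a", "rt": PRIVATE_RT},
    "private-b": {"cidr": "10.0.11.0/24", "az": "example-region-1b", "rt": PRIVATE_RT},
}


def lookup_route(route_table, destination):
    """Longest-prefix match: the most specific route containing the address wins.
    Returns the target, or None when no route covers the destination."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public(subnet):
    """Public means the associated route table sends 0.0.0.0/0 to an internet gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in subnet["rt"])


def validate_subnets(subnets, vpc_cidr=VPC_CIDR):
    """Constraints AWS applies at creation: subnet inside the VPC block, no overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    nets = {name: ipaddress.ip_network(s["cidr"]) for name, s in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside the VPC block {vpc}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    return problems


def tier_azs(subnets):
    """Map each tier to the set of availability zones it is deployed in; a tier
    confined to one zone has no redundancy against that zone going down."""
    tiers = {}
    for s in subnets.values():
        tier = "public" if is_public(s) else "private"
        tiers.setdefault(tier, set()).add(s["az"])
    return tiers


if __name__ == "__main__":
    print(lookup_route(PUBLIC_RT, "203.0.113.9"))    # igw-EXAMPLE
    print(lookup_route(PRIVATE_RT, "203.0.113.9"))   # None: private subnet, no way out
    print(validate_subnets(SUBNETS))                  # []
    print(tier_azs(SUBNETS))
```

A resource in a private subnet can still reach other VPC addresses through the `local` route; what it lacks is any route to the internet, which is the whole point of the public/private split.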
Objects = Files
Buckets are limited to particular regions; data is automatically replicated across availability zones within that region.
Bucket names are globally unique.
Storage classes in S3 (standard, glacier, etc.) can be defined per object. Classes:
“Durability” is defined as the probability that a file will not be lost or corrupted in a given year.
“Availability” is defined as the probability that a file will be (immediately) available when requested in a given year.
Storage class can be set during upload, by using the object lifecycle tool, or just by editing in the AWS console (note that Glacier cannot be chosen in this way). Changing the storage class of a folder will change the storage class of all contained objects but will not affect subsequent uploads.
Reduced Redundancy Storage is actually recommended for backup (!), though Glacier is intended for actual archival usage.