AWS Quick Notes

0. Identity Access Management

- IAM is AWS service to centrally manage login credentials: users, groups, roles, permissions
- Best practice is to refrain from using the root user in production environments, grant least priviledges, using roles to delegate permissions, enable MFA, label Access levels to separate differing permissions, favor managed instead of inline policies, prune unused creds, monitor activities, 
- A user can be a member of 10 groups and an account can have 100 groups

- How to create a user: login to console > Services > Identity and Access Management > Add User > set username, credential type (access key, password), console password > click Next: Permissions > select either 'Add user to group', 'Copy permissions from an existing user', 'Attach existing policies directly' > click Next: Tags > input keys (quick tags to remember) > Review > click Create User

- How to create Groups: click Add Groups > select users > attach certain permissions (policies) > create group

- Common Permissions:
- IAMUserChangePassword
- AWSEC2FullAccess

- IAM Roles:
- a role is similar to a user, with the difference that it can be assumed by users
- roles can be granted to identity provider , linked to a web service or AWS service, or used cross-accounts, SAML federation, or custom trust policy

- Permission policies:
- access to certain resources (e.g. AmazonDynamoDBFullAccess of EC2)
- stored in AWS as JSON files and ran as objects
- version

- Statement:
- Sid
- Effect: allow, deny
- Principal
- Action
- Resource
- Condition

- Managed policies: can be AWS or customer managed
- Inline policies: ad-hoc policies that are created when instantiating resources


1. EC2: Elastic Cloud Compute

- Console URL: https://console.aws.amazon.com/ec2
- Quick list of instance types (capacities & costs): https://instances.vantage.sh/
- Amazon Mission Image (AMI): template to launch instances
- Amazon elastic Block (ABS): storage to be associated with instances
- Instance is a running virtual machine being "launched" or spawned by an AMI. Its stages are pending, running (including rebooting, stopping, stopped statuses), shutting-down, and terminiated.
- Instance types are specifications for allocations of memory & vCPU to be assigned toward an instance. The general types are general purpose, compute optimized, memory optimized, and storage optimized.
- Instance Store: management GUI of instances
- Elastic File Share (EFS): storage that can be shared across multiple instances
- Ephemeral storage: term describing storage that only exists while an instance exists
- Elastic Block Store (EBS):
- normal type: volumes that are attachable exclusively toward an instance
- multi-attach EBS: more expensive type of storage
- Solid State Drives (SSD): storage type of higher performance
- Snapshots: backup of moment in time of EBS. Multiple snapshots are stored in Buckets.
- View account Info: click on top right corner drop down > view the Account ID, Service Quotas, Billing Dashboard, Security Credentials

- How to navigate to EC2: goto https://aws.amazon.com/ > click on services > Compute > select the correct region by clicking on the drop down toward the top right of the screen (e.g. N. Virginia) > click on EC2

- Launch a new instance: click on instances > Launch an instance > select an AMI (E.G "Ubuntu Server 20.04 LTS") > choose an instance type (e.g. "t2.medium") > Configure Instance Details (pay attention to Network, Domain join, IAM role, Shutdown behavior) > Add Storage (e.g. set Root as /dev/sda1, size = 100GB, Volume type = General Purpose, check 'Delete on Termination') > Add Tags (e.g. Key = test machine, Value = test machine) > Configure Security Group (asign a security group or select an existing SG, set SSH port and Source as 0.0.0.0) > Select an existing key pair or create a new key pair (make selection and name the key) > download the key pair (the instance will have the private key preinstalled and we use the public key to login)

- Review Instance Launch: either select the drop-down menu labeled 'Actions' OR after launched, view the instance status > select the newly created instance > navigate to Details (Instance ID), Security (security group ID's), Networking (VPC ID, Public IP, Private DNS, Availability Zone), Storage (EBS, SSD), Status checks, Monitoring (Network I/O, Disk stats), Tags

- How to enable ingress on certain port: click on Instance > Security > select Security Group link > under Inbound Rules, Add Rule > select the protocol (e.g. SSH, HTTPS, source = anywhere)

- How to connect: click on the Connect button while having an instance selected
- EC2 Instance Connect: using browser, this method is known to be buggy
- Session Manager: not commonly used
- SSH Client: most common method, either use putty (Windows) or Shell (Linux: sudo chmod 400 key.pem > ssh -i "/path/to/key.pem" [email protected])
- EC2 Serial Console: require additional setup on AWS before using this method
- How to download files to local machine: scp -i ~/Desktop/key.pem ec2-user@remoteIP:/path/tofile/filename.tgz ~/Download/
- copy a file to an Instance: scp -i key.pem fileToCopy ec2-user@remoteIP:~/.
- Location of an Instance's private key: /home/ec2-user/.ssh/mk.pem
- How to create a 'gold image':
- Creation: select an instance > Actions > Image and templates > Create Image > provide name, etc > create AMI > wait for status to become 'available'

- Usage: select AMI > launch > go through the wizard > select the same security as original instance > choose an existing key pair > create instance




2. Auto Scaling:

- Auto Scaling groups is a logic to control the number of EC2 instances to handle desired usage. Instances would programmically creates and terminates automatically.

These are the components:
- Groups: specify max, min, and desired number of EC2 instances
- Configuration templates: more recommended than launch configurations.
- Scaling options: conditions or schedule
- CLI: aws autoscaling create-auto-scaling-group --auto-scaling-group-name my-asg-from-instance \
  --instance-id i-instanceID --min-size 1 --max-size 2 --desired-capacity 2

- Create Auto Scaling Group from AMI: Navigate to EC2 > Instances > Launch Instance > Browse more AMIs from Application and OS Images > choose My AMIs > select the desired AIM > under Summary, input a Number of instances as more than 1 > choose Consider EC2 Auto Scaling > Continue > Create launch template > input name and description > select appropriate key pair, network settings, storage > Create launch template > confirm Create Auto Scaling Group

- How to use:
- First, create a launch template basing on an AMI of an existing EC2 instance
- Second, create Auto Scaling Groups: click Auto Scaling groups > Create > provide name, VPC, Availability Zones, Load balancing (optional), desired capacity, min, max, metric type (CPU average utilization 85% for 5 minutes) > done
- Other considerations: configuring alarms and auto scaling together is common practice




3. VPC: Amazon Virtual Private Cloud

- VPC
- default VPC: will be available on new accounts
- non-default VPC: when nondefault subnets are created
- Subnets: the netmask of each Availability Zone to separate each from the whole VPC's CIDR Block (e.g. CIDR 10.0.0.0/16 vs Subnets 10.0.1.0/24 Zone 1A, 10.0.2.0/24 Zone 2A)
- How to create: VPC > Subnets > Create subnet > input, name, Availability Zone, CIDR Block, tags > create
- Consideration for public subnets: select a subnet > edit subnet settings > enable auto-assign public IPv4 address > Save
- To make public subnets accessible from the Internet, we need to associate such subnets with the Internet Gateway in the Route Table
- CIDR Block: classless blocking of private IP addresses
- Route table: will contain the routes to all subnets and some endpoints or targets (ids of a gateway interfaces)
- How to configure route table to associate certain subnets with an Internet Gateway: click on Route Tables > select a route table ID that is to be associated with the public subnets > edit subnet associations > select a public subnet > Save associations. Then, proceed to associate such subnet(s) with the Internet Gateway in a separate procedure
- VPC endpoint: either an elastic network interface with a private IP or a Gateway endpoint in the route table as pointer to and AWS service (S3 or DynamoDB)
- VPC peering connection: bridging between VPCs
- Under Virtual Private Cloud, click Peering Connections > select two or more VPC's > create Peering Connection > provide name, Account selection, Region, Accepter (remote VPC) > create connection
- Modify route tables: Route Tables > select a Route Table that is associated with a Peer > edit > add route > Destination = <subnet of a peering VPC>, Target = Peering connection created previously > Add route > Save changes > repeat for the other peering VPC's

- Access Control List (ACL): rules table to control ingress/egress
- Rule numbering: lower numbers will be processed before higher numbers
- Inbound: incoming traffic
- Outbound: outgoing traffic
- Ephemeral ports: 32768-65535
- Protocols: TCP, UDP, HTTP

- Internet gateway: attached to VPC to provide traffic between VPC and the Internet.
- To create, click on Internet Gateways > give it a name > attach to a VPC
- To use, select a Route table > Edit routes > set Destination 0.0.0.0/0 (anywhere) with target as newly created Internet Gateway > Save changes > edit subnet associations > add a subnet (e.g. private, public, Trusted, Untrusted, or DMZ) > save association

- NAT Gateway: Network Address Translation (NAT) is charged per hour and per GB of data being used. This gateway enables egress traffic from Instances with private IPs to the Internet, but not the opposite direction
- click on Create NAT Gateway > input name, select Subnet (pick a public subnet), Connectivity type = Public, Allocate a new Elastic IP, Tags > create NAT Gateway

- Create custom route table: 
- Elastic IP: public IP to be attached to certain instance to enable Ingress traffic from the Internet. Also known as elastic network interface. Free if attached to an instance. This interface will not automatically delete upon Instance termination.

- How to create a new VPC: Your VPC > Create VPC > provide name, IPv4/CIDR block, Tenancy=Default (not dedicated, less costs), create > check DHCP options, Main route table, ACLs, etc

- Deletion routine: Instances must be terminated, then Elastic IPs, then other network resources


4. CloudWatch

- Use to Collect, Monitor, Act, Analyze applications
- Namespaces: store metrics that are separated from other metrics
- Metrics: time ordered data
- Dimensions: name/value pair as ID for a metric
- Alarms: threshold set to metrics to raise events. Examples: send an email when dollar spent amount is above $1000, when outbound passes 1PT of data
- Logs: to view info about log groups
- Metrics: select certain metric to view graphs, charts
- Events: view events
- Application monitoring: drill down to specific application
- Insights: view aggregate monitored info
- How to create a dashboard: click Dashboard > create > select the graph type > Add metric > save


5. Elastic Load Balancing

- ELB distributes traffic of these types:
- Application: layer 7 proxy reachable via VIP, used when having multiple features 
- Content based routing (e.g. trailing slash such as https://kimconnect/support pointing to a specific application different from the root)
- Health checks
- Sticky Sessions
- Load balancing algorithms

- Network: layer 4 proxy reachable via VIP, sources could be Internet or Internal with AWS PrivateLink connecting to ELB before reaching the targets. AWS Certificate Manager can be added for TLS offloading. Useful for directing internal traffic.

- Gateway: layer 3 GW & 4 ELB reachable via route table IP entry & not proxy, Internet ingress connects to AWS privateLink; then, that traffic is intercepted by load balancer before being allowed to reach its destination(s)

- Classic: layer 4 & 7 proxy reachable via VIP, TCP/HTTPS/TLS
- If cross-zone is enabled, each EC2 instance would get equal distribution regardless of zones. If disabled, then each ELB would get equal percentage, instead of each EC2 Instance.

- How to use:
- Create AMI of an existing Instance if not already available
- Create launch template: select the desired AMI, set key pair, associate Security Group, set storage, etc
- Create Scaling Group: select availability zones, load balancing algorithm, scaling policies (Metric type, percentage), scaling size numbers
- View scaling group: click on a group to view configured options




6. Elastic Beanstalk

- Tool to deploy and scale AWS resources via scripting. The workflow consists of Upload Application Script > Launch Environment > Manage Environment > Iterate with version control

- Environments:
- Web server environment: has an ELB with a Security Group to connect EC2 Instances within Auto Scaling Group inside an Availability Zone. There would be an associated Database which has a separate Security Group allowing ingress from the Web Server Zone

- Worker environment: does not connect to the Internet, rather only to the web server environment
- View Logs, Health, Monitoring (CPU, RAM, Network IO, Disk IO), Alarms, managed updates, Events, Tags

- Applications:
- How to create an environment: select Elastic Beanstalk > Create Application > provide name, key, tag, select Platform (Docker, PHP, etc.), either upload or create a sample application > click Configure more options > select the Presets (Single intance or High availability), Platform, Software, Auto Scaling, Instance types, Processor, Availability Zones, Scaling triggers (e.g. CPUUtilization Average 85% for 5 minutes), Storage, Snapshot, Network, Software, EC2 key pairs, Notifications, etc. > create > Navigate to the the Elastic Beanstalk > find the newly created environment > verify settings
- How to deploy an application: select an environment > click Upload > select the zip file > upload > check the health of application for status 'OK'


7. AWS LAMDA

- event-driven serverless model that allow devs to deploy apps without managing servers (Tomcat, Python, LAMP stack, )
- single threaded, single tasking, cost per memory usage & storage
- Comparing services and customer management:
- IaaS (Infrastructure as a Service): OS, network, users, policies (e.g. EC2)
- CaaS (Containers as a Service): Containers (e.g Kubernetes)
- PaaS (Platform as a service): Applications (e.g. Power BI)
- FaaS (Function as a service): Functions (e.g. Lamda)
- Event > trigger > handler > next event

- Sample quick Lamda code of a Python function:
# Lamda function to access external API and return a response
import json
import requests
def lamda_handler(event, context):

api = "https://type.fit/api/quotes"
response = requests.get(f"{api}").json()
print(response)
return {
'statuscode': 200,
'body': json.dumps(response)
}

- Sample Lamda code of a JavaScript function:
// source: https: //docs.aws.amazon.com/lambda/latest/dg/service_code_examples.html
import { LambdaClient, paginateListFunctions } from "@aws-sdk/client-lambda";
const client = new LambdaClient({});
export const helloLambda = async () => {
  const paginator = paginateListFunctions({ client }, {});
  const functions = [];
  for await (const page of paginator) {
    const funcNames = page.Functions.map((f) => f.FunctionName);
    functions.push(...funcNames);
  }

 console.log("Functions:");
  console.log(functions.join("\n"));
  return functions;
};