    Getting Started with AWS
    17 August 22


    Posted by Govind Krishna

    Interested in learning about AWS? Now you can! Sign up for a 7-day, risk-free trial with INE to access all AWS content and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Introduction

    Cloud technologies are trending, and most businesses are moving towards them. The innovations to improve the business and data processing through the cloud platform are in huge demand. Several industry-leading companies are offering cloud services and products such as Amazon AWS, Microsoft Azure, IBM Cloud, Google Cloud Platform (GCP).

    In this post, we will explore the fundamentals of Amazon AWS.

    What is AWS?

    AWS is one of the biggest cloud service providers today. It comprises over 200 cloud services and products that include compute, storage, databases, analytics, networking and many more. It offers all forms of Cloud Services including IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) & SaaS (Software-as-a-service).

    AWS Cloud infrastructure is built around AWS Regions and Availability Zones. A Region is a physical location in the world which contains different Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.

    Creating an AWS-Free-Tier account

    Firstly, we need an AWS account to get started and to use the services provided by Amazon.

    AWS provides one year of free service in its Free Tier edition. All you need here is a credit card/debit card.

    1. You will be taken to the signup page

    AWS Sign-up page

    3. Fill out the details here and in the further pages as well

    You will need a credit/debit card to create an account. The reason is that though it’s a free tier account, AWS has certain limits on the services that can be used.

    Accessing AWS

    There are many ways one can access the services provided by AWS.

    Console

    The most obvious way to access AWS products & services is via the web-portal AWS offers. After signing up for a new AWS account and logging in, you will see the console dashboard. This is the starting point for interacting with the various AWS services and other important console components.


    AWS Console Dashboard

    The dashboard consists of a navigation bar at the top and a number of widgets in the main body of the page, which you can configure and rearrange.

    The navigation bar contains several elements, each giving you access to a different part of the console.

    • Account Information: This menu in the top right corner contains information and links for your account. It displays the AWS Account ID, and the current user logged in to the console, along with links to navigate to some important pages.
    • Region selector: This menu right next to Account Information shows the currently selected AWS Region or “Global” when you have selected a global service. When you click on the currently selected Region, a dropdown will appear with all the available Regions, and you can switch the console to a different Region by clicking on one in the list.
    • Search box: You can type in any AWS services and products or your resources in the universal search bar. When you enter text, the search engine searches across a number of different locations to match the text that you entered. It will return matches in eight sections namely, Services, Features, Blogs, Documentation, Knowledge Articles, Tutorials, Events & Marketplace.
    • AWS Cloud Shell: By selecting this icon, you will launch a browser-based shell environment that is pre-authenticated with your console credentials. CloudShell is a useful tool for securely interacting with your AWS account, and is Region specific, so any files that you upload are specific to that Region. It is a CLI on the web!
    • AWS Service Selector: You can use this to navigate between services offered by AWS. This is a great way to explore the various services by category, especially if you are new to AWS. You can also mark services as favorites by selecting the star next to their names, which will pin them to the navigation bar.

    AWS CLI

    You can access AWS through a tool called the AWS Command Line Interface (AWS CLI), which you install on your machine. You can run commands to interact with and access different services.

    To start using AWS CLI:


    AWS CLI Downloads Page

    • Select the package according to your operating system and install it on your machine.
    • After installation, go to AWS IAM to get your Access Key ID and Secret Access Key
    • On the IAM page, in the navigation pane, choose Users.
    • Choose the name of the user whose access keys you want to create, and then choose the Security credentials tab.
    • To view the new access key pair, choose Show. You will not have access to the secret access key again after this dialog box closes, so save the access key pair safely.
    • Now, open the AWS CLI and type the following code to configure your setup.
    aws configure
    AWS Access Key ID [None]: [Your Access Key ID]
    AWS Secret Access Key [None]: [Your Secret Access Key]
    Default region name [None]: us-west-2
    Default output format [None]: json
    • Now, you can use the CLI to interact with the AWS services.
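The answers given to aws configure are stored in plaintext in the shared credentials file (~/.aws/credentials by default), so that file is worth checking after setup. The following added example, which is not part of the original post, audits such a file for loose permissions and long-lived keys; the function name, finding labels and sample keys are constructed for illustration, and a POSIX file system is assumed.

```python
import configparser
import os
import stat

# Constructed sample in the format `aws configure` writes; keys are placeholders.
SAMPLE = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = constructed-secret-not-real

[ci-role]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = constructed-secret-not-real
aws_session_token = constructed-token-not-real
"""


def audit_credentials_file(path):
    """Return (profile, finding) tuples for an AWS CLI shared credentials file."""
    findings = []
    # Secrets sit in this file as plaintext, so only the owner should reach it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("*", "group-or-other-access"))

    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        token = parser.get(profile, "aws_session_token", fallback="")
        if key_id.startswith("AKIA"):
            # AKIA marks a long-term IAM user key: valid until rotated or deleted.
            findings.append((profile, "long-lived-key"))
        elif key_id.startswith("ASIA") and not token:
            # ASIA marks temporary STS credentials, unusable without the token.
            findings.append((profile, "missing-session-token"))
    return findings


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        sample_path = os.path.join(tmp, "credentials")
        with open(sample_path, "w") as handle:
            handle.write(SAMPLE)
        os.chmod(sample_path, 0o644)  # deliberately too open for the demo
        for profile, finding in audit_credentials_file(sample_path):
            print(f"{profile}: {finding}")
```
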

    The AWS CLI provides direct access to the public APIs of AWS services. You can explore a service’s capabilities with the AWS CLI, and develop shell scripts to manage your resources.

    The AWS CLI uses a multipart command structure, whose parts must be specified in this order:

    aws <command> <subcommand> [options and parameters]
    • aws — The base call to AWS program
    • <command> — The top-level command which corresponds to AWS CLI supported service.
    • <subcommand> — A subcommand that specifies which operation to perform
    • [options and parameters] — General AWS CLI options or parameters required by the operation. You can specify these in any order as long as they follow the first three parts.

    Example command:

    This command lists all your s3 buckets on AWS.

    aws s3 ls

    Here, aws is the base call to call the AWS service, s3 is the top-level command which specifies the service you want to use and ls is the subcommand which specifies what you want to do with the service.

    Boto3

    Boto3 is a Python library published and maintained by Amazon that allows Python developers to interact with AWS services. You can write code that makes use of AWS services such as Amazon S3, Amazon EC2, Amazon DynamoDB and many more.

    Since boto3 is a Python library, you will need a supported Python installation on your machine. If you don't have Python, visit the Python downloads page to install it.

    To get started, install the boto3 module on your machine via pip. Open a terminal and type the following command:

    pip install boto3

    Before using Boto3, you need to set up authentication credentials for your AWS account using either the IAM Console or the AWS CLI. If you haven’t set them up yet, refer to the AWS CLI section above.

    You can use boto3 in Python code by importing it and indicating which service or services you’re going to use:

    import boto3
    
    # Let's use Amazon S3
    s3 = boto3.resource('s3')

    Here, we are using Amazon’s S3 service, so we pass s3 as the parameter to the boto3.resource() function. Now that you have an S3 resource, you can send requests to the service. The following code uses the buckets collection to print out all bucket names:

    # Print out bucket names
    for bucket in s3.buckets.all():
        print(bucket.name)

    You can also upload and download binary data. For example, the following uploads a new file to S3, assuming that the bucket my-bucket already exists:

    # Upload a new file
    # Open in binary mode; the with block closes the file once the upload returns
    with open('test.jpg', 'rb') as data:
        s3.Bucket('my-bucket').put_object(Key='test.jpg', Body=data)

    Boto3 is built in to the Python installation used by Lambda functions, which makes it very useful for interacting with other services on AWS.

    AWS Hierarchy

    The resource hierarchy describes how resources are organized inside a cloud platform account. The hierarchy resembles a file system in the way entities are organized and managed, e.g., each resource can have multiple children, but only one parent.

    Organization

    Organization is used to manage multiple AWS accounts as a single entity. The entity is the parent container for all the accounts for an organization. The amount of control that the organization entity has over the accounts depends on the configuration.

    Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. Granular permissions can be applied to the AWS accounts, and actions can be allowed or denied based on the requirements.

    Organizations with multiple AWS accounts can use the organization entity to centrally view and manage all of their accounts in the same place.

    Organizational Unit

    An organizational unit is a container that can hold accounts, other organizational units, or both. Organizational units are used to model an organization's or a project's structure within the organization. The permissions enforced by a service control policy on an organizational unit are inherited by its child organizational units and member accounts.

    For example, an organization can have different departments, each consisting of teams that work on multiple projects. This is where organizational units come into play: we can create organizational units for departments, for teams within departments, and for the projects assigned to each team. Different organizational units then have different environments, which makes them easier to work with.

    Account Resource

    Account and resource can be considered a single entity, because all resources are created inside an account. An account is a container for all the AWS services such as S3, Lambda, DynamoDB, API Gateway, etc.

    Organizations and organizational units may have multiple accounts, but an account may only have a single parent. An organization can have two types of accounts: a single management account, and multiple member accounts.

    AWS IAM

    AWS IAM plays a crucial role in almost anything you do with AWS. Be it interacting with services or simply authenticating the CLI, understanding AWS IAM is a must.

    What is IAM?

    IAM (Identity and Access Management) is a permission system that regulates access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. It simply allows you to assign permissions to users, groups and roles.

    A principal is a person or application that can make a request for an action or operation on an AWS resource.

    Users

    Users are specific individuals who can receive personal login information. You can give access to your AWS account to specific user identities that you create with custom permissions. You can further simplify access for those users by federating existing identities into AWS.

    Instead of sharing your root user credentials with others, you can create individual IAM users within your account that correspond to users in your organization. IAM users are not separate accounts; they are users within your account. Each user can have its own password for access to the AWS Management Console. You can also create an individual access key pair for each user so that the user can make programmatic requests to work with resources in your account.

    An IAM user doesn’t have to represent an actual person; you can create an IAM user in order to generate an access key for an application that runs in your corporate network/account and needs AWS access.

    Groups

    Groups are collections of users in the account who share a common theme. You can create a group of users and give them specific permissions to interact with the services.

    An example is the case of interns and senior developers in an organization. Interns will have far fewer permissions than senior developers. Senior developers need more permissions on resources so that they can work effortlessly and make changes to the production environment, whereas interns do not need many permissions, since their work probably does not go into final production. This can be achieved by creating two groups and giving them different sets of permissions.

    Roles

    A role is an IAM identity that you can create in your account that has specific permissions. Instead of being uniquely associated with one person, a role can be assumed by a principal. The principal who can assume the role is defined by a policy.

    A role does not have long-term security credentials, i.e., a password or security key. Instead, when a user uses a role, temporary security credentials are created and provided to the user.

    We can take the same example of interns and senior developers, but now an intern needs some additional permissions to access a certain service in AWS. He/she can assume a role with that specific set of permissions and work on the service. This way we don’t need to change the permission set for the whole group or the permissions of individual users.

    Policies

    Policies are low-level permissions to resources in AWS service. They are simply allow/deny permissions of a resource. You can organize IAM users into IAM groups and attach a policy to a group. In that case, individual users still have their own credentials, but all the users in a group have the permissions that are attached to the group.

    The following example shows a JSON policy that allows the user to perform all Amazon DynamoDB actions (dynamodb:*) on the Books table in the 123456789012 account within the us-east-2 Region.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "dynamodb:*",
        "Resource": "arn:aws:dynamodb:us-east-2:123456789012:table/Books"
      }
    }
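The policy above grants every DynamoDB action on the table, which is broader than most users need. As an added example (not code from the original post), the following check flags wildcard grants in a policy document and compares the page's policy with a constructed read-only variant; the function name and finding labels are hypothetical, and the read-only variant assumes the user only needs to read from the table.

```python
import json

# The policy from the text above, unchanged.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "dynamodb:*",
    "Resource": "arn:aws:dynamodb:us-east-2:123456789012:table/Books"
  }
}"""

# Constructed alternative: assumes the user only needs to read from the table.
READ_ONLY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:us-east-2:123456789012:table/Books"
  }]
}"""


def _as_list(value):
    # IAM accepts a single object/string or a list for Statement, Action, Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return (statement_index, finding) tuples for overly broad Allow statements."""
    findings = []
    policy = json.loads(policy_json)
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not flagged here
        if "NotAction" in statement:
            findings.append((index, "allow-with-notaction"))
        for action in _as_list(statement.get("Action", [])):
            if action == "*":
                findings.append((index, "all-actions"))
            elif action.endswith(":*"):
                findings.append((index, "all-actions-in-service:" + action.split(":")[0]))
        for resource in _as_list(statement.get("Resource", [])):
            if resource == "*":
                findings.append((index, "all-resources"))
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_POLICY), ("read-only", READ_ONLY_POLICY)):
        print(name, lint_policy(text))
```
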

    These are the types of policies in AWS:

    Identity-based policies: You can attach multiple policies to IAM identities i.e. Users, Groups & Roles.

    Resource-based policies: You can attach policies to specific resources like Amazon SQS queues, VPC endpoints, AWS Key Management Service encryption keys, Amazon S3 bucket.

    Organizations SCPs: You can use an AWS Organizations service control policy (SCP) to apply a permissions boundary to an AWS Organizations organization or organizational unit (OU). Those permissions are applied to all entities within the member accounts.

    Access control lists (ACLs): You can use ACLs to control which principals can access a resource, similar to resource-based policies. Example: S3 buckets and objects.

    AWS Services

    Here are the most popular services offered by AWS.

    Amazon EC2

    EC2 is the most popular service offered by AWS. EC2 is a cloud platform provided by Amazon that offers secure and resizable compute capacity. Its purpose is to make web-scale cloud computing easy for developers to access and use, while allowing for total control of your compute resources.

    Amazon RDS

    Amazon Relational Database Service makes database configuration, management, and scaling easy in the cloud. Automate tedious tasks such as hardware provisioning, database arrangement, patching, and backups — cost-effectively and proportionate to your needs.

    Amazon S3

    Amazon S3 is a cloud storage service which facilitates object storage. One can even host websites via Amazon S3. It has high scalability, data availability and security for storing notoriously large amounts of data for an organization.

    Amazon Lambda

    Lambda is a service that lets you run code without owning any infrastructure or servers. It is an example of serverless computing. Users can just write the code, and Lambda will handle the rest. Amazon Lambda uses Amazon’s language-specific libraries to interact with different AWS services, which makes it easier to manage task automation.

    Further Reading

    Refer to these resources to learn more about AWS:

    Conclusion

    To summarize, we went through how to create an AWS account, the different ways to access AWS, and the hierarchy of AWS and IAM, followed by a look at some of the most popular services on AWS.

    These are just the fundamentals of AWS. There is much more to learn and I hope you will get further understanding of AWS via the links provided in the Further Readings section.
