My AWS DevOps and SA associate notes – Part 2 – IAM, Security Groups, EBS, EFS

This post will contain notes about IAM, Security Groups, EBS and EFS.

Links to other sections:

Part 1 – Overview

Part 3 – ELB, CLI commands, EC2, Lambda

Part 4 – VPC, Elastic Beanstalk, S3

Part 5 – SNS, CloudFormation, SQS, DynamoDB

IAM – Security Identity and Compliance

Allows centralized user mgmt and level of access to console.
Granular access.
Identity Federation (AD, LinkedIn, Facebook etc).
Temporary access.
Password rotation.
PCI DSS compliance.

Policies are attached to users, groups, roles.

IAM is global, across the world.

Username > account – to get the account number.

Virtual hardware – google authenticator etc. smartphone.

DNS namespace is spun up for the alias to make the URL user-friendly.

The secret access keys cannot be generated again if lost once. This and the access key id cannot be used to log into the console. It’s only used to programatically access AWS (install the AWS tools on lappy etc)

Secret acccess key id – download as csv or copy to notepad – only once.

Create new id and secret in the Users area.

Role names cannot have spaces.

Identity Brokerage

Gathers users credentials.
communicates with LDAP first.
Then to Amazon STS (could go through as a user or role).
Gets access to AWS resources.

IAM is universal, not by region.

Access Key ID and Secret Access Keys – NO CONSOLE ACCESS. Only via APIs.

Own password rotation policy.

SAML – Security Assertion Markup Language.

TEMPORARY access. Allows for access without punching in actual AWS credentials.

Google, LinkedIn, FB etc. Remember this for the exam.

Develop your own Identity Broker.

The Broker talks to LDAP, then with Amazon STS.

Then when all’s good, application gets temp access to AWS resources.

Amazon resource name – ARN. This is what appears in the federation access approval.

AssumeRolewithWebIdentity – to obtain security credentials with Web Identity Federation.

Security Groups

Rule changes apply right away.

ANything allowed in is allowed out automatically even without the rule explicitly being in there.

Cannot put in a deny rule in to security groups. that’s done via network ACLs.

Multiple security groups can be associated with an EC2 instance.

Security groups are stateful, ACLs are stateless.


EBS and EC2 instances have to be in the same availability zones.

Volumes can be modifid on the fly, no downtime – apart from the magnetic storage disk. Changing the type too.

An EBS volume that’s already provisioned can be snapped, and attached as a volume to another machine or the same machine in a DIFFERENT availability zone if required.

Snapshots once taken can be moved (copied) to anywhere in the world.

Images can be create from a snapshot to create new EC2 instances. OR from running EC2 instances and lets you customize the disks required for the new instance.

Snapshots exist on S3.

Snapshots are increemtnal – meaning only blocks that have changed since the last snapshot are moved to the next snapshot

AMI can be taken from volumes and snapshots.

Snapshots can be made public unless encrypted.
Snapshots of encrypted volumes are encrypted automatically.
Volumes restores from encrypted snapshots are encrypted automatically.

Elastic Compute Cloud – where machines live.


EFS – storage capacity is elastic, grows AND shrinks automatically when the machines need. EFS – not much can be done

– add tags (use tag to give it a name)
– choose performance mode – General purpose or max IO
– enable encryption
– IP address can be specified
– default security group by default

General – for most common things
Max IO – for thousands of EC2 instances are accessing the file system.

Create once, provisioned to multiple instances. Just appears automagically.

EC2-user is the default username required to connect to EC2 instance.

Leave a Comment

Your email address will not be published.