目錄
演進架構圖
當一個企業要建立一個產品時,會先以經典架構的方式(麻雀雖小,五臟俱全),隨者用戶數變多量變高會逐漸往(1)高併發架構發展, 一個軟體產品用戶數量變高的時候就代表他是被市場認可的,這時候就會出現很多人複製他,我們就要想辦法發展新功能,為了能快速地導入新工能會開始走(2)DevOps架構 (可以使功能更穩定),當功能越來越多的時候,會把每個應用程式的功能拆出來變成一個個小功能,但外面的訪問用戶還是會有一個集中化的管理介面,這時候就是走入了(3)微服務架構,當有些服務不是這麼經常被使用到的時候我們就會希望他有被使用的時候才會被開啟沒被使用就被關閉,這時候就會走到(4)SeverLess架構,這就是一個主體的架構。
在高併發架構的時候有很多用戶使用我們系統,我們可以發現這些數據其實是有價值的,引此衍伸大數據的架構,常見的就是會做推薦系統,因此接下來會有手機推播的架構。
當雲端用得嚇嚇叫的時候,公司的本地的機房也是資產,不能全部都用雲這時候就會有(5)混和雲的架構。
隨者資訊安全的發展下DevOps得架構下會想再加入資訊安全的管理,因此開始討論有DevSecOps架構。
經典架構:麻雀雖小,五臟俱全
在這裡用初期創業的行為來比喻經典架構,當經營一間餐飲業時,會有消費者並且消費者會需要知道地址才能夠找到餐廳,餐廳裡面會有工作人員,並且會需要帳本來記帳以及冰箱來存放食物,以上這些是基本要素,會有一些而外的事情,譬如人員的權限管理、資產盤點及監視器。
如果要開一間資訊公司試試水溫會有以下的經典架構,我們把消費者看成網路封包,並且外面的使用者要找到你的位置才能進去,所以可以把地址看成網址,餐廳看成公司網路,工作人員看成VM(虛擬機),帳本看成資料庫,冰箱看成NAS,人員管理看成LDAP、資產盤點看成Log搜集器、監視器一樣。 (概念都一樣只是名稱變了)
當我們要把公司的地端架構上架到雲服務時,網路封包依舊是網路封包,網址對應到RouteS3服務,公司網路環境對應到VPC,VM對應到EC2,RDB對應到RDS,NAS對應到S3,LDAP對應到IAM,Log蒐集對應到CloudWatch,監視器對應到CloudTrail
IAM (人員權限管理) : 人員權限管理
CloudWatch (資源監控) : 可以去監控EC2 …等等服務 是否還活者
CloudtTrail (使用紀錄監控) : 誰去操作RDS、EC2都會有紀錄
考試不會考
AWS Config 輸出該帳號的雲端設定值,輸出給大家看
AWS Artifact 自列它們通過的安全標準審核
AWS正常註冊流程
當小明要幫公司註冊一組AWS帳號,第一步應該先跟MIS申請一組以產品為名的Email, 如果小明使用自己的Email來申請AWS帳號,未來離職或轉其他職務時都會有問題, 第二步再透過以產品為名的Email帳號跟AWS申請帳號, 未來有其他員工要使用AWS服務再透過IAM的方始建立User帳號
IAM介紹與練習
IAM的設計思路
人類世界示意圖 VS AWS的世界
通常一個法治的國家會有一個核心的基本法,通常會有一個群體(某國人民)來遵守這個法律,假設有一個叫郭雪芙的人民,今天走在路上的時候,遇到警察搭訕這時候會需要看身分證來表明身份,但當她開車的時候遇到警察搭訕,則是需要出示駕照來表明身份。
基本法是透過法條組成的。
假設有外國人來訪問該國家就會需要有簽證,就會受當地的法律約束管理。
AWS的世界
在AWS也有類似基本法的叫做Permission,會有一個群體來遵守法律就是User Group,而郭雪芙對應到User,並且操作雲服務有兩種方式,一種是透過網頁的方式,而網頁要通過打帳號密碼的方式來驗證身分,另一種是透過寫程式的方式,則是使用Credential的方式,會得到兩串亂數一串是Accsee Key 及Sceret Access Key。
如果有外部的帳號要來讀取我們AWS服務,必須透過Role
法條的概念在AWS就是Policy。
開放兩種撰寫Policy工具讓客戶可以自定義:
- 1.Policy Generator
- 2.Visual Edit
當Policy寫完之後還會需要測試:
- Policy Simulator
Policy 語法結構-EPCAR 對應現實生活
祈使 | 主詞 | 動詞 | 受詞 | 條件 |
允許 | 小明 | 愛 | 雪芙 | 年薪一百萬 |
禁止 | 老王 | 吃 | 泡麵 | 考不及格 |
Effect | Principal | Action | Resource | Condition |
Allow | * | iam:ListPolicies | * | |
Deny | * | iam:GetPolicy | * |
Effect: Allow、Deny
Principal: *是所有人
Resource: 提供的資訊非常的深,只要給一個資深的工程師看很多訊息都出來了
Action: 有很多種行為
Condition:條件
Sample:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToPerformUserActions",
"Effect": "Allow",
"Action": [
"iam:ListPolicies",
"iam:GetPolicy",
],
"Resource": "*"
},
{
"Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
"Effect": "Allow",
"Action": [
"iam:GetAccount*",
"iam:ListAccount*"
],
"Resource": "*"
}
]
}
Resource
Amazon Resource Name(ARN)代表意義:
Partition:分區,目前為止,僅有Global分區(aws)與中國分區(aws-cn)
Service:AWS提供的服務
Region:表示資源目前所處的地方區域,如:東京(ap-northeast-1)等
Account:用戶的aws帳號Id,一串數字序列號
Resource:用戶自定義的資源名稱
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*
透過IAM的方式讓公司同仁們可以操作AWS資源,而外部人員要操作AWS資源則須要透過Role。
Role及IAM 是透過Policy編寫權限。
Role
- 任兩個帳號溝通 (譬如 EC2串接S3)
題目:
Q: A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure mat AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
Assign an IAM role to the Amazon EC2 instance.
錯誤的開發方式是直接使用User的Credential來操作S3,如果Credential被盜會有資安風險。
正確的方式是透過Role來訪問,Role的短期的Credential(可以透過AWS的套件取得)的。
Q:You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment.
You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts.
Identify which option will allow you to achieve this goal.
- A. Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
- B. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
- C. Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
- D. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts
AWS 提供的的soluction Create cross-account roles
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
Step 1: Create a role in the Production Account
First, you use the AWS Management Console to establish trust between the Production account (ID number 999999999999) and the Development account (ID number 111111111111). You start by creating an IAM role named UpdateApp. When you create the role, you define the Development account as a trusted entity and specify a permissions policy that allows trusted users to update the productionapp
bucket
.Step 2: Grant access to the role
In this step of the tutorial, you modify the IAM user group policy to deny Testers access to the UpdateApp
role. Because Testers have PowerUser access in this scenario, and you must explicitly deny the ability to use the role.
Step 3: Test access by switching roles
Finally, as a Developer, you use the UpdateApp
role to update the productionapp
bucket in the Production account. You see how to access the role through the AWS console, the AWS CLI, and the API.
A user has created a mobile application which makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK and root account access/secret access key to connect to DynamoDB from mobile. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?
- A. The user should create a separate IAM user for each mobile application and provide DynamoDB access with it
- B. The user should create an IAM role with DynamoDB and EC2 access. Attach the role with EC2 and route all calls from the mobile through EC2
- C. The application should use an IAM role with web identity federation which validates calls to DynamoDB with identity providers, such as Google, Amazon, and Facebook
- D. Create an IAM Role with DynamoDB access and attach it with the mobile application
當Role越來越龐大的時候AWS有出一個服務iam access analyzer 可以用來監控Policy的使用狀況
IAM的管理方式
RBAC
第一代管理方式:
假設第一個需求是要操作S3 服務,那麼會在Policy上寫上允許操作S3,之後又有新服務需要操作EC2,因此又要去修改Policy,允許可操作EC2,這總方式會導致一直修改Policy
ABAC
第二代管理方式:
以貼標籤的方式進行資源的操作管理,假設有一個服務要操作S3,會先在Policy寫該資源上所有有TagA的都可以操作,之後再把S3貼上Tag A標籤,之後如果又有一個服務需要操作EC2,那麼只需要在EC2上貼上TagA標籤
3 5 6 7 10 11
考題解析
What is web identity federation?
- (A)Use of an identity provider like Google or Facebook to become an AWS IAM User.
- (B)Use of an identity provider like Google or Facebook to exchange for temporary AWS security credentials.
- (C)Use of AWS IAM User tokens to log in as a Google or Facebook user.
- (D)Use of AWS STS Tokens to log in as a Google or Facebook user.
- (A) Allow
- (B)Deny
- (C)Random
- (D)Permit
默認預設都是 Deny
Which of the following are correct statements with policy evaluation logic in AWS Identity and Access Management? (Choose two.)
- A. By default, all requests are denied
- B. An explicit allow overrides an explicit deny
- C. An explicit allow overrides default deny.
- D. An explicit deny does not override an explicit allow
- E. By default, all request are allowed
AC
An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DynamoDB table. All the users are added to the same group and the organization wants to setup a group level policy for this. How can the organization achieve this?
- A. Define the group policy and add a condition which allows the access based on the IAM name
- B. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
- C. Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
- D. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables
what are the two permission types used by aws
(D) Identity-based and Resource-based
An organization has setup multiple IAM users. The organization wants that each IAM user accesses the IAM console only within the organization and not from outside. How can it achieve this?
- A. Create an IAM policy with the security group and use that security group for AWS console login
- B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
- C. Configure the EC2 instance security group which allows traffic only from the organization’s IP range
- D. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
(B)
相關文章
AWS SOLUTION ARCHITECT ASSOCIATE (SAA-C03) 證照課程-VPC