CompTIA Security+ ce Certification for Nathan Acks
I'll be starting off by watching through the "AWS Essentials" YouTube playlist put together by the Linux Academy.
AWS Essentials: Project Omega! (YouTube)
This is apparently the framing device for the entire series. Pretty skippable.
AWS Essentials: AWS Free Tier (YouTube)
Core AWS services:
These all have some kind of free version.
AWS Essentials: Create an AWS Account (YouTube)
Wow, AWS is using voice calls for account authentication! (At least they're automated...)
AWS Essentials: How to Navigate the AWS Console (YouTube)
You can switch between regions in AWS using a simple drop-down in the AWS Console's header.
AWS Essentials: What is IAM? (YouTube)
The first identity in an AWS account is the "root" user (the e-mail address the account was created with), and it has the sort of privileges this name implies: it cannot be restricted by IAM policies.
While the root user gets permission to everything, IAM users created afterwards start with no permissions at all beyond what's required to log in. Every additional capability must be granted explicitly in IAM, by attaching a policy to the user directly or to a group the user belongs to.
AWS Essentials: IAM Initial Setup and Configuration (YouTube)
After initially creating the root account, the first thing you should do is work through all of the "Security Status" items in the IAM console (MFA on root, no root access keys, an admin IAM user, a password policy).
At the time of this course, AWS MFA meant either a virtual TOTP app or a vendor-supplied hardware OTP token; when the videos refer to a "hardware key fob", they mean an RSA-style one-time-code device, not a Yubikey. (AWS has since added FIDO security keys as an MFA option, so a Yubikey does work today.)
For obvious reasons, the next thing you should do is create a separate admin IAM user, and then generally avoid using the root user at all. Admin users are defined by having the AWS-managed AdministratorAccess policy attached, which allows every action on every resource.
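The two IAM behaviours above (a new user can do nothing until a policy grants it; AdministratorAccess grants everything) come down to how IAM evaluates policy statements. The following is an added, deliberately simplified model of that evaluation, not AWS code and not part of the course: implicit deny by default, an Allow statement grants, and an explicit Deny beats any Allow. The AdministratorAccess document is the real AWS-managed policy; the S3 read-only policy, bucket name and ARNs are constructed for the example. Real IAM additionally evaluates conditions, resource policies, permission boundaries and SCPs, none of which are modelled here.

```python
"""Simplified model of IAM identity-policy evaluation (added illustration, not AWS code).

Three rules are modelled:
  1. Everything is implicitly denied.
  2. A matching Allow statement in any attached policy grants access.
  3. A matching explicit Deny overrides every Allow.
"""
from fnmatch import fnmatchcase

# The real AWS-managed AdministratorAccess policy document.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed least-privilege policy: read one bucket, and never delete anything.
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-bucket",    # constructed bucket name
                "arn:aws:s3:::example-bucket/*",
            ],
        },
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """'*' and '?' are wildcards; action names are case-insensitive, ARNs are not."""
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Return True if `action` on `resource` is permitted by the attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, case_sensitive=False)
                    and _matches(stmt["Resource"], resource, case_sensitive=True)):
                continue
            if stmt["Effect"] == "Deny":
                return False      # explicit deny wins immediately
            allowed = True        # remember the allow, but keep looking for denies
    return allowed                # nothing matched at all -> implicit deny


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    # Brand-new IAM user with no policies: implicit deny.
    print(is_allowed([], "s3:GetObject", obj))
    # Admin user: AdministratorAccess matches every action and resource.
    print(is_allowed([ADMINISTRATOR_ACCESS], "iam:CreateUser", "*"))
    # Read-only user: reads work, writes are implicitly denied.
    print(is_allowed([S3_READ_ONLY], "s3:GetObject", obj))
    print(is_allowed([S3_READ_ONLY], "s3:PutObject", obj))
    # The explicit Deny on s3:Delete* still wins even with AdministratorAccess attached.
    print(is_allowed([S3_READ_ONLY, ADMINISTRATOR_ACCESS], "s3:DeleteObject", obj))
```

The last call is the point worth remembering: attaching AdministratorAccess to a user who also carries an explicit Deny does not make the denied action possible, because Deny is evaluated with precedence over Allow regardless of policy order.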
AWS Essentials: IAM Roles (YouTube)
Services (really, the resources within a service, such as an EC2 instance) can't have IAM policies attached directly; instead they assume a role, and the role carries the policies.
In general, roles are used to package policies for service resources, while groups are used to package policies for users. (That said, users can also assume roles, for example to switch into another account, so roles are quite flexible.)
AWS Essentials: AWS Global Infrastructure (YouTube)
VPC (Virtual Private Cloud) is the backbone of AWS's offerings.
"Regions" are groupings of AWS resources that are concentrated in a given geographic location (AWS data centers are not spread out uniformly).
Regions are in turn made up of "availability zones": physically isolated clusters of data centers with separate power and networking, close enough together for low-latency links but far enough apart that one failure shouldn't take out another.
Every data center is assigned to only one availability zone; the purpose of availability zones is to provide redundancy within a region.
AWS Essentials: What is a VPC? (YouTube)
VPC settings can be changed in the AWS console under Networking > VPC.
Basically, a VPC is a logical partition of AWS. Importantly, this partitioning includes its own logical network layer, so you can think of a VPC as a virtual network in AWS.
Note that a "default" VPC is created along with a new AWS account, but additional VPCs can be created as needed.
The VPC "internet gateway" is roughly equivalent to a modem in a home or SMB, while VPC "route tables" function like an actual router. VPC NACLs roughly fill the role of a (very simple, stateless) firewall.
AWS Essentials: Internet Gateways (IGWs) (YouTube)
Basically: The part of a VPC that provides the actual connection to the internet. It's horizontally scaled and made redundant by Amazon, so there's little that needs to be configured here.
Really, all an IGW provides is a route target from the attached VPC to the internet (it also performs the one-to-one NAT between an instance's private address and its public or Elastic IP). There can only be one IGW attached to a VPC at any given time, and Amazon won't allow an IGW to be detached while the VPC still has resources with public or Elastic IP addresses mapped to them.
AWS Essentials: Route Tables (RTs) (YouTube)
The Route Table is presented (almost) as a literal route table (think of the Linux route command). So, no surprises here.
There can be multiple RTs per VPC. Similar to IGWs, however, an RT can only be deleted if it has no dependencies, meaning no subnets are still associated with it; the VPC's "main" route table can't be deleted at all.
AWS Essentials: Network Access Control Lists (NACLs) (YouTube)
Think: Stateless firewall.
NACLs can be applied to one or more subnets in a VPC, and multiple NACLs are allowed in a VPC.
All NACLs end with a catch-all "*" rule that DENIES anything not matched earlier. A custom NACL starts with nothing but that rule, so it denies all traffic; the default NACL created with the default VPC, however, has an "ALLOW ALL" rule ahead of it in both directions.
NACL rules are evaluated from lowest-to-highest rule number, and the first match wins. Fortunately, the AWS console displays rules in that order (top-to-bottom), so what you see is what gets evaluated.
Note that additional network security controls ("security groups", which are stateful) can be applied to AWS resources like EC2 instances, etc. But NACLs are the only subnet-level protection that's available.
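To make the two NACL properties above concrete (first matching rule by ascending number wins, then the "*" deny; and statelessness, so a reply packet must be allowed by the opposite direction's rules on its own), here is an added Python model of NACL evaluation. It is an illustration written for these notes, not AWS code; the rule sets and IP addresses are constructed. The "*" rule is modelled by returning a "*" deny when nothing matches.

```python
"""Model of network ACL evaluation (added illustration, not AWS code).

A rule is (rule_no, protocol, port_from, port_to, cidr, action). Rules are tried in
ascending rule_no order; the first match decides; anything unmatched hits the
implicit "*" deny. NACLs keep no connection state, so each direction is checked
independently.
"""
from ipaddress import ip_address, ip_network

# Constructed NACL for a public web subnet.
WEB_SUBNET_NACL = {
    "inbound": [
        (50,  "all", 0,    65535, "198.51.100.0/24", "deny"),   # block one abusive network first
        (100, "tcp", 80,   80,    "0.0.0.0/0",       "allow"),
        (110, "tcp", 443,  443,   "0.0.0.0/0",       "allow"),
        (120, "tcp", 1024, 65535, "0.0.0.0/0",       "allow"),  # replies to connections we open
        (200, "tcp", 22,   22,    "0.0.0.0/0",       "deny"),   # redundant with "*", shown for clarity
    ],
    "outbound": [
        (100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),        # replies to inbound web clients
        (110, "tcp", 443,  443,   "0.0.0.0/0", "allow"),        # instances fetching updates
    ],
}

# The default NACL of the default VPC: ALLOW ALL ahead of the "*" deny, both directions.
DEFAULT_VPC_NACL = {
    "inbound":  [(100, "all", 0, 65535, "0.0.0.0/0", "allow")],
    "outbound": [(100, "all", 0, 65535, "0.0.0.0/0", "allow")],
}

# Constructed mistake: the outbound ephemeral-port rule was forgotten.
BROKEN_NACL = {
    "inbound": WEB_SUBNET_NACL["inbound"],
    "outbound": [(110, "tcp", 443, 443, "0.0.0.0/0", "allow")],
}


def evaluate(nacl, direction, protocol, dst_port, remote_ip):
    """Return (rule_no, action) of the first matching rule, or ("*", "deny")."""
    addr = ip_address(remote_ip)
    for rule_no, proto, lo, hi, cidr, action in sorted(nacl[direction], key=lambda r: r[0]):
        if proto not in ("all", protocol):
            continue
        if not lo <= dst_port <= hi:
            continue
        if addr not in ip_network(cidr):
            continue
        return rule_no, action
    return "*", "deny"


def connection_allowed(nacl, client_ip, client_port, server_port, protocol="tcp"):
    """A TCP exchange only works if the request AND the reply each pass on their own.

    Inbound packets are matched on the server port; the reply is an outbound packet
    whose destination port is the client's ephemeral port.
    """
    _, inbound = evaluate(nacl, "inbound", protocol, server_port, client_ip)
    _, outbound = evaluate(nacl, "outbound", protocol, client_port, client_ip)
    return inbound == "allow" and outbound == "allow"


if __name__ == "__main__":
    # Rule order: the deny at 50 beats the allow at 100 for the blocked network.
    print(evaluate(WEB_SUBNET_NACL, "inbound", "tcp", 80, "198.51.100.7"))   # (50, 'deny')
    print(evaluate(WEB_SUBNET_NACL, "inbound", "tcp", 80, "203.0.113.10"))   # (100, 'allow')
    # Nothing matches UDP 53, so the "*" rule denies it; the default NACL allows it.
    print(evaluate(WEB_SUBNET_NACL, "inbound", "udp", 53, "203.0.113.10"))
    print(evaluate(DEFAULT_VPC_NACL, "inbound", "udp", 53, "203.0.113.10"))
    # Statelessness: HTTPS works only when the outbound ephemeral rule exists.
    print(connection_allowed(WEB_SUBNET_NACL, "203.0.113.10", 51234, 443))   # True
    print(connection_allowed(BROKEN_NACL, "203.0.113.10", 51234, 443))       # False
```

The BROKEN_NACL case is the classic NACL mistake: the inbound rule for port 443 looks correct, the connection still fails, and the cause is that the SYN-ACK going back to the client's ephemeral port has no outbound rule of its own.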
AWS Essentials: Subnets (YouTube)
VPC subnets are limited to a single availability zone. The default VPC comes with one subnet per availability zone in its region; a VPC you create yourself starts with no subnets, and you add them as needed.
Resources must be provisioned within a subnet. Since subnets cannot span availability zones, subnets are the level at which AWS resources begin to correspond to physical computing structures in data centers.
Subnets can be "public" (internet routable) or "private" (not internet routable), which is determined by the associated route table: a subnet is public when its route table sends 0.0.0.0/0 to an internet gateway (and its instances have public IPs). Note that every subnet must be associated with a route table; one that isn't explicitly associated uses the VPC's main route table.
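The public/private distinction is something you can check mechanically from route-table data. The script below is an added example for these notes (not course material or AWS code) that classifies subnets from constructed route tables laid out in the shape of `aws ec2 describe-route-tables` output (RouteTables, each with Routes and Associations). The IDs and CIDRs are made up. It applies the rule from the previous paragraph, plus the fact that a subnet with no explicit association falls back to the VPC's main route table. Note that an internet-gateway route is necessary but not sufficient: an instance in a public subnet still needs a public or Elastic IP to actually be reachable.

```python
"""Classify VPC subnets as public or private from route-table data.

Added illustration, not AWS code. ROUTE_TABLES is constructed by hand in the shape
of `aws ec2 describe-route-tables` JSON so the script runs offline.
"""

ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",            # constructed ID
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"},
        ],
        "Associations": [
            {"SubnetId": "subnet-web-a", "Main": False},
            {"SubnetId": "subnet-web-b", "Main": False},
        ],
    },
    {
        "RouteTableId": "rtb-main",              # the VPC's main route table
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            # Outbound-only internet via a NAT gateway: still a private subnet.
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0f9e8d7c", "State": "active"},
        ],
        "Associations": [{"Main": True}],
    },
]

# Constructed subnet IDs; subnet-db-a has no explicit association.
SUBNETS = ["subnet-web-a", "subnet-web-b", "subnet-db-a"]


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_public(route_table):
    """Public means an active default route whose target is an internet gateway."""
    return any(
        route.get("DestinationCidrBlock") == "0.0.0.0/0"
        and route.get("GatewayId", "").startswith("igw-")
        and route.get("State") == "active"
        for route in route_table["Routes"]
    )


def classify(subnets, route_tables):
    """Map each subnet ID to 'public' or 'private'."""
    return {
        subnet: "public" if is_public(route_table_for(subnet, route_tables)) else "private"
        for subnet in subnets
    }


if __name__ == "__main__":
    for subnet, kind in classify(SUBNETS, ROUTE_TABLES).items():
        rt = route_table_for(subnet, ROUTE_TABLES)["RouteTableId"]
        print(f"{subnet}: {kind} (via {rt})")
```

Against a real account you would feed `aws ec2 describe-route-tables --output json` into the same functions; the NAT-gateway case is included because it is the one people most often mistake for "public" when reading a route table by eye.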
AWS Essentials: Availability Zones (VPC Specific) (YouTube)
The point of availability zones within a VPC is to allow redundancy to be engineered via mirrored subnets + resources.
AWS Essentials: S3 Basics (YouTube)
Objects = Files
Buckets are created in a particular region; within that region, S3 automatically replicates object data across multiple availability zones.
AWS Essentials: Buckets & Objects (YouTube)
Bucket names are globally unique.
AWS Essentials: Storage Classes (YouTube)
Storage classes in S3 (standard, glacier, etc.) can be defined per object. Classes:
"Durability" is defined as the probability that an object will not be lost or corrupted over the course of a year.
"Availability" is defined as the fraction of time over a year during which an object can be retrieved immediately on request.
Storage class can be set during upload, by using the object lifecycle tool, or just by editing in the AWS console (note that Glacier cannot be chosen in the console this way; transitions to Glacier go through lifecycle rules). Changing the storage class of a folder changes the storage class of all objects currently in it but does not affect subsequent uploads.
Reduced Redundancy Storage is actually recommended in the video for backup (!), though Glacier is intended for actual archival usage. (Caveat: AWS now documents RRS as a legacy class that it does not recommend; S3 Standard has since become as cheap or cheaper, so this advice hasn't aged well.)