AWS 讀書會, 在研讀實戰中儲備好考證照之所需, 交流切磋更多實際的落地場景。 第1章: Introducing AWS - 什麼是 Software Architecture? -- is about finding the right balance and the midpoint of every circumstance involving the people, the processes, the organizational culture, the business capabilities, and any external drivers that can influence the success of a project. -- Web Architecture 101: -- https://engineering.videoblocks.com/web-architecture-101-a3224e126947 - 什麼是 Solution Architect? -- to evaluate several trade-offs, manage the essential complexity of things, their technical evolution, and the inherent entropy of complex systems. - 所以嚮往成為一個 Solution Architect, 這章我們學: -- Understanding cloud computing -- Cloud design patterns and principles -- Shared security model -- Identity and access management

1. Study Group: AWS SAA Guide
Chapter 01 - Introducing AWS
William Tai
2020.Apr

2. Book: AWS SAA Guide
● AWS Certified Solutions Architect - Associate Guide
https://www.amazon.com/AWS-Certified-Solutions-Architect-certification/dp/1789130662/
● Google Books 上可讀到前3章:
https://books.google.com.tw/books?id=P-l1DwAAQBAJ
● PacktPub 與 Oreilly 各有 10 Days Free Trial 可看書的完整內容:
https://www.packtpub.com/virtualization-and-cloud/aws-certified-solution-architect-associate-guide
https://www.oreilly.com/library/view/aws-certified-solutions/9781789130669/
● 本書 Github Source Code:
https://github.com/PacktPublishing/AWS-Certified-Solutions-Architect-Associate-Guide
https://github.com/gabanox/Certified-Solution-Architect-Associate-Guide

3. Agenda
6. Shared Security Model
7. IAM
8. Recap
9. Further Reading
1. Cloud Computing
2. Cloud Design Priciples
3. Cloud Design Patterns
4. Cloud Adoption Framework
5. Well-Architected Framework

4. 這章大致在說...
● 什麼是 Software Architecture?
● is about finding the right balance and the midpoint of every circumstance involving the people,
the processes, the organizational culture, the business capabilities, and any external drivers that
can influence the success of a project.
● Web Architecture 101:
● https://engineering.videoblocks.com/web-architecture-101-a3224e126947
● 什麼是 Solution Architect?
● to evaluate several trade-offs, manage the essential complexity of things, their technical
evolution, and the inherent entropy of complex systems.
● 所以嚮往成為一個 Solution Architect, 這章我們學:
● Understanding cloud computing
● Cloud design patterns and principles
● Shared security model
● Identity and access management

5. Agenda
6. Shared Security Model
7. IAM
8. Recap
9. Further Reading
1. Cloud Computing
2. Cloud Design Priciples
3. Cloud Design Patterns
4. Cloud Adoption Framework
5. Well-Architected Framework

6. Cloud Computing and Before
Cloud Computing:
VS.
Multi-Layer Architecture and Conway’s Law:

7. What is Cloud Computing?
AgilityElasticity Cost Saving Deploy globally in
minutes
https://youtu.be/dH0yz-Osy54
https://aws.amazon.com/what-is-cloud-computing/

8. Thress Types of Cloud Computing
● IaaS
● PaaS
● SaaS

9. Agenda
6. Shared Security Model
7. IAM
8. Recap
9. Further Reading
1. Cloud Computing
2. Cloud Design Priciples
3. Cloud Design Patterns
4. Cloud Adoption Framework
5. Well-Architected Framework

10. Cloud Design Priciples
1. Enable scalability
2. Automate your environment
3. Use disposable resources
4. Loosely coupled your components
5. Design services, not servers
6. Choose the right database solutions
7. Avoid single points of failure
8. Optimize for cost
9. Use caching
10. Secure your infrastructure everywhere
General Design Principles from
Well-Architected Framework:
1. Stop guessing your capacity needs
2. Test systems at production scale
3. Automate to make architectural
experimentation easier
4. Allow for evolutionary architectures
5. Drive architectures using data
6. Improve through game days
https://wa.aws.amazon.com/wat.design_principles.wa-dp.en.html

11. 1. Enable scalability
Antipattern: Best Practice:

12. 2. Automate your environment
Antipattern: Best Practice:

13. 3. Use disposable resources
Antipattern: Best Practice:

14. 4. Loosely coupled your components
Antipattern: Best Practice:

15. 5. Design services, not servers
Antipattern: Best Practice:

16. 6. Choose the right database solutions
Antipattern: Best Practice:

17. 7. Avoid single points of failure
Antipattern:
Best Practice:

18. 8. Optimize for cost
Antipattern: Best Practice:

19. 9. Use caching
Antipattern:
Best Practice:

20. 10. Secure your infrastructure everywhere
Antipattern: Best Practice:
The CIA triad is a commonly used model to achieve information security.

21. The Twelve Factors
https://12factor.net/

22. Agenda
6. Shared Security Model
7. IAM
8. Recap
9. Further Reading
1. Cloud Computing
2. Cloud Design Priciples
3. Cloud Design Patterns
4. Cloud Adoption Framework
5. Well-Architected Framework

23. Cloud Design Patterns
http://en.clouddesignpattern.org/index.php/Main_Page

25. AWS Architecture Center
https://aws.amazon.com/architecture/
如何善用AWS Reference Architectures:
Web Application篇
http://bit.ly/2I90D74

26. https://docs.microsoft.com/en-us/azure/architecture/patterns/
MS Azure Cloud Design Patterns

27. Agenda
6. Shared Security Model
7. IAM
8. Recap
9. Further Reading
1. Cloud Computing
2. Cloud Design Priciples
3. Cloud Design Patterns
4. Cloud Adoption Framework
5. Well-Architected Framework

28. AWS Cloud Adoption Framework
● The Cloud Adoption Framework offers six perspectives to help business and organizations to create
an actionable plan for the change management associated with their cloud strategies.
● It is a way to align businesses and technology to produce successful results.
https://aws.amazon.com/professional-services/CAF/
https://d1.awsstatic.com/professional-services/caf/AWS_CAF_Creating_an_Action_Plan_Nov2017.pdf

29. 如何規劃與執行大型資料中心遷移和案例分享
https://www.slideshare.net/AmazonWebServices/tag/2017tpesummit
https://www.slideshare.net/AmazonWebServices/ss-76989091

30. Microsoft Cloud Adoption Framework
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/

31. Agenda
6. Shared Security Model
7. IAM
8. Recap
9. Further Reading
1. Cloud Computing
2. Cloud Design Priciples
3. Cloud Design Patterns
4. Cloud Adoption Framework
5. Well-Architected Framework

32. AWS Well-Architected: WhitePaper & Training
https://aws.amazon.com/architecture/well-architected/
https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf (Jul, 2019)
https://www.aws.training/Details/Curriculum?id=42037

33. Agenda
1. Cloud Computing
2. Cloud Design Priciples
3. Cloud Design Patterns
4. Cloud Adoption Framework
5. Well-Architected Framework
6. Shared Security Model
7. IAM
8. Recap
9. Further Reading

34. AWS Shared Responsibility Model
https://aws.amazon.com/compliance/shared-responsibility-model/
AWS
Security “of” the Cloud
Cusomter
Security “in” the Cloud

35. AWS
Security “of” the Cloud

36. AWS
Security “of” the Cloud

37. EBS
AWS
Security “of” the Cloud

38. AWS
Security “of” the Cloud

39. AWS
Security “of” the Cloud

40. Agenda
1. Cloud Computing
2. Cloud Design Priciples
3. Cloud Design Patterns
4. Cloud Adoption Framework
5. Well-Architected Framework
6. Shared Security Model
7. IAM
8. Recap
9. Further Reading

41. What is IAM?
● AWS Identity and Access Management (IAM) enables you to manage access to
AWS services and resources securely.
● Using IAM, you can create and manage AWS users, groups, roles, and use
permissions to allow and deny their access to AWS resources.
○ User (End User)
○ Group (A collection of users)
○ Permission/Policy
(A document that defines one/more permissions)
○ Role (For AWS resources to access AWS resources)
○ Resource

42. Business Case - IAM Lab

43. Function IAM Group Name/
(Role Name)
IAM Policy for Group/
IAM Policy for Role
IAM User Purpose
IAM User Administration arn:aws:iam::aws:policy/
AdministratorAccess
Administrator AWS Console access.
IAM User DatabaseAdministrator DatabaseAdministrator Alan AWS Console access.
DBA, and performing full database backups
on S3.
IAM User NetworkAdministrator NetworkAdministrator Ada, Alan (as
backup)
AWS Console access.
Provisioning of infrastructure and network
resources.
IAM User Development RoleCreatorPolicy
(Customer managed)
AmazonEC2FullAccess
(AWS Managed)
Dennis AWS Console access.
Be able to create EC2 and IAM Role needed
for EC2.
IAM Role EC2ToS3InstanceRole AmazonS3FullAccess
(AWS Managed)
IAM User X inline policy s3-user Programmatic access.
IAM Cross
Account
Auditors SecurityAudit
AWSCloudTrailReadOnlyAccess.
https://github.com/gabanox`/Certified-Solution-Architect-Associate-Guide/blob/master/chapter00/checkpoint1.sh

44. Customer Managed Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:PassRole",
"iam:List*",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:AddRoleToInstanceProfile"
],
"Resource": "*"
}
]
}

45. Inline Policy

46. IAM Cross-account Roles
需求方 提供資源方
External auditors will also have read-only
access to CloudTrail:
External auditors

47. 提供資源方
授權給來自此 AWS Account 的
External auditors

48. IAM User login to AWS console w/ inline policy.
Allow to assume role to another AWS Account w/ “Action”:“sts:AssumeRole”
需求方

49. 需求方

50. 需求方

51. IAM Best Practices (1)
❖ Identity & Credential Management
1. Users - Create individual users
2. Password - Configure a strong password policy
3. Rotate - Rotate security credentials regularly
4. MFA - Enable MFA for privileged users
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

52. IAM Best Practices (2)
❖ Identity & Credential Management
1. Users - Create individual users
2. Password - Configure a strong password policy
3. Rotate - Rotate security credentials regularly
4. MFA - Enable MFA for privileged users
❖ Access Permission Management
5. Groups - Manage permissions with groups
6. Permissions - Grant least privilege
7. Conditions – Restrict privileged access further with conditions.

53. IAM Best Practices (3)
❖ Identity & Credential Management
1. Users - Create individual users
2. Password - Configure a strong password policy
3. Rotate - Rotate security credentials regularly
4. MFA - Enable MFA for privileged users
❖ Access Permission Management
5. Groups - Manage permissions with groups
6. Permissions - Grant least privilege
7. Conditions – Restrict privileged access further with conditions.
❖ Delegate & Audit
8. Sharing - Use IAM roles to share access
9. Roles - Use IAM roles for Amazon EC2 instances
10. Auditing - Enable AWS CloudTrail to get logs of API calls
11. Root - Reduce or remove use of root

54. Recap - Agenda
6. Shared Security Model
7. IAM
8. Recap
9. Further Reading
1. Cloud Computing
2. Cloud Design Priciples
3. Cloud Design Patterns
4. Cloud Adoption Framework
5. Well-Architected Framework

55. Further Reading
● Understanding Cloud Design Patterns:
○ http://en.clouddesignpattern.org/index.php/Main_Page
● The AWS Cloud Adoption Framework:
○ https://aws. amazon. com/es/professional- services/CAF/
● AWS architecture well framework:
○ https://aws. amazon. com/es/architecture/well- architected/
● Architecting for the Cloud (AWS Best Practices):
○ https://d1.awsstatic. com/whitepapers/AWS_ Cloud_ Best_Practices.pdf
● AWS - Overview of Security Processes:
○ https://d1. awsstatic. com/whitepapers/Security/AWS_ Security_ Whitepaper. pdf