Security and Identity
This course is an introduction to AWS security. During this course, we will get started on the most important topics by covering the AWS Shared Responsibility model, the AWS Acceptable Use policy, and penetration testing rules. We will then explore each of the services in the security and identity category. Besides the most obvious of those, Identity and Access Management (IAM), we will also learn about AWS Directory Service, the brand new Inspector service (which is still in preview mode), the recently announced Web Application Firewall (WAF) and Microsoft AD, an Enterprise-level domain hosted in the cloud. Also, we will take a quick look at the most basic security best practices that we need to be aware of when working with AWS.
There are no big prerequisites for this course; you just need to have general IT knowledge and some basic understanding of AWS. If you don't yet feel confident enough on AWS to tackle this, you should take a look at the AWS Fundamentals Learning Path prior to getting started.
After taking this course you should be able to identify who is responsible for what in the AWS cloud and describe all the services in the security and identity category.
If you have thoughts or suggestions for this course, please contact Cloud Academy at email@example.com.
- [Instructor] Hello. In this lecture, we introduce and explore the directory services available in Amazon Web Services. Following this lecture, you'll be able to recognize and explain the directory services available to you in Amazon Web Services, and be able to recognize which use cases match the various directory services available in Amazon Web Services. The AWS Directory Service allows you to manage directories in the cloud. Let's first just ensure we understand what we mean by a directory. A directory is, in essence, a database, or, in other words, a collection of records organized and grouped by unique identifiers. This database is used to store data that does not change much. So, the data is described as static. The data in the directory is read more than it's written to. The most common use case for a directory service is a company directory. Not only are employee names, user account, and password information stored, but also key attributes, such as what department they're in, their email address, their phone extension, and so on. A directory service is often used to identify resources. These resources are called objects, and they can be anything in a network, like users, groups, computers, or printers. The greatest advantage of a directory service is that you have a single point of management, meaning that you can, for example, store the password of a user in the directory, and this user will be able to be authenticated in all connected systems in a given network. Also, you can add attributes to your objects, like an email user, what building they reside in, the location of a computer, and so on. A directory generally needs to be available to different devices in many different places on a network. To ensure any read of a record in a directory is as fast as possible, directory data is usually replicated across a network to reduce the read time, or latency.
Amazon currently offers two flavors of directory services for AWS customers, the Amazon Cloud Directory and the AWS Directory Service. They sound familiar, don't they? So, let's explore each and understand the difference. The Amazon Cloud Directory is a highly available, multi-tenant, directory-based store in AWS. The Amazon Cloud Directory is cloud native and can scale quickly and store millions of records. So it's a good choice when you need to build application directories, such as device registries, catalogs, social networks, organization structures, and network topologies. You should consider Amazon Cloud Directory if you're building social networks, device registries, or Internet of Things, IoT, applications. Amazon Cloud Directory would be a good way to manage vehicle registration for fleet management systems, for example. In that use case, we might want to track the number and type of vehicles assigned to a location. It could also suit managing users for a file-sharing application, or creating organizational charts for a human resources application. Amazon Cloud Directory suits these use cases because it enables you to create hierarchies along multiple dimensions to store arrays of data within a single directory. Each of these use cases typically needs to organize data hierarchically to be able to perform high-volume and low-latency lookups and scale quickly to millions of objects that can be accessed globally. As a cloud native service, the Amazon Cloud Directory meets these requirements well. So, generally, if you're building cloud native services, think Amazon Cloud Directory. The Amazon Cloud Directory is not, however, going to be a good directory service for an IT administrator who wants to manage or migrate their directory infrastructure. That use case is better suited to the AWS Directory Service. The AWS Directory Service is a good match for user management in Windows. 
Built on the Microsoft Active Directory product, it offers three services: Microsoft AD, Simple AD, and the AD Connector. Microsoft AD runs the Enterprise Edition of the Microsoft Active Directory product. It enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS cloud. The Microsoft AD service doesn't require you to synchronize or replicate data from your existing Active Directory to the cloud. That means, by using a virtual private network, VPN, or AWS Direct Connect from your Amazon virtual private cloud, VPC, to your network, you can use the cloud-based AWS Microsoft AD as the Active Directory for your on-premises environments. You can join computers to your domain, administer users and groups, and manage policies without the usual effort required to implement a highly available Active Directory. Microsoft AD is a good choice if you have more than 5,000 users and you need a trust relationship set up between your AWS-hosted directory and your on-premises directories. The Simple AD directory is a simple directory powered by a Samba 4 Active Directory-compatible server. It provides a subset of the functionality offered by Microsoft AD and supports commonly used features, such as Kerberos-based single sign-on, user accounts, group memberships, and policies. Simple AD is generally your best choice if you have 5,000 or fewer users and don't need all the Microsoft Active Directory features. Both Microsoft AD and Simple AD provide directory services, but what if we just want to connect to an existing directory? That can be achieved by using the AD Connector. The AD Connector is a directory gateway, which can be set up to redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes: small and large. A small AD Connector is designed for smaller organizations of up to 500 users.
A large AD Connector can support larger organizations of up to 5,000 users. AD Connector is your best choice when you want to use your existing on-premises directory with AWS services. Both the Amazon Cloud Directory and the AWS Directory Service have their own merits and use cases. One thing to keep in mind is that both the Amazon Cloud Directory and the AWS Directory Service are managed services, which means you don't need to worry about the platform or where the service is running. Another common point is that you only pay for what you use. There's no upfront investment required, and you can cancel either service at any time. For the AWS Directory Service, you're billed on an hourly basis, depending on the size of your directory. For Amazon Cloud Directory, you're billed based on storage and access. AWS has passed on over 50 price cuts to customers since launching in 2006, so always check the product websites for the latest service price and availability. You can find those addresses in the course notes. Now let's take a quick look at how directory services can be accessed and set up in the AWS management console. We need to click on Get Started and then select the directory type that we want. I'll choose Simple AD. Now I need to type the specifics of my directory. I'll use ds.cloudacademy.com as my directory DNS name. My NetBIOS name will be cloudacademy. NetBIOS stands for Network Basic Input/Output System and is a way for computers to address each other on a network. Next, I'll set an administrator password. Now I need to set the details for my virtual private cloud. The Amazon virtual private cloud is our own private internet address range within Amazon's cloud. This virtual private cloud, or VPC, is automatically created for us within our selected region when we create our AWS account. I'll use my default VPC and the existing subnets that are provisioned as part of the default VPC.
To increase the availability of our services, it's best practice to run subnets in different availability zones. So, here we have the subnets, each in different availability zones. Click on Next and then Create Simple AD. The directory was requested. Let's wait until it's created. Okay, here we can see it's been created. At this point, AWS has created a domain controller and DNS service for us. We now need to get the IP addresses from the DNS servers in order to do something with this domain. We can do this by clicking on the domain name, and, in the details, we can see the DNS addresses. Now, I'll use a Windows machine to show you the domain was created and that computers can join it. In order to save time, I have already launched a Windows 2008 R2 instance on EC2 and installed the AD tools to manage the domain. I've also already configured our domain's DNS servers in the network configurations. Now let's simply join this computer to the domain. I'll need the domain's DNS name and the credentials of the administrator account of the domain to do so. The username will always be administrator, and the password is the same that we configured during the directory creation. Now that we've successfully joined this computer to the domain, we're ready to start creating things on our brand new directory. Now that we're logged in, let's go to the active directory users and computers to manage our domain. Here, we can see that we have a couple of domain controllers created by AWS, and a few standard users. Among them, we have the administrator user that we use to log in, and this AWS admin user, which is a domain admin account created by AWS for management tasks. We should definitely not modify that account. So, let's create a new user. Just click here. Type a first name, last name, and login name. Now we can define a password and finish the creation. Our user is ready and available to use. 
So, that provides us with a simple walkthrough of how to set up the AWS Directory Service. Now let's take an introductory tour of the Amazon Cloud Directory. In the AWS Directory Service console navigation pane, I'll select Directories and choose Set up directory. Next, I'll choose Amazon Cloud Directory. I'll type a name for our directory. I'm going to use the sample organization schema from the Choose or add a new schema option. We can upload our own schema at this point if we want; it just needs to be in JSON format. These samples are a great place to start any directory. Before a schema can be applied to a directory, it must be converted into the published state. To publish an AWS sample schema using the console, we need the correct permissions. The sample schemas are read-only templates. So, the console creates a temporary copy of the sample schema you selected and places it in the in-development state. It then creates a copy of that development schema and places it in the published state. Once published, the development schema is deleted, which is why we need delete schema permissions when publishing a sample schema. Everything looks correct, so I'll click Launch. From here, we can create directory objects and begin populating our directory. Okay, that concludes our introduction to the Amazon directory services. Let's summarize what we've learned. AWS provides two suites of directory services. First, we have the Amazon Cloud Directory. The Amazon Cloud Directory is a highly available, multi-tenant, directory-based store in AWS. It suits applications such as Internet of Things applications, device registries, social networks, network configurations, and user directories. Second, we have the AWS Directory Service. The AWS Directory Service is built around the Microsoft Directory Service and suits users looking to run and connect to Microsoft-based directories. The AWS Directory Service offers three services: Microsoft AD, Simple AD, and the AD Connector.
A few things to keep in mind. Choosing the right directory service is important. So, always consider your future use cases as well as the current requirements and that your user numbers won't exceed the service limits. If you need to set up trust relationships, you'll need the Microsoft AD Service. If you need to implement federated identity, also consider Amazon Cognito user pools as a possible identity solution. Having your network, VPC, and subnetting set up correctly is a prerequisite for success with all directory services. Ensure you don't have conflicting CIDR blocks. Simple AD domains do not currently support dynamic DNS updates. Okay, that concludes this lecture. Thank you for your attention. Please contact us at firstname.lastname@example.org with any questions or feedback.
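The lecture's Simple AD walkthrough and its closing checklist (pick a size that fits your user count, two subnets in different availability zones, no conflicting CIDR blocks, a valid directory DNS and NetBIOS name) can be turned into a pre-flight check that runs before anyone clicks Create. The following Python is an added example, not code from the lecture or from AWS; the size limits are the ones the lecture states, the 15-character NetBIOS limit is the Windows rule, and the subnet IDs, zones and CIDR blocks used in the comments are constructed values.

```python
import ipaddress
import re

# Size tiers the lecture gives for Simple AD / AD Connector: Small up to 500 users,
# Large up to 5,000 users. Above that, the lecture points to Microsoft AD instead.
SIZE_LIMITS = {"Small": 500, "Large": 5000}


def pick_size(user_count):
    """Return the Simple AD / AD Connector size for a user count, or None if too large."""
    for size, limit in SIZE_LIMITS.items():
        if user_count <= limit:
            return size
    return None


def check_directory_request(dns_name, netbios_name, subnets, vpc_cidr, peer_cidrs):
    """Pre-flight checks for a Simple AD request. Returns a list of problems (empty means OK).

    subnets:    list of (subnet_id, availability_zone, cidr) tuples (constructed values in the test)
    peer_cidrs: CIDR blocks of networks this VPC will be connected to via VPN or Direct Connect
    """
    problems = []
    # The directory DNS name must be a fully qualified name, e.g. ds.cloudacademy.com
    if not re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", dns_name.lower()):
        problems.append(f"directory DNS name {dns_name!r} is not a valid FQDN")
    # NetBIOS names are limited to 15 characters with a restricted character set
    if not re.fullmatch(r"[A-Za-z0-9-]{1,15}", netbios_name):
        problems.append(f"NetBIOS name {netbios_name!r} must be 1-15 letters, digits or hyphens")
    # Simple AD needs two subnets, and they must sit in different availability zones
    zones = {az for _, az, _ in subnets}
    if len(subnets) != 2 or len(zones) != 2:
        problems.append("exactly two subnets in two different availability zones are required")
    vpc = ipaddress.ip_network(vpc_cidr)
    for subnet_id, _, cidr in subnets:
        if not ipaddress.ip_network(cidr).subnet_of(vpc):
            problems.append(f"subnet {subnet_id} ({cidr}) is not inside VPC {vpc_cidr}")
    # The lecture's closing advice: no conflicting CIDR blocks with connected networks
    for peer in peer_cidrs:
        if vpc.overlaps(ipaddress.ip_network(peer)):
            problems.append(f"VPC {vpc_cidr} overlaps connected network {peer}")
    return problems
```

Run the check against the same values you intend to enter in the console; an empty list means the request is consistent with the rules the lecture lays out, and each entry names the field to fix.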
About the Author
Head of Content
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start ups.