Aws - Reference

AWS cli commands

# findout who am I?
aws sts get-caller-identity

# also findout out who am I with more details
aws iam get-user

# get secret
aws secretsmanager get-secret-value --secret-id foo

# change secret
aws secretsmanager update-secret \
    --secret-id foo \
    --secret-string "{\"json\":\"string\",\"foo\":\"bar\"}"

serverless architecture

Serverless means

• No servers to provision or to manage
• Scales with usage
• Never pay for idle
• Availbility and fault tolerance built-in

P.S. similar to use a third party service/APIs

DynamoDB best practice

• for GetItem, consider if ConsistentRead needs to be set

Data Modelling in different in NoSQL

1. understand the user case
2. identify the access pattern
3. data modelling
4. review -> repeat -> review

P.S. NoSQL seems less flexible on change of access pattern compared to SQL DBs

AWS events videos

Lambda

Three under the hood presentations in series

• 1
• 2
• 3

IAM

• AWS re:Inforce 2023 - A first-principles approach: AWS Identity and Access Management (IAM) (IAM201)
  • Link
  • talks about the basic of IAM concepts and IAM policies
• AWS re:Invent 2022 - A day in the life of a billion requests (SEC404)
  • Link
  • deep dive into how the SigV4 and sts works

S3

• Get Started

EC2

• Get Started

API Gateway

• Get Started

Aws - How To

What is IAM?

IAM is authentication + authorisation for resources

Feature: Add users to AWS account, set groups and permissions for these users, enable user to call AWS services APIs

IAM Principal: An identity in the IAM System

IAM Roles: IAM Principals that authenticate with temporary credentials

Use Cases For IAM Roles

• AWS compute environments (EC2 instances, lambda functions, etc …)
• credentials for federated identities (e.g. users in a directory)

IAM Users (less used): IAM Principle with long term credentials

STS: AWS Security Token Service: produce short term credentials for use by an IAM Role

AWS Accounts:

• not means customers or humans, more like a box of resouces that goes together in a workload.
• IAM is local to AWS Account.
• Any IAM Principal can assume IAM role across AWS accounts as long as policies allowed.

IAM Policy

There are two types of policies, one for principal, one for resources.

Example: Reading an object from an S3 bucket in another account.

Principal IAM policy for AWS Account 123456

{
  "Effect": "Allow",
  "Action": "S3: GetObject",
  "Resource": "arn:aws:s3:::example-bucket/*"
}

Resource-based IAM policy

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "123456"
  }
  "Action": "S3: GetObject",
  "Resource": "arn:aws:s3:::example-bucket/*"
}

Integration between Lambda and AWS IAM enables developers and administrators to explicit control the data and service accessible to an application by assigning it a security code. This approach ensures that credentials can be constrainted to the minimum necessary and that they posses limited lifespans.

Aws - Explanation

how cognito login works

1. User logins with with Microsoft Active Directory Federation Services Single Sign On (SSO), under the hood, the React FE uses aws Cognito Login UI in AppAuth.jsx
2. After the SSO success, the FE cognito knows that this is user logged in and cognito gives JWT Tokens to FE in reactapp/src/App.jsx
3. Then the Apollo JS Framework adds the JWT Token to the header in requests to the backend in reactapp/src/apollo.js
4. backend validates this token in access_token_authentication.py

See also

• Cognito With Federations