# AWS
### Potentially needed services:
* EC2
* Load Balancer
* VPC
* Security groups
* IAM
* Lambda
### 32. Users chart

### 33. Users/group table
| Group/Role | Name | Permissions |
| -------- | -------- | -------- |
| Group | System Administrator | Create and maintain resources across a large variety of AWS services, including AWS CloudTrail, Amazon CloudWatch, AWS CodeCommit, AWS CodeDeploy, AWS Config, AWS Directory Service, Amazon EC2, AWS Identity and Access Management, AWS Key Management Service, AWS Lambda, Amazon RDS, Route 53, Amazon S3, Amazon SES, Amazon SQS, AWS Trusted Advisor, and Amazon VPC. (Full access permission) |
| Group | Database Administrator | AmazonRDSFullAccess |
| Group | Monitoring Group | EC2ReadOnlyAccess, S3ReadOnlyAccess, RDSReadOnlyAccess |
| Role | ReadWrite to S3 Bucket Role | s3:PutObject, s3:GetObject, s3:DeleteObject, s3:ListBucket |
### 34. Users authentication
| Requirement | Solution |
| -------- | -------- |
| Should be at least 8 characters and have 1 uppercase, 1 special character and a number | IAM password policy |
| Change passwords every 90 days and ensure that the previous three passwords can't be reused | IAM password policy |
| All administrators require programmatic access | Create programmatic-access users, or enable both programmatic access and AWS Management Console access for the account in IAM |
| Administrator sign-in to the AWS Management Console requires the use of a virtual MFA device | Allow administrators to manage their own MFA device, and add a policy |
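As an added example (not part of the original design document), the two IAM pieces behind section 34 in boto3 terms: the account password policy as the exact parameters `update_account_password_policy` takes, a local pre-check that mirrors those rules, and the self-service MFA policy that lets an administrator enrol a virtual MFA device while denying everything else until the session carries MFA. The boto3 parameter names and IAM actions are real; the function names, the policy name and the password-history stand-in are assumptions.

```python
"""Added example: IAM password policy and MFA self-service policy for section 34."""
import hashlib
import json
import string

# Parameters for iam.update_account_password_policy(), one per table row.
# The table requires uppercase, a symbol and a number but says nothing about
# lowercase, so lowercase is not enforced here.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireLowercaseCharacters": False,
    "MaxPasswordAge": 90,           # rotate every 90 days
    "PasswordReusePrevention": 3,   # previous three passwords cannot be reused
    "AllowUsersToChangePassword": True,
}

SPECIALS = set(string.punctuation)


def password_digest(password: str) -> str:
    """SHA-256 of a password; a constructed stand-in for IAM's (unreadable) history."""
    return hashlib.sha256(password.encode()).hexdigest()


def password_meets_policy(candidate: str, previous_digests=()) -> bool:
    """Client-side pre-check applying the same rules IAM enforces server-side."""
    if len(candidate) < PASSWORD_POLICY["MinimumPasswordLength"]:
        return False
    if not any(c.isupper() for c in candidate):
        return False
    if not any(c.isdigit() for c in candidate):
        return False
    if not any(c in SPECIALS for c in candidate):
        return False
    history = list(previous_digests)[-PASSWORD_POLICY["PasswordReusePrevention"]:]
    return password_digest(candidate) not in history


def mfa_self_service_policy() -> dict:
    """Policy for the 'administrators manage their own virtual MFA device' row.

    A user may create/enable/resync the MFA device on their own identity only;
    every other action is denied while aws:MultiFactorAuthPresent is false."""
    own_user = "arn:aws:iam::*:user/${aws:username}"
    own_mfa = "arn:aws:iam::*:mfa/${aws:username}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowManageOwnVirtualMFA",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice",
                    "iam:ResyncMFADevice",
                    "iam:ListMFADevices",
                    "iam:DeactivateMFADevice",
                    "iam:DeleteVirtualMFADevice",
                ],
                "Resource": [own_user, own_mfa],
            },
            {
                "Sid": "AllowListVirtualMFADevices",
                "Effect": "Allow",
                "Action": ["iam:ListVirtualMFADevices"],
                "Resource": "*",
            },
            {
                "Sid": "DenyAllExceptMFASetupWithoutMFA",
                "Effect": "Deny",
                "NotAction": [
                    "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice",
                    "iam:ListMFADevices",
                    "iam:ListVirtualMFADevices",
                    "iam:ResyncMFADevice",
                    "iam:ChangePassword",
                    "sts:GetSessionToken",
                ],
                "Resource": "*",
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


def apply(iam_client, policy_name="AdminMFASelfService"):
    """Push both settings through a boto3 IAM client (needs credentials; not run here)."""
    iam_client.update_account_password_policy(**PASSWORD_POLICY)
    return iam_client.create_policy(
        PolicyName=policy_name, PolicyDocument=json.dumps(mfa_self_service_policy())
    )
```

Attach the returned policy to the administrators group; the Deny statement is what turns "should use MFA" into "cannot do anything until MFA is enrolled and used".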
### 38 VPC Solution chart
|Region|Purpose|Subnets|AZs|CIDR Range|
| -------- | -------- |-------- |-------- |-------- |
| US West (Oregon) | Production | prod-public-2a, prod-public-2b, prod-private-2a, prod-private-2b | us-west-2a, us-west-2b | 172.31.0.0/20 (172.31.0.4 - 172.31.15.254) |
| EU (London) | Dev | dev-public-2a, dev-public-2b, dev-private-2a, dev-private-2b | eu-west-2a, eu-west-2b | 172.32.0.0/20 (172.32.0.4 - 172.32.15.254) |
### 39 PROD Subnet solution
| Subnet name | VPC | Subnet Type | AZ | Subnet Address |
| -------- | -------- | -------- |-------- |-------- |
| prod-public-2a | #1 | public | us-west-2a |172.31.0.0/24|
| prod-public-2b | #1 | public | us-west-2b |172.31.1.0/24 |
| prod-private-2a | #1 | private | us-west-2a | 172.31.2.0/24|
| prod-private-2b | #1 | private | us-west-2b | 172.31.3.0/24 |
### 41 DEV Subnet solution
| Subnet name | VPC | Subnet Type | AZ | Subnet Address |
| -------- | -------- | -------- |-------- |-------- |
| dev-public-2a | #2 | public |eu-west-2a | 172.32.0.0/24 |
| dev-public-2b | #2 | public |eu-west-2b | 172.32.1.0/24 |
| dev-private-2a | #2 | private |eu-west-2a | 172.32.2.0/24 |
| dev-private-2b | #2 | private |eu-west-2b | 172.32.3.0/24 |
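Before the VPCs and subnets in sections 38 to 41 are created, the plan can be checked offline. The following added example (not part of the original design document) loads the CIDRs from the tables and verifies that every subnet sits inside its VPC, that subnets in one VPC do not overlap, that the two VPC ranges do not collide (so they could later be peered), and that each VPC range is RFC 1918 private space; it also reports usable addresses after the five that AWS reserves in every subnet. Run as written, it flags that 172.32.0.0/20 lies outside RFC 1918 (172.16.0.0/12 ends at 172.31.255.255). The function names are assumptions; the plan data is the page's.

```python
"""Added example: offline validation of the section 38-41 VPC/subnet plan."""
import ipaddress
from itertools import combinations

# VPC and subnet data copied from the tables.
VPCS = {
    "#1": "172.31.0.0/20",  # prod, US West (Oregon)
    "#2": "172.32.0.0/20",  # dev, EU (London)
}

SUBNETS = {
    "prod-public-2a":  ("#1", "172.31.0.0/24"),
    "prod-public-2b":  ("#1", "172.31.1.0/24"),
    "prod-private-2a": ("#1", "172.31.2.0/24"),
    "prod-private-2b": ("#1", "172.31.3.0/24"),
    "dev-public-2a":   ("#2", "172.32.0.0/24"),
    "dev-public-2b":   ("#2", "172.32.1.0/24"),
    "dev-private-2a":  ("#2", "172.32.2.0/24"),
    "dev-private-2b":  ("#2", "172.32.3.0/24"),
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# AWS reserves the network address, VPC router, DNS, one future-use address and broadcast.
AWS_RESERVED_PER_SUBNET = 5


def is_rfc1918(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(private) for private in RFC1918)


def usable_hosts(cidr: str) -> int:
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def check_plan(vpcs=VPCS, subnets=SUBNETS) -> list:
    """Return human-readable findings; an empty list means the plan is clean."""
    findings = []
    vpc_nets = {vid: ipaddress.ip_network(c) for vid, c in vpcs.items()}
    for vid, net in vpc_nets.items():
        if not is_rfc1918(str(net)):
            findings.append(f"VPC {vid} {net} is outside RFC 1918 private space")
    parsed = {name: (vid, ipaddress.ip_network(c)) for name, (vid, c) in subnets.items()}
    for name, (vid, net) in parsed.items():
        if not net.subnet_of(vpc_nets[vid]):
            findings.append(f"{name} {net} is not inside VPC {vid} {vpc_nets[vid]}")
        if net.prefixlen > 28:  # AWS allows /16 to /28 subnets
            findings.append(f"{name} {net} is smaller than the /28 AWS minimum")
    for (a, (va, na)), (b, (vb, nb)) in combinations(parsed.items(), 2):
        if va == vb and na.overlaps(nb):
            findings.append(f"{a} and {b} overlap ({na} / {nb})")
    for (va, ca), (vb, cb) in combinations(vpc_nets.items(), 2):
        if ca.overlaps(cb):
            findings.append(f"VPC {va} and VPC {vb} overlap; peering between them would fail")
    return findings


if __name__ == "__main__":
    for line in check_plan() or ["plan is clean"]:
        print(line)
    for name, (_, cidr) in SUBNETS.items():
        print(f"{name}: {usable_hosts(cidr)} usable addresses")
```

The same check can be rerun whenever a subnet is added, which is cheaper than discovering an overlap at peering or VPN time.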
### 43 Web and Application Tier Solution
| Tier | Tag | OS | Type | Size | Justification | # of instances | User data |
| -------- | -------- | -------- |-------- |-------- |-------- |-------- |-------- |
| Web | Key=Name Value=web-tier | Microsoft Windows Server 2019 Base | t3 | medium | Up to 5 Gbps bandwidth; balanced instance parameters. Machines can be scaled horizontally | 2 | 30 GB General Purpose SSD for Windows with IIS |
| App | Key=Name Value=app-tier | Microsoft Windows Server 2019 Base | m5d | xlarge | Up to 10 Gbps bandwidth. Machines can be scaled horizontally | 2 | 30 GB General Purpose SSD for Windows with IIS and 150 GB ephemeral storage for exchanging data between servers |
| Db | Key=Name Value=db-tier | RDS | m5 |24xlarge||1|5TB RDS|
### 44 Security group details
| Load balancer | Name | External/Internal | Subnets | SG Name | Rule | Source|
| -------- | -------- | -------- |-------- |-------- |-------- |-------- |
| For Web Tier | web-elb | External |prod-public-2a, prod-public-2b |web-elb-sg|Routing traffic to web tier servers. Inbound traffic from the Internet on port 443|access from Internet|
| For App Tier | app-elb | Internal |prod-private-2a, prod-private-2b|app-elb-sg|Routing traffic from web tier instance to one of app tier instances. Inbound traffic from web tier instance|Web Tier instance|
| Instance Tier | SG Name | Rule | Source |
| -------- | -------- | -------- |-------- |
| Web Tier | web-tier-sg | Receive requests from the web tier load balancer on port 80 | Web tier load balancer |
| App Tier | app-tier-sg | Receive traffic only from the app tier load balancer on port 8080 | App tier load balancer |
| Database Tier | db-tier-sg | Receive traffic only from the app tier on port 433 | App Tier |
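The two section 44 tables describe a chain in which each security group references the previous group rather than a CIDR, so the database is reachable only through the app tier. The added example below (not part of the original design document) models those rows, answers "can source X reach group Y on port P?", lists which groups are exposed to the Internet at all, and renders a rule in the `IpPermissions` shape that `authorize_security_group_ingress` accepts. Group names and ports are the table's; the app-elb listener port (8080) is assumed because the table gives none, and port 433 is kept as stated, so it should be confirmed against the RDS engine's actual listener port. Function names and the rule model are assumptions.

```python
"""Added example: evaluate the section 44 security-group chain offline."""
from dataclasses import dataclass

INTERNET = "0.0.0.0/0"


@dataclass(frozen=True)
class Ingress:
    group: str   # security group the rule belongs to
    port: int    # TCP port allowed
    source: str  # referencing security group, or a CIDR


# One rule per row of the two tables; anything not listed is denied by default.
RULES = [
    Ingress("web-elb-sg", 443, INTERNET),        # public entry point
    Ingress("web-tier-sg", 80, "web-elb-sg"),    # web instances only from their ELB
    Ingress("app-elb-sg", 8080, "web-tier-sg"),  # listener port assumed (table gives none)
    Ingress("app-tier-sg", 8080, "app-elb-sg"),
    Ingress("db-tier-sg", 433, "app-tier-sg"),   # port as stated in the table
]


def is_allowed(src: str, dst_group: str, port: int, rules=RULES) -> bool:
    """src is a security-group name or a CIDR; INTERNET means unsolicited traffic."""
    return any(
        r.group == dst_group and r.port == port and r.source in (src, INTERNET)
        for r in rules
    )


def internet_facing(rules=RULES) -> set:
    """Groups with at least one rule whose source is the whole Internet."""
    return {r.group for r in rules if r.source == INTERNET}


def path_to(dst_group: str, rules=RULES) -> list:
    """Walk the chain backwards from dst_group to the Internet-facing group."""
    hops, current = [dst_group], dst_group
    while True:
        feeders = [r.source for r in rules if r.group == current]
        if not feeders or feeders[0] == INTERNET:
            return list(reversed(hops))
        current = feeders[0]
        hops.append(current)


def to_ip_permission(rule: Ingress) -> dict:
    """IpPermissions entry for ec2.authorize_security_group_ingress().

    A CIDR source becomes IpRanges; a group source becomes UserIdGroupPairs
    (which takes the group id in practice; names are used here for readability)."""
    perm = {"IpProtocol": "tcp", "FromPort": rule.port, "ToPort": rule.port}
    if "/" in rule.source:
        perm["IpRanges"] = [{"CidrIp": rule.source}]
    else:
        perm["UserIdGroupPairs"] = [{"GroupId": rule.source}]
    return perm
```

`internet_facing` is the check worth running after every change: if it ever returns more than `{"web-elb-sg"}`, a tier has been exposed directly.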
### 46 Auto scaling launch configuration
| Tier | OS | Type | Size | Configuration Name | Role | Security Group |
| -------- | -------- | -------- | -------- | -------- | -------- | -------- |
| Web | Microsoft Windows Server 2019 Base | t3 | medium|WebTier|Running new web tier instances|web-elb-sg|
| App | Microsoft Windows Server 2019 Base | m5d | xlarge |AppTier|Running new app instances|app-elb-sg|
### 47 Auto scaling group configuration
| Tier | Launch Configuration | Group Name | Group Size | VPC | Subnets | ELB | Tags |
| -------- | -------- | -------- |-------- |-------- |-------- |-------- |-------- |
| Web | WebTier | WebTier | 2-4|1|prod-private-2a, prod-private-2b|web-elb|Key=Name Value=web-asg |
| App | AppTier | AppTier | 2-4|2|prod-private-2a, prod-private-2b|app-elb|Key=Name Value=app-asg |
### 49 Auditing
* AWS Lambda, CloudTrail - monitoring account events
* CloudWatch - collecting logs and events
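Section 49 pairs CloudTrail with Lambda for account-event monitoring. The added example below (not part of the original design document) is a Lambda handler of the kind that sits behind an EventBridge rule on CloudTrail events: it flags a successful console sign-in without MFA (the control section 34 puts in place) and a security-group rule opened to the whole Internet (which would break the section 44 chain), and prints each finding as JSON so it lands in CloudWatch Logs. The event layout follows CloudTrail's record format; the sample events, account id and group id are constructed placeholders, and the handler and finding names are assumptions.

```python
"""Added example: CloudTrail event triage for section 49 as a Lambda handler."""
import json

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _cidrs_in_ip_permissions(request_parameters):
    """Yield CIDRs from requestParameters.ipPermissions.items[].ipRanges/ipv6Ranges,
    the nesting CloudTrail records for ec2:AuthorizeSecurityGroupIngress."""
    items = (request_parameters or {}).get("ipPermissions", {}).get("items", [])
    for perm in items:
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield rng.get("cidrIp")
        for rng in perm.get("ipv6Ranges", {}).get("items", []):
            yield rng.get("cidrIpv6")


def analyze(record: dict) -> list:
    """Return finding strings for one CloudTrail record; empty means nothing to report."""
    findings = []
    name = record.get("eventName")
    actor = record.get("userIdentity", {}).get("arn", "<unknown>")
    if name == "ConsoleLogin":
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if success and mfa != "Yes":
            findings.append(
                f"console sign-in without MFA by {actor} from {record.get('sourceIPAddress')}"
            )
    elif name == "AuthorizeSecurityGroupIngress":
        group = record.get("requestParameters", {}).get("groupId", "<unknown>")
        for cidr in _cidrs_in_ip_permissions(record.get("requestParameters")):
            if cidr in (ANY_IPV4, ANY_IPV6):
                findings.append(f"{actor} opened {group} to {cidr}")
    return findings


def handler(event, context=None):
    """Lambda entry point. EventBridge wraps the CloudTrail record under 'detail';
    a bare record (e.g. from a test) is accepted too."""
    findings = analyze(event.get("detail", event))
    for finding in findings:
        print(json.dumps({"severity": "HIGH", "finding": finding}))  # -> CloudWatch Logs
    return {"findings": findings}


# Constructed sample events (placeholder account id and group id, not real output).
SAMPLE_NO_MFA_LOGIN = {"detail": {
    "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin-example"},
    "sourceIPAddress": "198.51.100.7",
    "additionalEventData": {"MFAUsed": "No"},
    "responseElements": {"ConsoleLogin": "Success"},
}}

SAMPLE_OPEN_SG = {"detail": {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-example"},
    "requestParameters": {"groupId": "sg-0placeholder", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
}}

if __name__ == "__main__":
    handler(SAMPLE_NO_MFA_LOGIN)
    handler(SAMPLE_OPEN_SG)
```

Wire it up with an EventBridge rule matching `eventSource` values `signin.amazonaws.com` and `ec2.amazonaws.com`; replacing the `print` with an SNS publish turns the findings into alerts.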