The Complete Course from ExamCollection industry leading experts to help you prepare and provides the full 360 solution for self prep including AWS Certified Solutions Architect - Professional: AWS Certified Solutions Architect - Professional (SAP-C01) Certification Video Training Course, Practice Test Questions and Answers, Study Guide & Exam Dumps.

New Domain 2 - Design for New Solutions

9. AWS STS - Architecting IAM user keys the right way

Hey everyone and welcome to the KnowledgePortal video series now. Hopefully this will be the last lecture for Sts. I hope you are not bored, so one question that might arise is that many of you might have this question: like whenever we generated a temporary credential, we had to manually copy the access key. We had to manually copy the secret key, and we had to manually copy the session token inside the AWS credentials file since these are valid for only 1 hour. Developer will have to run this command every 1 hour and manually copy and paste his credentials, so this is not a very ideal way to do it and developer will not follow this if you give this specific approach, so there is a workaround in which we can automate this specific process, so how we can do this is this is a very simple and one of the easiest ways. Let me show you, so I have created a new profile where there are two parameters that are needed: one is the roleARN and the other is the source profile, so the roleARN here will be the one that we generally run in the STS assume role, so you see. When we run this specific command, we give the role Aaron, so this is the role Aaron that we need to give. So I'll copy this. I'll go to AWS credentials and the role Aaron I have to supply the arm of the role that needs to be assumed, and in the source profile, I have to give the name of the default source profile, and now whenever I want to run, I have to do AWS C LS with an automated profile, okay? Ern is invalid. Let's just quickly verify oops.I believe we made a minor error; there is a colonovert here; let me copy this and try again. And now you can see that I can see the three buckets, so what really happened is in the profile we call the automate profile, so we named this specific profile what this profile will do, and the profile has the role in N, and the profile will use the credentials. the access key. So the first thing that will happen is that it will take the access key and secret key associated with the profile name that we have mentioned here, which is default, so it takes the access key. It takes the secret key and it takes the role Aaron, and then it will run the command, something similar to what we had done. It will run the command, something very similar to this, and it will generate the temporary access key. secret key and the token, and it will allow the user to view the contents without having to manually put the access key. secret key and token in the credentials file, so this is an automated way of doing things. Once you do it this way, the only thing that you have to tell the user is to run the command with profile automate, and everything will be working as expected. So after 1 hour, once the credentials expire, you don't really have to regenerate the credentials manually and put them inside the credentials file. So this is the automated way of doing things, and this is something that I would really encourage you to do if you are a solutions architect. You should be implementing this kind of approach or something very similar. So this is it about this lecture, and I hope this has been informative for you.

10. AWS STS - Automate temporary credentials - Part 4

Hey everyone and welcome to the KnowledgePortal video series now. Hopefully this will be the last lecture for Sts. I hope you are not bored, so one question that might arise is that many of you might have this question: like whenever we generated a temporary credential, we had to manually copy the access key. We had to manually copy the secret key, and we had to manually copy the session token inside the AWS credentials file since these are valid for only 1 hour. Developer will have to run this command every 1 hour and manually copy and paste his credentials, so this is not a very ideal way to do it and developer will not follow this if you give this specific approach, so there is a workaround in which we can automate this specific process, so how we can do this is this is a very simple and one of the easiest ways. Let me show you, so I have created a new profile where there are two parameters that are needed: one is the roleARN and the other is the source profile, so the roleARN here will be the one that we generally run in the STS assume role, so you see. When we run this specific command, we give the role Aaron, so this is the role Aaron that we need to give. So I'll copy this. I'll go to AWS credentials and the role Aaron I have to supply the arm of the role that needs to be assumed, and in the source profile, I have to give the name of the default source profile, and now whenever I want to run, I have to do AWS C LS with an automated profile, okay? Ern is invalid. Let's just quickly verify oops.I believe we made a minor error; there is a colonovert here; let me copy this and try again. And now you can see that I can see the three buckets, so what really happened is in the profile we call the automate profile, so we named this specific profile what this profile will do, and the profile has the role in N, and the profile will use the credentials. the access key. So the first thing that will happen is that it will take the access key and secret key associated with the profile name that we have mentioned here, which is default, so it takes the access key. It takes the secret key and it takes the role Aaron, and then it will run the command, something similar to what we had done. It will run the command, something very similar to this, and it will generate the temporary access key. secret key and the token, and it will allow the user to view the contents without having to manually put the access key. secret key and token in the credentials file, so this is an automated way of doing things. Once you do it this way, the only thing that you have to tell the user is to run the command with profile automate, and everything will be working as expected. So after 1 hour, once the credentials expire, you don't really have to regenerate the credentials manually and put them inside the credentials file. So this is the automated way of doing things, and this is something that I would really encourage you to do if you are a solutions architect. You should be implementing this kind of approach or something very similar. So this is it about this lecture, and I hope this has been informative for you.

11. AWS Key Management Service

Hey everyone and welcome back. In today's video, we will be discussing the AWS Key Management Service. Now, typically, let's say your organisation wants a system to store its secrets. You can already say that if the secrets must be stored, we will use the cloud. However, Cloud HSM is definitely good, but it comes with its own disadvantages. Now, the first disadvantage of CloudHSM is the additional complexity. And also, it is not fault-tolerant by default. So it's not like you can launch a single cloud HSM and store the keys there. You need to have at least two Cloud HSMs for fault tolerance. The second disadvantage of Cloud HSM, as far as the Q of 2019 is concerned, is that they do not really have an SLA for that. So either this does not have a Cloud HSM SLA. And the third thing is the cost. So in the Mumbai region, it costs around $2 per hour. And if you have two Cloud HSMs, that means $4 per hour. And if you compare it to the monthly cost, it becomes expensive. And for smaller startups or medium-sized organisations, it is really not the right choice. So what you can go ahead with is the key management service, which provides similar functionality at a lower cost and a lower level of complexity. Now, in definitive terms, AWS KMS is a managed service, which allows us to create, manage, and control the encryption keys. And it uses HSM to protect the security of the keys behind the scenes. One of the great things about KMS is that there are no upfront costs and it is a pay as you go model. And it is much, much cheaper when you compare it with the typical cloud HSM. Now, there are certain concepts that you need to remember as far as the KMS is concerned. The plaintext is one, and the ciphertext is another. Now, plaintext basically refers to the data in an unencrypted form, and ciphertext basically refers to the data after it is encrypted. Now, also, we need to understand the algorithm and keys. Now, typically, an encryption algorithm is a step-by-step approach that tells how a specific plaintext will be converted to a cypher text. So let's say you have plain text here and you have cypher text here. So the conversion from plain text to ciphertext can differ based on the algorithm. Now, for encryption algorithms, you have various kinds of algorithms, and which algorithm will choose the way in which the plaintext gets converted is different here. Now, as far as the KMS is concerned, the KMS only supports the symmetric key algorithm primarily with the help of AES GCN with 256-bit keys. Now, let's look into how exactly we can configure KMS. So there are three major steps. First, we go ahead and create a CMK. CMK is basically the customer master key. Once we do that, we configure the administrator user and the key user. And the third is the key. The user can reference the key ID to encrypt and decrypt the data. So let's look into this in terms of screenshots. Now, we discussed the first thing, which is basically the creation of the CMK of the KMS key. Now, within this, you must provide an alias, which aids us in referencing keys for ease of use. All right, so this is the first thing. The second thing is the key administrator. So we must decide who will be the key administrators, with complete control over the key. The third option is key usage permission, which allows us to specify who will be able to use the keys, such as who will be able to encrypt or decrypt data using keys. These screenshots in this slide, however, are based on the older console. AWS has recently released the new GUI for KMS. So let's go ahead and look into how we can achieve that in terms of practicality. So I'm in my AWS management console, and let me quickly show you both the ways in which you can configure the key management service. The earlier way was to go to the IAM console and click on encryption keys. So yeah, there are a lot of keys which areavailable and if you click on Create Key, you seethese are the screenshots that we had within our slide. However, AWS has also released a new console for key management services. So if you just type "key," you'll have a key management service option, and this is what the new console looks like. So this is pretty good. If you go to the AWS management console, these are the managed keys, which are available anyway. So here we are more interested in the customer-managed keys. Generally, there are two keys that you will see. One is the AWS-managed one. So these are the ones that are used by the various AWS services. And second is the customer-management key. So currently, these are the keys that you generally create for your custom application. So here, let's click on "Create Key." So the first thing that you need togive is you have to add an alias. So let me give an alias, asKpops," and let's click on Next. So I'll avoid the tag. Let's click on "next." Now, in the next screen, you can specify the key administrator. Key administrators basically have full control over the key. So you can add a key administrator here or skip it. So in my case, I'll add one id user. So these are basically the "im user" and the "im role." I have a IMU user called Zeal, and I'll add Zill as the key administrator over here. Now, let's click on "next." So here you have to specify the key usage permission. You do not really have to do it right now. You can do it at a later stage as well. Let me show you that as well. So I'll just skip the key usage permission. I'll click on Next, and this is the key policy that really gets created. So if you look into the key policy over here, this is the principle of root, and it has full access. And then you have the Z user over here. Now, since the Z user is defined as an administrator, These are all the permissions that the Z user has. All right, so we'll click on Finish. Great. So it says your customer management key was created, with the aliases kpisf and key. So this alias allows us to distinguish the keys in a much easier way because if the keys are distinguished by the key idea, it really becomes confusing. So an alias is something that is useful for us. So if you go inside the key, this is what things would really look like. Now you're in the key policy area. You have switched to a policy view. So if you click on the policyview, this is the exact policy. All right, let's go back to the key, and let's go back down. So here you have the key administrator, and you can define multiple administrators. Over here, you also have the key user. Now, let me quickly show you that, in fact, I already have it open in another tab. So if you click on the users that I have multiple users for, if required, you can go ahead and add a user as well. Let me add a KMS user. For the timing, I'll just give it as a programmatic access. I'll click on review, and I'll go ahead and create a user. Great. So a KMS user has been created. So let's quickly refresh the screen. And now let's go back down under the key user. We can go ahead and add the KMS user here. Great. So the KMS user has been added. So that's a high-level view of the kilometers. Now again, since the key user has been added here, ks user So with the access and secret keys, this user can encrypt or decrypt his or her own data. Now, one important thing to remember is that KMS will not give you the CMK. So the master key is something that KMS will not give you. You can reference the key ID. So this is the key idea. Let's say you have the data. You can tell the KMS to use this specific keyID to encrypt or decrypt your data. Now, the great thing about this is that since you do not get the key, there is no chance that the key will be stolen from your side. So this is one of the great things anyway. This is the high-level overview of the CMK. In the next video, we'll look into how we can make use of the KMS user to encrypt and decrypt the data in KMS. With this, we'll conclude this video. I hope this video has been informative for you, and I look forward to seeing you in the next video.

12. AWS Key Management Service - Part 02

Hey everyone and welcome back. Now, in the earlier video, we had created our first KMS key, and this is basically the same idea. So in today's video we will look into how we can go ahead and perform the encrypt and decrypt operation using this specific KMS key. Now, if you remember, within the key user, we had added a user called the KMS user over here. And within the Im console, I am inside the KMS user. So let's do one thing. Let's go to the security credentials, and let's generate an access and secret key. So I'll copy this access key, and I'll run the AWS configure command. Let me put the access key here and I'll copy the secret key as well. I'll put the secret key now. The region here will be selected as the southeast region because our KMS key was created in the southeast region, which is Singapore. So I'll just leave this at "default" and I'll press Enter. Great. Now our KMS key has been created. So let's try and do a simple KMS list keys operation here, and here it says that access is denied exception.And basically, it does not really have access to list the keys. The ARN specifies who does not have access. So this is the ARN here, and basically this is associated with the KMS user. So let's do one thing. I'll go to the console, and let's go to the permission. I'll add a new inline policy over here. The visual editor is something that we'll use. I'll select the service of "KMs," the actions. Let's go ahead and select the list keys over here. This action does not support a specific resource. So this basically supports all the resources. I'll go ahead and review the policy. I'll call it KMS list keys, and I'll go ahead and create the policy here. Great. So our policy is now in place. So let's go back to the CLI. I will clear the screen and let's type the same command again, and you are able to see that these are the keys that are available. Now, if you just want to see which of these is our key ID, So as we already discussed, every key has a key ID. So this is the key idea here. It ends with FD. Eleven. So if you just want to verify, this is the specific key ID that we are dealing with. Great. So the next step is to determine how we can perform the encryption operation. So in order to do that, let's do one thing. I'll type AWS Kms CLI over here, and let's look into some of the command-line arguments associated with the Kms. So if you go a bit down, we are more interested in the encrypting as well as the decrypting operations. Now, for the AWS KMS encryption, if you go a bit down, there are certain things that are required. One is the key ID. So key ID is the mandatory one, and the second is the plain text over here. So these are the mandatory fields if you want to encrypt data. So let's do one thing: I'll put AWSkms encryption, I'll say key ID, and let's copy this specific key ID completely. And the next available command was the hyphen in plain text. So here, you have to use this. Let's quickly do this, and I'll say this is Z. All right. And let's press Enter. And right now, you can see that it gave the key ID and the cypher text block. So this specific value that you see over here—this is the base 64 encode of the encrypted form of this specific text that we had specified. Now you can, let's say, specify the query in the cypher text block because now what is happening is you are getting a huge amount of value. You are not interested in key ID, all right? So you might only be interested in this specific part. So now let's do a query on the ciphertext block. It is giving a null error. I made a simple type of only be interSo now it gives the specific value. So within this value, you do have double quotes over here. Again, these double quotes are not really required. So now what you can do here is specify the output as text. And now you see that you just have this specific data. Now again, this is completely in base 64. So if you quickly do a base 64 decode, you'll see this is all the binary data. So let's do one thing: I'll do a base 64 decode and I'll store it in a file called encrypteddemo TXT. All right. And if you do a lesson on encrypteddemo.txt, you see that it says that it is a binary file. So anyways, we will not be able to read it because the entire data is encrypted over here. So far as the encryption is concerned, So coming back to the CLI for AWS game decryption: So let's look into the synopsis aspect. So you have a s came as decrypt. You have to specify the ciphertext blob file. So if you see the ciphertext blob, it is basically a ciphertext to be decrypted. Now let's do one thing. Let's try it out. I'll type AWS kms decrypt, then you can use the ciphertext block file here and specify the fileover here, encrypted demo TXT, and press Enter. And, as you can see, it has now returned the plain text to us. But again, the problem is that this specific value is the entire value. So if you just want to have this specific value, you can make use of a query and you can specify the field, which is plain text. All right, so now you have this specific value, but again there is a double quote, which we do not really need here. So I'll just specify the output as text. Great. So now you have the output as text. And this is the worth. So now we'll make use of base 64. Again, this is the base 64 value, and this does not really make sense to us. So let's do a base 64 decode once again. And now you see you have the plain text value, which is the deal that is present over here. So this is a high-level overview of how you can perform the encryption and decryption operations. Now, throughout this entire operation, we never received the master key. Master key always and always is stored in the Kms. And here we do not have the master key. That means we don't have to worry about the master key getting lost because it's stored on the AWS site and managed by AWS. So this is the high-level overview of the KMS as far as encryption and decryption are concerned. Again, if you would have noticed, we were just going through the CLI and using the CLI's commands, which are present now. This is the best way because, generally, if you give the Red Hat certification, it becomes difficult to remember so many commands over there. So it's always recommended to go through the documentation and look at some of the synopsis. Or if you go a bit down, you also have the examples over here. So if you have this habit, it willreally help you in the longer term. This is why I try to use this type of setup throughout the videos. So with this, we'll continue this video. I hope this has been informative for you, and I look forward to seeing you in the next video.