27. Secrets Manager – Hands On
So now let’s look into a service called Secrets Manager. And the name is extremely obvious for one eight of the services that will be easily storing secrets into aws. And so with this you can rotate them, manage them, and you retrieve them with api calls for their lifecycle. So the big difference of Secrets Manager you’ll have with something like parameter Store with an encrypted value like the secure string, is that with Secrets Manager you can set up some rotation and you can link it to a lambda function that will allow you to rotate your credentials on top of it. It has a very tight integration with rds, aura, postgres and so on. And so the idea is that it will be a little bit more easy to use and more secure with this.
But the idea is the same. You are going to store secrets into a store and retrieve them at runtime. So the pricing is that you have forty cents per secrets per month and $0. 05 for 10,000 api calls. And you get a 30 day free trial available for the Secrets Manager. Okay? So it’s all obviously managed by im for access to the secrets. So this is kind of like a similar thing to parameter Store. So let’s go ahead and store a new secrets. And so, as you can see, we get different type of secrets and I’m pretty sure they will add secrets over time to make this even more integrated with other aws services. But we can do a credential for an rds database, a credential for redshift Cluster, for a document db database for another database or another type of secrets.
And this is, for example, an api key. So here this is really important. Whenever you have a database, it will prompt you with a username and a password, and pretty much a username and password for everything here. Okay? But if it’s an other type of secret, then you will have key value pairs that you can place. And you would have secrets placed in here. So you can say, for example, api key. And then you would have the secret value of the api key, right? And this would be your keyed value pair, but you could have multiple ones you can just store, not just one api key. You could store, for example, Secrets key for the api. And you have a second value, a secret secret value, right? So you’re really free to have as many key value pairs.
And that’s also a little bit of a difference versus something like the parameter Store. So you can do this in secret, or you can also do it in plain text in your passing adjacent. So this would be a way to copy and paste a json. If you prefer this to entering things manually in this ui, then you select the encryption key. So do you want a default encryption key or do you want to use the kms key? You have created and so on to encrypt these secrets. So I’ll use my kms key, for example, and then I’ll click on next. Then you need to give your secret a name. So I’ll call it prod my secret api. And then you can have a description, you can have tags, and then you click on next.And then here we can configure automatic or not automatic rotation.
So that means that if you have automatic rotation automatically, your secrets will be rotated. And so that means that, for example, here I can say every 60 days I want you to rotate my secret, but you could have a custom value if you wanted to, the max being one year. And so that means that after 60 days there will be a lambda function that will be invoked. And so you need to create that lambda function. And that lambda function needs to have the role to rotate that secret. So that means for example, generating a new username or refreshing the api key credentials with a third party. And so you’re free to do whatever you want with your lambda functions.
But the idea is that after 60 days it will be invoked automatically by Secrets Manager to rotate the secrets we have just stored. And that makes it a really powerful secret management solution. So right now I’ll disable the automatic rotation and I’ll click on next and so we are good to go. And we can have simple code in any of the languages that we commonly use to retrieve that secret. For example, with python, if we look at it, there’s a get secret function and you pass in the secret name, the region name, and then you just initiate a boto client to do api calls. And then to get the value you do client get secret value, you’re passing the secret ID, which is the secret name, and then you get the response. And in the response then you can just look at the keys that you need.
For example, in the key value pair we had, and here secret string is the value of the key you want to retrieve. And that’s it very fairly simple. And you have this for the language you are. So if you’re more of a good person, here’s go javascript, java and so on, okay? And that’s as easy as it is to use the Secret Manager. And so this is just a normal key value pair secret. And let me just show you how to do an rds database. So I’ll call this admin and then super secret password and then we would encrypt those as well. And similarly you can also link this to an rds database that the secret will access. So the idea is that with these special integration with rds or redshift or document db, you would have to select a database to integrate this with.
So that makes it a little bit more powerful because now the Secrets Manager will hold the value of the username and the password. But on top of it, it will also set these values on the linked rds database automatically. And you can also enable rotation as well to make sure that the secret rotates every so often. So this one is just to show this. But you are not going to create an rds database just for the sake of linking the secret to it. But you get the idea. So that’s it in a nutshell for Secrets Manager. When you’re done, you can just delete that secret and you’ll be good to go. And you can have a waiting period as well, just to make sure that it doesn’t get updated deleted hastily. So that’s it for this lecture. I hope you liked it and I will see you in the next lecture.
28. License Manager – Hands On
So next is a service called aws License Manager, and it will be used as its name, indicating you to manage the licenses in your account. So a very common way of using it is to manage, for example, your Microsoft or oracle or sap licenses directly in this License Manager. And the way it works is that you would define rules for your license software. Then these rules would be be attached to the resources and you would proactively monitor the usage of these licenses on your resources. And then you can track the inventory and then alert the users in case these licenses are being used or overused. And you can increase the number of licenses you have on hand if they’re all being used or whatever.
So to start using License Manager, you need to grant related permissions. And then we go and create a license configuration. For example, it would be called Windows Server 2016. Okay? And for example, say I have a license type that’s based on instances. So this is you have four types of instance types. So either they’re built by cpu, by cores, by sockets, or by instances. But let’s make it simple. We’ll choose instances and we’re saying, okay, we have enough licenses for 20 instances. I’ll say 20 and then I’ll click on Submit. So we have our license configuration name being here, and currently zero out of 20 licenses are consumed. And so what I’m going to do is click on this license configuration and I can associate it with the resources or I can associate it with amis or and so on.
So this is really helpful because I can associate this with an ami. For example, this ami right here that I’ve created. This was like the custom ami that I’ve created and will associate it. And so that means that every time an instance is created and running with this ami, then one license will be consumed. And so we can track how many licenses are consumed directly from License Manager, and we can have alerts and we can have limits and so on if we want to stop it. So this is just what License Manager does. It really allows you to map licenses to either resources so easy to instances or amis and track the usage.
And that’s about it going into the exams. It’s really about understanding that anytime you need to manage licenses, whether it be for Windows or oracle or whatever, then License Manager is probably a really great way of doing so. And this is where I’ve just created a license just to show you how that works and how you can associate it with easy two instances that are running or amis if you wanted to. So when you’re ready, just delete this association. We’ll just need to remove this associated ami first we’ll disassociate it, and then finally we can delete this license configuration and that’s it for License Manager. I hope you like this lecture. I will see you in the next lecture.
29. Cost Allocation Tags
Okay, so finally, for cost tracking, let’s talk about cost allocation tags. So, we all know tags, tags are used to track resources that relate to one another. So we can tag our easy two instances, our S three buckets, we can tag pretty much everything. But for tags to show up in a cost report, we have to say that these tags are named cost allocation tags. So we’ll see how to create this in a second. But so, just like tags, tags, they are just normal. But the difference is they will show up as columns in the reports. So you have two types of cost allocation tags. The first one is created by AWS. They’re AWS generated cost allocation tags and they’re automatically applied to the resource you will create.
And they will start with a prefix AWS. For example, if you create a resource, there will be a cost allocation tag, AWS created by, automatically by AWS for you. And these cost allocation tags, when we enable them, they won’t be applied to resources that were created before the activation. Now, for user tags, they are the tags that are defined by the user. So the tags that we add manually or automatically using the cli in the console, okay? And so all these tags will start with the prefix user. And the cost allocation tags will just appear in the billing console. Now, just note, it can take up to 24 hours for the tags to show up in the reports. So let’s go and have a play with it. Okay? So for cost allocation tags, it’s on the left hand side.
And as we can see, we have two different kind of tags. As I said, AWS generated tags and user defined. For AWS generated tags, to just activate them, we click on activate. And if you read this, basically they are applied any time you create a resource. And this feature is only available in this console, the billing and cost Management console, they will not appear in the Ms console, including the tag editor. So we won’t see them directly attached to our resources. They will only be seen through this console right here. And then we have user defined cost allocation tags. And these are all the tags that we basically defined over time. And we can say that one of these tags should be a cost allocation tag as well. So, for example, environment is quite a good tag because maybe we want to separate our cost by dev, test and prod.
So we will say Environment is a cost allocation tag as well. So it can take up to 24 hours. So we’ll activate this one as this tag. And now the tag environment is active as a cost allocation tag. So what this means now is that if I create an EC two instance and basically tag it with Environment, I’m going to be able to filter this in my reports. Now, the reports can take a bit of time to get updated. But basically I’m just going to show you what I mean. So I’ll take an instance that’s not free tier, so I’ll take maybe a T too small and I’ll configure the instance details at storage, at tags and here on these tags I’m going to add some tags and I’m going to say the tag environment is going to be equal to the value dev. And basically this instance is tagged with dev.
Then I’ll click on review and launch, launch it and launch instances. And so now basically, if you’re really good with tagging in your environment, you start tagging every resource for the corresponding environment. Eventually, thanks to cost allocation tags, when I go to my reports, my cost exploring my budget, I can basically filter and get some information sliced by environment. So I’m not going to show you this because it takes a little bit of time sometimes for Budget and Cost Explorer to get updated, but you get the idea. So the exam will ask you, hey, how do we basically make sure that we can slice and dice our cost by tags or environment or whatever? The answer is use cost allocation tags. So that’s it. That’s a very practical way of basically controlling your budgets and basically allocating your cost to different costs. I hope you liked it and I will see you in the next lecture.
30. Data Protection & Network Protection in AWS
Okay, so now let’s talk about data protection and network protection in aws. So we know about intransit encryption. So that means when data is being transmitted from one place to another, we can use tls certificates to encrypt data. So to manage these certificates, they can be called ssl or tls certificates. Then we can have acm or Amazon Certificate Manager to manage those. Okay, next we have our load balancer. So we can assign ssl certificates directly to them through acm. And that means that our elb, our Alb, or even our Network Load balancer can provide ssl termination. That means that it will receive an ssl connection and terminate it, and then pass on the payload directly to our EC two instances. It is definitely possible to have multiple ssl certificates per alb using server name indication or sni.
And it is optional to have ssl or tls encryption between your Alb and your EC, two instances. Otherwise, if you don’t do this, then for your Alb, for example, you can have Http. So it’s up to you to choose if you want full encryption of all traffic out of aws and also in aws, or if you just want ssl termination happening at the Alb and then Http traffic. So unencrypted traffic to reach your EC. Two instances from your Alb, it’s up to you. Then you have cloud fronts and classroom distributions can also have ssl certificates onto them. And actually, all aws services expose Https endpoints. So when you do use an api from aws, you can use an Https endpoint by default. It’s the one you use, actually.
And there is one service that could use an Http endpoint, but I don’t think you should use it. I don’t think you could use it, but you shouldn’t use it. And that’s s three. So it is possible to send data into S three using a simple Http endpoint. But by default, all the services in aws will expose some kind of Https endpoints for their api. Okay, that’s for intransit encryption. And now what about at Rest encryption? Well, we have S Three, and for S Three encryption, we have sse S Three, where we encrypt doing server side encryption using amazon’s own key, then Ssekms to have server side encryption. But this time we will use our own kms key and ssec when we do service that encryption.
But this time we provide our own key as part of the payload, then aws won’t keep it, but aws will do some encryption with it. And so if we want to decrypt our data, then we have to provide the same key to do some server side decryption. And then finally you have client side encryption where you send directly the encrypted content to aws. And aws does not have any knowledge of the key itself. So it’s up to you when you download that encrypted content to decrypt it yourself. Hence the name client side encryption. And you can also set default encryption on your S three buckets through a setting. It’s just one setting you have to take.
Or you can enforce encryption using an S three bucket policy and using that little flag in it’s called Xamz server side Encryption to define the kind of encryption you want to enforce through your S three bucket policy. Also good to know. S Three glitch here is encrypted by default. So any file that is stored English here will be encrypted, okay, for other technologies such as efs, ebs, rds, elasticache dynamodb and so on, to perform encryption and have your data being encrypted at rest. It’s just one quick setting, so you just tick a box and you’re done. And the way it works is that it will use either the service encryption key, so aws, ebs, efs, or whatever, or you can provide your own kms key that you create in advance. Then finally, something to be aware of in the exam.
They may ask you some information about phi or pii data. And so I just wanted to give you the name that is underlying for this data. So Phi means Protected health information and Pii means personally identifying information. And these two kind of data are usually very, very sensitive, okay, about the health of a person or about information that allows them to be identified. And so usually around these two kind of data categories, you have very, very strong encryption and security requirements that goes alongside. So if you see in the question phi or pii, just remember it means protected health information or personally identifying information, okay? And then you also want to protect your network itself.
So you can use Direct Connect to privately connect your onsite premise to aws that will be using a private connection. So this is quite secure. But if you wanted to have a direct connection into aws using the public Internet, you could use a vpn or Suicide vpn, and that supports this kind of security called ipsec. And that means that you’ll have encryption of your connection directly from your on premise over the public internet into areas using tls. So that means that it’s all encrypted and then the instance protection itself. So your vpc, first you have network acl at the vpc level and that provides you a stateless firewall at the vpc level. Then you have Waf or Web application firewall.
If you have a web application, then you can have some kind of firewalls managed by aws to have protection against the common exploits that 1 may try to run on you, for example, sql injections and so on. And then you can have your security group. So they are running on the instance underlying hypervisor. So you don’t have access to the hypervisor, but the aws does. And so when you do configure a security group, then this is where the traffic is being protected. So this time it’s not a stateless group, it’s a state full group. So that means that if the traffic is allowed in, it will also be allowed back out. And then finally, if it reaches your easy to instance your own VM that you manage, you are even able to set up your own firewall on your system if you wanted to.
So this is quite common. For Windows instances, for example, they have their own little firewall and for linux you can have some third party software as well to install. Your own firewall on easy to instances. So it does provide you a lot of information and layers around how you can be protected at each level. And so just something to remember at a high level, because it does. Provide you some good insights if the question does ask you some questions about network SEL versus security group versus network waf versus system firewalls. Okay, well, that’s it for this lecture. I hope that was helpful, and I will see you in the next lecture.