How to create an IAM role in AWS?

In this tutorial we will be creating an IAM role which we will use to launch an Amazon Redshift cluster.

  • Login to your IAM Console .
  • In the left Navigation Pane Click on “Roles”
  • Click on “Create New Role”
  • In the AWS Service Role Select “Amazon Redshift” .
  • In the Policy Type Select “AmazonS3FullAccess” and click on “Next Step” .
  • Enter details as below:-
Role Name as :-  redshiftrole
Role description: - Amazon Redshift Role
  • Finally Click on Create Role . 

How to create a security group in AWS?

In this tutorial we will create a security group which we will use further while creating our Redhshift Cluster.

  • Login to your AWS VPC Console .
  • In the left Navigation Pane select Security Groups .
  • Once in Security groups section click on Create Security Group .
  • Enter details as below:
Name tag: redshiftsg
Group name: redshiftsg
Description: resdshift security group
VPC: <Select your VPC or if you are not sure leave it as default>
  • Once details are filled Click on Yes, Create .
  • Now select the security group you just created.
  • In the bottom pane click on inbound rules.

Click Edit

Select Redshift in Type and Source 0.0.0.0/0 . By this we are basically allowing all inbound traffic. You can also mention specific IP range in source.

Leave the outbound rule as “All traffic”

  • Finally click save.

Congrats!  You have successfully created a security group.

What is MFA and Why it’s important? – Security in Cloud

When you talk about cloud you may have heard about MFA.

Why MFA is important? Before I go into that let me tell you a couple of true incidents.

You may have heard about a company called Code Spaces. But for those who don’t know Code Spaces “was” a code repository company like GitHub.

One day a hacker got control  of the AWS Management Console of Code Space.

Hacker sent a mail to company asking for huge ransom to be paid in 12 hours or he will delete all the data in their AWS account. Many of the Code Spaces engineers tried to get access of their company’s AWS account but failed as the hacker created many backdoor users in account. At the end of time limit hacker deleted everything which was in company’s AWS account which includes all servers, databases and even backups. And within a day company almost get wiped out. You can read the full story here .

Now you must be thinking that I am just a developer or sysops guy and not much of value is in my personal AWS account so i can live without MFA. Unfortunately you are wrong my friend.

We have seen many incidents when developers put their Access key ID and Secret Access Key in code so that they don’t have to authenticate manually.  But these developers may want to work with their friend on the code and they upload it on GitHub. Now the problem is that there are hackers who just search the GitHub to get these keys. And, once they get the key they can easily login to your AWS account.  You  may not have anything valuable in your AWS account, but what the hackers do is they spin up huge instances in your account . They use this computing power for Bit Mining. Once they are done with mining they get the money and you get the bill from AWS. (At times we have seen that AWS may waive off your bill in this situation as one time exception but if you are not so lucky, you may have to pay the huge bill in hundreds or thousands of dollars.) You can check Joe’s detailed story here .

In both the cases the hacking could have been avoided if MFA was activated on account.

So what is MFA?

MFA is Multi Factor Authentication. This is like second level of security for your account.

MFA can be activated through multiple ways including SMS(Text message) or an Application like Google Authenticator in you mobile phone.  By enabling this you add an additional authentication to your account. So once you enable MFA you will enter an additional changing code with your normal login ID and password.

For my account I use Google Authenticator. It’s a free App available on iOS and Android app stores.

How can you enable MFA?

It’s simple, Amazon has given clear steps about how to do it. But if you are not sure follow this post  How to enable MFA in AWS for free?

MFA is easiest and quickest way of defense against hackers. You should also follow other security hardening measures to keep yourself safe in cloud. I’ll discuss about them in next post.

For now it’s recommended you should enable MFA in your account ASAP. Even if you are using Azure or any other Cloud you should enable MFA. Remember security in Cloud is shared responsibility.

Be Safe!

AWS Crash Course – SQS

Today we will discuss about an AWS messaging service called SQS.

  • SQS is Simple Queue Service.
  • It’s a messaging queue service which acts like a buffer between message producing and message receiving components.
  • Using SQS you can decouple the components of an application.
  • Messages can contain upto 256 KB of text in any format.
  • Any component can later retrieve the messages programmatically using the SQS API.
  • SQS queues are dynamically created and scale automatically so you can build and grow applications quickly – and efficiently.
  • You can combine SQS with auto scaling of EC2 instances as per warm up and cool down.
  • Used by companies like Vodafone, BMW, RedBus, Netflix etc.
  • You can use Amazon SQS to exchange sensitive data between applications using server-side encryption (SSE) to encrypt each message body.
  • SQS is pull(or poll) based system. So messages are pulled from SQS queues.
  •  Multiple copies of every message is stored redundantly across multiple availability zones.
  • Amazon SQS is deeply integrated with other AWS services such as EC2, ECS, RDS, Lambda etc.

Two types of SQS queues:-

  • Standard Queue
  • FIFO Queue

Standard Queue :-

  • Standard Queue is the default type offered by SQS
  • Allows nearly unlimited transactions per second.
  • Guarantees that a message will be delivered at least once.
  • But it can deliver the message more than once also.
  • It provides best effort ordering.
  • Messages can be kept from 1 minute to 14 days. Default is 4 days.
  • It has a visibility time out window. And if order is not processed till that time, it will become visible again and processed by another reader.

FIFO Queue :-

  • FIFO queue complements the standard queue.
  • It has First in First Out delivery mechanism.
  • Messages are processed only once.
  • Order of the message is strictly preserved.
  • Duplicates are not introduced in the queue.
  • Supports message groups.
  • Limited to 300 transactions per second.

Hope the above snapshot give you a decent understanding of SQS. If you want to try some handson check this tutorial .

This series is created to give you a quick snapshot of AWS technologies.  You can check about other AWS services in this series over here .