Overview

This section will cover general AWS terms and concepts, in addition to a brief overview of AWS cloud service categories and offerings.

Accounts

After initially signing up for AWS, a default root account is created. AWS accounts function as containers for organizing and isolating cloud resources. For example, deployment environments, such as development, staging, and production, often utilize distinct AWS accounts. In addition, accounts act as a security boundary, ensuring only authorized users and systems can access particular cloud resources.1

An AWS account has the following unique identifiers:2

  • AWS Account ID: 12-digit unique ID
  • Canonical User ID: Obfuscated form of the account ID. Used when granting cross-account access to cloud resources.

The active account ID can be fetched from the Security Token Service (STS) with the following CLI command:

Command

aws sts get-caller-identity --query Account --output text

Output

123456789012

The command aws sts get-caller-identity fetches the identity that the CLI is currently using, which includes the user ID, the account ID, and the user's Amazon Resource Name (ARN). The --query flag selects a particular field of the response to output, and --output specifies the desired format (yaml, json, text, etc.).3 4

The simplest way to fetch the canonical ID is via the Simple Storage Service (S3) API CLI command.

Command

aws s3api list-buckets --query Owner.ID --output text

Output

79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be

Account Alias

Account aliases are public-facing, globally unique labels to simplify the console sign-in URL.

https://<account_alias>.signin.aws.amazon.com/console/

While the original sign-in URL https://<account_id>.signin.aws.amazon.com/console/ remains active, the account alias may provide a more user-friendly identifier. A single account may have multiple account aliases associated with it.

CLI Overview

Account aliases are managed through the Identity and Access Management (IAM) service and may be provisioned, listed, and deleted using the AWS CLI.

Example 1: Creating an Account Alias

Command

aws iam create-account-alias --account-alias techsquawks

Example 2: Listing Account Aliases

Command

aws iam list-account-aliases

Output

{
    "AccountAliases": [
        "techsquawks"
    ]
}

Example 3: Deleting an Account Alias

Command

aws iam delete-account-alias --account-alias techsquawks

Password Policy

Accounts may optionally be associated with a single password policy, which dictates the minimum password complexity for account users in order to avoid weak passwords. Password policies consist of the following components:1

  • AllowUsersToChangePassword: Boolean allowing users to change their own passwords from the AWS console. (Default value: false)
  • HardExpiry: Boolean indicating that users will be unable to reset their password via the AWS Console after their current password has expired. (Default value: false)
  • MaxPasswordAge: The number of days that a password is valid for, no less than 0 but not exceeding 1095 (with 0 indicating that the password never expires). (Default value: 0)
  • MinimumPasswordLength: The minimum number of password characters, no less than 6 but not exceeding 128. (Default value: 6)
  • PasswordReusePrevention: The number of previous passwords that account users are prevented from reusing.
  • RequireLowercaseCharacters: Boolean indicating that passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z). (Default value: false)
  • RequireNumbers: Boolean indicating that passwords must contain at least one numeric character (0 to 9). (Default value: false)
  • RequireSymbols: Boolean indicating passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ' (Default value: false)
  • RequireUppercaseCharacters: Boolean indicating passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). (Default value: false)

CLI Overview

Example 1: Creating/Updating Password Policy

See the AWS CLI reference for additional arguments. Fields not specified in the arguments are set to their default values.

Command

aws iam update-account-password-policy

Example 2: Fetch Account Password Policy

Command

aws iam get-account-password-policy

Output

{
    "PasswordPolicy": {
        "MinimumPasswordLength": 6,
        "RequireSymbols": false,
        "RequireNumbers": false,
        "RequireUppercaseCharacters": false,
        "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": false,
        "ExpirePasswords": false
    }
}

Example 3: Deleting Account Password Policy

Command

aws iam delete-account-password-policy
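As an added example (not part of the original page or of the AWS CLI), the following Python audits a get-account-password-policy response against a hardened baseline and builds the matching update-account-password-policy command. The thresholds (14 characters, 90-day expiry, 24-password history) are this example's own assumptions, not AWS defaults.

```python
import json

# Hardened thresholds used by this example; they are assumptions chosen for
# illustration, not AWS defaults and not an official AWS recommendation.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90
REUSE_HISTORY = 24
REQUIRED_FLAGS = ("RequireSymbols", "RequireNumbers", "RequireUppercaseCharacters",
                  "RequireLowercaseCharacters", "AllowUsersToChangePassword")

# Constructed sample: the all-defaults policy shown in the Output above.
DEFAULT_POLICY = json.loads("""{
    "PasswordPolicy": {
        "MinimumPasswordLength": 6, "RequireSymbols": false, "RequireNumbers": false,
        "RequireUppercaseCharacters": false, "RequireLowercaseCharacters": false,
        "AllowUsersToChangePassword": false, "ExpirePasswords": false
    }
}""")


def audit_password_policy(policy: dict) -> list[str]:
    """Return one finding per deviation from the thresholds above (empty = compliant).

    Keys absent from the response take the service defaults listed in the
    component breakdown: booleans false, length 6, MaxPasswordAge 0 (never expires).
    """
    p = policy.get("PasswordPolicy", policy)
    findings = [f"{flag} is false" for flag in REQUIRED_FLAGS if not p.get(flag, False)]
    if p.get("MinimumPasswordLength", 6) < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength below {MIN_LENGTH}")
    age = p.get("MaxPasswordAge", 0)
    if age == 0:
        findings.append("MaxPasswordAge is 0: passwords never expire")
    elif age > MAX_AGE_DAYS:
        findings.append(f"MaxPasswordAge exceeds {MAX_AGE_DAYS} days")
    if p.get("PasswordReusePrevention", 0) < REUSE_HISTORY:
        findings.append(f"PasswordReusePrevention below {REUSE_HISTORY}")
    return findings


def remediation_command() -> str:
    """Build the update-account-password-policy call that applies the thresholds."""
    return " ".join([
        "aws iam update-account-password-policy",
        f"--minimum-password-length {MIN_LENGTH} --max-password-age {MAX_AGE_DAYS}",
        f"--password-reuse-prevention {REUSE_HISTORY}",
        "--require-symbols --require-numbers --require-uppercase-characters",
        "--require-lowercase-characters --allow-users-to-change-password",
    ])
```

Running audit_password_policy on DEFAULT_POLICY reports eight findings; an empty list means the account already meets the baseline.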

Regions and Availability Zones

Regions

An AWS region is a geographic area that contains interconnected AWS data centers used for provisioning cloud resources. Available regions can be listed with the following CLI command:

Command

aws ec2 describe-regions --all-regions --query 'Regions[*].RegionName'

Output

[
    "af-south-1",
    "eu-north-1",
    "ap-south-1",
    ...
]

Regions are isolated from one another for additional fault tolerance and stability.1 AWS cloud service offerings may differ between regions. Therefore, cloud engineers should verify that any required cloud services are available in the desired regions before beginning development.

Availability Zones

An availability zone (commonly abbreviated as AZ) is one or more discrete AWS data centers with redundant connectivity, networking, and power within a given AWS region. AZs are interconnected through low-latency networking and data replication. It is considered best practice to deploy cloud applications across multiple AZs for increased fault tolerance, in the event that one or more AZs experience technical outages.2

AZ names are of the format <region-name><letter a-z>. For example:

Command

aws ec2 describe-availability-zones --query 'AvailabilityZones[*].ZoneName' --region us-east-2

Output

[
    "us-east-2a",
    "us-east-2b",
    "us-east-2c"
]

Resources

A resource is a broad term for any cloud entity that can be provisioned in AWS. For instance, servers, virtual private networks, networking policies, and account users are considered AWS resources. Every resource is associated with an Amazon Resource Name (ARN), which uniquely identifies it. ARNs have one of the following formats:1

arn:aws:[service]:[region]:[account-id]:[resource-id]
arn:aws:[service]:[region]:[account-id]:[resource-type]:[resource-id]
arn:aws:[service]:[region]:[account-id]:[resource-type]/[resource-id]

A breakdown of the above fields is provided below:

  • service: The AWS service with which the resource is associated
  • region: The region in which the resource is located
  • account-id: The account which contains the resource
  • resource-type: The type of service resource (e.g. users, compute servers, managed databases, etc.)
  • resource-id: The unique resource identifier

Info

Certain resources omit the region, the account-id, or both from the ARN, leaving the corresponding field empty.

For instance, the following fetches the ARN of the active AWS user associated with the local developer's AWS credentials.

Command

aws sts get-caller-identity --query Arn --output text --region us-east-1

Output

arn:aws:iam::012345678910:user/username

In the above output, iam refers to the AWS Identity and Access Management service. This is followed by an empty region field (IAM is a global service), the account number which owns the user entity, and finally the resource type user with the resource ID username.
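As an added example that is not part of the original page, the following Python parses an ARN into the fields described above, handling all three layouts and the omitted region and account-id. The rds and s3 ARNs in SAMPLES are constructed for illustration; only the IAM user ARN comes from the Output above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Arn:
    partition: str              # "aws" in the formats above
    service: str
    region: Optional[str]       # None when the ARN leaves the field empty
    account_id: Optional[str]   # None when the ARN leaves the field empty
    resource_type: Optional[str]
    resource_id: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields, accepting all three layouts listed above.

    The resource portion is cut at its first ':' or '/', whichever comes
    first, so a resource-id that itself contains slashes (an IAM user with
    a path, a log group name) is returned intact.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if not service or not resource:
        raise ValueError(f"ARN is missing its service or resource: {arn!r}")
    resource_type: Optional[str] = None
    resource_id = resource
    cuts = [i for i in (resource.find(":"), resource.find("/")) if i != -1]
    if cuts:
        cut = min(cuts)
        resource_type, resource_id = resource[:cut], resource[cut + 1:]
    return Arn(partition, service, region or None, account_id or None,
               resource_type, resource_id)


# Constructed samples: the IAM user ARN from the Output above plus two
# hypothetical ARNs showing the other layouts and the omitted fields.
SAMPLES = (
    "arn:aws:iam::012345678910:user/username",            # no region: type/id
    "arn:aws:rds:us-east-2:012345678910:db:example-db",   # type:id
    "arn:aws:s3:::example-bucket",                        # no region, no account
)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_arn(sample))
```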

Tags

Tags are user-defined metadata that can be attached to resources. This can be used to distinguish and group resources.

For instance, to add a tag to the active user:

Command

export USERNAME=$(aws iam get-user --query User.UserName --output text)
aws iam tag-user --user-name "$USERNAME" --tags Key=Tag,Value="You are it!"
aws iam list-user-tags --user-name "$USERNAME"

Output

{
    "Tags": [
        {
            "Key": "Tag",
            "Value": "You are it!"
        }
    ],
    "IsTruncated": false
}

Services

AWS cloud resources are provisioned through services: APIs accessible through the AWS console or programmatically. As an introduction, common service categories and offerings are briefly explored here.1 2

Info

Service offerings and pricing may differ between regions. This should be taken into account when designing cloud applications. A complete listing of AWS services by region is available here.

Compute

Compute services enable users to run and host programs and applications.

  • EC2 (Elastic Compute Cloud): Provisioning and managing virtual and private physical servers
  • ECS (Elastic Container Service): Executing containerized applications on custom infrastructure
  • EKS (Elastic Kubernetes Service): Managed Kubernetes clusters
  • Lambda: Code execution in ephemeral environments without the need to provision or manage the underlying infrastructure

Storage

AWS offers various data storage services of the following types:

  • Object Storage: Stores objects, composed of data and user metadata.
  • Block Storage: Data is stored within a block of memory3
  • File Storage: Storage provided via a file system.

  • S3 (Simple Storage Service): Object storage where data is uploaded to uniquely named buckets under a unique key
  • EBS (Elastic Block Store): Provides SSD and HDD block storage volumes for EC2 servers
  • EFS (Elastic File System): Serverless remote storage via the NFSv4 protocol

Database

While databases can be configured by leveraging both compute and storage services, AWS offers database services to facilitate provisioning, managing, and monitoring such systems. These offerings include the following database types:

  • In-Memory: Intended to store frequently accessed values for increased read-performance.
  • Relational: Tabular row data, similar to data stored in spreadsheets. Data typically well-defined.
  • NoSQL: Data stored in documents (key-value pairs) that may not necessarily have a well-defined schema.
  • Time Series: Data is indexed in such a manner so that is easy to query and analyze within a given date range.

  • ElastiCache: Managed Redis and Memcached in-memory databases
  • RDS (Relational Database Service): For provisioning relational database systems (MySQL, Postgres, etc.)
  • DynamoDB: Key-value NoSQL database
  • DocumentDB: MongoDB-compatible NoSQL document database
  • Timestream: Time series database that enables querying for data within a certain date range

Info

While listed under the analytics category, AWS offers Redshift, a Postgres-esque columnar database, for querying larger datasets. It is intended as a data warehousing solution rather than a general-use database.

Networking & Content Delivery

Networking & Content Delivery services allow cloud developers to define virtual networks, firewall rules, and CDNs to improve latency.

  • VPC: Define virtual private networks within a given IP range
  • CloudFront: Managed CDN for content delivery in different regions of the globe
  • Route 53: Amazon's DNS service

Security, Identity, & Compliance

Security, Identity, & Compliance services assist with securing and auditing access to both AWS account resources and cloud applications.

  • IAM: Ensures authorized access to AWS cloud resources
  • Cognito: Provides identity and login management for cloud applications
  • Secrets Manager: Manages storage and access of private application values (e.g. database credentials, private application keys, etc.)

Management and Governance

Management and Governance services are responsible for providing visibility into financial, application, and user activity in the AWS cloud.

  • CloudWatch: Application and service logging
  • CloudTrail: Audit trail of cloud account activities