How to create a security group in AWS?

In this tutorial we will create a security group which we will use later while creating our Redshift cluster.
  • Log in to your AWS VPC Console.
  • In the left navigation pane select Security Groups.
  • In the Security Groups section click on Create Security Group.
  • Enter the details as below:
    Name tag: redshiftsg
    Group name: redshiftsg
    Description: redshift security group
    VPC: <Select your VPC or, if you are not sure, leave it as default>
  • Once the details are filled in, click on Yes, Create.
  • Now select the security group you just created.
  • In the bottom pane click on Inbound Rules, then click Edit.
  • Select Redshift in Type and enter 0.0.0.0/0 in Source. This allows inbound connections to the Redshift port from any IPv4 address. You can instead enter a specific IP range in Source so that only those addresses can connect.
  • Leave the outbound rule as “All traffic”.
  • Finally click Save.
Congrats! You have successfully created a security group.
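A source of 0.0.0.0/0 means the Redshift port is reachable from the whole internet, so in practice you want a way to spot such rules and replace them with a narrow client range. The following Python is an added example, not code from the original post or from AWS: it parses a constructed sample in the shape of `aws ec2 describe-security-groups` output (the group id is a placeholder, not a real resource), reports any rule that exposes port 5439 to 0.0.0.0/0 or ::/0, and builds the equivalent rule limited to a single CIDR (203.0.113.0/24 is documentation address space, standing in for your office or VPN range). The function names are my own.

```python
import ipaddress
import json

REDSHIFT_PORT = 5439  # default Redshift listener port

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group id is a placeholder, not a real resource.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-PLACEHOLDER",
        "GroupName": "redshiftsg",
        "Description": "redshift security group",
        "IpPermissions": [{
            "IpProtocol": "tcp",
            "FromPort": 5439,
            "ToPort": 5439,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [],
        }],
    }]
})


def permission_covers_port(perm: dict, port: int) -> bool:
    """True if the rule applies to `port`: all protocols (-1) or a TCP range containing it."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_sources(perm: dict) -> list:
    """CIDR sources in the rule that mean 'anyone on the internet' (prefix length 0)."""
    open_cidrs = []
    for r in perm.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0:
            open_cidrs.append(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"]).prefixlen == 0:
            open_cidrs.append(r["CidrIpv6"])
    return open_cidrs


def find_world_open_rules(describe_output, port: int = REDSHIFT_PORT) -> list:
    """Return (GroupId, cidr) pairs for rules exposing `port` to 0.0.0.0/0 or ::/0.
    Accepts the JSON text from the CLI or an already-parsed dict."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    findings = []
    for sg in data["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_port(perm, port):
                continue
            for cidr in world_open_sources(perm):
                findings.append((sg["GroupId"], cidr))
    return findings


def restricted_rule(cidr: str, port: int = REDSHIFT_PORT) -> dict:
    """Build the IpPermissions entry for the same port limited to one client CIDR.
    Raises ValueError for a malformed CIDR or for a world-open one."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("refusing to build a world-open rule")
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if net.version == 4:
        rule["IpRanges"] = [{"CidrIp": str(net)}]
    else:
        rule["Ipv6Ranges"] = [{"CidrIpv6": str(net)}]
    return rule


if __name__ == "__main__":
    for group_id, cidr in find_world_open_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id}: Redshift port {REDSHIFT_PORT} open to {cidr}")
    # 203.0.113.0/24 is documentation space, a stand-in for your own client range
    print(json.dumps(restricted_rule("203.0.113.0/24")))
```

Feed it the real output of `aws ec2 describe-security-groups --group-names redshiftsg` and it checks the group this tutorial creates; the finder is written generally enough to also flag an all-protocols (-1) rule or an IPv6 ::/0 source, which the single-rule sample above does not exercise.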

What is MFA and why is it important? - Security in Cloud

When you talk about the cloud you may have heard about MFA.
Why is MFA important? Before I go into that, let me tell you about a couple of true incidents.
You may have heard about a company called Code Spaces. For those who don’t know, Code Spaces “was” a code repository company like GitHub.
One day a hacker got control of the AWS Management Console of Code Spaces.
The hacker sent a mail to the company asking for a huge ransom to be paid within 12 hours or he would delete all the data in their AWS account. Many of the Code Spaces engineers tried to get access to their company’s AWS account but failed, as the hacker had created many backdoor users in the account. At the end of the time limit the hacker deleted everything in the company’s AWS account, including all servers, databases and even backups. Within a day the company was almost wiped out. You can read the full story here.
Now you must be thinking, “I am just a developer or sysops guy and there is not much of value in my personal AWS account, so I can live without MFA.” Unfortunately you are wrong, my friend.
We have seen many incidents where developers put their Access Key ID and Secret Access Key in code so that they don’t have to authenticate manually. These developers may then want to work with a friend on the code and upload it to GitHub. The problem is that there are hackers who simply search GitHub for these keys, and once they have a key they can easily log in to your AWS account. You may not have anything valuable in your AWS account, but what the hackers do is spin up huge instances in it and use the computing power for Bitcoin mining. Once they are done mining they keep the money and you get the bill from AWS. (At times we have seen AWS waive the bill in this situation as a one-time exception, but if you are not so lucky you may have to pay a huge bill of hundreds or thousands of dollars.) You can check Joe’s detailed story here.
In both cases the hacking could have been avoided if MFA had been activated on the account.
So what is MFA?
MFA is Multi-Factor Authentication. It is a second level of security for your account.
MFA can be activated in multiple ways, including SMS (text message) or an application like Google Authenticator on your mobile phone. By enabling it you add an additional authentication factor to your account: once MFA is enabled you enter an additional, constantly changing code along with your normal login ID and password.
For my account I use Google Authenticator. It’s a free app available on the iOS and Android app stores.
How can you enable MFA?
It’s simple; Amazon has given clear steps on how to do it. But if you are not sure, follow this post: How to enable MFA in AWS for free?
MFA is the easiest and quickest defense against hackers. You should also follow other security hardening measures to keep yourself safe in the cloud; I’ll discuss them in the next post.
For now it’s recommended that you enable MFA on your account ASAP. Even if you are using Azure or any other cloud you should enable MFA. Remember, security in the cloud is a shared responsibility.
Be Safe!

Solved: How to enable MFA in AWS for free?

MFA is extremely important to keep your account safe.
Below we will show you how to enable MFA using Google Authenticator. It’s a free app available on both the iOS and Android stores.
  1. Log in to your IAM console at https://console.aws.amazon.com/iam/
  2. In the IAM Dashboard, below Security Status, you will see an option “Activate MFA on your root account”.
  3. Click on “Activate MFA on your root account”.
  4. Click on “Manage MFA”.
  5. In the pop-up select “A virtual MFA device” and click on Next.
  6. Now download “Google Authenticator” on your mobile from the iOS or Android app store.
  7. Once the app is installed, open it and click on the + sign in the app.
  8. It will give you an option “Scan a Barcode”. Click on that.
  9. Now go back to your AWS console and click Next.
  10. You will now see a QR code in AWS. Scan it with your mobile using the scanner you opened in step 8.
  11. You will now see a 6-digit code on your phone. Enter the code in AWS in “Authentication Code 1”.
  12. After a few seconds you will see a new code on the phone; enter that new code in AWS in “Authentication Code 2”. Ensure that both codes are generated in consecutive sequence.
  13. Click on “Activate Virtual MFA”.
  14. That’s all! Next time you log in to the AWS console you will need the code from “Google Authenticator” along with your user ID and password. This small activity will keep you safe.
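To make the “constantly changing code” from the previous post concrete, and to show why step 12 asks for two consecutive codes, here is an added example in Python. It is not code from the original posts, from AWS or from Google: it implements the TOTP algorithm (RFC 6238: HMAC-SHA1 over a counter of 30-second time steps, truncated to 6 digits) that Google Authenticator and the AWS virtual MFA device both use, decodes the base32 secret the app stores, and models the two server-side checks. `verify_enrollment` accepts the device only when code 1 and code 2 belong to adjacent time steps, which proves the phone holds the right secret and its clock is in sync; `verify_login` is the everyday check with a one-step clock tolerance. Both verifiers are my own simplified models, not AWS’s implementation, and the secret used at the bottom is the RFC 6238 test value, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); 30 s and 6 digits are
    the defaults Google Authenticator and the AWS virtual MFA device use."""
    return hotp(secret, at // step, digits)


def decode_authenticator_secret(text: str) -> bytes:
    """The QR code / manual-entry secret is unpadded base32, often shown in groups of four."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_enrollment(secret: bytes, code1: str, code2: str, now: int,
                      step: int = 30, skew: int = 1) -> bool:
    """Simplified model of the two-code activation check (not AWS's code): code1 must be
    the code for some time step T and code2 the code for T+1, with T within +/- skew
    steps of the server clock. compare_digest keeps the comparison constant-time."""
    current = now // step
    for t in range(max(0, current - skew - 1), current + skew + 1):
        if hmac.compare_digest(hotp(secret, t), code1) and \
           hmac.compare_digest(hotp(secret, t + 1), code2):
            return True
    return False


def verify_login(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Simplified model of the login check: accept the current step or one step either side.
    A real server also records the accepted step so the same code cannot be replayed."""
    current = now // step
    return any(hmac.compare_digest(hotp(secret, t), code)
               for t in range(max(0, current - skew), current + skew + 1))


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890" in Authenticator-style base32 (not a real credential)
    secret = decode_authenticator_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = int(time.time())
    print("code now:", totp(secret, now), "next:", totp(secret, now + 30))
```

Running the file prints the current and next code for the test secret; pasting that base32 string into Google Authenticator as a manual entry shows the same digits, which is a quick way to convince yourself that the app holds nothing more than this shared secret and a clock, and hence why the secret must never be reused or shared.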
If you want to enable MFA for a specific user, check this post: MFA device for a user.
The next step should be to set a billing alert which will let you know if you are going above your billing limits. Check this post: AWS Billing Alert.

AWS Crash Course - SQS

Today we will discuss an AWS messaging service called SQS.
  • SQS is Simple Queue Service.
  • It’s a message queue service which acts as a buffer between message-producing and message-receiving components.
  • Using SQS you can decouple the components of an application.
  • Messages can contain up to 256 KB of text in any format.
  • Any component can later retrieve the messages programmatically using the SQS API.
  • SQS queues are dynamically created and scale automatically, so you can build and grow applications quickly and efficiently.
  • You can combine SQS with auto scaling of EC2 instances, scaling out and in as the queue warms up and cools down.
  • Used by companies like Vodafone, BMW, RedBus, Netflix etc.
  • You can use Amazon SQS to exchange sensitive data between applications, using server-side encryption (SSE) to encrypt each message body.
  • SQS is a pull (or poll) based system, so messages are pulled from SQS queues by the consumers.
  • Multiple copies of every message are stored redundantly across multiple availability zones.
  • Amazon SQS is deeply integrated with other AWS services such as EC2, ECS, RDS, Lambda etc.
Two types of SQS queues:-
  • Standard Queue
  • FIFO Queue
Standard Queue :-
  • Standard Queue is the default type offered by SQS.
  • Allows nearly unlimited transactions per second.
  • Guarantees that a message will be delivered at least once.
  • But it can also deliver the same message more than once.
  • It provides best-effort ordering.
  • Messages can be kept from 1 minute to 14 days. The default is 4 days.
  • It has a visibility timeout window: if a message is not processed and deleted within that time, it becomes visible again and can be processed by another reader.
FIFO Queue :-
  • FIFO queue complements the standard queue.
  • It has a First In, First Out delivery mechanism.
  • Messages are processed only once.
  • Order of the messages is strictly preserved.
  • Duplicates are not introduced into the queue.
  • Supports message groups.
  • Limited to 300 transactions per second.
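The bullets above describe behaviour that is easiest to understand by watching it happen. The following Python is an added in-memory model written for this page; it is not the SQS service and not code from the original post or from AWS. It reproduces the behaviours listed for both queue types: in a standard queue a received but not deleted message becomes visible again after the visibility timeout (the at-least-once redelivery), while a FIFO queue drops a message whose deduplication id has already been seen and, per message group, hands out nothing further while an earlier message of that group is in flight (which is how strict ordering is kept). The `QueueModel` class and its method names are my own; a real consumer would use boto3’s `receive_message` and `delete_message` calls instead. Time is passed in explicitly so the scenario is deterministic.

```python
import hashlib
import itertools
from dataclasses import dataclass
from typing import List, Optional

MAX_MESSAGE_BYTES = 256 * 1024  # SQS message body limit


@dataclass
class Message:
    body: str
    group_id: Optional[str] = None      # MessageGroupId (FIFO only)
    dedup_id: Optional[str] = None      # MessageDeduplicationId (FIFO only)
    receipt: str = ""                   # receipt handle of the latest receive
    invisible_until: float = 0.0        # hidden from consumers until this time
    receive_count: int = 0              # how many times it has been handed out


class QueueModel:
    """In-memory model of a standard or FIFO queue (teaching aid, not the SQS service)."""

    def __init__(self, fifo: bool = False, visibility_timeout: int = 30):
        self.fifo = fifo
        self.visibility_timeout = visibility_timeout   # SQS default is 30 seconds
        self._messages: List[Message] = []
        self._seen_dedup_ids = set()   # real SQS forgets these after a 5-minute window
        self._receipts = itertools.count(1)

    def send(self, body: str, group_id: Optional[str] = None,
             dedup_id: Optional[str] = None) -> bool:
        """Enqueue a message. Returns False when a FIFO queue drops it as a duplicate."""
        if len(body.encode("utf-8")) > MAX_MESSAGE_BYTES:
            raise ValueError("message body exceeds 256 KB")
        if self.fifo:
            if group_id is None:
                raise ValueError("FIFO queues require a MessageGroupId")
            if dedup_id is None:  # content-based deduplication: hash of the body
                dedup_id = hashlib.sha256(body.encode("utf-8")).hexdigest()
            if dedup_id in self._seen_dedup_ids:
                return False
            self._seen_dedup_ids.add(dedup_id)
        self._messages.append(Message(body, group_id, dedup_id))
        return True

    def receive(self, now: float, max_messages: int = 1) -> List[Message]:
        """Hand out visible messages and hide each for visibility_timeout seconds.
        FIFO: a group with an in-flight message yields nothing further until that
        message is deleted or its timeout expires, preserving per-group order."""
        delivered: List[Message] = []
        blocked_groups = set()
        for m in self._messages:
            if m.invisible_until > now:
                if self.fifo:
                    blocked_groups.add(m.group_id)
                continue
            if self.fifo and m.group_id in blocked_groups:
                continue
            m.invisible_until = now + self.visibility_timeout
            m.receive_count += 1
            m.receipt = f"receipt-{next(self._receipts)}"
            delivered.append(m)
            if len(delivered) == max_messages:
                break
        return delivered

    def delete(self, receipt: str) -> None:
        """A consumer acknowledges by deleting; an un-deleted message returns after the timeout."""
        self._messages = [m for m in self._messages if m.receipt != receipt]

    def pending(self) -> int:
        """Messages still in the queue, visible or in flight."""
        return len(self._messages)


if __name__ == "__main__":
    q = QueueModel(fifo=False, visibility_timeout=30)
    q.send("order-1")
    first = q.receive(now=0)           # consumer receives, then crashes without deleting
    print("t=0 ", [m.body for m in first])
    print("t=10", [m.body for m in q.receive(now=10)])   # still hidden
    print("t=31", [(m.body, m.receive_count) for m in q.receive(now=31)])  # redelivered
```

The standard-queue run above is exactly the case the visibility-timeout bullet describes, and it is why every consumer must be idempotent: the same message can arrive twice. The FIFO side of the model is what a consumer relies on when it needs a strict order within a group (say, all events for one customer) while different groups are still processed in parallel.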
Hope the above snapshot gives you a decent understanding of SQS. If you want to try some hands-on practice, check this tutorial.
This series is created to give you a quick snapshot of AWS technologies. You can check out other AWS services in this series over here.

Which AWS certification is suitable for me?

Many people have asked me which AWS certification they should do to help their career in the near future.
AWS provides the certifications below:
Beginner
AWS Certified Cloud Practitioner
Associate level
AWS Certified Developer – Associate
AWS Certified SysOps Administrator – Associate
AWS Certified Solutions Architect – Associate
Professional level
AWS Certified DevOps Engineer – Professional
AWS Certified Solutions Architect – Professional
Specialty Certifications
AWS Certified Big Data – Specialty
AWS Certified Advanced Networking – Specialty
Now coming to the point: which AWS certification is best for you?
If you are a fresher you should go for either AWS Certified Cloud Practitioner or AWS Certified Developer – Associate. These are the easiest of all the AWS exams and will give you a good base.
If you have less than 5 to 6 years of experience in the IT industry and you are from a development background, you should go for the AWS Certified Developer – Associate certification.
Similarly, if you have less than 5 to 6 years of experience in the IT industry and you are from a system admin background, you should go for the AWS Certified SysOps Administrator – Associate certification.
If you have 8 to 9+ years of experience in the IT industry you can go for the AWS Certified Solutions Architect – Associate certification. The reason for expecting more experience for the Architect certification is that generally you can’t send a person with 2-3 years of experience in front of the client as an Architect, because the client may not accept such a young person being given responsibility for designing their environment. There are always exceptions, but this is generally the trend we have seen.
Also, if you are from a pre-sales or sales background you can go for AWS Certified Cloud Practitioner and later the Architect exam.
If you are from a Database Admin background then going for the AWS Certified Big Data – Specialty certification will be a natural progression and a big plus on your resume.
If you are from a networking background then the AWS Certified Advanced Networking – Specialty certification will be a good choice and a natural progression for you.
Once you have gained approximately 2 years of experience with AWS you can go for the professional certifications. Dev and SysOps people can go for AWS Certified DevOps Engineer – Professional and Architects can naturally move to AWS Certified Solutions Architect – Professional.
Learning about all of the above certifications will be a huge advantage, but to start with, the above approach should be a good beginning.
We have recently seen a trend where jobs are posted only for a Redshift Architect or an IAM Architect, so things may change in future when people look for specialists in only one or two AWS services.
If you want a quick snapshot of AWS services you can refer to our free AWS Crash Course.
Do let me know what you think about this, and if you have any queries or suggestions ask in the comments section.