Posts

Showing posts from January, 2023

Understanding End-to-End Machine Learning Process (Part 3 of 5)

Image
  To read part 1, please click  here To read part 2, please click  here To read part 4, please click  here To read part 5, please click  here Excavating Data & Sources When you start an ML project, you might realize the need of additional data points to increase the quality of your result. The following options will give you an overview of acquiring additional data carefully: In-house data sources- If the project is run in or with the company, then, firstly look internally. It's advantageous in the fact that it is free of cost, often standardized, and it is easier to find a person with the knowledge of this data as well as how to obtain it. However, it's very difficult to find whatever you are looking for, as it is poorly documented with questionable quality due to bias in data. Open data sources- You can also use freely available datasets as they are typically gigantic in size (terabytes (TB) of data), can cover different time periods, and generally well structured and doc

Understanding End-to-End Machine Learning Process (Part 2 of 5)

Image
  To read part 1, please click  here To read part 3, please click  here To read part 4, please click  here To read part 5, please click  here Classifying ML Algorithms There are three main types of ML algorithms: Supervised Learning- In this one, models are trained with a so-called labeled dataset i.e. we will also know about the required output along with the required input. It's divided into two groups- classification problems works with discrete results having output as a class or group, for example- identifying fraud in money transactions or doing object detection in images; whereas  regression problems works with continuous results with output as a certain value, for example- forecasting prices for houses or the stock market or predicting population growth. However, this learning requires labeling the whole dataset which is generally a tedious task. Unsupervised Learning- As the name suggests, here, models are trained on unlabeled dataset which refers to self-organized learnin

Understanding End-to-End Machine Learning Process (Part 1 of 5)

Image
  To read part 2, please click  here To read part 3, please click  here To read part 4, please click  here To read part 5, please click  here Grasping the Idea Behind ML Nowadays, everybody is familiar with the term AI (Artificial Intelligence) and ML (Machine Learning). But, whatever is known under the AI is simply a reflection of ML solutions and sometimes, ML is unnecessarily used to solve some extremely simple. Hence, it's essential to understand the type of problems ML can solve and the other things about it. Problems & Scenarios Requiring ML ML can be basically described as an ever evolving algorithm, which can also be seen as a one complex mathematical function. All the computer process follows the simple structure of the input-process-output (IPO) model in which we define allowed inputs, process working with them as well as the output via the type of results the process will show us. All these algorithms and processes have one thing in common, i.e., they were manually w

Creating IAM Identity Providers

Image
  Creating OpenID Connect (OIDC) Identity Providers IAM OIDC Identity Providers are the entities describing an external identity provider (IdP) service that can easily support the OIDC standard and after creating them you must create one or more identity roles that can allow your organization's IdP to request temporary security credentials for access to AWS. To create an IAM OIDC identity provider (Console) Firstly, register your application with the IdP to receive a client ID. Now, open the IAM console at https://console.aws.amazon.com/iam/. After that, select Identity Providers, and then Add provider in the navigation pane. Choose OpenID Connect for Configure provider. Now, you can type the URL of the IdP for Provider URL while complying with these restrictions- The URL must be case-sensitive, begin with https://, shouldn't contain a port number, and each OIDC identity provider must use a unique URL. Select Get thumbprint in order to verify the server certificate of your IdP.

Identity Providers & Federation (Part 2)

Image
  To read part 1, please click  here Using Web Identity Federation API Operations for Mobile Apps Using Amazon Cognito as your identity broker offers best results for almost all identity federation scenarios. But, if you have already created an app that can use web identity federation by manually calling the AsumeRoleWithWebIdentity API, you can use it continuously and your apps will be fine. The process for using web identity federation without Amazon Cognito is as follows: Firstly, you have to sign-up as a developer with the external identity provider and configure your apps with the provider. You can also configure multiple apps with each provider. If you use an IdP other than Google, Facebook or Amazon Cognito compatible with OIDC, then create an IAM identity provider entity for it. In IAM, create one or more roles, and define roles and permissions the app's users have, for each role. After that, you have to authenticate your users with the IdP, in your app. However, how to per

Identity Providers & Federation (Part 1)

Image
  To read part 2, please click  here About Web Identity Federation If you want to create a mobile app that can access AWS resources, then, you have to make requests to their services that must be signed with an AWS access key, which is not recommended. Instead you can ask for temporary AWS security credentials dynamically when needed vie Web Identity Federation. Web Identity Federation allows the users of your app to sign-in with the help of a well-known identity provider (IdP) like Amazon, Google, Facebook, etc. In this process, an authentication token is given, which can be exchanged for temporary security credentials in AWS that can map to an IAM role with permissions to use the resources in your account. Hence, IdP will help you keep your AWS account safe as you don't have to embed and distribute long-term security credentials with your application. It's recommended to use Amazon Cognito, because it acts as an identity broker and does much of the federation work for you. Ot

IAM Roles

Image
  Roles Terms & Concepts Role It's an IAM identity created in your account with some specific permissions, and although IAM roles are similar to an IAM user in some aspects, they are always intended to be assumable by anyone who needs it instead of being uniquely associated with one person. Roles can be used by following: An IAM user in the same AWS account as the role. An IAM user in a different AWS account than the role. A web service offered by AWS like Amazon Elastic Compute Cloud (EC2). An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker. AWS Service Role It's a role assumed by any service in order to perform actions in your account on your behalf, hence, you have to always define a role for the service to assume while setting-up some AWS service environments. AWS Service Role for an EC2 Instance This is a special type of role that an application running on a

Managing IAM User Groups (Part 2)

Image
  To Read Part 1, please click  here Attaching a Policy to an IAM User Group If you want to attach a customer managed policy (a policy with custom permissions that you create), you must first create the policy. To attach a policy to a user group (console) Sign-in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. Select the User groups and the group's name in the navigation pane. Choose the Permissions tab. Now you can Add permissions and then Attach policy. The Current permissions policies list shows the attached current policies. You can easily choose the names of the policies you want to attach from the list of Other permissions policies. Choose Attach policies. To attach a policy to a user group (AWS CLI or AWS API) You can do either of the following: AWS CLI: aws iam attach-group-policy. AWS API: AttachGroupPolicy. Renaming an IAM User Group If you change a user group's name or path, then,- Any of the policies attached to the use

Managing IAM User Groups (Part 1)

Image
  To read part 2, please click  here Listing IAM User Groups You can easily list all the user groups in your account, however, if you use AWS API or AWS CLI, then, the user groups will be listed with a particular path prefix. To list all the user groups in your account Do any of the following: AWS Management Console- Choose User groups in the navigation pane. AWS CLI- aws iam list-groups. AWS API- ListGroups. To list the users in a specific user group Do any of the following: AWS Management Console- Choose User groups, the group's name, and then Users tab, in the navigation pane. AWS CLI- aws iam get-group. AWS API- GetGroup. To list all the user groups that a user is in Do any of the following: AWS Management Console- Choose Users, the username, and then the Groups tab, in the navigation pane. AWS CLI- aws iam list-groups-for-user. AWS API- ListGroupsForUser. Adding & Removing Users in an IAM User Group User groups can be utilized to apply same permissions policies across mult

IAM User Groups

Image
  Characteristics Some of the important characteristics of user groups are as follows: A user group may consist of many users and a user can also belong to the multiple user groups. User groups can't be nested; they can contain only users, not other user groups. No default user group containing all the users in the AWS account is automatically available, instead, you have to create it and link each user to it. The number and size of IAM resources in an AWS account is limited. Creating IAM User Groups In order to do that, firstly, you have to create the group, then give it the permissions accordingly, and add users to the group, thus, completing the process. To create an IAM User group & attach policies (console) Similar to the processes discussed before, you have to sign-in to the AWS Management Console and then open the IAM console at https://console.aws.amazon.com/iam/. Now, you can choose the User groups and then Create group in the navigation pane. Type the name of the grou

Managing Server Certificates in IAM

Image
  Uploading a Server Certificate (AWS API) In order to upload a server certificate to IAM, you have to offer the certificate and its matching private key. However, the following criteria must be met before uploading the certificate: The certificate must be valid at the time of upload. The private key must be unencrypted. The certificate, private key, and certificate chain must all be PEM-encoded. Retrieving a Server Certificate (AWS API) If you want to retrieve a certificate via IAM API, send GetServerCertificate request, and if you want to use the AWS Tools for Windows PowerShell to retrieve a certificate, use Get-IAMServerCertificate.  Listing Server Certificates (AWS API) If you want to list your uploaded certificates via IAM API, send a  ListServerCertificates  request, and if you want to use the AWS Tools for Windows PowerShell to list your uploaded server certificates, use  Get-IAMServerCertificates. Tagging & Untagging Server Certificates (AWS API) If you want to tag an exi

Getting Credential Reports for your AWS Account

Image
Understanding the Report Format Credential reports are formatted in Comma-Separated Values (CSV) files and they contain following columns: user- The friendly name of the user. arn- The Amazon Resource Name (ARN) of the user. user_creation_time-  The date and time when a user was created, in ISO 8601 date-time format. password_enabled- This value is True  when a user has a password, otherwise it's False. However, for AWS account root user, the value is n ot_supported. password_last_used- Date and time at which the IAM user's as well as the AWS account root user's password was last used, in ISO 8601 date-time format. password_last_changed- The date and time at which the user's password was last set (in ISO 8601 date-time format). password_next_rotation- This one also shows the date and time at which the user is required to set a new password (in ISO 8601 date-time format). mfa_active- If an MFA device is enabled for a user, then, this value is True otherwise it's Fals

What If an MFA Device is Lost or Stops Working?

Image
  Recovering a Root User MFA Device If you have lost, damage, or unresponsive MFA device for AWS account root user, then, you can sign-in via alternative methods of authentication by verifying your identity with the help of the email and the primary contact number registered with your account. To Sign-in Using Alternative Factors of Authentication As An AWS Account Root User Firstly, sign-in to the AWS Management Console as the account owner by choosing Root user, and entering your AWS account email address as well as password on the next case. Now, select Having problems with your authentication device? Click here; on the Amazon Web Services Sign-in With Authentication Device page. You can also type your password again and Sign-in, if required. After that, you have to select Sign-in using alternative factors in the section with same name. Click on Send Verification email if you want to authenticate your account via email address. You have to check the email linked with your AWS accoun

Deactivating MFA Devices

Image
  To Deactivate an MFA Device for Another IAM User (Console) Just like before, sign-in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com.iam/. Select users in the navigation pane. Now choose a username you want to remove, in order to deactivate the MFA device. Select the Security Credentials tab and then choose Manage next to the Assigned MFA device. Now you can finally choose Remove in the Manage MFA device wizard and remove it. To Deactivate an MFA Device for Your AWS Account Root User (Console) For this one, you have to sign-in to the IAM console as the account owner by selecting Root User and entering your AWS account email address and password. Now, choose your account name on the right side of of the navigation bar and then Continue to Security Credentials. Expand the MFA section. Now you can finally choose Deactivate, in the row for the MFA device you want to deactivate. To Deactivate an MFA Device for an IAM User (AWS CLI) In order to perf

Enabling a FIDO Security Key (Console)

Image
  To Enable a FIDO Security Key for Your Own IAM User (Console) In order to sign-in to your IAM console, you can use your AWS account ID or account alias, your account IAM username, and your password. You can choose your username and then My Security Credentials, in the navigation bar on the upper right. Select Manage MFA Device in the MFA section on the AWS IAM Credentials tab. Choose FIDO Security Key and then Continue in the Manage MFA device wizard, Now insert the FIDO security key into your computer's USB port. Tap the FIDO2 security key, and then choose Close when the setup is complete. To Enable a FIDO Security Key for Another IAM User (Console) You have to sign-in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. Choose Users in the navigation pane. Now select the username to enable an MFA, and then the Security Credentials tab. Choose Manage near the Assigned MFA device. After that select the FIDO Security Key, and then Continue

Enable a Virtual MFA Device for an IAM User (Console)

Image
  To Enable a Virtual MFA Device for an IAM User (Console) Firstly, just like the others, you have to sign-in to the AWS Management Console and open the IAM console at https:// console.aws.amazon.com/iam/. Then, choose Users in the navigation pane. You have to select a username for the intended MFA user in the User Name list. Select the Security Credentials tab and then Manage next to the Assigned MFA Device.  Choose Virtual MFA Device and then Continue, in the Manage MFA Device Wizard. Now open your virtual MFA app.  Determine whether the MFA app supports QR codes or not and then perform the following actions- Choose Show QR code from the wizard, and then use the app to scan it. Now, choose Show Secret key in the Manage MFA Device wizard, and the type it into your MFA app.      8.  Now, inside the MFA Code 1 box in the Manage MFA Device wizard, type the OTP occurred in              the virtual MFA device. After that you can type the second OTP (after waiting for at least 30           

Using Multi-Factor Authentication (MFA) AWS

Image
  What's MFA? It's a tool to add extra security by providing unique authentication system via an AWS supported MFA mechanism along with their regular sign-in credentials for accessing AWS websites or services. They are as follows: Virtual MFA Devices- It's a software app that runs on mobiles or other devices, and can generate a six-digit numeric code according to a time-synchronized one-time password algorithm.  FIDO Security Key- It's a device that can be plugged-in to a computer's USB port. The enabled FIDO2 security key allows you to sign-in via your security credentials and then simply tapping it not manually entering the code. Hardware MFA Device- Similar to the virtual MFA devices, this one also generates a six-digit numeric code according to a time synchronized one-time password algorithm. Each MFA device assigned to a user should be unique. NOTE- SMS text message-based MFA- The support to enable an SMS MFA has ended by AWS and it's recommended that custo