Welcome back to BackSpace Academy. In this lecture and follow-up lab we're going to be looking at how we can connect to our AWS services and resources using a command-line interface. So instead of having to use the AWS Management Console as we've done before, we can use text commands to achieve a lot of what we would normally do with that graphical user interface. We'll start off by looking at the backend service that makes this happen, and that is the AWS application programming interface, or API for short. Then we'll look at the number of different command-line interface applications that we can install on our computer that will allow remote access to those services and resources. We'll also look at the AWS Cloud9 service, and we'll discuss why I primarily use this for anything to do with the command-line interface, and the security concerns around not using AWS Cloud9. And finally we'll finish up by having a lab on using the Cloud9 service with the command-line interface.

When you're using the AWS Management Console like we've done in the past, AWS uses an application programming interface to enable that communication between your remote computer and the AWS services and resources. How that works is that the AWS Management Console that you have been using is simply an application that is running in your browser, and it is sending HTTP calls backwards and forwards to this application programming interface back end on AWS. Now, the documentation is available for the AWS API for many services, for example for the S3 API or the EC2 Query API, but not for everything. So if you wanted to create your own application and there wasn't a software development kit for the language you're using (I can't imagine what language that would be, because there's certainly a very broad range of software development kits that are available), it is possible for you to send HTTP calls to the API, provided you have that authentication done beforehand to actually do that. So it provides that back-end mechanism for that communication, and it's utilized again by the AWS Management Console, and we will also use it with the AWS command-line interface. So that again is an application that's running on your remote computer that will be sending HTTP calls to this API back end.

Also, there are a number of software development kits that wrap the API up into libraries that can be used with, for example, JavaScript, PHP, Python and the like, and so you don't have to actually know how to do these HTTP calls; you just need to know how to use that software development kit, and the documentation for that is of course brilliant. Many other AWS services also use the API for communication within the AWS cloud. API calls to AWS can only be made by authenticated users with valid security credentials. For example, if you're using the Management Console you would have been authenticated through your username and password. If you're using the command-line interface application on a remote computer, then you would need to download an access key ID and secret and use that for authentication with AWS. If you're using an application in your browser that has been developed using one of the many AWS software development kits, then normally you would be issued with IAM temporary credentials.

What that means is that this application that you have may use login with Google, may use login with Facebook or whatever, and it might use your Google account or your Facebook account to authenticate you, and then that will be issuing temporary credentials for you to access the AWS resources through that browser-based application. And finally, we can actually log all of these API calls using the AWS CloudTrail service. That's great: if we have any security issues or any performance issues, we can go back through those CloudTrail logs and make sure that there's nothing untoward going on there.

A picture tells a thousand words. So how does this all work? Down the bottom there we've got our AWS cloud that we want to connect to using our remote computer, and so that remote computer will be sending HTTP API calls to the AWS cloud to get information from the AWS cloud and to issue instructions to the AWS services. So the first way we can do it there is we could have an IAM user, and that user will have a username and password, and they can use that username and password to log in to the AWS Management Console that is running inside of their browser, and the AWS Management Console running on that remote computer will then issue those API calls to the AWS cloud. The second option there is that we could have an IAM user download IAM credentials in the form of an access key and a secret to go with that access key, and so if that is presented to the AWS command-line interface application that is running on that remote computer, that will authenticate that IAM user, and that IAM user will then be able to issue command-line interface commands to the AWS cloud. And finally, if we've got an external user, so this user doesn't have an AWS account: for example, you might have an application like Dropbox, and you have millions of users, and it's not practical, it's actually not even possible, to create a million IAM users, so you need to be able to somehow authenticate those users and to allow those users to temporarily access the AWS cloud. So you would use an application that is written using the software development kits, and that application could authenticate you using an OAuth authentication service; for example it could use the AWS Cognito service, it could use login with Google or login with Facebook to authenticate you, and from that authentication you will have limited and temporary access through that remote computer to the AWS cloud.

Now, to start using the command-line interface, the first thing that you need to do is to have an application running on your computer that can allow that to happen. So the AWS standard CLI application is available for download for Windows, Mac and Linux, and it allows those API commands to be sent to AWS using the Windows command line or a Linux or Mac terminal application. There is also the AWS Shell application, which is a cross-platform stand-alone integrated shell environment that is written in Python and that can provide even more features and more automation features to the CLI application. And finally we've also got the AWS Tools for Windows PowerShell, so you can run CLI commands within Windows PowerShell and at the same time use all of those automation tools that are available within PowerShell. If you want to have a look at all of those CLI tools that are available, just go to the AWS website, aws.amazon.com/CLI.

The AWS Cloud9 service is an integrated development environment, or IDE for short, that is running on an EC2 instance inside one of your VPCs, and you access it through the AWS Management Console. The Cloud9 service has a lot of tools already installed, so it also has the AWS CLI application pre-installed. Now, I predominantly use the AWS Cloud9 service for anything that requires CLI commands to be sent to the AWS cloud, the reason being that it provides increased security, because I don't have to download IAM credentials and have them sitting on a computer to be able to access that service. And that's very important, because if those credentials are compromised, someone can not only use them with the CLI application, they could create their own application using a software development kit, use those IAM credentials and run malicious scripts that could cause a massive amount of damage and a massive amount of financial impact to your AWS infrastructure. Now you may well ask, but what about the username and password that were used to connect to the Management Console? What if that gets compromised? Doesn't it have the same effect? And yes, you are correct, but coming up in the IAM section of this course we'll be talking about how to implement multi-factor authentication on IAM accounts.

So what that means is that if these usernames and passwords are compromised, they cannot be used to log into your account, because there is a secondary, multi-factor authentication process that also needs to be followed.

OK, so that brings us to the end of our discussion on the command-line interface. Coming up next we're going to be getting hands-on with the command-line interface, so I look forward to seeing you in the lab.