Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

Feature of Identity and Access Management

• Centralize control of your AWS account
• Shared access to your AWS account
• Granular permission
• Identity federation (facebook, linkedin, Active Directory)
• Multifactor Authentication
• Provide temporary access to user/devices/Services
• Allow to set up own password rotation policies.

Different Components Of IAM

User
An IAM user is an entity that you create in AWS. The IAM user represents the person or service who uses the IAM user to interact with AWS. A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI.

Group
An IAM group is a collection of IAM users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users.

Role
An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. Role does not have any credentials (password or access keys) associated with it.

Policies
A policy is an entity that, when attached to an identity or resource, defines their permissions. Policies are stored in AWS as JSON documents and are attached to principals as identity-based policies in IAM. You can attach an identity-based policy to a principal (or identity), such as an IAM group, user, or role. Identity-based policies include AWS managed policies, customer managed policies, and inline policies.

Different Types of Policies

AWS Managed Policies

An AWS managed policy is a standalone policy that is created and administered by AWS. Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name.

• A single manage policy can be attached to multiple user, group or rules within sane AWS count or across different account.
• You cannot change the permission define in a AWS manage policy.

Customer Managed Policies

You can create standalone policies that you administer in your own AWS account, which we refer to as customer managed policies. You can then attach the policies to multiple principal entities in your AWS account.

• You can be attached this policy to multiple user, group or rules within your own account.
• You can copy existing AWS manage policy and customize it and create Customer manage policy.

Inline Policies

An inline policy is a policy that's embedded in a principal entity (a user, group, or role)-that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.

• When you delete user, group and roles then policy will be deleted.
• Inline policy useful when you want to be sure that the permission in policy are not assigned to other user, group or roles.

Example Of Policy

{
  "Version": "2012-10-17",
  "Id": "S3-Account-Permissions",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ]
  }]
}
Version: Specify the version of the policy language,use the latest 2012-10-17 version.
Statement: Use this main policy element as a container for the following elements. You can include more than one statement in a policy.
Sid: Optional statement ID to differentiate between your statements.
Effect: Use Allow or Deny to indicate whether the policy allows or denies access.
Principal: Indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating a policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
Action: Include a list of actions that the policy allows or denies.
Resource: Specify a list of resources to which the actions apply.
Condition (Optional): Specify the circumstances under which the policy grants permission.

Different ways that IAM authenticates a principal

User Name/Password
When a principal represents a human interacting with the console, the human will provide a user name/password pair to verify their identity. IAM allows you to create a password policy enforcing password complexity and expiration.

Access Key
An access key is a combination of an access key ID (20 characters) and an access secret key (40 characters). When a program is manipulating the AWS infrastructure via the API, it will use these values to sign the underlying REST calls to the services. The AWS SDKs and tools handle all the intricacies of signing the REST calls, so using an access key will almost always be a matter of providing the values to the SDK or tool.

Access Key/Session Token
When a process operates under an assumed role, the temporary security token provides an access key for authentication. In addition to the access key (remember that it consists of two parts), the token also includes a session token. Calls to AWS must include both the two-part access key and the session token to authenticate.

Important Point Of IAM

• IAM is universal, does not apply to region.
• New user have no permission when first created.
• Access key and Secrete access key used to login with command line not AWS consol.
• You can assign a role to an EC2 instance that is already running using command line or AWS consol.
• You can only associate one IAM role with an EC2 instance at this time
• You can create custom policies using the visual editor or JSON.
• Once attached role take effect immediately.
• Any policy change also takes effect immediately.

Multi-Factor Authentication (MFA)

AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor-what they know), as well as for an authentication response from their AWS MFA device (the second factor-what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.

• You can enable MFA using the command line and consol.
• MFA can be enabled on both root and user account.
• You can enforce the used of MFA with the CLI by using the STS token service.
• You can report on who's using MFA on a per user basis using credential report. 

Read More

Amazon Virtual Private Cloud(VPC)

Amazon VPC is the networking layer, which allows you to build your own virtual network within AWS t0 launch AWS resources that you define. VPC allows the user to select IP address range, create subnets, and configure route tables, network gateways, and security settings. Within a region, you can create multiple Amazon VPCs, and each Amazon VPC is logically isolated even if it shares its IP address space.

When you create an Amazon VPC, you must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. The address range of the Amazon VPC cannot be changed after the Amazon VPC is created. An Amazon VPC address range may be as large as /16 (65,536 available addresses) or as small as /28 (16 availableaddresses) and should not overlap any other network with which they are to be connected.

VPC default limits

• Maximum of 5 VPC per region.
• Each VPC have a max of 1 Internet gateway and 1 Virtual private getaway.
• Each VPC hosting a maximum 200 subnet per VPC (Increase limit by requesting AWS).
• 200 Network ACL per VPC by default
• 200 Route table per VPC by default
• 500 Security Group per VPC by default.
• 50 Active VPC peering connection per VPC by default. (Max 125)
• 10 VPN connections per VPC.

Amazon VPC components

Subnets

A subnet is a segment of an Amazon VPC's IP address range where you can launch the AWS resources like Amazon EC2, Amazon RDS etc.

After creating an Amazon VPC, you can add one or more subnets in each Availability Zone. Subnets reside within one Availability Zone and cannot span zones. One subnet equals one Availability Zone. You can have multiple subnets in one Availability Zone. Default Amazon VPCs contain one public subnet in every Availability Zone within the region. 
Subnet can be classified as below.
Public subnet: A public subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's IGW.
Private subnet: A private subnet is one in which the associated route table does not direct the subnet's traffic to the Amazon VPC's IGW.
VPN-only subnet: A VPN-only subnet is one in which the associated route table directs the subnet's traffic to the Amazon VPC's VPG and does not have a route to the IGW.

Route tables

A route table is contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed. A route table's routes are what permit Amazon EC2 instances within different subnets within an Amazon VPC to communicate with each other. You can modify route tables and add your own custom routes. You can also use route tables to specify which subnets are Public and which subnets are private.

You should remember the following points about route tables:

• Your VPC has an implicit router.
• Your VPC automatically comes with a main route table that you can modify.
• You can create additional custom route tables for your VPC.
• Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular route table, the subnet uses the main route table.
• Each Subnet within a VPC must be associated with a single route table at a time, while a route table can have multiple subnets associated with it.
• You can replace the main route table with a custom table that you've created so that each new subnet is automatically associated with it.
• Each route in a table specifies a destination CIDR and a target.

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. AWS automatically creates and associates a DHCP option set for your Amazon VPC upon creation and sets two options: domain-name-servers (defaulted to AmazonProvidedDNS) and domain-name (defaulted to the domain name for your region).

The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignments to your own resources. To assign your own domain name to your instances, create a custom DHCP option set and assign it to your Amazon VPC.

• Domain-name: Specify the desired domain name here (for example, mycompany.com).
• Ntp-servers: The IP addresses of up to four Network Time Protocol (NTP) servers, separated by commas.
• Netbios-name-servers: The IP addresses of up to four NetBIOS name servers, separated by commas.
• Netbios-node-type: Set this value to 2.

Security Groups

security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 instances. All Amazon EC2 instances must be launched into a security group. If a security group is not specified at launch, then the instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic. You may change the rules for the default security group, but you may not delete the default security group.

• You can create up to 500 security groups for each Amazon VPC.
• You can add up to 50 inbound and 50 outbound rules to each security group.
• You can specify allow rules, but not deny rules By default, no inbound traffic is allowed until you add inbound rules to the security group.
• By default, new security groups have an outbound rule that allows all outbound traffic.
• Security groups are statefull.

Network Access Control Lists (ACLs)

A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level. A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.

• Default network ACL associated with every subnet that allows all inbound and outbound traffic.
• Custom network ACL, its initial configuration will deny all inbound and outbound traffic.
• A network ACL associate with multiple subnet but subnet can be associate with only one network ACL at a time.

Amazon VPC optional components

Internet Gateways (IGWs)

An Internet Gateway (IGW) is a VPC component that allows communication between instances in your Amazon VPC and the Internet. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.

Amazon EC2 instances within an Amazon VPC are only aware of their private IP addresses. When traffic is sent from the instance to the Internet, the IGW translates the reply address to the instance's public IP address (or EIP address, covered later) and maintains the one-to-one map of the instance private IP address and public IP address.

When an instance receives traffic from the Internet, the IGW translates the destination address (public IP address) to the instance's private IP address and forwards the traffic to the Amazon VPC.

• You must do the following to create a public subnet with Internet access:Attach an IGW to your Amazon VPC.
• Create a subnet route table rule to send all non-local traffic (0.0.0.0/0) to the IGW.
• Configure your network ACLs and security group rules to allow relevant traffic to flow to and from your instance.

Elastic IP (EIP) addresses

An Elastic IP Addresses (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool). AWS maintains a pool of public IP addresses in each region and makes them available for you to associate to resources within your Amazon VPCs.

You must first allocate an EIP for use within a VPC and then assign it to an instance. EIPs are specific to a region (that is, an EIP in one region cannot be assigned to an instance within an Amazon VPC in a different region).

• There is a one-to-one relationship between network interfaces and EIPs.
• You can move EIPs from one instance to another, either in the same Amazon VPC or a different Amazon VPC within the same region.
• EIPs remain associated with your AWS account until you explicitly release them. There are charges for EIPs allocated to your account, even when they are not associated with a resource.

Elastic Network Interfaces (ENIs)

An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC. ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses, one of them is primary. Assigning a second network interface to an instance via an ENI allows it to be dual-homed.

• ENI can be attached to an instance, detached from that instance.
• Primary ENIs (eth0) are created automatically when an EC2 instance is launched and also deleted when the instance is terminated 
• An instance in a VPC always has a default primary ENI attached (eth0) with a private ip address assigned from vpc range and cannot be detached.
• ENI can be attached to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach).
• ENI in one subnet can be attached to an instance in another subnet, but the same AZ and same VPC
• Primary (eth0) interface can’t be detached.
• Secondary (ethN) ENI can be detached when the instance is running or stopped.

Network Address Translation (NATs) instances and NAT gateways

By default, any instance that you launch into a private subnet in VPC is not able to communicate with the Internet through the IGW. This is problematic if the instances within private subnets need direct access to the Internet from the VPCin toapply security updates, download patches, or update application software. AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to access Internet.

NAT Instance
A network address translation (NAT) instance is an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW.

• NAT instance allow in private subnet to send outbound internet communication, but it prevent the instance from receiving inbound traffic initiate by someone to the internet.
• When creating a NAT Instance, Disable Source/Destination check on the instance.
• NAT instance must be in public subnet.
• There must be a route out of the private subnet to the NAT instance, in order for this work.
• The amount of traffic that NAT instance can support depend on the instance size.

NAT Gateway
A NAT gateway is an Amazon managed resource that is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone.

• Less administrative effort than NAT instances.
• Scale automatically up to 10Gbps and Not associated with security group.
• Automatically assign a public Ip address.
• No need to disable Source/Destination check.
• Configure the route table associate with the private subnet to direct internet-bound traffic to the NAT gateway.
• Amazon VPC offer two way to connect a corporate network to a VPC.
• Virtual Private Gateway (VPG): VPG is the virtual private Network concentrator on the AWS side of the VPN connection between the two network.
• Customer Gateways (CGWs): Represent a physical device or a software application on the customer side of VPN connection.

Peering

An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region. 

A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication.

• You cannot create a peering connection between Amazon VPC that have matching or overlapping CIDR block.
• You cannot create a peering connection between Amazon VPC in different region.
• You cannot have more than one peering connection between the same two Amazon VPC at the same time.

Endpoints

An Amazon VPC endpoint create a connection between your Amazon VPC and another AWS service via private network without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect.

• In VPC do not require public IP addresses for the Instance to communicate with other services.
• Ensure that the endpoint is created in the same region as your bucket created. Endpoints currently do not support cross-region requests.
• AWS currently supports endpoints for S3 service and DynamoDB services.
• Multiple endpoint routes to different services can be specified in a route table.
• Multiple endpoint routes to the same service can be specified in different route tables.
• You cannot have multiple endpoints to the same service in a single route table.
• Security groups needs to be modified to allow Outbound traffic from the VPC to the service that’s specified in the endpoint.
• A route is automatically added to the Route table

Read More

Amazon Web Services (AWS)

Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow. Explore how millions of customers are currently leveraging AWS cloud products and solutions to build sophisticated applications with increased flexibility, scalability and reliability.

In November 2004, the first AWS service launched for public usage is Simple Queue Service (SQS). Thereafter Pinkham and lead developer Christopher Brown developed the Amazon EC2 service, with a team in Cape Town, South Africa. Amazon Web Services was officially re-launched on March 14, 2006, combining the three initial service offerings of Amazon S3 cloud storage, SQS, and EC2.

AWS Global Infrastructure

AWS has developed and created its highly available global infrastructure allowing users to deploy and manage their estates all across the world through the use of the region, Availability Zone and Edge Location geographical components.

The AWS Cloud Operates 61 Availability Zones within 20 geographic regions around the world, with announced plans for 12 more Availability Zones and four more AWS Regions in Bahrain, Cape Town, Hong Kong SAR, and Milan.

Region: An AWS Region is a geographical location with a collection of availability zones mapped to physical data centers in that region. Each Amazon Region is designed to be completely isolated from the other Amazon Regions. This achieves the greatest possible fault tolerance and stability.

Availability Zone: An Availability Zone is an isolated location inside a region.  This is the place where actual compute, Storage, network and database resources are hosted. Each Availability Zones belong to a single region. Each Availability Zones is isolated, but the AZs in a region are connected through low-latency links.

Edge Location: An edge location is where end users access services located at AWS. They are located in most of the major cities around the world and are specifically used by CloudFront (CDN) to distribute content to end user to reduce latency. It is like frontend for the service we access which are located in AWS cloud.

Type Of Amazon Web Services

Each type of AWS service is categorized under a domain, the few domains which are widely used.

• Compute
• Storage
• Database
• Migration
• Network and Content Delivery
• Management Tools
• Security & Identity Compliance
• Messaging
• Analytics

Compute

The Compute domain includes services related to compute workloads, it includes the following services:

1. EC2 (Elastic Compute Cloud)
2. Lambda
3. Elastic Beanstalk
4. Auto Scaling
5. Elastic Load Balancing

Storage
The Storage domain includes services related data storage, it includes the following services:

1. S3 (Simple Storage Service)
2. EBS (Amazon Elastic Block Store)
3. Amazon Glacier
4. AWS Snowball

Database

The Database domain is used for database related workloads, it includes the following services:

1. Amazon Aurora
2. Amazon RDS (Relational Database Service)
3. Amazon DynamoDB
4. Amazon RedShift

Migration

The Migration domain is used for transferring data to or from the AWS Infrastructure, it includes the following services:

1. AWS database Migration Service
2. AWS SnowBall

Networking and Content Delivery
The Networking and Content Delivery domain is used for isolating your network infrastructure, and content delivery is used for faster delivery of content. It includes the following services:

1. Amazon Route 53
2. VPC (Virtual Private Cloud)
3. AWS CloudFront
4. AWS Direct Connect

Management 
The Management Tools domain consists of services which are used to manage other services in AWS, it includes the following services:

1. AWS CloudWatch
2. AWS CloudFomation
3. AWS CloudTrail

Security
The Security & Identity, Compliance domain consist of services which are used to manage to authenticate and provide security to your AWS resources. It consists of the following services:

1. AWS IAM
2. Amazon Cognito

Messaging
The Messaging domain consists of services which are used for queuing, notifying or emailing messages. It consists of the following services:

1. Amazon SQS (Simple Queue Service)
2. Amazon SNS (Simple Notification Service)
3. Amazon SES (Simple Email Service)

Analytics 
The Analytics domain consists of services, which are used for quickly and easily build and manage a data lake for analytics. It consists of the following Services:

1. EMR (Amazon Elastic Map-Reduce)
2. Amazon Kinesis Streams
3. AWS Data Pipeline

How to Become AWS Certified

AWS Certified Cloud Practitioner: This certification provides individuals in a larger variety of cloud and technology roles with a way to validate their AWS Cloud knowledge and enhance their professional credibility. This exam covers four domains, including cloud concepts, security, technology, and billing and pricing.

AWS Certified Solutions Architect-Associate: This certification validates your ability to effectively demonstrate knowledge of how to architect and deploy secure and robust applications on AWS technologies. This exam is for anyone with at least one year of hands-on experience designing available, cost-efficient, fault-tolerant, and scalable and distributed systems on AWS.

AWS Certified Developer-Associate: This certification validates proficiency in developing, deploying, and debugging cloud-based applications using AWS. This exam is for anyone with one or more years of hands-on experience developing and maintaining an AWS-based application, plus in-depth knowledge of at least one high-level programming language.

AWS Certified SysOps Administrator-Associate: This certification validates your technical expertise in deployment, management, and operations on the AWS platform. This exam is for anyone with one or more years of hands-on experience operating AWS-based applications.

AWS Certified Solutions Architect-Professional: This certification validates your advanced technical skills and experience in designing distributed applications and systems on the AWS platform. This exam is anyone two or more years of hands-on experience designing and deploying cloud architecture on AWS.

AWS Certified DevOps Engineer-Professional: This certification validates your technical expertise in provisioning, operating, and managing distributed application systems on the AWS platform. This exam is for anyone with two or more years of hands-on experience provisioning, operating, and managing AWS environments.

AWS Certified Security-Specialty: This certification validates your technical expertise in securing the AWS platform. This exam is for anyone in an experienced security role.

AWS Certified Big Data-Specialty: This certification validates your technical expertise in designing and implementing AWS services to derive value from data. This exam is for anyone who performs complex Big Data analyses.

AWS Certified Advanced Networking-Specialty: This certification validates your technical expertise in designing and implementing AWS and hybrid IT architectures at scale. This exam is for anyone who performs complex networking tasks.

AWS Certified Machine Learning-Specialty: This certification validates your technical expertise in building, training, tuning, and deploying machine learning (ML) models using AWS Cloud. This exam is for anyone who performs a development or data science role.

Prerequisite and Validity for Certification.

1. You will be required to update your certification (or recertify) every three years.
2. Candidates are no longer required to have an Associate-level certification before pursuing Professional-level certification, and they are no longer required to have Foundational or Associate certification before pursuing Specialty certification.
3. You can renew your certification by using your 50% off voucher code to take the current, full exam at 50% off.

Read More

Cloud Computing

Cloud is a term referring to accessing computer, information technology (IT), and software applications through a network connection. The term Cloud refers to a Network or Internet. In other words, we can say that Cloud is something, which is present at remote location

What is Cloud Computing?

Cloud Computing is the on-demand delivery of computer Power,Database store,Application and other IT-resources through a cloud services platform via the internet with pay-as-you-go pricing.

Benefit of Cloud Computing

Trade Capital expense for variable Expense

Instead of having to invest heavily in data center and server before you know how your going to use them, you can only pay when you consume computing resources and only pay for how much you consume.

Stop Guessing Capacity

Eliminate guessing on your infrastructure capacity needs.When you make a capacity decision prior to deploying an application either sitting with expensive resources or dealing with limited capacity. Using cloud you can access as much or as little as you need.

Increase speed & agility

In a cloud Computing environment ,reduce the time it takes to make IT resources available to your developer from weeks to just minutes.

Stop Spending Money on running and maintaining data center.

Focus on project that differentiate your business, not the infrastructure.

Go global in minutes

Easily deploy your application in multiple region around the world.This means you can provide a lower latency and better experience for your costumers.

Essential Cloud Computing Characteristics

On-demand self-service

Cloud services are expected to be available on-demand. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access

Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Resource pooling

The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state or data center). Examples of resources include storage, processing, memory and network bandwidth.

Rapid elasticity

Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service

Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for the provider and consumer.

Cloud Deployment Models

Private Cloud: The Private Cloud allows systems and services to be accessible within an organization. It may be owned, managed and operated by organization or third party and it may exist on or off  premises.

Benefits

• Private cloud operations are not available to general public so its provide high security and privacy.
• It provide more control on its resources because it is accessed only within an organization.
• Private cloud resources are not as cost effective as public clouds but they offer more efficiency.

Disadvantage

• Private cloud is only accessible locally and is very difficult to deploy globally
• Private cloud can be scaled only within capacity of internal hosted resources.
• To maintain the cloud, Organization requires more skilled and expertise.

Community Cloud: The Community Cloud allows systems and services to be accessible by group of organizations.It may be owned, manage and operated by one or more organizations. It may exist on or off premises.

Benefits

• Community cloud provides an infrastructure to share cloud resources and capabilities among several organizations.
• Community cloud is comparatively more secure than the public cloud.

Disadvantages

• Data might be accessible by others.
• Challenging to allocate responsibilities of governance, security and cost.

Public Cloud: The Public Cloud allows systems and services to be easily accessible to the general public. It may be owned, managed and operated by business or government organization. It exist on the premises of cloud provider.

Benefits

• Public cloud share same resources with large number of consumer, it has low cost.
• Easy to integrate public cloud with private cloud, hence gives consumers a flexible approach.
• Public cloud services are delivered through Internet, therefore ensures location independence.
• Public cloud is also based on pay-per-use model.
• Resources can be scaled up or down according the requirement.

Disadvantages

• Public cloud model, Resources are shared publicly, therefore low level of security.
• It is comparatively less customizable than private cloud.

Hybrid Cloud: The Hybrid Cloud is composition of public and private cloud. However, the critical activities are performed using private cloud while the non-critical activities are performed using public cloud.

Benefits

• It offers both features of public cloud scalability and private cloud scalability.
• Private cloud in hybrid cloud ensures higher degree of security.
• Public cloud are more cost effective than private, therefore hybrid cloud can have this saving.

Disadvantages

• Networking becomes complex due to presence of private and public cloud.
• It is necessary to ensure that cloud services are compliant with organization's security policies.
• Hybrid cloud model is dependent on internal IT infrastructure.

Cloud Service Models

Infrastructure as a Service (IaaS): Infrastructure as a Service (IaaS) IaaS is the delivery of technology infrastructure as an on demand scalable service. IaaS provides access to fundamental resources such as physical machines, virtual machines, virtual storage, etc

Advantages

• Consumer gets access to the Infrastructure to deploy their stuff.
• Manage OS, Storage, Network Component and deployed Application.
• Does not manage or control core Infrastructure.

Examle of Iaas: EC2

Platform as a Service (PaaS): Platform as a Service (PaaS) PaaS provides the runtime environment for applications, development & deployment tools, etc. PaaS provides all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely from the Internet. Typically applications must be developed with a particular platform in mind.

Advantages

• Consumer control over deployed application on a cloud
• No need  to bother about the administration because it's the responsibility of cloud provider.
• No need to manage or control OS, Storage, Network Component .
• Very easy to scale up or down automatically based on application resource demands.

Example of Paas: Elastic Beanstalk

Software as a Service (SaaS): Software as a Service (SaaS) SaaS model allows to use software applications as a service to end users. SaaS is a software delivery methodology that provides licensed multi-tenant access to software and its functions remotely as a Web-based service.

Advantages

• No need to manage or control cloud infrastructure, OS, Storage, Network Component and individual application. 
• They can be scaled up or down on demand.
• They are automatically upgraded and updated.
• Application make it available over a network.

Example of Saas: Microsoft Office 365, DropBox.

Read More