Section 3: Identity and Access Management (IAM)

  Amazon Web Services (AWS)

 

IAM 101

https://www.udemy.com/aws-certified-solutions-architect-associate/learn/v4/t/lecture/4237064?start=0

Description:

IAM allows you to manage users, groups and roles and their level of access to the AWS Console and the AWS APIs.

  • IAM is a Global service (not Regional): users, groups, roles and policies apply to the whole account, whichever Region you are working in.  Know this for the test!

What does it do

  • Centralized control of your AWS account
  • Shared access to your AWS account
  • Granular Permissions
  • Identity Federation (SAML providers such as Active Directory, and web identity providers such as Facebook, Google and Amazon)
  • Multifactor Authentication
  • Provide temporary access for users/devices and services where necessary (via roles and STS, instead of long-lived access keys).
  • Allows you to set up your own password rotation policy
  • Integrates with many different AWS services
  • Supports PCI DSS Compliance

Critical Terms

Users=End Users (People)

  • Root user has full permissions by default, and IAM policies cannot restrict it.  Protect it with MFA and do not use it for day-to-day work.
  • New users have no permissions by default (implicit deny until a policy grants something)
  • Power Users (the AWS-managed PowerUserAccess policy) have full access to all AWS services, but cannot manage users and groups within IAM

Groups=A collection of users under one set of permissions
Roles=An identity with permissions that is assumed (by an AWS service, an IAM user, or a federated identity) rather than logged into; assuming a role yields temporary credentials
Policies=A JSON document that defines one or more permissions (Allow/Deny) and is attached to users, groups or roles

Policies are documents that are

  • JSON (JavaScript Object Notation)
  • Made of one or more Statements, each a set of Key->Value pairs (an attribute followed by a value), e.g.
    • "Effect": "Allow"
    • "Action": "*"
    • "Resource": "*"
    • Those three together grant everything (this is what the AdministratorAccess managed policy looks like).
  • Good idea to read the AWS-managed policies to get a feel for them.
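As an added example (not from the course or from AWS), the following Python reads policy documents of the shape described above and flags the "Allow" + "Action": "*" + "Resource": "*" pattern, then does a deliberately minimal allow/deny evaluation so the "new users have no permissions" default (implicit deny) and "explicit Deny wins" can be seen. Both sample policies and the bucket name example-reports are constructed for this example; real IAM evaluation also applies Conditions, NotAction, SCPs and resource policies, which are left out here.

```python
"""
Added example: a small linter and evaluator for IAM permissions policies.
Sample policies below are constructed for the example, not taken from AWS.
"""
import fnmatch
import json

# Constructed sample: what the AdministratorAccess managed policy looks like.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: least privilege, read-only access to one bucket.
READ_ONE_BUCKET = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-reports",
        },
        {
            "Sid": "ReadObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports/*",
        },
    ],
})


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy_json):
    """Return the Statement array of a policy document as a list of dicts."""
    return _as_list(json.loads(policy_json).get("Statement"))


def find_wildcard_grants(policy_json):
    """
    Return the Sid (or position) of every Allow statement where some Action
    is '*' or service-wide ('s3:*') AND some Resource is '*'.
    """
    findings = []
    for i, st in enumerate(statements(policy_json)):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wide_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wide_action and "*" in resources:
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


def is_allowed(policy_json, action, resource):
    """
    Minimal evaluation: default deny; an explicit Deny that matches wins
    immediately; otherwise a matching Allow grants access. Action names are
    matched case-insensitively (as IAM does); resource ARNs are not.
    """
    allowed = False
    for st in statements(policy_json):
        act_match = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                        for p in _as_list(st.get("Action")))
        res_match = any(fnmatch.fnmatchcase(resource, p)
                        for p in _as_list(st.get("Resource")))
        if act_match and res_match:
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    for name, doc in (("ADMIN_POLICY", ADMIN_POLICY),
                      ("READ_ONE_BUCKET", READ_ONE_BUCKET)):
        print(name, "wildcard grants:", find_wildcard_grants(doc))
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print("GetObject:", is_allowed(READ_ONE_BUCKET, "s3:GetObject", obj))
    print("DeleteObject:", is_allowed(READ_ONE_BUCKET, "s3:DeleteObject", obj))
```

Running the linter over every customer-managed policy in an account (the JSON is what GetPolicyVersion returns) is a quick way to find "accidental administrators" before an audit does.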

IAM Lab

https://www.udemy.com/aws-certified-solutions-architect-associate/learn/v4/t/lecture/4237066?start=0

  • Log in: https://aws.amazon.com/
    • Select a Region (Not all regions offer all services; IAM itself is global)
  • All Services > Security, Identity & Compliance > IAM
  • Sign in link:
    • https://123456789012.signin.aws.amazon.com/console where 123456789012 is your account #
    • Click ‘Customize’ to create an alias for your account # (e.g. ‘thomasandsofia’)
    • Activate MFA (Multifactor Authentication) on your root account
      • The lab enables it on the root account only.  Create additional IAM users for day-to-day usage and enable MFA on those too.
      • Virtual Device (Smart Phone authenticator app)
    • Add User
      • Create individual IAM users > [Manage Users] > [Add User]
      • Enter the user name(s) (IAM user names are not case sensitive)
      • Check how they can access
        • [ ] Programmatic (API tools, CLI, SDKs)
        • [ ] Console (as currently logged in)
      • Create Group
        • Add Policies
        • AdministratorAccess=Everything!  Fine for the lab; for real users prefer least-privilege policies.
        • Review
      • Success!
        • view
          • User (Username for Console)
          • Access Key ID (Programmatic Token [Command Line, SDK, APIs])
          • Secret access key (Programmatic Token)
          • Password (Console)
          • Send authentication emails
          • Download .csv of the details
          • Once you leave this screen, you cannot view the secret access key again! If you lose it, you’ll need to create a new key.  Store keys in a credentials file or secrets manager, never in source code.
      • Permissions
        • Can be added by applying them to a user’s group
        • or added specifically to that user. (Attach existing policies directly)
      • Access Keys
        • Can be Active or made Inactive (disabled)
        • A user can have at most two access keys, which is how rotation works: [Create access key] for the new one, switch tools over, make the old key Inactive, then delete it once nothing breaks.
    • Password Policies
      • Upper/lower case letters, numbers, etc.
      • Min. number of characters
      • Expiration period, etc.
  • Roles
    • The way AWS services (e.g. an EC2 instance calling S3) interact with each other without embedded long-lived access keys
    • A role has a trust policy (who may assume it) and permissions policies (what it may do once assumed)
    • Name the role, select the trusted service, then apply the permissions.
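The role step above creates two documents behind the scenes. As an added example (not from the course or from AWS), the Python below builds a trust policy for a service role, a trust policy for a role assumed from another account with the usual sts:ExternalId condition, and a checker that flags the two mistakes a reviewer looks for first: a trust policy anyone can assume, and an account principal with no Condition at all. The service and account identifiers are constructed for the example; the "no Condition" check is a heuristic, not an AWS rule.

```python
"""
Added example: building and checking IAM role trust policies.
Account IDs, external IDs and service names here are constructed.
"""
import json


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_role_trust_policy(service_principal):
    """Trust policy letting one AWS service (e.g. ec2.amazonaws.com) assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def cross_account_trust_policy(account_id, external_id):
    """
    Trust policy for a role assumed from another account. The sts:ExternalId
    condition is the standard mitigation for the confused-deputy problem.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _grants_assume(statement):
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    return any(a == "*" or a.startswith("sts:assumerole") for a in actions)


def trust_policy_findings(trust_policy):
    """
    Return human-readable problems found in a trust policy:
      - an anonymous principal ('*' or {"AWS": "*"}), i.e. anyone may assume it
      - an AWS (account/user/role) principal with no Condition block
        (heuristic: no ExternalId, MFA or source-account restriction)
    """
    findings = []
    for i, st in enumerate(_as_list(trust_policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not _grants_assume(st):
            continue
        principal = st.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"Statement[{i}]: anyone can assume this role")
            continue
        if aws_principals and "Condition" not in st:
            findings.append(f"Statement[{i}]: AWS principal without a Condition")
    return findings


if __name__ == "__main__":
    ec2_trust = service_role_trust_policy("ec2.amazonaws.com")
    partner_trust = cross_account_trust_policy("123456789012", "example-external-id")
    for doc in (ec2_trust, partner_trust):
        print(json.dumps(doc, indent=2))
        print("findings:", trust_policy_findings(doc))
```

The JSON printed for ec2_trust is what the console writes as the role's trust relationship when you pick EC2 as the trusted service; the permissions side is an ordinary policy document of the kind shown under Policies above.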

 

Creating a Billing Alarm Lab

This will help prevent unnecessary charges while you’re learning AWS.  Not strictly part of the IAM section, but a good fit at this point in the course.

  • User Name in Top Menu > My Billing Dashboard > Preferences
    • [x] Receive Billing Alerts
    • [Save preferences]
    • Once this is enabled, you cannot turn it off!
  • Dashboard > Management Tools > CloudWatch > Billing > [Create Alarm]
    • The alarm watches the EstimatedCharges metric, which is only published in us-east-1 (N. Virginia)
    • Set the threshold: exceed: $[  10] USD
    • Send a notification to: [your@email.address]
    • [Create Alarm]
      • You’ll then have 72 hours to confirm the subscription email; until you do, the alarm cannot notify you.
