{"id":419,"date":"2017-07-12T18:25:40","date_gmt":"2017-07-12T18:25:40","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=419"},"modified":"2017-07-14T18:31:21","modified_gmt":"2017-07-14T18:31:21","slug":"section-3-identity-access-management","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=419","title":{"rendered":"Section 3: Identity Access Management"},"content":{"rendered":"<p>&nbsp;<\/p>\n<h2>IAM 101<\/h2>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-associate\/learn\/v4\/t\/lecture\/4237064?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-associate\/learn\/v4\/t\/lecture\/4237064?start=0<\/a><\/p>\n<h3>Description:<\/h3>\n<p>IAM allows you to manage users and their level of access to the AWS Console.<\/p>\n<ul>\n<li><span style=\"color: #008000;\">IAM settings are Global (World Wide) and not Regional.\u00a0 Know this for the test!<\/span><\/li>\n<\/ul>\n<h3>What does it do<\/h3>\n<ul>\n<li>Centralized control of your AWS account<\/li>\n<li>Shared access to your AWS account<\/li>\n<li>Granular Permissions<\/li>\n<li>Identity Federation (including AD, Facebook, LinkedIn, etc.)<\/li>\n<li>Multifactor Authentication<\/li>\n<li>Provide temporary access for users\/devices and services where necessary.<\/li>\n<li>Allows you to set up your password rotation policy<\/li>\n<li>Integrates with many different AWS services<\/li>\n<li>Supports PCI DSS Compliance<\/li>\n<\/ul>\n<h3>Critical Terms<\/h3>\n<p>Users=End Users (People)<\/p>\n<ul>\n<li>Root user has full permissions by default<\/li>\n<li>New users have no permissions by default<\/li>\n<li>Power Users have full access to all AWS services, but cannot manage users and groups within IAM<\/li>\n<\/ul>\n<p>Groups=A collection of users under one set of permissions<br \/>\nRoles=You create roles and then assign them to AWS resources<br \/>\nPolicies=A document that defines one or more 
permissions<\/p>\n<p>Policies are documents that are<\/p>\n<ul>\n<li>JSON (JavaScript Object Notation)<\/li>\n<li>Key-&gt;Value pairs (An attribute followed by a value)\n<ul>\n<li>&#8220;Effect&#8221;: &#8220;Allow&#8221;<\/li>\n<li>&#8220;Action&#8221;: &#8220;*&#8221;<\/li>\n<li>&#8220;Resource&#8221;: &#8220;*&#8221;<\/li>\n<li>Good idea to read these policies to get a feel for them.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>IAM Lab<\/h2>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-associate\/learn\/v4\/t\/lecture\/4237066?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-associate\/learn\/v4\/t\/lecture\/4237066?start=0<\/a><\/p>\n<ul>\n<li>Log in: <a href=\"https:\/\/aws.amazon.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/aws.amazon.com\/<\/a>\n<ul>\n<li>Select a Region (Not all regions offer all services)<\/li>\n<\/ul>\n<\/li>\n<li>All Services &gt; Security, Identity &amp; Compliance &gt; IAM<\/li>\n<li>Sign in link:\n<ul>\n<li>https:\/\/123456789012.signin.aws.amazon.com\/console where 123456789012 is your account #<\/li>\n<li>Click &#8216;Customize&#8217; to create an alias for your account # (&#8216;thomasandsofia&#8217;)<\/li>\n<li>Activate MFA (Multifactor Authentication) on your root account\n<ul>\n<li>Only for Root account.\u00a0 Best to create additional users for day to day usage.<\/li>\n<li>Virtual Device (Smart Phone)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Add User\n<ul>\n<li>Create individual IAM users &gt; [Manage Users] &gt; [Add User]<\/li>\n<li>Enter User(s) names (lower case?)<\/li>\n<li>Check How they can access\n<ul>\n<li>[ ] Programmatic (API tools, etc.)<\/li>\n<li>[ ] Console (as currently logged in)<\/li>\n<\/ul>\n<\/li>\n<li>Create Group\n<ul>\n<li>Add Policies<\/li>\n<li>Administrative Access=Everything!<\/li>\n<li>Review<\/li>\n<\/ul>\n<\/li>\n<li>Success!\n<ul>\n<li>view\n<ul>\n<li>User (Username for Console)<\/li>\n<li>Access Key ID (Programmatic 
Token [Command Line, SDK, APIs])<\/li>\n<li>Secret access key (Programmatic Token)<\/li>\n<li>Password (Console)<\/li>\n<li>Send authentication emails<\/li>\n<li>Download .csv of the details<\/li>\n<li><strong><span style=\"color: #ff0000;\">Once you leave this screen, you cannot view this information again! If you lose them, you&#8217;ll need to regenerate them.<br \/>\n<\/span><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Permissions\n<ul>\n<li>Can be added by applying them to a user&#8217;s group<\/li>\n<li>or added specifically to that user. (Attach existing policies directly)<\/li>\n<\/ul>\n<\/li>\n<li>Access Keys\n<ul>\n<li>Can be Active or made Inactive (disabled)<\/li>\n<li>Regenerate by clicking [Create access key]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Password Policies\n<ul>\n<li>Upper\/lower case letters, numbers, etc.<\/li>\n<li>Min. number of characters<\/li>\n<li>Expiration period, etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Roles\n<ul>\n<li>System for AWS services to interact with each other<\/li>\n<li>Name, select the service, then apply the permissions.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Creating a Billing Alarm Lab<\/h2>\n<p>This will help prevent unnecessary charges while you&#8217;re learning AWS.\u00a0 Generally not part of the IAM section, but a good fit at this time in the course.<\/p>\n<ul>\n<li>User Name in Top Menu &gt; My Billing Dashboard &gt; Preferences\n<ul>\n<li>[x] Receive Billing Alerts<\/li>\n<li>[Save preferences]<\/li>\n<li><strong><span style=\"color: #ff0000;\">Once this is enabled, you cannot turn it off!<\/span><\/strong><\/li>\n<\/ul>\n<\/li>\n<li>Dashboard &gt; Management Tools &gt; CloudWatch &gt; Billing &gt; [Create Alarm]\n<ul>\n<li>Set the threshold: exceed: $[\u00a0 10] USD<\/li>\n<li>Send a notification to: [your@email.address]<\/li>\n<li>[Create Alarm]\n<ul>\n<li>You&#8217;ll then have 72 hours to verify the email 
address.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; IAM 101 https:\/\/www.udemy.com\/aws-certified-solutions-architect-associate\/learn\/v4\/t\/lecture\/4237064?start=0 Description: IAM allows you to manage users and their level of access to the AWS Console. IAM settings are Global (World Wide) and not Regional.\u00a0 Know this for the test! What does it do Centralized control of your AWS account Shared access to your AWS account Granular Permissions Identity Federation (including ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=419\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[],"class_list":["post-419","post","type-post","status-publish","format-standard","hentry","category-amazon-web-services-aws"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=419"}],"version-history":[{"count":10,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/419\/revisions"}],"predecessor-version":[{"id":429,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/419\/revisions\/429"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=419"}],"wp:term":[{"taxonomy":"catego
ry","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}