IAM (Identity Access Management) Section 3

IAM

IAM lets us manage users and their level of access to the AWS console and APIs. It is important to understand IAM and how it works, both for the exam and for administering a company's AWS account in real life. It gives us:

  • Centralized control of the AWS account.
  • Shared access to the AWS account.
  • Granular permissions.
  • Identity federation (including Active Directory, Facebook, LinkedIn).
  • Multi-factor authentication.
  • Temporary access for users, devices and services where necessary.
  • Password rotation policies.
  • Integration with many different AWS services.
  • Support for PCI DSS compliance.

User: An end user (a person or an application that signs in).

Group: A collection of users under one set of permissions.

Roles: You create roles and then assign them to AWS resources. For example, we might have an EC2 instance (a virtual machine) and give it a role that grants access to S3. That EC2 instance can then write files directly to S3, and we do not need to store a username and password on the instance.

Policies: A document that defines one or more permissions. A policy can be attached to a USER, GROUP or ROLE.

The root account is simply the email address used to sign up for the AWS account. We only sign in with the root account once in a while, and it should be protected with MFA (Multi-Factor Authentication).

After creating users and groups, each user receives credentials of two kinds: an "Access Key ID" and "Secret Access Key" for signing in programmatically (from the command line or API), and a username and password for logging into the console through the browser.

Summary:

  1. IAM is global; it is not scoped to regions at this time.
  2. The root account is simply the account created when the AWS account is first set up. It has complete admin access.
  3. New users have no permissions when first created. They are assigned an "Access Key ID" and "Secret Access Key" at creation time; these are used to log in through the API and command line, not the console.
  4. Always set up MFA, and create and customize password rotation policies.
  5. Power user access: access to all AWS services except for management of groups and users within IAM.
  6. Read only access:
  7. Administrator access:

 

Section 3 lab work steps:

  1. When we go to IAM, the console scope becomes Global (IAM is not region-specific).
  2. Customize the account alias (used in the sign-in URL).
  3. Add two users, ryan and john, with both programmatic access and AWS Management Console access.
  4. Create a system-admins group and attach the "AdministratorAccess" policy.
  5. Create an HR group and attach the "AmazonS3ReadOnlyAccess" policy.
  6. Remove john from system-admins.
  7. Attach amazonGlacierROAccess directly to john. He now has one policy from his group and another as an individual privilege.
  8. Set the password policy.
  9. Roles: create EC2-AZS3FullAccess ("Full access to S3 for EC2").
  10. Billing alarm: profile > Billing dashboard.
  11. Enable "Monitor your estimated charges".
  12. Management tools > CloudWatch.
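To make the policy model concrete (users, groups, attached policies, and the rule that new users can do nothing until a policy allows something), here is an added example that is not part of the original notes: a small evaluator that mirrors the lab's setup. The policy documents are constructed, trimmed-down stand-ins for the managed policies named above, not copies of them; the rule "explicit Deny wins, then any Allow, otherwise implicit deny" is the core of how IAM evaluates a request (resource and condition matching are omitted here).

```python
"""Minimal IAM-style permission evaluation for the users and groups in the lab."""
import fnmatch

# Constructed, simplified policy documents (assumption: same shape as IAM JSON).
S3_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
GLACIER_READ_ONLY = {"Statement": [{"Effect": "Allow",
                                    "Action": ["glacier:Describe*", "glacier:Get*", "glacier:List*"],
                                    "Resource": "*"}]}
ADMIN_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Group membership and direct attachments as configured in the lab steps.
GROUPS = {"system-admins": [ADMIN_ACCESS], "HR": [S3_READ_ONLY]}
USERS = {
    "ryan": {"groups": ["system-admins"], "policies": []},
    "john": {"groups": ["HR"], "policies": [GLACIER_READ_ONLY]},
    "newuser": {"groups": [], "policies": []},  # freshly created, nothing attached
}


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and patterns may use '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(user: str, action: str) -> bool:
    """True if a policy on the user or on one of its groups allows `action`
    and no matching statement explicitly denies it; otherwise implicit deny."""
    policies = list(USERS[user]["policies"])
    for group in USERS[user]["groups"]:
        policies.extend(GROUPS[group])  # group policies apply to every member
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):  # "Action" may be a string or a list
                actions = [actions]
            if any(_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return False  # an explicit Deny overrides every Allow
                allowed = True
    return allowed  # False here is the implicit deny


if __name__ == "__main__":
    for u in USERS:
        for a in ["s3:GetObject", "s3:PutObject", "glacier:ListVaults", "iam:CreateUser"]:
            print(f"{u:8} {a:20} {'ALLOW' if is_allowed(u, a) else 'DENY'}")
```

Running it shows john can read S3 and list Glacier vaults but cannot write to S3 or touch IAM, ryan can do everything, and newuser can do nothing.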
