IAM & AWS CLI

 I. IAM introduction: Users. Groups, Policies

1. IAM: Users & Groups

  • IAM = indentity and Access Management, Global service.
  • Root account create by default, shouldn't be used or shared (not best practice to use the root account)
  • Users are people within organization, and can be grouped.
  • Groups only contain users, not other groups.
  • Users don't have to belong to a group, and user can belong to mutiple groups
2. IAM: Permissions
  • Users or Groups can be assigned JSON ducuments called policies.
  • These policies define the permissions of the users
  • In AWS you apply the least privilege principle: don't give more permissions than a user needs.
II. IAM Users & Groups Hands On
create User 



create or select one Group existed

III. IAM Policies
A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. Permissions in the policies determine whether the request is allowed or denied.

1. IAM policies inhertance
2. IAM Policies Structure
  • Consists of:
    • Version: policy language version, always include "2012-10-17"
    • Id: identifier for the policy (optinal)
    • Statement: one or more individual statements (required)
  • Statements consists of:
    • Sid: an identifier for the statement (optinal)
    • Effect: whether statement allows or denies access ( Allow, Deny)
    • Principle: account/user/role to which this policy applied to.
    • Action: list of actions this policy allows or denies
    • Resource: list of resources to which the actions applied to.
IV. IAM Poicies Hands On
You can Attach policies direcly or add user to Group to manage user's permission (best practice)

V. IAM MFA Overview
IAM - Password policy:
  • Strong passwords = highter security for your account.
  • In AWS, you can setup a password policy:
    • set a minimun password length
    • Require specific character types: 
      • Include uppercase letters
      • Lowcase letters
      • numbers
      • non-alphanumeric characters
    • Allow all users to change their own password.
    • Require users to change their password before some time (password expiration)
    • Prevent password re-use.
Multi Factor Authentication - MFA:
  • Users have access to your account and can possibly change configurations or delete resources in your AWS account.
  • You want to protect your Root Account and IAM users.
  • MFA = password you know +security device you own.
  • Main benefit of MFA:
    • if password is stolen or hacked, the account is not compromised
MFA devices options in AWS
VI. IAM MFA Hands on

VII. AWS access keys. CLI and SDK
How can users access AWS?
  • To access AWS, you have three options:
    • AWS Management Console ( protected by password + MFA)
    • AWS Command line interface (CLI): protected by Access keys.
    • AWS Software Developer Kit (SDK) - for code: Protected by Access keys.
  • Access keys are generated through AWS Console
  • Users manage their own access keys
  • Access keys are secret, just like a password. Dont share them.
  • Access key ID ~= Username
  • Secret Access Key ~= Password
what is the AWS CLI ?
  • A tool that enables you to interact with AWS services using commands in your command-line shell.
  • Direct access to the public APIs of AWS services.
  • You can develop script to manage your resource.
  • It's open source https://github.com/aws/aws-cli
  • Alternative to using AWS Management Console
What's the AWS SDK?
  • AWS Software Development Kit (AWS SDK)
  • Language-specific APIs (set of libraies)
  • Enables you to acess and manage AWS services programmatically.
  • Embedded within your Application.
  • Supports:
    • SDKs ( JavaScript, Python, PHP, Go, Nodejs, ...)
    • Mobile SDKs
    • IoT device SDKs
  • Example: AWS CLI is buit on AWS SDK for Python.
VIII. AWS CLI Setup on Mac/Window/Linux

IX. AWS CLI Hands On



Let command in your cli tool: aws configure
and then verify (for example: aws iam list-users)
{
    "Users": [
        {
            "Path": "/",
            "UserName": "test-create",
            "UserId": "AIDAR3ZWYQOW5LHMG3JK6",
            "Arn": "arn:aws:iam::128427000749:user/test-create",
            "CreateDate": "2023-12-26T17:34:54+00:00"
        }
    ]
}
X.  IAM Roles for Services
AWS Document: IAM service roles
  • Some AWS services will need to perform action on your behalf 
  • To do so, we will assign permissions to AWS services with IAM Roles. 
  • Common Roles: 
    • EC2 instance Roles
    • Lamda function Roles
    • Roles for CloudFormation
XI. IAM Roles Hand on
XII. IAM Security tools
  • IAM Credentials Report (account-level)
    • a report that lists all your account's users and status of their various credentials
  • IAM Access Advisor (user-level)
    • Access Advisor shows the services permission granted to a user and and when those services were last accessed
    • you can use this information to revise your policies
XIII. IAM Guidelines & Best Practices.
  • Don't use the root account except for AWS account setup.
  • One Physical user = One AWS user.
  • Assign users to groups and assign permissions to groups.
  • Create a strong password policies.
  • Use and enforce the use of Multi Factor Authencation (MFA)
  • Create and use Roles for giving permission to AWS services.
  • Use the Access Keys for Programmatic Access (CLI/SDk)
  • Audit permissions of your account using IAM Credentials Report & IAM Access Advisor.
  • Never share IAM users & Access Keys.
IAM Section - Summary
  • Users: mapped to a physical user, has a password for AWS console
  • Groups: Container users only.
  • Policies: JSON Document tha outlines permissions for users or groups
  • roles: for EC2 instances or AWS services
  • Security: MFA + Password Policy
  • AWS CLI: Manage your AWS services using the command-line.
  • AWS SDK: Manage your AWS services using a programming language.
  • Access Keys: access AWS using the CLI or SDK.
  • Audit: IAM Credential Reports & IAM Access Advisor.


Reference: Content based on "Ultimate AWS Certified Developer Associate 2023 NEW DVA-C02."

Comments

Post a Comment

Popular posts from this blog

EC2 Fundamentals

Image
  I. AWS Budget Setup Bills Free tier To get alerts about your upcomming costs, the best thing to do is to go into creating an AWS Budget. II. EC2 basics. 1. Amazon EC2. EC2 is one of the most popular of AWS's offering. EC2 = Elastic Compute Cloud = infrastructure as a service it mainly consists in the capbility of: Renting Virtual machines (EC2) Storing data on virtual drives (EBS) Distributing load across machines (ELB) Scaling the services using an auto-scaling group (ASG) Knowing EC2 is fundamental to understand how to Cloud works 2. EC2 rizing & and configuration options. Operation System (OS): Linux, MacOS, Window. How much compute power & cores (CPU)? How much ramdom-access memory(RAM) How much storage space: Network-attached (EBS &EFS) hardware  (EC2 instance storage) Network card: speed of the card, Public IP address. Firewall rules: security group Bootstrap script ( configure at the first launch): UC2 User Data 3. EC2 User Data it's possible to bootstrap ...
Read more

AWS Fundamentals: ELB + ASG

Image
I. Elastic Load Balacing overview 1. What is load balacing? Load Balances are servers that forward traffic to multiple servers(e.g., EC2 instances) downstream 2. Why use a load balacer? Spread load across multiple downstream instances Expose of single point of access (DNS) to your application Seamlessly hanle failures of downstream instances Do regular health checks to your instances Provide SSL termination (HTTPS) for your websites Enforce stickiness with cookies High availability across zones Separate public traffic from private traffic 3. Why use an Elastic load balancer? An Elastic load balancer is a managed load balancer AWS guarantees that it will be working AWS takes care of upgrades, maintenance, hight availability AWS provides only a few configuration knobs It costs less to setup your own load balancer but it will be a lot more effort on your end It's intergrated with many AWS offerings/ services EC2, EC2 Auto Scaling Groups, Amazon ECS AWS Certificate Manager (ACM), Cloud...
Read more