Exam Notes – IAM

  1. Centralised control of your AWS account
  2. Shared Access to your AWS account
  3. Granular permissions
    • so you can say OK I want people to be able to access this service but I don’t want people to be able to access that service

  4. Identity Federation
    • it just means that you can use Active Directory or Facebook or LinkedIn with identity access management. So potentially your users could log into the AWS console using the same username and password that they use to log into their Windows PCs

  5. Multi factor authentication
    • This means that when you are logging in to the management console you need to use a name, a password and then a special code in order to log in.

  6. Provide temporary access for users and devices and services where necessary
  7. Allows you to set up your own password rotation policy
    • So you may want your users to you know rotate their passwords every three months or every three weeks.
  8. Integrates with many different AWS services
  9. Supports PCI DSS Compliance
    • PCI DSS compliance is basically a compliance framework that, if you’re taking credit card details, you need to be compliant with


  1. users
    • end users such as people, employees of an organisation etc.
  2. groups (a way to group users and apply policies to them collectively)
    • A collection of users. Each user in the group will inherit the permissions of the group
  3. policy documents (JSON and reusable)
    • Policies are made up of documents called Policy Documents. These documents are in a format called JSON and they give permissions as to what a User/Group/Role is able to do
  4. roles
    • you create roles and then assign them to AWS resources
    • a role is a way of allowing one part of AWS to do something with another part of AWS


Go to the landing page (note: region is always global)

Customise the URL to the console

Enable MFA

Create individual IAM user – CONSOLE ACCESS ONLY

Use groups to assign permissions

  • Adding a user prompts for the group that the user should be part of
  • Create a group, give it a name, attach a policy, create user

Create individual IAM user – PROGRAMMATIC ACCESS ONLY

Use groups to assign permissions

  • Adding a user prompts for the group that the user should be part of
  • Use the same group as the previous step, create user
  • Download the .csv file so you can keep the secret a

Apply an IAM password policy


At this point we have 2 users, one strictly for the console and another which can be used to access AWS programmatically. These users are used to log in and authenticate to AWS. They are not used to grant permissions to entities to interact with other entities. For this we need ROLES


IAM roles are a secure way to grant permissions to entities that you trust. Examples of entities include the following:

  • IAM user in another account
  • Application code running on an EC2 instance that needs to perform actions on AWS resources
  • An AWS service that needs to act on resources in your account to provide its features
  • Users from a corporate directory who use identity federation with SAML

IAM roles issue keys that are valid for short durations, making them a more secure way to grant access.

When creating a role, you are prompted for policies to attach to the role to provide permissions.


  • IAM is universal, no region
  • Root account is the one created on setup and has complete admin access (best to setup MFA for this)
  • New users have no permissions when first created
  • Programmatic users are assigned Access Key ID and Secret Access Keys when first created.
  • These are not the same as passwords. Use the access key + secret access key for machine/programmatic users (via SDKs, APIs and command line). Console users need a username and password only.
  • Save these credentials or you will need to regenerate them
  • You can create and customise password rotation policies.
  • Remember:
    • Users
    • Groups
    • Roles
    • Policies
  • There may be questions relating to users with multiple policies (permissions) attached and you have to figure out which permissions prevail in the end. It’s a puzzle with only one right answer.
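The "which permission prevails" puzzle above, together with the JSON policy documents from the users/groups/policies list, worked as an added example (this is my own illustration, not code from the course or from AWS). The two policy documents are constructed for the example: one attached to a group, one inline on the user. The evaluator applies the rule the exam questions test: an explicit Deny anywhere wins, otherwise any explicit Allow grants, otherwise the request is implicitly denied (which is also why a brand-new user can do nothing). It models identity-based policies only, with Action and Resource wildcards; Condition blocks, NotAction, resource-based policies, permissions boundaries and SCPs are deliberately left out.

```python
"""Toy evaluator for the IAM policy-decision rule used in exam puzzles.

Constructed example: the policy documents below are invented for this note.
Only identity-based policies (group + user) with Action/Resource are modelled;
real IAM also evaluates Condition, NotAction, resource policies, boundaries
and SCPs before reaching a decision.
"""
import fnmatch
import json

# Constructed: policy attached to a "developers" group.
DEVELOPER_GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]
}""")

# Constructed: inline policy on one user in that group.
USER_INLINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

# Every policy that applies to the user: the group's plus the user's own.
POLICIES = [DEVELOPER_GROUP_POLICY, USER_INLINE_POLICY]


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are case-insensitive and may use * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """Resource ARNs are case-sensitive; * and ? wildcards are allowed."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Decide one request across all attached policies.

    Returns a (decision, reason) tuple:
      ("Deny", "explicit")  - some statement explicitly denies it (always wins)
      ("Allow", "explicit") - no deny, and some statement allows it
      ("Deny", "implicit")  - no statement mentions it (the default)
    """
    saw_allow = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            applies = (_action_matches(stmt["Action"], action)
                       and _resource_matches(stmt["Resource"], resource))
            if not applies:
                continue
            if stmt["Effect"] == "Deny":
                # Explicit deny short-circuits: no Allow elsewhere can override it.
                return ("Deny", "explicit")
            saw_allow = True
    return ("Allow", "explicit") if saw_allow else ("Deny", "implicit")


if __name__ == "__main__":
    # Constructed requests that exercise each branch of the decision rule.
    requests = [
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "*"),
    ]
    for action, resource in requests:
        decision, reason = evaluate(POLICIES, action, resource)
        print(f"{action:24} {resource:45} -> {decision} ({reason})")
```

The s3:DeleteObject request is the puzzle case: the user's inline `s3:*` Allow covers it, but the explicit Deny in the same document still wins. The s3:PutObject request on other-bucket shows the implicit deny: neither the group's Get/List statements nor the user's bucket-scoped Allow mention it, so there is no Allow to find.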