IAM
- Identity and Access Management, Global service
- Root account created by default, shouldn’t be used or shared
- Users are people within your organization, and can be grouped
- Groups only contain users, not other groups
- Users don’t have to belong to a group, and user can belong to multiple groups
IAM Policy Structure
Consists of
• Version: policy language version, always include “2012-10-17”
• Id: an identifier for the policy (optional)
• Statement: one or more individual statements (required)
Statements consists of
• Sid: an identifier for the statement (optional)
• Effect: whether the statement allows or denies access (Allow, Deny)
• Principal: account/user/role to which this policy applied to
• Action: list of actions this policy allows or denies
• Resource: list of resources to which the actions applied to
• Condition: conditions for when this policy is in effect
(optional)
MFA
password you know + security device you own
MFA devices options in AWS
- Virtual MFA device
- Universal 2nd Factor (U2F) Security Key
- Hardware Key Fob MFA Device
- Hardware Key Fob MFA Device for AWS GovCloud (US)
How can users access AWS
- AWS Management Console (protected by password + MFA)
- AWS Command Line Interface (CLI): protected by access keys
- AWS Software Developer Kit (SDK) - for code: protected by access keys
AWS CLI
• A tool that enables you to interact with AWS services using commands in
your command-line shell
• Direct access to the public APIs of AWS services
• You can develop scripts to manage your resources
• It’s open-source https://github.com/aws/aws-cli
• Alternative to using AWS Management Console
AWS SDK
- AWS Software Development Kit (AWS SDK)
- Language-specific APIs (set of libraries)
- Enables you to access and manage AWS services programmatically
- Embedded within your application
IAM Roles
• assign permissions to AWS services with IAM Roles
Common roles:
• EC2 Instance Roles
• Lambda Function Roles
• Roles for CloudFormation
IAM Credentials Report (account-level)
a report that lists all your account’s users and the status of their various
credentials
IAM Access Advisor (user-level)
• Access advisor shows the service permissions granted to a user and when those
services were last accessed.
• You can use this information to revise your policies.
-
AWS Architecting & Ecosystem18
-
Advance Identity6
-
Other Services10
-
Account Management, Billing & Support Section27
-
Machine Learning11
-
Security & Compliance Section21
-
VPC Section11
-
Cloud Monitoring Section18
-
Cloud Integration Section4
-
Global Infrastructure Section11
-
Deploying and Managing Infrastructure at Scale Section15
-
Other Compute Section9
-
Databases Section19
-
Amazon S318
-
Elastic Load Balancing & Auto Scaling Groups Section7
-
EC2 Instance Storage Section10
-
EC2 Section15
-
IAM Section10
