IAM: Users and Groups

 IAM

  • IAM - Identity and Access Management, Global Service
  • Root account created by default, shouldn't be used or shared
  • Users are people within your organization, and can be grouped
  • Groups only contain users, not other groups
  • Users don't have to belong to a group, and user can belong to multiple groups

IAM: Permissions

  • Users or Groups can be assigned JSON documents called policies for accessing AWS
  • These policies define the permissions of the users
  • In AWS you apply the least privilege principle: don't give more permissions than a user needs
So we can create a user in IAM and attach a policy to it directly, or create a group, attach the desired policy to the group, and put the user in it; the group approach is easier because it manages the permissions of many users at once.
We can also give the account an alias and use tags on groups.


AWS also supports multiple sessions in the browser, so several accounts can be accessed side by side. Accounts are isolated from each other: the resources of one account cannot be used by another account until they are shared.

IAM Policies inheritance


IAM Policies Structure

  • Consists of:
    • Version: policy language version, always include "2012-10-17"
    • Id: an identifier for the policy (optional)
    • Statement: one or more individual statements (required)
  • Statements consist of
    • Sid: an identifier for the statement (optional)
    • Effect: whether the statement allows or denies access (Allow, Deny)
    • Principal: the account, user, or role to which this statement applies
    • Action: list of actions this policy allows or denies
    • Resource: list of resources to which the actions apply
    • Condition: conditions for when this policy is in effect (optional)
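The policy structure above, as an added Python example that is not code from the original post: it builds a constructed least-privilege policy document, checks that the required elements are present, flags a statement that allows every action on every resource, and simulates how IAM decides a request against that policy (a matching explicit Deny wins over any Allow; no matching Allow is an implicit deny). The bucket name, the Sids and the request values are made up; Condition elements and NotAction/NotResource are not simulated.

```python
import fnmatch

# Constructed example policy (not from the post): read-only access to one bucket,
# plus an explicit Deny on deletes anywhere. An identity-based policy like this one
# carries no Principal element; that element is used in resource-based policies.
POLICY = {
    "Version": "2012-10-17",
    "Id": "example-least-privilege",
    "Statement": [
        {
            "Sid": "AllowListOneBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-bucket",
        },
        {
            "Sid": "AllowReadObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyDeleteEverywhere",
            "Effect": "Deny",
            "Action": "s3:Delete*",
            "Resource": "*",
        },
    ],
}

REQUIRED_STATEMENT_KEYS = {"Effect", "Action", "Resource"}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate_policy(policy):
    """Return a list of problems found in the policy document (empty list = looks well-formed)."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be '2012-10-17'")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for index, statement in enumerate(statements):
        label = statement.get("Sid", f"statement[{index}]")
        missing = REQUIRED_STATEMENT_KEYS - statement.keys()
        if missing:
            problems.append(f"{label}: missing {sorted(missing)}")
        if statement.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{label}: Effect must be Allow or Deny")
        # Least-privilege check: Allow on every action for every resource is full admin access.
        if (statement.get("Effect") == "Allow"
                and "*" in _as_list(statement.get("Action"))
                and "*" in _as_list(statement.get("Resource"))):
            problems.append(f"{label}: Allow on Action '*' and Resource '*' grants full access")
    return problems


def _action_matches(patterns, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in patterns)


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return any(fnmatch.fnmatchcase(resource, pattern) for pattern in patterns)


def evaluate(policy, action, resource):
    """Simulate the IAM decision for one request against one policy.

    Returns "explicit deny", "allow" or "implicit deny". Condition elements are ignored here.
    """
    decision = "implicit deny"
    for statement in policy["Statement"]:
        if not _action_matches(_as_list(statement["Action"]), action):
            continue
        if not _resource_matches(_as_list(statement["Resource"]), resource):
            continue
        if statement["Effect"] == "Deny":
            return "explicit deny"  # a matching Deny ends the evaluation
        decision = "allow"          # keep looking in case a later Deny applies
    return decision


if __name__ == "__main__":
    print("validation:", validate_policy(POLICY) or "ok")
    for request in [("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                    ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),
                    ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv")]:
        print(request, "->", evaluate(POLICY, *request))
```

The evaluation loop does not stop at the first Allow because a later statement may still Deny the same request; this is why the deletes are blocked even though the read statements match first when the Deny is written last.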

IAM - Password Policy

  • Strong passwords - higher security for your account
  • In AWS, we can setup a password policy:
    • Set a minimum password length
    • Require specific character types:
      • including uppercase letters
      • lowercase letters
      • numbers
      • non-alphanumeric characters
    • Allow all IAM users to change their own passwords
    • Require users to change their password after some time (password expiration)
    • Prevent password re-use
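The password policy options above, as an added Python example that is not code from the original post: it encodes a constructed set of policy settings (the values are made up, not AWS defaults) and checks a candidate password against each rule, including re-use of a recently used password and expiration. AWS enforces these rules itself; the code only shows what each setting means in practice.

```python
import hashlib
import string

# Constructed policy settings mirroring the options listed above (example values, not AWS defaults).
PASSWORD_POLICY = {
    "minimum_length": 14,
    "require_uppercase": True,
    "require_lowercase": True,
    "require_numbers": True,
    "require_symbols": True,
    "max_age_days": 90,       # password expiration
    "reuse_prevention": 5,    # the last N passwords may not be reused
}

# Constructed fixed salt for the illustration; a real credential store uses a random salt per entry.
HISTORY_SALT = b"constructed-salt"


def history_hash(password):
    """Hash a password for the re-use history with a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), HISTORY_SALT, 100_000).hex()


def check_password(candidate, policy, history=()):
    """Return the list of policy rules the candidate password violates (empty list = acceptable)."""
    violations = []
    if len(candidate) < policy["minimum_length"]:
        violations.append(f"shorter than {policy['minimum_length']} characters")
    if policy["require_uppercase"] and not any(c.isupper() for c in candidate):
        violations.append("no uppercase letter")
    if policy["require_lowercase"] and not any(c.islower() for c in candidate):
        violations.append("no lowercase letter")
    if policy["require_numbers"] and not any(c.isdigit() for c in candidate):
        violations.append("no number")
    if policy["require_symbols"] and not any(c in string.punctuation for c in candidate):
        violations.append("no non-alphanumeric character")
    # Re-use prevention: compare against the hashes of the last N passwords only.
    recent = list(history)[-policy["reuse_prevention"]:]
    if history_hash(candidate) in recent:
        violations.append(f"re-use of one of the last {policy['reuse_prevention']} passwords")
    return violations


def password_expired(days_since_change, policy):
    """True when the password is at least as old as the policy's maximum age."""
    return days_since_change >= policy["max_age_days"]


if __name__ == "__main__":
    print(check_password("Short1!", PASSWORD_POLICY))
    print(check_password("Correct-Horse-Battery-9", PASSWORD_POLICY))
```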

Multi Factor Authentication - MFA

  • Users have access to your account and can possibly change configurations or delete resources in your AWS account
  • You want to protect your Root Accounts and IAM users
  • MFA = password you know + security device you own
  • Benefit:
    • if a password is stolen or hacked, the account is not compromised

MFA devices options in AWS

  • Virtual MFA device - supports multiple accounts and users logging in from one device with multiple tokens. Each account and user has its own token.
    • Google Authenticator (phone only) - works on one phone at a time.
    • Authy (phone only) - supports multiple tokens on a single device.
  • Universal 2nd Factor (U2F) Security Key
    • YubiKey by Yubico (3rd party) - a physical device, like a USB stick.
    • Supports multiple root and IAM users with a single security key.
  • Hardware key Fob MFA Device
    • Provided by Gemalto (3rd party)
  • Hardware Key Fob MFA Device for AWS GovCloud (US)
    • Provided by SurePassID (3rd party)

Ways to access AWS:

  • To access AWS, you have three options:
    • AWS Management Console (protected by password + MFA)
    • AWS Command Line Interface (CLI): protected by access keys
    • AWS Software Developer Kit (SDK) - for code: protected by access keys
  • Access Keys are generated through the AWS Console
  • Users manage their own access keys
  • Access Keys are secret, just like a password. Don't share them
  • Access Key ID ~= username
  • Secret Access Key ~= password

What's the AWS CLI?

  • A tool that enables you to interact with AWS services using commands in your command-line shell
  • Direct access to the public APIs of AWS services
  • You can develop scripts to manage your resources
  • It's open-source https://github.com/aws/aws-cli
  • Alternative to using AWS Management Console

What's the AWS SDK?

  • AWS Software Development Kit (AWS SDK)
  • Language-specific APIs (set of libraries)
  • Enables you to access and manage AWS Services programmatically
  • Embedded within your application
  • Supports
    • SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
    • Mobile SDKs (Android, iOS,...)
    • IoT Device SDKs (Embedded C, Arduino, ....)
  • Example: AWS CLI is built on AWS SDK for Python
Download the AWS CLI installer (search Google for it) and install it.

Assigning AWS access keys to the AWS CLI:
aws configure
It will ask for:
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: eu-east-1 (you can provide any region listed in the AWS console for login)
Default output format [None]:

Command to check all users:
aws iam list-users

AWS CloudShell:

It is a CLI available in the browser; whatever files you create in it stay there until you delete them.
You can download and upload files in this browser CLI as well.
It is a Unix terminal in the browser for using AWS, with software and packages pre-installed.

