AWS Solutions Architect Associate certification

Section 4 : IAM & AWS CLI

by Jackykim 2023. 7. 22.

IAM : Users & Groups
- Users are people within your organization and can be grouped
- Groups only contain users, not other groups
- Users don't have to belong to a group, and a user can belong to multiple groups (up to 10 by default)

 

IAM : Permissions
- Users or groups can be assigned JSON documents called policies
- These policies define what the users are allowed to do. Apply the least privilege principle: don't give a user more permissions than the job needs.

 

Making an IAM User :
AWS console -> IAM -> Users -> Create user -> choose "I want to create an IAM user" (console access) -> Create group -> attach AdministratorAccess -> Create group -> finish creating the user. The User groups page lists the groups and their members, and each user's page shows that user's details.
You can sign in as the IAM user with the account ID (or account alias), the user name and the password. Do it in a different browser or a private (incognito) window: the console keeps one session per browser, so otherwise you are still signed in as root.

 

IAM Policies inheritance
A user's effective permissions are the union of the policies attached to every group the user belongs to plus any policy attached to the user directly (inline or managed). An explicit Deny in any of them overrides any Allow, so check every group a user is in, not just the obvious one.

 

IAM Policies Structure :
A policy document consists of :
- Version : the policy language version; always use "2012-10-17"
- Id : an identifier for the policy (optional)
- Statement : one or more individual statements
Each statement consists of :
- Sid : an identifier for the statement (optional)
- Effect : whether the statement allows or denies access (Allow or Deny)
- Principal : the account / user / role the statement applies to. This element appears only in resource-based policies such as S3 bucket policies and role trust policies; a policy attached to a user or group has no Principal, because the identity it is attached to is the principal
- Action : list of API actions this statement allows or denies
- Resource : list of resources (ARNs) the actions apply to
- Condition : conditions under which the statement is in effect (optional)
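The following Python is an added example, not part of the original notes: it checks a policy document against the structure above and flags Allow statements that break least privilege (wildcard actions, unconditioned access to every resource) and a Principal element in an identity-based policy. The sample policy, its bucket name and its statement IDs are constructed for the example.

```python
import json

# Constructed sample: an identity-based policy someone might attach to a developer group.
# The first statement is scoped; the second is the over-broad kind this linter should catch.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "dev-bucket-access",
    "Statement": [
        {
            "Sid": "ReadDevBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::dev-bucket", "arn:aws:s3:::dev-bucket/*"],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

REQUIRED_STATEMENT_KEYS = {"Effect", "Action", "Resource"}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_identity_policy(document: str) -> list:
    """Return (Sid, message) findings for an identity-based (user/group/role) policy."""
    findings = []
    policy = json.loads(document)

    if policy.get("Version") != "2012-10-17":
        findings.append(("<policy>", "Version should be 2012-10-17"))

    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append(("<policy>", "policy has no Statement"))

    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{idx}]")
        missing = REQUIRED_STATEMENT_KEYS - set(stmt)
        if missing:
            findings.append((sid, f"missing element(s): {sorted(missing)}"))
            continue
        if stmt["Effect"] not in ("Allow", "Deny"):
            findings.append((sid, f"Effect must be Allow or Deny, got {stmt['Effect']!r}"))
        if "Principal" in stmt:
            # Principal belongs only in resource-based policies (bucket policies, role trust
            # policies); a policy attached to a user or group already implies its principal.
            findings.append((sid, "Principal is not valid in an identity-based policy"))
        if stmt["Effect"] == "Allow":
            actions = _as_list(stmt["Action"])
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append((sid, f"Allow with wildcard action {actions}"))
            if "*" in _as_list(stmt["Resource"]) and "Condition" not in stmt:
                findings.append((sid, "Allow on Resource '*' with no Condition"))
    return findings


if __name__ == "__main__":
    for sid, message in lint_identity_policy(SAMPLE_POLICY):
        print(f"{sid}: {message}")
```

Deny statements are left alone on purpose: an explicit Deny on "*" is a guard rail, not a privilege grant.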

 

IAM Policies Hands on:
- You can remove policies or add them individually
- You can attach existing managed policies (such as IAMReadOnlyAccess) directly, or write inline policies
- Without admin permissions you cannot create or delete groups or edit policies
- You can view a policy's JSON or create new policies, either in the JSON editor or in the Visual editor

 

IAM – Password Policy
Set up a password policy by :
- Setting a minimum password length
- Requiring specific character types :
 - upper/lower case letters
 - numbers
 - non-alphanumeric characters
- Allowing all IAM users to change their own passwords
- Requiring users to change passwords after a set number of days (password expiration)
- Preventing password reuse (IAM can remember up to 24 previous passwords)
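Added example, not part of the original notes: the same rules enforced locally, the way an internal tool or pre-check would apply them before a password ever reaches the console. The PasswordPolicy defaults (14 characters, 24 remembered passwords, 90-day expiry) are assumptions for the example, and the reuse history stores hashes rather than passwords.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Mirrors the knobs in the IAM account password policy (defaults chosen for the example)."""
    minimum_length: int = 14
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_numbers: bool = True
    require_symbols: bool = True
    password_reuse_prevention: int = 24   # remember this many previous passwords (IAM allows 1-24)
    max_password_age_days: int = 90       # 0 disables expiration


def _history_fingerprint(password: str) -> str:
    """Keep a hash of each previous password in the reuse history, never the password itself."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password: str, policy: PasswordPolicy, history: list) -> list:
    """Return the rules the password violates; an empty list means it is acceptable.

    `history` holds fingerprints of previous passwords, most recent first.
    """
    violations = []
    if len(password) < policy.minimum_length:
        violations.append(f"shorter than {policy.minimum_length} characters")
    if policy.require_uppercase and not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if policy.require_lowercase and not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if policy.require_numbers and not re.search(r"[0-9]", password):
        violations.append("no digit")
    # Simplification: IAM accepts a specific set of symbols; here any non-alphanumeric counts.
    if policy.require_symbols and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no non-alphanumeric character")
    recent = history[:policy.password_reuse_prevention]
    if _history_fingerprint(password) in recent:
        violations.append(f"reused one of the last {policy.password_reuse_prevention} passwords")
    return violations


def password_expired(age_days: int, policy: PasswordPolicy) -> bool:
    """True when the password is at or past the configured maximum age."""
    return policy.max_password_age_days > 0 and age_days >= policy.max_password_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password("Correct-Horse-Battery-7", policy, []))
```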

 

Multifactor Authentication – MFA (Need to know for exam)
MFA = a password you know + a security device you own
- Protect your root account and your IAM users
- Main benefit : if a password is stolen or guessed, the attacker still cannot sign in without the second factor, so the account is not compromised

 

MFA device options  (Need to know for Exam) :
- Virtual MFA device : an authenticator app such as Google Authenticator (phone) or Authy (multi-device); one app can hold the tokens for several accounts
- Universal 2nd Factor (U2F) security key : YubiKey by Yubico (3rd party)
- Hardware key fob MFA device : Provided by Gemalto (3rd party)
- Hardware key fob MFA device for AWS GovCloud (US) : Provided by SurePassID (3rd party)

 

IAM MFA hands on
- Password policy : IAM dashboard -> Account settings -> Edit password policy
- MFA : account menu (top right) -> Security credentials -> Multi-factor authentication (MFA) -> Assign MFA device, choose the device type, then confirm with two consecutive codes from the device

 

AWS Access Keys, CLI and SDK
To access AWS, you have 3 options :
1. AWS management console (Protected by password + MFA)
2. AWS Command Line Interface (CLI) : Protected by access keys
3. AWS Software Developer Kit (SDK) : For code : Protected by access keys
Access keys are generated in the AWS console, and each user manages their own keys. The secret access key is shown only at creation time; treat it like a password: never share it, never commit it to source control, and rotate it regularly.
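"Protected by access keys" means every CLI and SDK request is signed with AWS Signature Version 4: the secret access key never travels over the network, only a signature derived from it, and the access key ID identifies the user. The Python below is an added example, not part of the original notes and not the CLI's own code; it reproduces the signing steps for the same IAM ListUsers call that aws iam list-users makes. The credentials are the placeholder values AWS uses in its signing documentation, not real keys.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Placeholder credentials of the kind AWS uses in its signing documentation; not real keys.
ACCESS_KEY_ID = "AKIDEXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key from the secret; the secret itself is never sent."""
    k_date = _hmac(("AWS4" + secret).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method: str, path: str, query: dict, headers: dict, body: bytes,
                 amz_date: str, region: str, service: str,
                 access_key_id: str = ACCESS_KEY_ID, secret: str = SECRET_ACCESS_KEY):
    """Return (canonical_request, string_to_sign, Authorization header value) for one request.

    `headers` must already contain Host and X-Amz-Date; every header passed here is signed.
    """
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}" for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}  # lowercase names, trimmed values
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    canonical_request = "\n".join([
        method, quote(path, safe="/~"), canonical_query,
        canonical_headers, signed_headers, _sha256_hex(body)])

    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode())])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return canonical_request, string_to_sign, authorization


def amz_timestamp(now: datetime.datetime = None) -> str:
    """X-Amz-Date format; AWS rejects requests whose timestamp is more than 15 minutes off."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return now.strftime("%Y%m%dT%H%M%SZ")


if __name__ == "__main__":
    # The same IAM ListUsers call that `aws iam list-users` makes, with a fixed timestamp.
    stamp = "20150830T123600Z"
    _, _, auth = sign_request(
        "GET", "/", {"Action": "ListUsers", "Version": "2010-05-08"},
        {"Host": "iam.amazonaws.com",
         "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
         "X-Amz-Date": stamp},
        b"", stamp, "us-east-1", "iam")
    print(auth)
```

Because the signature covers the date, region, service and the signed headers, a captured request cannot be replayed against another service or much later; a leaked secret access key, by contrast, lets anyone sign anything until the key is deactivated.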

 

What’s the AWS CLI?
- A tool that enables you to interact with AWS services using commands in your command-line shell
- Direct access to the public API of AWS services
- You can develop scripts to manage your resources; the CLI itself is open source on GitHub

 

What’s the AWS SDK?
- AWS software development kit
- Enables you to access and manage AWS services programmatically
- Embedded within your application
- Supports many programming languages, plus mobile SDKs and IoT device SDKs

 

AWS CLI Hands On
1. Run aws configure to enter the access key ID, secret access key, default region and output format (stored under ~/.aws/)
2. Run aws iam list-users to list the IAM users in the account
3. Run aws sts get-caller-identity to confirm which account and user the CLI is actually using before running anything that changes state

 

IAM Roles for Services
- Some AWS services will need to perform actions on your behalf
- Assign permissions to an AWS service with an IAM role instead of embedding a user's access keys in it; the service obtains short-lived credentials for the role
- Common roles : EC2 instance roles, Lambda function roles, roles for CloudFormation
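Added example, not part of the original notes: a role can be assumed only by the principals named in its trust policy, so the trust policy is where over-broad access hides. The Python below holds a constructed EC2 instance-role trust policy, a deliberately open one, and an audit that flags anything other than the expected service principal. The allowed-action list is an assumption for the example.

```python
import json

# Constructed example: the trust policy AWS attaches to an EC2 instance role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "LetEc2AssumeThisRole",
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed example of the misconfiguration to catch: any AWS principal may assume the role.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
}

# Actions a trust policy legitimately grants (assumption for the example).
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithWebIdentity",
                  "sts:AssumeRoleWithSAML", "sts:TagSession", "sts:SetSourceIdentity"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy: dict) -> list:
    """Flatten who may assume the role into (kind, value) pairs, e.g. ('Service', 'ec2.amazonaws.com')."""
    out = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                       # bare "*" is the same as {"AWS": "*"}
            out.append(("AWS", "*"))
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                out.append((kind, value))
    return out


def audit_trust_policy(trust_policy: dict, expected_services: set) -> list:
    """Return findings; empty when the role is assumable only by the services you expect."""
    findings = []
    for kind, value in trusted_principals(trust_policy):
        if value == "*":
            findings.append("wildcard principal: any AWS account can assume this role")
        elif kind == "Service" and value not in expected_services:
            findings.append(f"unexpected service principal {value}")
        elif kind != "Service":
            findings.append(f"non-service principal {kind}:{value} on a service role")
    for stmt in _as_list(trust_policy.get("Statement", [])):
        for action in _as_list(stmt.get("Action", [])):
            if action not in ASSUME_ACTIONS:
                findings.append(f"unexpected action {action} in trust policy")
    return findings


if __name__ == "__main__":
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
    print(audit_trust_policy(OPEN_TRUST_POLICY, {"ec2.amazonaws.com"}))
```

The permission policy attached to the role (what the instance may do) has no Principal element; the trust policy (who may become the role) is where Principal lives, which is the split described under the policy structure above.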

 

IAM Security Tools
- IAM credential report (account level) : a report that lists all the account's users and the status of their credentials (password, MFA, access keys, certificates)
- IAM Access Advisor (user level) : shows the services a user has permissions for and when each was last accessed, so you can remove permissions that are never used
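Added example, not part of the original notes: the credential report downloads as a CSV, and the checks an auditor runs over it are easy to script. The sample below is constructed in the report's column layout (a subset of its columns, a fictitious account ID and user names), the reference date is fixed to the post's date so the result is reproducible, and the thresholds (90-day key age, 45 days unused) are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the IAM credential report (a subset of its columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,2022-01-10T09:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2023-06-20T08:00:00+00:00,2023-07-20T11:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2022-11-01T08:00:00+00:00,2023-07-19T11:30:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2023-05-01T08:00:00+00:00,N/A,true,2023-02-01T08:00:00+00:00,2023-02-02T08:00:00+00:00
"""

NOW = datetime(2023, 7, 22, tzinfo=timezone.utc)  # fixed reference date (the post's date)


def _parse(timestamp: str):
    """The report uses N/A, no_information and not_supported where there is no date."""
    if timestamp in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(timestamp)


def audit_credential_report(report_csv: str, now: datetime = NOW,
                            max_key_age_days: int = 90, unused_days: int = 45) -> dict:
    """Map each user with problems to the findings an IAM reviewer would raise."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, issues = row["user"], []
        if user == "<root_account>":
            # Root should never have access keys and must have MFA.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                issues.append("root account has an active access key")
            if row["mfa_active"] != "true":
                issues.append("root account has no MFA")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            last_used = _parse(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                issues.append(f"access key {n} older than {max_key_age_days} days")
            if last_used is None and rotated and now - rotated > timedelta(days=unused_days):
                issues.append(f"access key {n} never used")
            elif last_used and now - last_used > timedelta(days=unused_days):
                issues.append(f"access key {n} unused for {unused_days}+ days")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user, issues)
```

A key that was created and never used is the first thing to deactivate: nothing depends on it, and its only remaining role is as an attacker's credential if it leaks.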

 

IAM Guidelines & Best Practices
- Don't use the root account except for AWS account setup
- one physical user = one AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce MFA
- Create and use roles for giving permissions to AWS services
- Use access keys for programmatic access (CLI / SDK), keep them secret and rotate them
- Audit the permissions of your account with the IAM credential report and IAM Access Advisor

 

IAM Summary
- Users : Mapped to physical user, has a password for AWS console
- Groups : contains users only
- Policies : JSON documents that outlines permissions for users or groups
- Roles : For EC2 instances or AWS services
- Security : MFA + Password Policy
- Access Keys : Access AWS using the CLI or SDK
- Audit : IAM credential report & IAM Access Advisor