Wednesday, July 10, 2019

AWS Solution Architect Associate Exam Study course Notes: IAM (Identity and Access Management) class sri lanka

IAM (Identity and Access Management)

  • Gives you centralised control of an AWS account
  • Is global - there is no concept of regional IAM at this time; all users, groups, policies, etc are available in all regions.
  • Supports Identity Federation which can be used for Single Sign-on i.e. via SAML
  • Can be used to give temporary access
IAM consists of Users, Groups Roles, and Policy Documents

Users

Are the individual accounts.
By default, new users don’t have access to any AWS services.
Always set up MFA (Multifactor Authentication) on your root account.
IAM can be used to create and customise password rotation policies.
There are two ways to access AWS:
  • Username + Password
  • Access Key ID + Secret Access Key

Username and Password

  • Cannot be used to interact with the API
  • Can be used to sign in via a custom sign-in link which you can create via the IAM console i.e.
AWS sample policy document

Access Key ID and Secret Access Key

  • Assigned on user creation
  • Can be used to interact via the AWS command line, SDKs, or APIs.
  • Not the same as Username and Password.
  • Can only be viewed once. If you lose them, they need to be regenerated. Save them in a secure location.

Groups

Are a collection of IAM users, simplifying the assigning of permissions. i.e. you can have groups for different departments such as Sales, Developers, HR, etc, which may all require different levels of AWS access.
  • A user can belong to multiple groups
  • Groups cannot belong to other groups

Roles

You can create roles, then assign them to AWS resources.
i.e. you might have an EC2 instance, and give it a role saying it can access S3. That way the EC2 instance can directly access S3 without having to manage usernames, passwords, etc.
Limited to 500 IAM roles under your AWS account. The acloud.guru course states up to 250.
Role types:
  • AWS Service
  • Another AWS Account (allows entities in other accounts to perform actions in the current account)
  • Web Identity (Amazon, Cognito, Facebook, Google)
  • SAML / OpenID Connect
API Actions for assuming roles:
  • AssumeRole
    • You cannot call AssumeRole by using AWS root account credentials; access is denied. You must use credentials for an IAM user or an IAM role to call AssumeRole.
  • AssumeRoleWithSAML - for when users have been authenticated via a SAML authentication response, i.e. an on-premises VPC
  • AssumeRoleWithWebIdentity (when users have been authenticated in a mobile app or web app with a web identity provider suh as Facebook, Google, or OpenID connect)

Including an IAM access policy with AssumeRole

When assuming a role, you can futher restrict access via passing an IAM access policy on each request.
If you pass a policy to this operation, the temporary security credentials that are returned by the operation have:
  • the permissions that are allowed by both the access policy of the role that is being assumed
  • and the policy that you pass.
… this gives you a way to further restrict the permissions for the resulting temporary security credentials.
You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed.

Policy Documents

An IAM policy is a document which formally defines permissions, and can be attached to users, groups, and roles.
The “ PowerUserAccess” policy provides full access to AWS services and resources, but does not allow management of users and groups.
For example, here’s one of the default AWS policy documents for assigning full access to S3:
AWS sample policy document

STS (Secure Token Service)

STS is used for requesting temporary, limited-privilege credentials for AWS IAM users or for federated users which you authenticate.
The temporary security credentials are valid for the duration that you specified when calling AssumeRole, which can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour. More info
Supports the following sources:
  • Federation (typically Active Directory)
    • Uses SAML
    • Allows you to use credentials from another provider (i.e. Active Directory) - does not need to be IAM credentials
    • Does not need to be a user in IAM, or need any IAM credentials
  • Federation with mobile apps
    • Using Facebook/Amazon/Google or other OpenID provider to log in
  • Cross-account access - allowing users from AWS account to access resources in another
To use STS Federation, you must implement the following steps in the following order:
  1. Develop an Identity Broker to communiate with LDAP (Lightweight Directory Access Protocol, one of the protocols that you can use to talk to Active Directory) and STS
  2. Identity Broker always authenticates with LDAP first, THEN with AWS STS
  3. Application then gets temporary access to AWS resources

Web Identity Federation

Useful for mobile apps which need to access AWS resources, and allows the app to aeceve an auth token, and then use that token for temporary credentials.
It’s strongly recommended to not embed or distribute long-term AWS credentials with apps that are user downloads to a device.
Web Identity Federation supports the following providers:
  • Amazon
  • Facebook
  • Google
  • Any other OpenID Connect (OIDC) compatible id provider


What Is IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks.

Video Introduction to IAM

AWS Training and Certification provides a 10-minute video introduction to IAM:

IAM Features

IAM gives you the following features:
Shared access to your AWS account
You can grant other people permission to administer and use resources in your AWS account without having to share your password or access key.
Granular permissions
You can grant different permissions to different people for different resources. For example, you might allow some users complete access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, Amazon Redshift, and other AWS services. For other users, you can allow read-only access to just some S3 buckets, or permission to administer just some EC2 instances, or to access your billing information but nothing else.
Secure access to AWS resources for applications that run on Amazon EC2
You can use IAM features to securely provide credentials for applications that run on EC2 instances. These credentials provide permissions for your application to access other AWS resources. Examples include S3 buckets and DynamoDB tables.
Multi-factor authentication (MFA)
You can add two-factor authentication to your account and to individual users for extra security. With MFA you or your users must provide not only a password or access key to work with your account, but also a code from a specially configured device.
Identity federation
You can allow users who already have passwords elsewhere—for example, in your corporate network or with an internet identity provider—to get temporary access to your AWS account.
Identity information for assurance
If you use AWS CloudTrail, you receive log records that include information about those who made requests for resources in your account. That information is based on IAM identities.
PCI DSS Compliance
IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1.
Integrated with many AWS services
For a list of AWS services that work with IAM, see AWS Services That Work with IAM.
Eventually Consistent
IAM, like many other AWS services, is eventually consistent. IAM achieves high availability by replicating data across multiple servers within Amazon's data centers around the world. If a request to change some data is successful, the change is committed and safely stored. However, the change must be replicated across IAM, which can take some time. Such changes include creating or updating users, groups, roles, or policies. We recommend that you do not include such IAM changes in the critical, high-availability code paths of your application. Instead, make IAM changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them. For more information, see Changes That I Make Are Not Always Immediately Visible.
Free to use
AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) are features of your AWS account offered at no additional charge. You are charged only when you access other AWS services using your IAM users or AWS STS temporary security credentials. For information about the pricing of other AWS products, see the Amazon Web Services pricing page.

Accessing IAM

You can work with AWS Identity and Access Management in any of the following ways.
AWS Management Console
The console is a browser-based interface to manage IAM and AWS resources. For more information about accessing IAM through the console, see The IAM Console and Sign-in Page. For a tutorial that guides you through using the console, see Creating Your First IAM Admin User and Group.
AWS Command Line Tools
You can use the AWS command line tools to issue commands at your system's command line to perform IAM and AWS tasks. Using the command line can be faster and more convenient than the console. The command line tools are also useful if you want to build scripts that perform AWS tasks.
AWS provides two sets of command line tools: the AWS Command Line Interface (AWS CLI) and the AWS Tools for Windows PowerShell. For information about installing and using the AWS CLI, see the AWS Command Line Interface User Guide. For information about installing and using the Tools for Windows PowerShell, see the AWS Tools for Windows PowerShell User Guide.
AWS SDKs
AWS provides SDKs (software development kits) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to IAM and AWS. For example, the SDKs take care of tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For information about the AWS SDKs, including how to download and install them, see the Tools for Amazon Web Services page.
IAM HTTPS API
You can access IAM and AWS programmatically by using the IAM HTTPS API, which lets you issue HTTPS requests directly to the service. When you use the HTTPS API, you must include code to digitally sign requests using your credentials. For more information, see Calling the API by Making HTTP Query Requests and the IAM API Reference.
  1. What is IAM? • IAM Concepts – to help you get started • Common use cases – cover the building blocks • Demos – “Show and Tell”
  2. 3. AWS Identity and Access Management (IAM) 
  3. • Enables you to control who can do what in your AWS account 
  4. • IAM uses access control concepts that you are already familiar with User Group Permissions (IAM Policies) Role AWS Services and Resources
  5. 4. AWS Identity and Access Management (IAM) 
  6. • Control – Centralized – Fine-grained - APIs, resources, and AWS Management Console
  7.  • Security – Secure (deny) by default – Multiple users, individual security credentials and permissions
  8. 5. IAM Users What 
  9. • Entity that represents the person or service that uses it to interact with AWS
  10.  • Consists of a name and unique set of credentials 
  11. • Console password 
  12. • Access Key 
  13. • MFA device (SMS, Virtual, or Hardware) 
  14. • Each IAM user is associated with one and only one AWS account; does not require a separate payment method. When 
  15. • Enable human or programmatic access to AWS resources and services 
  16. • E.g. New employee, Rob, requires access to Amazon EC2 and Amazon S3 services 
  17. • E.g. Rob has created an application that stores data in Amazon DynamoDB
  18. 6. IAM Users Why (Benefits) 
  19. • Unique set of credentials • Individual permissions 
  20. • Granular control 
  21. • Easy to revoke access Do 
  22. • Create IAM user for yourself 
  23. • Create individual IAM users for others Don’t 
  24. • Distribute your AWS root credentials 
  25. • Use your root account user 
  26. • Share your IAM user credentials
  27. 7. IAM Users and Permissions 
  28. • No permissions by default 
  29. • Permissions specify who has access to AWS resources, and what actions they can perform on those resources 
  30. • Assign permissions individually to each user (or use Groups) 
  31. • Rob (UX Designer) > access to Amazon S3 
  32. • Samantha (Database Administrator) > access to select Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS Lambda, and AWS Data Pipeline APIs 
  33. • Use IAM Policies to assign permissions
  34. 8. IAM Policies 
  35. • Contain a statement (permissions) which specify a combination of : 
  36. • Who • What actions • Which AWS resources 
  37. • When • Where 
  38. • How Rob Can GET/PUT objects in S3 Bucket = “*” Until Dec 31, 2017 From IP range 123.456.789.012 If using MFA
  39. 9. IAM Policies 
  40. • JSON-formatted documents Example of an Amazon S3 Read-Only Access Template { "Statement": [ { "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*" } ] } 
  41. • Attach policy to a user, group, or role (identity-based permissions) 
  42. • Attach policy to select resources e.g. Amazon S3 buckets (resource-based permissions) Example of identity-based permission Example of resource-based permission Rob Can Read, Write, List On Resource : icon-designs icon-designs Rob: Read, Write, List Samantha: List Zoe: Read, List
  43. 10. IAM Policies Two types of identity-based policies in IAM 
  44. • Managed policies (newer way) 
  45. • Can be attached to multiple users, groups, and roles 
  46. • AWS managed policies (created and managed by AWS) 
  47. • Customer managed policies (created and managed by you) o Up to 5K per policy o Up to 5 versions • You can limit who can attach managed policies 
  48. • Inline policies (the older way)
  49.  • You create and embed directly in a single user, group, or role • Variable policy size (2K per user, 5K per group, 10K per role)
  50. 11. Live Demo 1. 
  51. Create a new IAM user called Rob 2. Assign Rob a password 3. Enable MFA for Rob (Authy 2FA app: https://www.authy.com/app/mobile/) 4. Require password reset at next sign-in 5. Grant Rob administrative permissions over Amazon S3 by attaching an AWS managed policy i. Replace with a less permissive AWS managed policy ii. Replace with a customer managed policy Demo Time
  52. 12. Side bar SSH Keys: you can associate an SSH key with your IAM user and then use the SSH key to authenticate with AWS CodeCommit (a managed source control service) Credential Reports: You can generate and download a credential report that lists all IAM users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. For passwords and access keys, the credential report shows how recently the password or access key has been used Example of retrieving Credential Report Example of associating SSH keys to IAM user
  53. 13. Side bar Trusted Advisor: your customized cloud expert! It helps you to observe best practices for the use of AWS by inspecting your AWS environment with an eye toward closing security gaps, saving money, and improving system performance and reliability. Example of identifying security gaps by using Trusted Advisor
  54. 14. IAM Groups What 
  55. • Collection of IAM users 
  56. • Specify and manage permissions for multiple users, centrally 
  57. • E.g. group for all UX Designers 
  58. • A group can contain many users, and a user can belong to multiple groups When 
  59. • Easily manage permissions for multiple users AWS Account IAM Group: Administrators Akshay Andrea Arvind IAM Group: UX Designers Rob Rachel IAM Group: DevOps Akshay Andrew Lin Zoe Example of managing permission using groups
  60. 15. IAM Groups Why (Benefits) 
  61. • Reduces the complexity of access management as number of users grow 
  62. • Easy way to reassign permissions based on change in responsibility 
  63. • Easy way to update permissions for multiple users 
  64. • Reduces the opportunity for a user to accidently get excessive access Do 
  65. • Create groups that relate to job functions 
  66. • Attach policies to groups 
  67. • Use managed policies to logically manage permissions 
  68. • Manage group membership to assign permissions
  69. 16. Live Demo 1. 
  70. Create a new IAM group called UXDesigners 2. Assign permissions to the IAM group 3. Create a new IAM user called Rachel 4. Add Rob and Rachel to the IAM group Demo Time
  71. 17. IAM Roles What 
  72. • Another identity with permission policies that determine what the identity can and cannot do in AWS • Can be assumed by anyone who needs it; not uniquely associated with one person or application • Does not have credentials; access keys are created and provided dynamically When • Give cross-account access • Give access within an account • E.g. access for application running on Amazon EC2 • [Federation] Give access to identities defined outside AWS • E.g. access for identities maintained in your corporate IdP
  73. 18. Use IAM roles to share access Why (Benefits) 
  74. • No need to share security credentials 
  75. • No need to store long-term credentials 
  76. • Control who has access Do 
  77. • Use roles to delegate cross-account access 
  78. • Use roles to delegate access within an account • Use roles to provide access for federated users
  79. 19. prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 Authenticate with Rob’ access keys Get temporary security credentials for ddb-role Call AWS APIs using temporary security credentials of ddb-role { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to Rob granting him permission to assume ddb- role in account B IAM user: Rob Permissions assigned to ddb-role STS Use IAM roles for cross-account access
  80. 20. Use IAM roles for Amazon EC2 instances Why (Benefits)
  81. • Easy to manage access keys on EC2 instances 
  82. • Automatic key rotation 
  83. • AWS SDKs fully integrated 
  84. • AWS CLI fully integrated Do 
  85. • Use roles instead of long term credentials 
  86. • Assign least privilege to the application
  87. 21. 1. Use Switch Role between two accounts 2. Launch an EC2 instance with a role Demo Time
  88. 22. Pop-up Loft Questions?
  89. 23. Pop-up Loft aws.amazon.com/activate Everything and Anything Startups Need to Get Started on AWS
sourec

call +94 777337279
email itclasssl@gmail.com
individual and group classes
english / sinhala / tamil




No comments:

Post a Comment