AWS IAM - Crash Course (Learn IAM in 1 hour!) | AWS Certification Tutorial

Captions
Okay, welcome to my channel and welcome to this video named AWS Identity and Access Management, or AWS IAM for short. Now, we have used AWS IAM throughout all our videos, right? But we really couldn't focus on IAM solely, in depth, so that's why I thought of doing this video, because IAM is one of the integral parts of the AWS ecosystem. Now we all know AWS is rapidly innovating. If you look at the re:Invent keynotes, they are launching so many services within a year, so when we are managing access to these resources there's only one service that is really important, and that is nothing but AWS IAM. So that's why we need to have some solid understanding about AWS IAM, and in this video I'm trying to touch upon the most important concepts of AWS IAM.

So here's the agenda. First of all we are going to look at what AWS IAM is, so we are going to look at who the users, groups and IAM roles are, long-term credentials, temporary credentials, and, you know, on what occasions those temporary credentials come in handy. Then we are going to look at the different AWS IAM policy types. Now there are multiple policy types, like SCPs (service control policies), identity-based policies and resource-based policies. We are going to use different examples, hands-on experience as well, when we distinguish between these policy types. Also, a resource in AWS, or a service in AWS, can have multiple policies applied, so when an entity (by entity I mean a user in a database, or it could be an anonymous user, or it could be somebody who just downloaded an app from the App Store and who's trying to upload his profile picture), whoever it is, is trying to log in or access that particular AWS service, there are multiple policies that need to be evaluated. The resources themselves could have their own policies, so there's this logic behind evaluating these policies, and we are going to look at that as well. After that we are moving on to another very important topic, that is identity federation. Now, when
we are using AWS in production or in our projects, for the most part we come across federation scenarios. Sometimes we have to allow users from Facebook to log in to our application, sometimes there could be Active Directory users who are authenticating from their corporate identities to our application, so how are we handling this federation? That's what we are going to discuss in that topic. And finally we are going to discuss STS, or Security Token Service. Now Security Token Service and IAM are closely related, so if you need temporary credentials for an IAM role, IAM is always contacting STS to get the security credentials. There are multiple methods that are really useful to know, so we are going to discuss the STS methods as well. So this is the agenda, and we are going to cover all these topics with examples where applicable, and I hope this will be useful. If you guys have any questions please post your questions in the comment section, I will do my best to answer them as well. Now let's move to the slides, I'll see you on the other side.

All right guys, now before I start I want to show you this blog post related to AWS IAM. Now this is the latest blog post on my blog site, so I recommend you to go through this site as well, because I have covered much more detail about IAM here, with examples, diagrams and, you know, some topics I'm not going to cover in the video, like for example IAM best practices, since they are self-explanatory. So that's a quick note about the blog post, I'll share the link in the description. And guys, I want to make another quick note before we begin: this video is going to be somewhat long, so I have added the timestamps for the corresponding topics in the description section as well as in a comment. You guys can either jump to any interesting topic using the timestamps or watch from start to end, and if you find the pace is still too slow you can always use the playback settings in YouTube and speed up the playback. Otherwise just keep
watching.

Okay, so let's start with the introduction. You guys already know IAM manages access to so many different AWS services, right? So how does it really provide access to those services? That is nothing but by providing access to these three entities: there are IAM users and IAM roles, and IAM users can be part of IAM groups. So what the IAM service does is it will provide permissions to these entities. Then if there is a user, for example, who has access to an S3 bucket, he can log in to the AWS console and access S3. If there are multiple users you can put them into a group and attach the permission to the group, so every time you create any new user you just have to attach them to the corresponding group; you don't have to manually set up permissions for each and every user. That way we reduce some administration overhead. Then we have roles; roles are basically for temporary credential grants.

Now let's have a quick demo about these three entities. I'm in my AWS console, I have logged in as this user called Manoj, and if I go to Services and IAM, which is Identity and Access Management, then you guys can see I have two users (I can click here, or here on the left side panel) and I have two users, and this is the user I am currently logged in as. So for this user, if I go to the Permissions section you can see one policy has been already attached. Now this is AdministratorAccess, and this policy is managed by AWS, so this is a managed policy. Now there are two main policy kinds, guys. The first one is managed policies; managed policies could be managed by AWS, or there could be policies managed by the customer. Apart from that we can add inline policies as well. So the difference between managed policies and inline policies is that these managed policies can be reused among multiple entities: you can attach the same policy to different users, different groups, you can basically reuse it. But inline policies are only attached to that particular entity; in this case, if I add an inline policy, that
inline policy will only be attached to Manoj and cannot be reused.

So I want to just open up this AdministratorAccess, select the JSON tab, and you can see the policy document. Now this is the permission policy attached to AdministratorAccess. First of all we have the version, basically the version of the IAM policy, and then we have a set of statements. This Statement is an array of objects; you can see this array, and you have one object inside it, but you can have multiple objects like this as well. If you look at the attributes inside this object, they are Effect, Action and Resource. Effect basically says whether this policy allows or denies access, so you can have allow policies and deny policies; in this case it allows. So what action does it allow? It's going to allow all the actions, that's why this wildcard star is here; you can particularly mention what actions you are granting. And then we have Resource. Resource means onto which resources these actions must take effect. Now in this case there's again a wildcard, so that means this policy allows all the actions on all the resources, and that's why this is called AdministratorAccess.

Now if we go to this other tab called Groups, this is a group called admin. Now I can select Groups on the left sidebar as well, and there I have two groups; one is admin, and when I click on that admin group I can see under the Users panel that this Manoj user is part of that group. There's a Permissions tab as well; from that Permissions tab you can attach group-level permissions. So once you have created group-level permissions you can create any new user. For example, I can create another user, admin2, providing programmatic and AWS Management Console access with an auto-generated password, and click Next: Permissions, and then I'm getting to the screen to choose to add him to a group. I can skip this stage, but if you want to add him to an already existing group just select that and click Next: Tags, Next: Review, and Create user. So as soon as
the user is created he will be added to that particular group, and thereby he will inherit all the permissions that are attached to the group. Let me show you: if I now go to admin2, the AdministratorAccess is already available for him.

Now let's create another user, call him John. Now provide programmatic access and AWS Management Console access with an auto-generated password and click Next: Permissions. I'm not going to add him to a group, and then click Next: Tags; I will just type Name is John and click Next. You can see when we are just creating a user, initially he's not being assigned any permissions, so this "user has no permissions" message is displayed. That's all right, so we are going to create the user, and once you have created the user you are provided with this screen. It has the access key ID, secret access key, password and email login instructions as well. So the access key ID and secret access key are basically to access AWS through the API or the CLI (command line), and the password is essentially to log in to the AWS console using a browser.

Now let's try to access the AWS console with this user. You can see there's this link shown here as well; the user can log in with this link. This link can be customized: earlier it was only the account ID and then the rest of the URL, but I added a new prefix here; you can do that from the dashboard pane. But for now I'm going to go to a different browser, in this case I am in Firefox, and paste this URL and hit Enter. So now it has pre-filled the account ID or alias, and here I have to type the username, so let me type John. I will get back to Safari, where I have created the user, and copy the password, and come here, paste that in and hit Sign in. So you must change the password to continue; let me just change the password and click Confirm, and afterwards John will be able to log in to the AWS console. Well, that's great.

Now let's try to access some AWS services. I will click Services and I will click EC2 under the Compute category. Now look, I get this "you are not
authorized to describe instances" and "you're not authorized" messages all over the place. Now the reason here is that we haven't provided any permissions to this user, so he cannot access any of these services. Let me try another service, I will try S3 under Storage. There you go, you get an error here: access denied.

Now let's provide him some permissions, shall we? I will click Close and I will click John here, and currently John doesn't have any permission policies. I will click Add permissions and then I will select Attach existing policies directly; this is the place where we can attach some managed policies. I'm not going to add him AdministratorAccess, but I will type ec2 and try to add EC2 read-only access. Then we have the Amazon managed policy AmazonEC2ReadOnlyAccess; I will select that and click Next: Review (it's a managed policy) and click Add permissions. Now it has been added. If I click this small arrow, and now if I click on this JSON tab to view the policy in JSON, you can see the Statement array has multiple statements. If you look at them quickly, first it allows the EC2 Describe actions on any resource, and it's allowing Elastic Load Balancing Describe, CloudWatch ListMetrics and Auto Scaling Describe. Now this is read-only access: all these actions are getting information from these services, but it has not allowed any action to create instances or create load balancers as such, so that's why this is only a read-only access policy.

Now that we have applied this policy to John, let's go here to Firefox, where John has been logged in, and I will go to the EC2 section. Let's see if those errors are missing. Yes, now the errors are gone. Now I can click on Running Instances and actually see if there are any instances; at the moment there isn't any instance, but let me try to create and launch an instance from this John user. Remember we have given only the read-only access, so this should essentially not allow him. There you go, you don't have the permission even to list the instance
profiles. That's all right, so I will just click Review and Launch, and then Launch, and click Launch Instances. There you go, launch failed: you are not authorized to perform this action. Okay.

So now let's get back to this user and let's add some custom policies for him so that he can launch an EC2 instance. I'm going to remove this read-only policy, because read-only is just not enough; I will remove it, click Detach, and then I will go to this Policies section on the left sidebar. That will show me all the managed policies, including AWS managed policies and customer managed policies. We are going to create a new customer managed policy, so you can click Create policy up here, and then I get to choose the visual editor or the JSON editor to construct my policy, including the option to import a managed policy and edit it. So I'll do that: click Import managed policy, and this time I'm going to select EC2 full access. Earlier it was EC2 read-only access, this time I am picking the managed policy AmazonEC2FullAccess. So let's see what the permissions are that I have. By the looks of it, from the visual editor I can see I have access to EC2, ELB, CloudWatch, Auto Scaling, you know, a lot of permissions. So let's trim down these permissions. I will show you in the JSON view as well; you can see there are a lot of permissions right here. So what I will do is I'm going to remove the ELB permissions, I will just highlight that block and remove it, and I'm going to remove the Auto Scaling block as well, and I will only leave CloudWatch and create service-linked role, so that this user is only able to launch EC2 instances and perform all the actions within EC2 but is not able to create an Elastic Load Balancer or anything else that's going to cost me extra. So we have limited those permissions, great. So I will click Review policy, and I'm going to give a name for this policy; I will call it Limited EC2 Access. Now click Create policy. Okay, it's created. Now I will go back to my Users and I'll go to John, and I will click Add permissions and
Attach existing policies directly. Here I will search for Limited EC2 Access, select that customer managed policy we just created, and click Review and Add permissions. Okay, so it is now added, very good. I'll go back to this page where the launch failed message is still displaying; we will try to retry this, and if this works... well, it looks like it's working, so your instances are now launching. Great, so I can click on the instance ID and view it in the EC2 console, and see the instance is now up and running, or at least in pending status.

Now, since we have removed the load balancing capabilities, I will click Load Balancing on the left sidebar and let's try to launch a load balancer. I will click Create Load Balancer; you can pick one of these load balancers, in this case Application Load Balancer, and you get the error message up top: John is not authorized to perform Elastic Load Balancing DescribeLoadBalancers, and even creating load balancers, so you are not permitted. So that's great.

Now I can create a group. Click Groups and Create New Group; I can give a meaningful name, in this case I will just type Limited, so this is the limited group. I can pick the policy filter and only select the customer managed ones, and somewhere on the bottom I should see my limited policy. There you go, click Limited EC2 Access, click Next and Create Group. So the limited group is now created, and now I can add any new users to this group. So let's create a new user, I will add Jane. I want to add the same permissions to Jane as well, so I will click Next: Permissions, and right now I can simply click the Limited group with that Limited EC2 Access permission, and click Next, Next and Create user. The user will automatically be assigned to that group with the limited privileges. Okay, so that's about groups and users.

Now, when you create a user, this user gets long-term access credentials. Let me show you that: I will click John here, and if I go to the Security credentials section, so this is a tab called Security credentials, and there
I have the section of access keys. Now these access keys, the access key ID and the secret access key, which are only displayed at the creation of the user, are long-term credentials. That means you can use those access key IDs and secret access keys, and these access keys and secret access keys will never expire unless you make them inactive or remove the full access key altogether. So if these keys were compromised, whoever has these keys will have long-term access to the AWS console as well as the AWS APIs, right? So there is a certain risk involved with long-term credentials, and that's where IAM roles come into the picture.

Now you can see there's another section called Roles; I will click on that. So these IAM roles are the main way of providing temporary credentials to whatever entity assumes the role, and once you have created an IAM role, this role can be assumed by IAM users, by AWS services like EC2, Lambda, SQS etc., and also it can be accessed by IAM users from within the same account or from different accounts; in that case we call it cross-account access.

So let's create a role. I will click Create role, and then I get to choose, you know, who we are trusting to assume this role. This is called the trusted entity. We can choose our trusted entity to be an AWS service and pick which service it is, or it could be another AWS account, in which case you have to mention the account ID, or it could be a web identity like Facebook, Google or Cognito, or it could be SAML 2.0 federation, so in this case it could be an on-premises Active Directory. So it is essential to add this trust policy to an IAM role. The IAM role consists of two main parts: the first one is the trust policy, who can assume this role, and then what the permissions are once they have assumed it, which is called the permission policy. We'll look at both of these. In this case I'm going to select AWS service and I will pick the EC2 service, so the EC2 service is trusted
to assume this role. Click Next: Permissions, and this is the place where we will define our permission policies. You can see you are listed with the AWS managed policies, or you can filter your own customer managed policies as well. In this case I'm going to click AdministratorAccess and click Next: Tags and click Review, and here you can provide a role name; in this case I will call it EC2 admin role. Click Create role. Okay, now the EC2 admin role has been created.

So now what we can do is attach this role to an EC2 instance. Let's do that: I will go to Services, EC2, and open it in a different tab, and let's launch another new instance. I will click Launch Instance, pick Amazon Linux and accept t2.micro, configure storage, and right here you see there's this IAM role that we can pick for this instance. In the drop-down you can see the EC2 admin role; this is the IAM role we just created, so I am going to pick this one, and click Add Storage and Add Tags, Security Groups (okay, I'm going to take out this security group as well) and Review and Launch. I don't need any key pair, and we'll launch it. So now this EC2 instance is attached with the EC2 admin role, and that means any application that is running inside this EC2 instance can use the temporary credentials that are attached to this role. If I click on this EC2 admin IAM role we just created, you can see we attached the AdministratorAccess permission policy, so it can do anything, and so the applications can also do anything.

I want to take you to this Trust relationships tab. This is the place that is going to define, you know, who the entities are that are trusted to assume this role. I can click Edit trust relationship, or I can see the Show policy document, and there it's another JSON document. This is a different policy type, and it is allowing the principal of ec2.amazonaws.com. Now this is the EC2 service, so it is allowing the principal (the principal is whoever can assume the role) to be a service, and that service is
the EC2 service, so any EC2 instance can assume this role.

Now, when an entity assumes an IAM role, it's going to be supplied with temporary security credentials for that entity. So how does IAM get these temporary credentials? We know for an IAM role we provide a permission policy; that could be administrator access or any fine-grained access. When that role has been assumed by an entity, IAM is going to contact STS, or Security Token Service, and then STS is going to respond with a temporary security credential object. That temporary security credential object is scoped down to the permissions that are attached to that particular IAM role, and that security credential object contains a session token, access key, secret access key and the expiration. So the entity can use the access key and the secret access key and the session token to access that resource within the expiration time. Once the credentials are expired, the entity is no longer able to access those resources, so in that case they have to refresh those tokens. But this is a special case in EC2: in EC2 this refresh of tokens happens automatically using the EC2 instance profile.

Okay, now let's look at another example. We have already seen an AWS service, EC2 in our case, using an IAM role, but now let's demo cross-account access with IAM roles. For this demo of cross-account access I need to have multiple AWS accounts, so I went ahead and created an AWS organization. Here we go: in my AWS organization I have three AWS accounts. This is my current account, and I have created another account for Project Y and another account called Project B. You can add the account or link your existing account with your AWS organization, but that's a topic for another video. Essentially these accounts could be part of your own organization, or they could be totally isolated accounts, maybe belonging to two organizations, but for now I am going to show cross-account access within an organization's accounts. So this is
my master account, which is the currently logged-in account, and in Google Chrome I have logged into this Project Y. Let me show you that: I am in Google Chrome, you can see Project Y is listed here, so in the Project Y account I have logged in as the root user. Let me show you that: if I go to Services and IAM, at the moment I don't have any users, that means I have logged in as the root user. So in my organization, if I look at the organization view right here, I have Root, and at the root level I have my master account. The master account is the account that I am right now logged in with in Safari, so the user is Manoj, and inside that root we have an organizational unit called Engineering. Now if I click onto this organizational unit, Engineering, you can see the tree here as well: inside Engineering I have Project Y and Project B. So Project Y is the account that I have logged in to using Chrome, and this account is my master account that is at the root level. My idea is to access Project Y from the master account, so how can we accomplish that? In order to complete that we have to create an IAM role in Project Y and allow that role to be assumed by this master account.

So let's go ahead and do that. I am in my Project Y, I will go to Services, I will go to IAM, and I will go ahead and create a new role, click Create role. This time I am trusting not an AWS service but another AWS account, so select Another AWS account, and here it's going to ask for the account ID of the account that I am trusting. So I will go back to my master account and I will click Accounts in AWS Organizations, and there I will see the account IDs. I am allowing the master account ID to assume that role, so let me copy that account ID from the master account and come back to Project Y and paste that account ID. Okay, and I will click Next: Permissions. Now I can define permissions for this cross-account role, like what resources the master account can access in my Project Y once it has assumed that role. So in this case I
want him to access only S3, so I will type S3 here and I will check AmazonS3FullAccess; so only S3, nothing else, right? Next: Tags, I'm not going to add a tag here, and Review, and provide a name to this role. I will call it master account role: allow the master account to assume this role, which grants permissions only to S3. Okay, and I'm going to click Create role. Now the master account role has been created.

Let's explore this role a little bit. I will click the master account role and there I see the permission policies attached: AmazonS3FullAccess. If I go to Trust relationships and if I see the policy document, now you can see the principal has been changed to my master account ARN, or Amazon Resource Name. So this is the master account ID, and the principal is the ARN of the master account. Now I should be able to assume this role and access Project Y from the master account. So let's go to the master account, here I will click this drop-down, and there you should see the Switch Role link, just click on that. So we are going to switch our current role. What is the account ID? Here we have to add the account ID of Project Y, because the role that we have defined is in Project Y. So let me quickly find that; I have recorded that in my online notepad, so this is the Project Y account ID. I will come back here, put the account ID right here, and then I have to tell the name of the role. So what is the name? Master account role, so this is the name of the role; I will copy the role name and get back here and paste that in, master account role. You can provide a display name; I will add the name of the account, it's Project Y. I can pick a color as well, in this case blue, and then I will click Switch Role. So let's see if we are able to log in to Project Y. Great, now I am in Project Y, you can see the label has been changed to Project Y. If you click here you can see I can go back to Manoj, that means my master account, and right now I am in Project Y. Beautiful. So in this Project Y this role only allows
us to go to S3 and perform all the actions, so let's see if that is possible. I will click S3. Now remember, when an entity assumes a role it's going to ditch its current permissions. That means right now I have assumed this master account IAM role from Project Y, so I don't have any of the permissions that I had in my previous account. In the master account I had administrator permissions, but right now in Project Y I have only the permissions attached to the IAM role, which is the full access to S3. So I can create another S3 bucket, bucket-from-master-role (I don't know, just a name I came up with), click Next and I click Next, Create bucket. So the bucket is created, because our role permissions allow that: I can do anything for the S3 service. But if I go to a different service, for example if I go to EC2 under Compute, what do you guys think, will I be able to do anything? No, right? You see "you are not authorized to describe running instances", which means we are not able to do anything else other than accessing S3.

Okay guys, so let's move on to our next topic. Now we already know who the IAM users, groups and roles are; the next topic is about the different policy types. We have already looked at some policy types like trust policies and so on, but there are some main policy types as well I'd like to take your attention to: SCPs, identity-based policies and resource-based policies. SCPs, or service control policies, are used at the AWS organization level. Now say that you have a complex organization with multiple departments; you may have an HR department, engineering department and admin department. So in AWS Organizations you can create organizational units for these departments, and under these departments you can add AWS accounts. For engineering you can add maybe a development engineering account, production account, staging account, this chain of accounts, and so on; for HR you can add an account that manages HR-related work, and similarly for administration as well. So once
you have this organizational structure set up, with SCPs or service control policies you can blacklist or whitelist different AWS services for each individual organizational unit as well as for AWS accounts directly. Now let me show you that. This is my master account; I'm still assuming the role in Project Y, so I will just go back to Manoj, that means my master account, and there I will go to Services and I will go to AWS Organizations. In the Organize accounts section you can see I have my root organization, and under that I have this organizational unit called Engineering; now this can well be mapped to a department. Under that organizational unit I have two AWS accounts; if I click on that you see these are the two accounts, Project Y and Project B. I can create more organizational units under Root: for example, let me select Root and click New organizational unit, here I will add Admin, Create organizational unit; I can add another one, HR, right? So I can create as many organizational units as required, and once you have created that you can attach service control policies to organizational units, and thereby those permissions will be inherited by the accounts underneath, or you can actually attach SCPs to an account directly as well.

So let's go ahead and do that. What I'm going to do is I'm going to block EC2 access to all the accounts in this Engineering organizational unit, maybe they're using serverless or something, so let's do that just as an example. First of all, what I have to do is create a service control policy. Up here you can choose the Policies section, and right now I have FullAWSAccess. And just another thing: I will go back to my organizational accounts, and if you select one of these organizational units and click Service control policies, there is this FullAWSAccess policy already attached. Now this happens by default, because SCPs have been introduced recently, so AWS doesn't want to disturb any permissions as soon as you add an account to an
organization. That's why this default policy, FullAWSAccess, is already attached to any account inside the organization, but you can detach this and attach any specific policies as well.

So let's go back to our policies, and right now I will click Create policy. Here you can provide a policy name; I will type Block EC2 Access, and I'm not going to add a description because the name is self-explanatory. Then it's going to ask: okay, choose the service to add this action for, and if you scroll down a little bit, you know, you have to first choose the service, and then the resource, and any other conditions. These SCPs are essentially another JSON object, so this is like the visual editor in Identity and Access Management. So let's pick the EC2 service right here, and it's going to update this section as well. I'm going to block all the actions, so I will check All actions; you can see it has just added this entry, Action: everything, and it's going to Deny. And I will add a resource: okay, basically I need to add this for AWS EC2, for all the EC2 instances, and click Add resource. All right, so I have created this deny policy to block access to all EC2 APIs, or EC2 actions, and then I'm going to click Create policy, and that's going to create Block EC2 Access.

So what I'm going to do next is I will go to AWS Organizations, Accounts, and I will go to the Engineering section, or the Engineering organizational unit, so I am right here right now, and then I will select Service control policies, and the policy we just created is displaying right now. What I can do is attach that policy as well; when you attach multiple SCPs it's going to take the overlap. So now that we have added this Block EC2 Access, let's go to Project Y and see if we are able to access EC2. I am now here in Project Y; right now I am accessing as the root user. Let's see if these SCPs are even applying to the root user. I will go to Services and I will click EC2. Oops: you are not authorized to describe instances. Now see,
I am still the root user, and still I cannot access that. That is the power of SCPs: as the organizational master account you can control any other accounts. Now if I go to a different service like S3, I'm still able to access that. For managing permissions within this account, we have to use IAM, right? SCPs basically whitelist and blacklist AWS services; for fine-grained access control you still have to use IAM within the account context. So that's about SCPs.

Now the next two policies I want to cover in this video are identity-based policies and resource-based policies. I hope you have a good understanding about SCPs now. Identity-based policies we actually have used: in my AWS account, the master account, in IAM I have already created a couple of users, and those users have been assigned some permissions. Now these permissions, like LimitedEC2Access, this is the customer managed policy we had created. These policies are attached to these IAM users, or this particular identity itself. So the policies that we apply to identities like users and roles are called identity-based policies. Now the speciality in identity-based policies is that we don't have a principal directly referenced in the identity-based policy. If I open up this policy document, you can see the attributes displayed here are Sid, Effect, Action, Resource and Condition, and here's another statement; again it only has Effect, Action and Resource. Note that it does not have the Principal attribute. The Principal attribute says to whom this policy applies, but in identity-based policies we don't add that principal directly. The main reason is, if you are applying this policy to a user, the principal is already known because you are applying this policy to a user, so the principal is the user himself; if you are applying this policy to a role, the principal itself is that role.

Now in contrast, resource-based policies we apply to a resource itself. For example, a resource-based policy can be applied to an S3 bucket. If I go to S3, here in Services, S3, I'm going to create a new S3 bucket. I will name it iam-youtube-demo-bucket, okay, pick the region Frankfurt, click Next, and again click Next. I'm going to untick Block all public access, click Next and Create bucket. This is the bucket I just created, iam-youtube-demo-bucket, and right now it is empty; there isn't any object inside it. But I want to focus your attention on the Permissions tab. In the Permissions tab we have Bucket policy. The bucket policy is essentially the resource policy that we are applying to this S3 bucket. So how does that bucket policy, or the resource policy for S3, look? Let me go to the documentation link right here and click Bucket policy examples. If I scroll down a little bit, I should see Granting read-only permission to an anonymous user. Let me copy that bucket policy, get back to my S3 console and paste that bucket policy. Now have a look at this policy. It's essentially another JSON object; it has a Version and a set of statements. We have the Statement array, and the Sid, Effect, Action, Resource are all included in our identity-based IAM policies as well. But the difference here is that we have to explicitly define the Principal, and this is very understandable, because this policy is attached to the resource, the S3 bucket itself, not to a certain entity like a user or a role. Since we are attaching this policy to the S3 bucket, this S3 bucket can be accessed by anybody: it could be an IAM user, it could be somebody outside IAM, it could be an anonymous user. So the principal differs; that's why we have to specifically mention to which principal this bucket policy applies, and in this case it is star, which means whoever is trying to access this bucket, this policy gets applied. That's the main difference between identity-based policies and resource-based policies.

One other major difference between bucket policies and identity-based policies takes effect when it comes to cross-account access. Now look at this example. This bucket policy states that any principal can get objects, like read objects, that are in this S3 bucket, right? And the resource itself is the S3 bucket. So let me just put the S3 bucket name in place of example-bucket; I will replace this one, and I'm going to save this bucket policy. This means that anybody can access this bucket and read its content; we are allowing anybody. This could be a user from a different AWS account, so he can simply access this S3 bucket and view the content. So if you want to allow an S3 bucket to be accessed by a different account, you can specify the account ARN here as well, instead of this very general all-principal, or you can totally forget about this bucket policy and create an IAM role with permission to this particular S3 bucket. So those are the two ways. Say that you want to provide access to this particular bucket for a user in Project Y. The first way: you can create a bucket policy here and put the resource and the Principal as the ARN of that particular user. Or what you can do instead is go to IAM from the master account, where this S3 bucket belongs, and create a cross-account role, and provide the ID of Project Y (let's say it's something like this), select S3, or you can create your own policy only allowing access to that particular iam-youtube-demo-bucket. So those are the two ways. But the difference here is, when you create an IAM role and a user from Project Y assumes this role, he is going to drop his trusted-account permissions. By trusted account I mean the account that he belongs to; we call that the trusted account. He's going to drop all the permissions that are applicable within the context of the trusted account, and they are going to be replaced by this IAM role's permissions in the trusting account. The trusting account is the account that the user is accessing, so in this case our master account. If I reiterate it again: say there is this user John in Project Y; when he's assuming this cross-account role in the master account, he's going to drop his existing permissions and replace them with the cross-account role's permissions. Since he has only the permissions that are designated to this particular role, although he can view this S3 content, he may not be able to copy the S3 content to his own account, because he doesn't have access at his account level. But on the other hand, when it comes to a resource policy like this, when John is trying to access iam-youtube-demo-bucket he's not going to assume an IAM role; the permission will be determined by this bucket policy, or the resource policy. In that case he will still have access to all the permissions available in his trusted account plus the additional bucket permissions, so he can view all the content, and also he can maybe copy this content to his own account as well, because he has access in his own account context as well. So that's another major difference between these two policies. I hope you guys understood that.

Now let me give you another demo. I will save this bucket policy, I will go to the bucket itself, and I'm going to upload some document; let's take this document, it's a Word file, I will just upload it. So it is now uploaded. Now I'm going to go ahead and create another user, or I will use a user in this account itself. Let me go to IAM in the same account where the bucket exists and go to Users. I can create any user, so I may pick Jane here in this case. I'm going to add some permission to access S3: I will click Attach existing policies directly, and I'm searching for S3. Here we have AmazonS3FullAccess, so I will allow Jane to have S3 full access, and I'm going to add permissions. Now the S3 full access policy, or the permission policy, is attached to Jane. Now I will go to Security credentials and I'm going to create a new access key, because earlier I forgot to keep the secret access key as well. Now I have the access key ID and secret access key. So what I'm going to do is open my terminal on my local machine; I'm going to configure Jane's credentials in my terminal. How can I do that? I will type aws configure (I have installed the AWS CLI) and hit Enter. It's asking, okay, what is the access key ID? This is the access key ID of Jane; type that in. And what is the secret access key? Okay, this is that one, and paste that in. Default region, eu-central-1 is fine. Okay, now we have configured our local CLI, or console, with Jane's credentials. Now I should be able to list all the buckets in S3, since Jane has full access to S3, right? How can I do that? I can use this CLI command: aws s3 ls. That's going to list all the S3 buckets. You can see it has listed all the S3 buckets available in this account, including the bucket we have just created, which is iam-youtube-demo-bucket, this one, right? I will do one other thing: I will access this particular bucket as well. How can I access a specific bucket? That is by using aws s3 ls and then we have to provide the bucket name with the prefix s3 colon forward slash forward slash. Hit Enter. It should be s3, not just s. Hit Enter. There you go, so it has listed the .docx, or the document that I just uploaded to that bucket. Beautiful. Now I'm able to access this S3 bucket because Jane has the permission policy for S3 full access. What would happen if I go to the bucket policy and edit it and deny access to everybody who's trying to access this S3 bucket? The thing is, Jane will still be able to access that bucket. Let's try that. So this is the bucket and this is the document. I will go to Permissions and Bucket policy, and instead of Allow I'm typing Deny here for all the actions. So let's save this. Right now our bucket policy says deny access to everybody. If I try to access this S3 bucket using the CLI, will I be able to do that? Let's see; I'm going to hit Enter. Yes, I'm still able to access this. Now here's the theory: if you're an IAM user of the same account and have permission to do something, like here S3 access, it doesn't matter what the resource policy says. As long as you are in the same account, even though the resource policy says deny all access, if you have IAM permission within the same account to access that S3 resource, you can still access that. But this is different if you are a user from a different account, or when you are doing cross-account access. In that case the IAM role or the user has to have the necessary permission to access S3, and the bucket policy, or the resource-based policy, must allow that access as well.

Okay, now let's move on to our next topic: policy evaluation. We talked about policy types; there are different other policy types as well, and I will attach some reference points to dive deep into these areas, but right now our focus is policy evaluation. You know a particular resource can be associated with multiple policies, so when it comes to evaluating those policies and deciding whether or not to grant permission for an entity to access that resource, there is a certain logic. That's what we are going to discuss. When AWS is evaluating whether an entity can access a resource, this is the flow that it takes. First, the decision starts at deny: AWS assumes this entity cannot access this resource, so that is where it starts. Then what it's going to do is evaluate all the applicable policies. There could be resource-based policies, there could be IAM-based policies, or any other policies that are applicable to that resource. But together with that, it's going to evaluate the SCPs attached to this account as well. Now say this account is a part of an AWS organization and the master account has denied permission to this resource; in that case, no matter what other policies are attached to this resource, the decision is deny. If the SCP allows, then it's going to look at all the IAM permissions, or identity-based permissions, and resource-based permissions. At the third step it's going to check whether there are any explicit deny policies attached. If there are any explicit deny policies, then the final decision is deny: explicit denies take priority over explicit allows. So no matter how many explicit allows you have, if there's only one explicit deny, the decision is deny. If there are no explicit denies, then it's going to look at whether there are any explicit allows attached to this particular resource. If there are, then the final decision is allow. Say that there are no explicit allows and no explicit denies; then the final decision is deny. You see, it stays as the default, because the decision starts at deny, and when going through this flow it couldn't find any explicit allow, so this stays at the starting decision, which is deny. So this is the policy evaluation flow.

Now let's look at our last two topics: identity federation and STS. First, identity federation. There are two types of identity federation allowed by AWS: the first one is SAML-based identity federation, and the other is web identity federation. First of all, what really is identity federation? Imagine that your organization has ten thousand plus users and you want to create IAM users for all these ten thousand users. You know, you can go to AWS IAM and start creating those ten thousand users, but that's going to be a nightmare for the admins, right? And apart from that, IAM only allows 5,000 users per account, so that's a hard limit as well; I believe it's a hard limit. So even if AWS allows you to create as many users, you know, creating all those users in AWS IAM is a hassle. Say that another 10 new users join the organization, new recruits; again you have to add those users to IAM. That's why identity federation comes into play. Identity federation is based on trust: you manage the identities, or users, externally to AWS.
For SAML-based federation it is the Active Directory of the on-premises organization, and what we are going to do is set up the trust between the on-premises Active Directory and the AWS account. Once the trust has been established, whenever a user logs in with his domain credentials, AWS will trust that he belongs to that organization and allow access to the AWS console or AWS APIs. On the other hand, with web identity federation your identities are maintained in external identity providers like Facebook, Google, Twitter, etc. Again, in order to make that thing work, you have to set up trust between these two entities, AWS and Facebook. Imagine that you are creating a mobile application and you want users to log in with Facebook. First of all, what you're going to do is create an application in Facebook; you can do that by going to developers.facebook.com and creating an application. Once you have created an application you get some tokens; these tokens can be configured with an AWS service like AWS Cognito, and tell AWS to trust all the users who have logged into this application with their Facebook credentials. After that, your mobile application users who log in with Facebook will be able to access AWS resources; for example, they'll be able to upload their profile photo into an AWS S3 bucket. So that is the basic concept of identity federation.

Now let's look into SAML-based federation and web identity federation in a little bit more depth. First, SAML-based identity federation. There are two types of federation that we can set up with SAML-based identity federation: first, you can let users who have logged into their Active Directory domains access the AWS console; secondly, you can allow them to call upon AWS APIs once they have successfully logged into their Active Directory. So let's look at these flows separately. The first one is AWS console access. Now before going over this diagram, let me show you where you can configure this information about your Active Directory in AWS. I am in my master account, and if I go to Services and Identity and Access Management, on the left sidebar you should see Identity providers. Click on that, and there you can click Create provider. Then you can pick the provider type; it provides SAML-based providers and OpenID Connect based providers. In this case we'll choose SAML-based providers, because Active Directory is communicating over the SAML protocol, or Security Assertion Markup Language. There you can give a provider name, MyOrg for example, and here you have to upload the metadata document of the Active Directory. This metadata document can be found in your Active Directory; download that and upload it here. Afterwards, when you click Next step, you will be given some information to be configured in your Active Directory as well. Once you have added this configuration, the trust handshake will happen, and AWS will start trusting your on-premises Active Directory and your on-premises Active Directory will trust AWS. Once that trust has been established, the user authentication flow in the diagram that I am going to show you will take place, this one. At a high level, this is your organization, this part, and this is AWS. Your users in the organization first log in with their domain credentials. What happens is, users within the organization will browse to the identity provider, or the Active Directory login page; they will enter their username and password, the domain username and password, and then the identity provider will authenticate with the LDAP identity store (this could be Active Directory or LDAP, whichever). If the user has successfully authenticated, the IdP returns a SAML assertion to the browser. The SAML assertion says, okay, this user has successfully logged in with Active Directory. At the AWS side we have a single sign-on endpoint. Once the user has successfully logged into Active Directory, what the browser does is send that SAML assertion to that single sign-on endpoint of AWS; you see, the client posts the SAML assertion to the single sign-on URL. From the AWS side, it's going to check the user's groups. You know, in Active Directory you can have different groups, and at AWS you can map those groups to particular roles. We already know that in order to access AWS resources it has to be either users or roles, so what we are doing here is mapping Active Directory groups to corresponding roles with corresponding permissions. That IAM role is going to consult STS, the Security Token Service, and get those security credentials, and then it's going to send a redirection to the AWS console page to the user's browser. With that redirection the client is directed to the AWS Management Console without having to enter any username or password at the AWS side. So that's how the AWS console access federation happens.

Now let's look at how AWS API access happens with SAML-based authentication, or federation rather. Here's what's going to happen: we are going to create a role in AWS, and once the users have successfully authenticated with their Active Directory, it's going to call upon an API in STS, AssumeRoleWithSAML. This is the API call, and it's going to send the role name along with the SAML assertion that was returned from the Active Directory. STS will evaluate that, and it's going to send the temporary credentials belonging to that role's permissions. Now that the client app, or the browser, has the temporary credentials, it can use the AWS SDKs or CLI to access those resources permitted by the AWS IAM role. You see, in this case the role says, okay, whoever assumes this can access the S3 bucket, and upon successful user authentication to Active Directory it's going to call AssumeRoleWithSAML with that SAML assertion and the role name. STS will look at that and it will return the security credentials, the access key and secret access key. Then from the client app it's going to access the S3 bucket and do the operations; it could be uploading some files or so. I hope it's clear.

Now let's move on to web identity federation. This is more or less the same; there are only two differences. Instead of users logging in with Active Directory, on the left side they are logging in with the identity provider, so it could be Facebook, it could be Google, it could be Twitter, or it could be Amazon. Once they have successfully logged in with the external identity provider, it's going to return an ID token. Earlier, in SAML, it's going to return a SAML assertion; now in this case it's going to return an ID token. With that ID token the browser is going to call another STS method, called AssumeRoleWithWebIdentity, together with that ID token and the role that it's going to assume. Once STS receives that request, it's going to check whether it's valid; if it is valid, it's going to send the access key and secret access key, all that security credential, to the browser. Thereby the browser will be able to access those resources using those temporary credentials; in this case it's accessing DynamoDB using those temporary credentials. Now in the diagram you will see the Cognito service. This Cognito service makes our lives quite easy when associating these web identities. Let me quickly show you that. I'm in my AWS account; I will go to Services and search for Cognito. There we have it. In Cognito you can create a user pool or an identity pool; in this case I'm going to create a user pool. I will create a new user pool, YouTubeDemo, I will review the defaults and create the user pool. A user pool is basically a list of users; AWS is going to manage the infrastructure of this user pool. For this particular user pool we can attach identity providers. You see, under the Federation category you can add identity providers, and there you can attach Facebook, Google, OpenID Connect, even SAML with this user pool. So I can select Facebook, and here I have to add the app ID of the Facebook app and the app secret, and once I have enabled Facebook, any user who logs in with Facebook will be authorized to access the application; it could be a mobile or web application. As and when a user authenticates with Facebook, a new user entry will be added in the user pool. I'm not going to go into depth on how that happens, because we have already created a video on federation with Facebook, or single sign-on with Facebook; I will put a link in the description as well. So that's how web federation happens.

As the final topic for this video, I'm going to talk about STS API methods. We have seen it's always calling STS APIs, no matter whether we are using SAML-based identity federation or web identity based federation. These are the main methods that are supported, or provided, by STS. It has the AssumeRole API; this is the API that gets called when we assumed a role in Project Y from the master account. You had to add the account ID and the role name, then the AssumeRole API is called behind the scenes, and it's going to return security credentials, thereby logging the user of the master account into the Project Y account. AssumeRoleWithWebIdentity is going to be used when you're authenticating with web identity federation, this one. Here, as soon as you log in with Facebook, the ID token and the role will be sent out to STS, and it's going to return some security credentials, temporary security credentials, for you. AssumeRoleWithSAML is used with SAML-based authentication, or SAML-based federation; it's going to call this AssumeRoleWithSAML method together with the SAML assertion and the role name. All these three AssumeRole APIs require an IAM role, but these two APIs, GetFederationToken and GetSessionToken, essentially use an IAM user's long-term credentials. Now if you look at this GetFederationToken API, that must be used in a safe environment. That means, say that in your on-premises network, where you have set up all the security, firewalls and everything, then you can store the access key and secret access key of a certain user. With GetFederationToken, what happens is you're going to receive some temporary credentials using those long-lived credentials; these temporary credentials can then be used to proxy some applications. Say that you have an application on-premises that needs access to certain AWS services temporarily, or for a short amount of time. In that case you can request some temporary credentials from AWS using your long-lived credentials that are stored within the identity server, and send those temporary credentials to that particular application, the proxy application, to use on your behalf to access AWS temporarily. So that is about the GetFederationToken API. Now the GetSessionToken API is also using AWS IAM user credentials, but in unsafe environments. Say that you are an IAM user of a particular AWS account, and you want to access the AWS account while you're on vacation; you want to access some AWS resources. In that case you can do so with GetSessionToken. It's going to send you an MFA challenge, or multi-factor authentication challenge, so you have to verify the code that is sent out to your mobile phone, and with that code it will make sure that this is an authentic user; thereby it will provide the access, or the temporary access, to that particular resource. Remember, all these APIs are going to send you temporary access credentials.

Okay, these are the main topics that I wanted to cover in this video. I hope this has been useful. If you guys have any questions, please feel free to post them in the comment section, and I will add all the references to the AWS documentation in the description section as well, so you can dive deep into these concepts if you need. Okay guys, so that's it. Thank you very much for joining me for this long video, and I'll see you in another video.
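The policy evaluation flow described in the transcript (start at deny, gate on the SCPs, let any explicit deny beat explicit allows, and for cross-account access require both the caller's own policy and the bucket policy to allow) as a small Python model. This is an added example written for this page, not code from the video or from AWS; the account IDs, user ARNs and policy documents are constructed, and Condition blocks, NotAction and permission boundaries are not modelled.

```python
import re

# Constructed sample account IDs and principals; they stand in for the video's
# master account (which owns the bucket) and its Project Y member account.
MASTER_ACCOUNT = "111111111111"
PROJECT_Y_ACCOUNT = "222222222222"
JANE = f"arn:aws:iam::{MASTER_ACCOUNT}:user/jane"      # same-account IAM user
JOHN = f"arn:aws:iam::{PROJECT_Y_ACCOUNT}:user/john"   # cross-account IAM user
BUCKET_ARN = "arn:aws:s3:::iam-youtube-demo-bucket"

# Service control policies on the Engineering OU: the FullAWSAccess default
# plus a BlockEC2Access deny, constructed to mirror the video's demo.
SCPS = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]},
]

# Identity-based policies carry no Principal: the attached user is the principal.
JANE_POLICIES = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    {"Version": "2012-10-17",
     "Statement": [{"Sid": "NoDeletes", "Effect": "Deny",
                    "Action": "s3:DeleteObject", "Resource": "*"}]},
]
JOHN_POLICIES = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                    "Resource": BUCKET_ARN + "/*"}]},
]

# Resource-based (bucket) policy: Principal is mandatory because the policy
# hangs off the bucket, not off a user or role.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"], "Resource": BUCKET_ARN + "/*"}],
}


def _as_list(value):
    """Statement, Action, Resource and Principal.AWS may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, flags=0):
    """Match an IAM pattern: '*' is any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None


def _principal_matches(statement, principal_arn):
    """SCPs and identity-based policies have no Principal and always match."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed


def effects_for(policies, principal_arn, action, resource):
    """Return the set of Effects ('Allow'/'Deny') of statements matching a request."""
    effects = set()
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _principal_matches(statement, principal_arn):
                continue
            # Action names are case-insensitive in IAM; resource ARNs are not.
            if not any(_wildcard_match(a, action, re.IGNORECASE)
                       for a in _as_list(statement["Action"])):
                continue
            if any(_wildcard_match(r, resource)
                   for r in _as_list(statement["Resource"])):
                effects.add(statement["Effect"])
    return effects


def is_allowed(principal_arn, action, resource, scps, identity_policies,
               resource_policies, resource_account=MASTER_ACCOUNT):
    """Decide a request: default deny, SCP gate, explicit deny wins, then allow."""
    scp = effects_for(scps, principal_arn, action, resource)
    if "Deny" in scp or "Allow" not in scp:
        return False  # the organization blocks it; SCPs only whitelist/blacklist
    identity = effects_for(identity_policies, principal_arn, action, resource)
    resource_based = effects_for(resource_policies, principal_arn, action, resource)
    if "Deny" in identity or "Deny" in resource_based:
        return False  # one explicit deny beats any number of explicit allows
    if principal_arn.split(":")[4] == resource_account:
        return "Allow" in identity or "Allow" in resource_based
    # Cross-account: the caller's own policy AND the bucket policy must both allow.
    return "Allow" in identity and "Allow" in resource_based


if __name__ == "__main__":
    obj = BUCKET_ARN + "/file.docx"
    print(is_allowed(JANE, "ec2:DescribeInstances", "*", SCPS, JANE_POLICIES, [BUCKET_POLICY]))  # False
    print(is_allowed(JOHN, "s3:GetObject", obj, SCPS, JOHN_POLICIES, [BUCKET_POLICY]))           # True
```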
Info
Channel: Enlear Academy
Views: 27,722
Rating: 4.9246573 out of 5
Keywords: Serverless Computing, AWS Certification, Cloud Computing, AWS IAM, Crash Course, IAM Crash Course, AWS Security, aws tutorial, Identity and access management, aws certification, aws tutorial for beginners, aws training, aws cloud, what is aws, aws full course, aws course, aws for beginners, aws iam policy, aws interview questions, aws this week, aws certified security specialty training, aws services, components of iam, introduction to aws iam, aws security tutorial
Id: WYH8SQW6RJQ
Length: 72min 40sec (4360 seconds)
Published: Sun Jul 21 2019