AWS IAM (Identity Access Management) Crash Course

Captions
Hello everybody. In this video we will be covering AWS IAM. Now, what does that stand for? Well, AWS stands for Amazon Web Services, and it provides you a bunch of different services that you can utilize to build and host your application. IAM stands for Identity Access Management, and I'll explain exactly what that is through a diagram.

So let's go over here, and let's say that I have a great startup idea. I talked to a bunch of investors, they gave me a bunch of money, and I was able to hire these five engineers: Jeff, Ed, Shelby, Sam and Michelle. We all got together, started talking about the architecture of my wonderful idea, and decided that we needed to utilize these eight AWS services. Now, if you're taking this crash course I do expect you to know a little bit about AWS. AWS has a bunch of different services that you can use; obviously when you're building an application you're not going to use every single one, you're only going to pick the ones that you really need. You do not need to know what these services are or what they do to learn about IAM, but just understand that these are some of the services that AWS supplies to us. So we need Lambda functions, RDS, CloudFront, DynamoDB, S3, Elastic Beanstalk, Lightsail and EC2. All right, terrific. We went over the architecture and figured out that this is exactly what we need, and now we need to get access to these services.

Because I am the owner and this is my company, what I need to do is go to aws.com or aws.amazon.com and create an AWS account. I would put in my information and also my credit card information, because of course these are not free services, you have to pay to use them. Once I do all that, I end up with a root account, and a root account can literally do anything. It has access to every single service, not just these eight; it can create users, delete users, update users, it can do everything.

Now, with IAM it is best practice to never really use this root account, even though I might want to have access to everything. So what I can do instead is take this root account and create what is known as an IAM user, or if you will, just another AWS account. If I want to create another AWS account for me, I probably want to have access to everything, so I can give myself administrative access using this root account. I would still have the root account, but I would also end up with an account with admin access. Admin access has the exact same abilities as a root account, except that the account with admin access is not able to delete the root account, whereas the root account is able to delete the account with admin access. So I would just create this account over here.

Now I need to have my peers, my co-workers over here, get access to these services. One thing I could do is just share this username and password combination with every single person, but this is highly not recommended. Instead I can just create other accounts for them as well, and really I could just give every single one admin access. You guys know what I mean by this: give them all admin access and they'll all be able to do the functionality that they need. However, this is not best practice. What we want to do instead is figure out exactly what these individuals need and then give them the absolute least ability they need to perform their job. So we can actually group these individuals by exactly what they do.

Over here, these guys are data engineers, so we can group them together in a data engineer section and then just give them access to the services that they need. Let's say all of the data engineers just need access to RDS, DynamoDB and S3. These are the only three things they need access to; they don't need access to Lightsail, EC2, Elastic Beanstalk, etc. So we're going to group them together and give them access to these three. Over here we can also group these into DevOps, and they're going to need access to Lightsail, EC2, CloudFront and Lambda, so we group them together as well.

Once we group them together, we can attach policies to that specific group. Let me explain what I mean here. I'll show you exactly what policies are in the AWS console, but you can think of them as permissions. We give these individuals or these groups policies, and through those policies we are giving them permission. Over here you can see that this policy, for example, says S3 read/write, so now all these individuals are able to access the S3 service and are able to read and write. There are other things we might also be able to do with S3, such as list all of the things that are in S3; however, within this policy we've specified that they can't do that, so they don't have permission to list. Again, if this doesn't make a lot of sense, do not worry, we will cover it in the console in a bit. So we attach policies to this group, and now Jeff, Ed and Shelby can read and write from S3. Over here we can add another policy, EC2 full access, so Sam and Michelle have access to EC2 and can do anything within it because it's full access.

And of course we can attach multiple policies: we can say you have an S3 policy, you're also going to have a DynamoDB policy and an RDS policy, and we attach those to this group, so each one of these individuals is able to access RDS, DynamoDB and S3. However, if Jeff tried to access EC2, he would not be able to. Again, this is the best practice: you want to give them the least amount of privilege they need to perform their job. If later on they need more access, that's not a problem, we can just give that to them by adding more policies.

One thing I want to quickly note is that an individual can fall into multiple groups. For example, let's say that Shelby is a very, very smart individual, and it's costing me 200 dollars a year just because she's so incredibly smart. She's not only a data engineer, she's also a DevOps engineer, and to be able to help out Sam and Michelle she needs to have access to all of the DevOps things: EC2, Lightsail, Lambda and CloudFront. But because she's a data engineer she also needs access to S3, DynamoDB and RDS. Not a problem: an individual can be a part of multiple groups. Shelby can be a part of the data engineer group as well as the DevOps group, and because of that she is going to inherit this policy as well as this policy, and thus she is going to have permission to access essentially all of these services. There are also a bunch of other services in AWS that we don't use and that I haven't listed here; she would not have access to those because we're not using them and we don't need to give her permission. So just to quickly note, we can have an individual attached to multiple groups. Okay, that is enough of the theory; I hope that made a lot of sense.

Now what we're going to do is go into AWS, sign in to our console, and start playing around with IAM. I do expect you to have a root account, so sign in to your root account and go into the console. Okay, so I am now logged into my root account, and now I can access the IAM service to create a bunch of other accounts. One thing I also want to quickly note that is special to IAM is that it's not region specific; it is actually a global service. To quickly illustrate what that means, let me just go to the EC2 service right over here. You can see that I can select multiple regions to launch my EC2 instance in; let me zoom in a little bit. My default is US East (Ohio), but I can pick whatever I want: Mumbai, Central Canada, Europe, whatever it is that I want. Now if I go to the IAM service (you can get there by clicking on Services and scrolling down to IAM, or you can just search for IAM right over here), you can see that this is a global service: you can't pick any region, so it's not required for you to select a region.

Before we dive into this, let me quickly illustrate how important it is to protect your root account. As soon as you sign up, I highly recommend that you go over here to your username, then go to My Security Credentials, and set up multi-factor authentication. If you don't know what that is, multi-factor authentication means that instead of just supplying your password to log into your AWS account, you would supply your password as well as some sort of code that you would get from a physical device that is near you. If you've ever used Google Authenticator or Authy, or I think Microsoft also has one, you can utilize those to increase the security and increase how difficult it would be to actually get access to your root account. So you can see here, just go over here and select a virtual multi-factor device (this could be your phone or your computer), click Continue, and then with your phone you would go into that app, like Google Authenticator, and scan this code over here. That will supply you with two codes, you would add them in, and then you would assign this multi-factor authentication to your root account. I'm not going to do that, but I highly suggest that you do that for your account.

Okay, cool, so now let's just get into IAM. Let's click on that. Here we are in the IAM dashboard, and you can see that we have a lot of the different things that we talked about already. We have user groups (remember, Data Engineer is a group, DevOps is a group), we have the users themselves (Jeff, Ed, Shelby, et cetera), we have roles, and we also have policies, which, remember, are what give those users permissions. So let's just begin. Remember we have a root account right now, which we really never want to use, so let's create an account for myself with admin access. How do we go about doing that? Well, let's go to Users, and, let me just zoom out a little bit, we're going to add a user. Very, very easy. I'm going to call this user laith, and over here you can see we have two options: programmatic access and console access. Does this user have programmatic access, or do they have console access? When you're dealing with real human beings and you want to give them access to AWS, you're going to give them console access. Console access basically means that they have access to this dashboard, this website. Programmatic access is when you want some sort of third party, like a CLI or an SDK or an API, to have access to your AWS account and to start performing some actions on it. For example, let me quickly search this up: Serverless. Right here we have the Serverless Framework, and what the Serverless Framework does is build your serverless architecture for you in AWS. So you can utilize programmatic access: you would get programmatic access, give that to Serverless, and then Serverless would programmatically add Lambda functions, etc. That is programmatic access. But when we're dealing with real human beings, we are going to give them console access. We could also give them both, so we could also get the access key and the secret access key, which would be kind of like the username and the password for something like this, or you can just have a username and password, or you can have both. But we're just going to do console access.

Now we can either create a custom password for them, or we can just auto-generate a password, which is what I will do, and we will also require a password reset, so once they log into their account for the first time we would require them to reset their password. You can see here, let me just zoom in, that it says the user automatically gets the IAMUserChangePassword policy, which will allow them to change their own password. This is a policy that they get which gives them the permission to change their own password. All right, so now let's just go here and say Next: Permissions, and this is where we give them permissions. We can either place this user inside of a group and attach the policies, and thus the permissions, to that group, or we can just give the policies directly to the user. It's highly recommended to always put an individual inside of a group and attach the policies to that group. So we can create a group, or of course copy permissions from an existing user (we're not going to do that because we have no users), or go over here and attach existing policies directly (that's also not what we're going to do). So we're going to create a group and call it admin, and now we need to attach policies to this group. You can see here there are a bunch of different policies: Amazon EC2 full access, registry full access, DynamoDB read-only access, et cetera. For me, I want to have administrative access, so, kind of like the root account, I have access to absolutely everything; this is the policy that I want to attach to the admin group. So I can create this group now. Not only did I create the group, I also attached the user that I was creating to this group, and now I can go to Next. I can also add tags; they're just key-value pairs that allow you to tag user information, so you can have their email, their job description. I could say something like description: admin, or maybe for Shelby department: devops or data engineer. I won't, but you can if you want to. Then over here it just gives you a quick summary: hey, are you sure, this is the username, blah blah blah. This is just a way for you to review everything. Once you're happy with it, click on Create User, and there we go, we have successfully created our user.

Now, how do you log into this? What you would need to do is give the individual, or I guess yourself, this URL over here, as well as their username, which is laith, and their password. One thing I quickly want to note: this password I will delete, of course, so I'm going to show it to you guys but it's not going to really mean anything to you. But this password, you're never going to see it again, so I highly suggest you store it in a very, very secure place. Actually what's going to happen is you're going to require a password reset anyway, but you're never able to recover it; you're never going to see this password again. So you can either just download the .csv and store it somewhere else, or store this somewhere very secure, but I highly suggest you store it somewhere very, very secure.

Now we can essentially go to this URL. You would give yourself, or the person you created the account for, this URL, and I'm going to open this up in Safari. The reason I'm going to do this is that I don't have any cookies or anything in memory or stored within my browser, so it's kind of a fresh slate. If you want to use Chrome, just open it up in incognito; I'm just going to open it in Safari, and maybe later on I'll also do incognito. So you go to this URL over here, enter the username, and then the password would be this. Now, just to prove to you that this password is useless to you guys, it's asking me to change the password, so let me just quickly change the password. There we go, now I have admin access. I created an IAM user, and you can see I have access to all of these services, not a problem.

All right, terrific. So now let's go ahead and create an account for Shelby. Remember, Shelby is a data engineer, so let me quickly log out of my account over here; it will sign out. We're going to create an account for Shelby, and remember we only want to give her RDS, DynamoDB and S3 access. So we're going to go back to IAM. You can do this either in your root account or in your admin account; I'm just going to do it in my root account for this demonstration, but I highly suggest you probably just do it in your admin account, which is better. We're going to create another user (you guys probably get this by now): Add User, and we're going to call her shelby. We can also add multiple users at the same time if we want to. We're going to give Shelby console access, auto-generate a password and ask her to update it, and now we want to give her access to these three services. So let's create a group, and we're going to call it data engineer. Let's actually just do an underscore: data_engineer looks better. Now we don't want to give her access to everything, just to what she needs, so we can say RDS. Okay, so this is RDS full access. Now this might be too powerful; we might not want to give her full access. I'll show you a way to customize exactly what you want in a bit, but for now let's just say Shelby's very smart and you want to give her full access. You want to give her DynamoDB; you can see that there are some existing policies here, DynamoDB full access, read only, so there's a bunch of different things. We're going to give her this one over here.

Now, for S3, let's say we don't want to give her absolutely everything; we want to limit the access she has for S3. So we can either fine-tune what we want from the existing policies, or we can just create a policy. Let's go over here and create this policy. When we create this policy, you can see that we can do it in two different forms: I prefer the visual editor, or you can use just a JSON blob. I'm not going to cover the JSON blob because I honestly prefer the visual editor. Over here we select a service, and the service that we want is S3, so let's click on S3. Then over here you can see all of the actions, or all of the access levels. We can give her access to everything, but there's not really a point; we want to fine-tune what we want. So maybe we want her to be able to list everything in S3, maybe we want her to be able to read everything, but maybe we don't want her to tag, and maybe we don't want to let her write something. You can see here, okay, Write, but then we have 89 that were selected, and maybe we don't want her to delete objects; we don't want her to perform any of the delete functionality, so we can actually get rid of those. So over here we're allowing her to create, we're allowing her to update, but we're not allowing her to delete. You can see we're really fine-tuning our policy. Okay, cool. Now we need to specify the resources, and over here I'm going to say all resources. Then we can say Next: Tags; no thank you, I'm not going to provide any tags. Then Review: let's just give this policy a name, I don't know, s3 data engineer, whatever; you guys can probably think of a better name. You can give it a description, but I'm too lazy to do that, and now we can create this policy. So we have created this policy, wonderful. You can see here that it's a little bit different; it's not like the typical AWS policy, this is a very fine-tuned policy.

Now we can go back over here and refresh, and we should see this policy, so we're going to attach this policy to the data engineer group as well. Let's go ahead and create this group, and now we can just give Shelby access to the data engineer group. Next: Tags, and then Next: Review, and you can see she's part of this group. If you want, you can right-click on the group to see the group itself and all the permissions it has, and you can see it has all these policies over here. Now we can just create the user. So I would just give Shelby this URL, she would go to her browser, enter it, write her username as well as her password (and of course she would save this somewhere), and then put in the old password. Let me just put in a password here; I'm literally making up a password as we go, so that's just more security for myself. Damn it, it doesn't match. All right, maybe you can just pick a simpler password. There we go. Okay, terrific, so now she has her AWS account.

Now if she were to go to RDS, this is taking some time, sometimes I'm not sure why Safari is kind of slow, but you can see here she can do whatever it is that she wants with RDS, she can see all of the instances if she wants to. Or actually, I didn't give her access to that stuff, unfortunately; I guess maybe I didn't give her access to that. But DynamoDB, she should also have access to DynamoDB. Did I give her access to RDS? I thought I did. RDS Data, okay, that's probably it; what I probably meant was just RDS. But let's just go over here: you can see she has access, she can create a table, she can do whatever it is that she wants. Now if she were to go to Lambda, however, you can see: hey, you're not authorized for Lambda. If she were to go to EC2 you're going to get the same message, you're not authorized to do any of this stuff, you can't see any of the running instances, you're not authorized. Now if she were to go to S3, let me just zoom in, you can see that we have a bunch of different S3 buckets and she's able to see them.

Now let's say that I demoted Shelby and I want to give her less access. What I could do is go to the S3 policy and change the policy. Just to show you how this looks from a JSON blob, this is how it would look: you can see here that we have the version, which is kind of an ID, then the ID of the statement, and over here we're allowing these actions on these resources, so s3:GetObject and all these kinds of permissions on every single resource out there. So that's how that looks. But now let's just quickly go back to the policy summary, go over here to S3, and edit the policy. Let's say that what we want to do at this point is go over here to Actions and not give her list access. Now we can just review the policy and save the changes, and if Shelby were to go back over here and refresh this page (I wonder if there's a refresh option here; I guess not, let's just refresh the page), you can see that now she doesn't have access to the list.

And that right there is the summary of IAM. IAM allows you to create accounts and give them specific permissions to specific services, so really all you need to know is users, groups and policies; those are the main concepts of IAM. Now again, also, if you're using something like the Serverless Framework that needs access to your account, you're going to need to give it programmatic permission, which gives it some sort of access key and an access secret which serve as a username and a password. All right, hopefully you guys found that informative, and I'll see you guys in the next one.
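An added example, not code from the video, that models the users, groups and policies walked through above in plain Python: the admin group, the data_engineer group with an S3 policy that allows list, read and write but not delete, Shelby inheriting from two groups, and the demotion step that edits the policy. The policy documents are constructed for this example (the *_FULL_ACCESS ones are simplified stand-ins for the managed policies, not copies of them), and the evaluation follows IAM's order: explicit Deny wins, then any matching Allow, otherwise implicit deny.

```python
"""Toy model of the IAM concepts in the video: users, groups and policies.

Everything here is constructed for this example.  The *_FULL_ACCESS
documents are simplified stand-ins for the AWS managed policies chosen in
the console, not copies of them.  Evaluation follows IAM's order: an
explicit Deny always wins, otherwise any matching Allow grants the
request, and anything else is implicitly denied.
"""
from fnmatch import fnmatchcase


def _allow(*actions, sid=None):
    """Build a one-statement Allow policy on all resources (Sids made up)."""
    stmt = {"Effect": "Allow", "Action": list(actions), "Resource": "*"}
    if sid:
        stmt["Sid"] = sid
    return {"Version": "2012-10-17", "Statement": [stmt]}


ADMINISTRATOR_ACCESS = _allow("*")  # what the admin group gets
RDS_FULL_ACCESS = _allow("rds:*")
DYNAMODB_FULL_ACCESS = _allow("dynamodb:*")
EC2_FULL_ACCESS = _allow("ec2:*")
LAMBDA_FULL_ACCESS = _allow("lambda:*")

# The custom policy built in the visual editor: List, Read and Write
# access levels on all resources, with the Delete actions unchecked.
S3_DATA_ENGINEER = _allow(
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    sid="S3ListReadWriteNoDelete",
)

GROUPS = {
    "admin": [ADMINISTRATOR_ACCESS],
    "data_engineer": [RDS_FULL_ACCESS, DYNAMODB_FULL_ACCESS, S3_DATA_ENGINEER],
    "devops": [EC2_FULL_ACCESS, LAMBDA_FULL_ACCESS],
}
# Users carry no policies of their own; they inherit from their groups.
USERS = {"laith": {"admin"}, "shelby": {"data_engineer"}, "sam": {"devops"}}


def add_to_group(user, group):
    """Shelby joining devops as well: she inherits both groups' policies."""
    USERS.setdefault(user, set()).add(group)


def revoke_action(policy, action):
    """The demotion step: edit the policy and drop one action from it."""
    for stmt in policy["Statement"]:
        stmt["Action"] = [a for a in stmt["Action"] if a != action]


def _matches(stmt, action, resource):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    # Action names match case-insensitively, ARNs case-sensitively.
    return (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource="*"):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"
                decision = "allow"
    return decision


def is_allowed(user, action, resource="*"):
    """Gather every policy attached to the user's groups and evaluate."""
    policies = [p for group in USERS.get(user, ()) for p in GROUPS[group]]
    return evaluate(policies, action, resource) == "allow"


if __name__ == "__main__":
    for req in ("s3:GetObject", "s3:DeleteObject", "ec2:RunInstances"):
        print(f"shelby {req}: {is_allowed('shelby', req)}")
```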
Info
Channel: Laith Harb
Views: 792
Rating: 5 out of 5
Id: 2SNckEy7yGM
Length: 30min 18sec (1818 seconds)
Published: Tue Jul 27 2021