AWS IAM Tutorial | AWS Identity And Access Management | AWS Tutorial | AWS Training | Simplilearn

Captions
Welcome to the IAM overview and policies section. In this section we're going to have a look at IAM and provide an overview of what it is and what it's used for. Then we're going to take a look at IAM policies, and finally we'll do a demonstration of how to create an IAM policy in AWS.

So what is IAM? Well, Identity and Access Management is the service that enables you to securely control user access to all your AWS services and resources. It's based around the concept of user management that you'll already be familiar with: users, groups and permissions. Here we're just going to go through the key features of IAM, and then we'll cover each of them in more depth. The first thing is it gives you shared access to your account; it provides granular permissions; it gives secure access to AWS resources; it can provide identity federation (and if you're not sure what that is, we'll cover it); identity information for assurance, which is crucial these days with all the auditing that goes on; it's PCI DSS compliant; it allows you to set up a password policy; and also multi-factor authentication. So let's take a look at each of these in detail.

IAM provides shared access to your account, which allows you to grant other people in your organization permission to administer and use AWS resources in your account without you having to share your password or access key. When you set up your AWS account for the first time you give an email address and a password, and this is effectively your root account, so you obviously don't want to be sharing this with people. But as an admin user you can use IAM to share access. For example, here is a bunch of users that need access to EC2 and S3, and you can permission them to do that. And not only could you have user access to just S3, you could have another group of users accessing other services; it's endless what you can do.

IAM allows you to set up very granular permissions. Using IAM users and groups you can grant different permissions to different people to manage their access to AWS, so you can really define which users can access which services. For example, you could have a bunch of users that have access to EC2 production instances but not to development instances, and as you'll see as we go on you can get very granular: you can set up development teams to have read/write access to volumes but without administration access, or development teams that can add new storage volumes to development instances but are not allowed to launch new instances.

IAM allows you to securely allocate the credentials that applications running on EC2 instances need so that they can access other AWS resources, for example S3 buckets or databases. This diagram here, which we'll go over in a later section, gives you a rough idea, but what you need to know at this stage is that if you have an application that runs on an EC2 instance, and the EC2 instance has been configured accordingly in IAM, the application can automatically inherit the permissions it needs to go and access S3 buckets or databases without actually having to store or pass user credentials.

IAM allows you to set up identity federation, so you can allow users who already have passwords elsewhere, for example Facebook, Microsoft Active Directory or Google, to get temporary access to your AWS account. You probably use this in applications where, when you set up a new account, you have options to log in using Facebook or your Gmail account; that's basically identity federation.

A hot topic these days is identity information, or auditing, and IAM allows you to log, monitor and track what users are doing with your AWS resources through the use of CloudTrail. There's a whole section on CloudTrail later in this course, but here's a brief overview for you: it logs everything, the user, the time they logged in, IP addresses, and it will write it to a log and store it in an S3 bucket where you have full administration control, and you can keep all the log files there for as long as you want, or until the auditors come knocking.

IAM is PCI DSS compliant, which means it is Payment Card Industry Data Security Standard compliant; in other words it can process, store and transmit credit card data from a merchant or service provider.

IAM has multi-factor authentication built in, so you can configure two-factor authentication for users and resources to ensure absolute security using MFA devices, although these days it's easier and simpler to use MFA applications on your mobile phone such as Google Authenticator. I'm sure you've all been here and done this, where you have to log in to a website and then you're asked to enter your 6-digit PIN, and you look at your device and type it in; that's what multi-factor authentication is.

And finally, password policy: IAM allows you to define password strength and rotation policies, and also the number of characters and special characters etc., so you can really lock down the passwords used to access AWS.

So what are IAM policies? Well, a policy is a document that defines one or more permissions, and policies can be attached to users, groups and roles. They're written in something called JavaScript Object Notation, or JSON for short, and we're going to look at an example of this in a few slides' time. There are a number of policies that AWS has predefined which you can select from, or you can create and edit your own.

As I mentioned, AWS has many predefined policies which allow you to define granular access to AWS resources, and here's a screenshot of the policy page where you can see there's around 200 policies available for use at the moment. So let's take a look at a couple of them so you can get more of an idea of what a policy is. One of the most commonly used policies is the AdministratorAccess policy, and this provides full access to AWS services and resources, so it's kind of the administrator-slash-root user. Here's your admin user, and here is a screenshot of the Amazon Web Services console with all the services available. If you have the AdministratorAccess policy you can do whatever you want; you can go in and access absolutely everything, so you would only be giving this to a select few people. Another popular policy is the AmazonEC2FullAccess policy. This provides full access to Amazon EC2 and the associated resources, which are Elastic Load Balancing, CloudWatch and Auto Scaling. So if your users have this they can do what they want with EC2, but they have no access to any other services. The AmazonS3ReadOnlyAccess policy provides read-only access to all buckets via the AWS Management Console. So here are your users; you've given them this policy; they have read-only permissions on S3 but no other permissions on any other services. As you can see, you can get very granular with your policy creation.

As I mentioned earlier, AWS policies are written in something called JSON, or JavaScript Object Notation, which stores data in easily readable key-value pairs. Here's an example of an AWS policy written in JSON, and as you can see it's not that complicated, so let's break this down. At the top there is some policy-wide information that helps you identify details about the policy; in this case it's the version, but you could put whatever you want here. Then there's the Statement section, kind of the meat of the JSON policy, and this is where the policy rules are written. In this example there are three entries. There's the Effect, which is the effect the user has when they request access, which is either Allow or Deny; the default is that resources are denied to users, so you typically specify that you will allow users access rather than vice versa. Then there's the Action, and this is the action that you will allow. Each AWS service has its own set of actions, and in this example we're allowing s3:ListBucket access, and any actions that you don't explicitly allow are denied, so users will be able to list the contents of the bucket but they won't be able to do anything else. And finally there's the Resource, and this is the resources that you are allowing the action to take place on. In this example we're allowing ListBucket access on the example bucket, and users with this policy won't be able to access any other buckets.

Welcome to the IAM policy creation demo. In this demo I want to create a new policy that allows read-only access to an Amazon S3 bucket called simplilearn. To do this I'm going to go to the Security and Identity section and click on Identity and Access Management. On the next page I'm going to click on Policies on the left-hand side, and here we have a list of all the Amazon predefined policies. As you can see there's quite a few, and you can tell that they're Amazon predefined because they have this little Amazon box logo next to them. We want to create a new policy, and we're presented with three different options. The first is Copy an AWS Managed Policy, so we can start with an AWS policy and customize it to fit our needs. Second is the Policy Generator, where we can select services and actions from a list and the policy generator will create a policy for us. Or you can create your own policy using the policy editor and editing the JSON code manually. We're going to select the first option because this is easiest for what we need to do. So we'll click on Select and we're presented with a list of policies. We want an S3 policy, so if we type s3 into the search we can see there's two options, S3 full access and S3 read-only access. We want the latter, so we'll click Select, and here's our policy. As you can see it's given a predetermined policy name, which is AmazonS3ReadOnlyAccess, and it's put the date in here, so we want to remove that and give it a more meaningful name. We'll call it simplilearn s3 read-only access, with a description saying what it is: provides read-only access to simplilearn buckets via the AWS Management Console. Then we get to the policy document, which is written in JSON. As you can see we have the Version, which we won't need to change, and then we have the Statement: the Effect is Allow, so we're allowing the action, and the Action is S3 Get and S3 List, and there's the Resource. At the minute it says asterisk, which means all S3 buckets, so we need to change this. I'll cut and paste in this code that I copied from the Amazon website, which is basically saying AWS S3 and then the name of the bucket we're giving access to, so we'll change this to simplilearn, and we're giving read access to all files in the simplilearn bucket. On the bottom there's a button called Validate Policy, so we can see whether my code is correct. We click on that and it says this policy is valid, so yes, the code is fine. Now we're OK to click Create Policy, and there at the top it says simplilearn s3 read-only access has been created; now you are ready to attach your policy to users, groups and roles. So let's look for it in our policy list: we'll type in s3, and there we are, simplilearn s3 read-only access, and you can tell that it's a user-defined policy because there's no Amazon box next to the name. So there we are, now we're ready to use our S3 read-only policy, which we will look at using in the following lessons.

Welcome to the IAM users, groups and roles section. In this section we're going to take a look at what IAM users, groups and roles are used for, and then we'll have a demonstration on how to create each of them in the AWS Management Console.

So what are IAM users? Well, users are defined as the people or systems that use your AWS resources. They can be administrators who need to access the AWS console and manage your resources, or they can be end users like developers or production support who need to access AWS content, or they can even be systems that need permissions to access your AWS data. AWS provides a number of different ways to provide secure access to your AWS resources, and we're going to look at them here. The first one is an email address and password. This is created when you first sign up to use AWS, and it allows you access to the AWS Management Console, discussion forums and Support Center. This shouldn't be shared with anyone else, as it's effectively the root account for your AWS resources. The next option, which we're discussing in this lecture, is the IAM username and password, and this allows multiple individuals or applications access to your AWS account; each user can use his or her own username and password to sign in to the AWS Management Console, discussion forums and Support Center. Next is multi-factor authentication, or MFA for short. With AWS MFA enabled, when you sign in to an AWS website you're prompted for your username and password as well as an authentication code from your MFA device; these multiple factors provide increased security for your AWS account settings and resources. Now, access keys: they come as an access key ID and a secret access key, and these are provided to you whenever you set up a new IAM user. You use access keys to sign programmatic requests that you make to AWS, whether you're using the AWS SDK, REST or Query API. What this basically means is that developers don't need to store or pass credentials to AWS resources; this is all done behind the scenes for you by AWS. Here is an example of an access key ID and a secret access key, and we'll look at this further in the demo that follows this lesson. And finally there are key pairs. Key pairs consist of a private and public key and are used only for Amazon EC2 and Amazon CloudFront. You use the private key to create a digital signature which AWS validates against the corresponding public key, so that's just an extra layer of security.

So before we go to the demo I'd like to ask you: which of these options would you choose? Would you rather have your users logging straight into Amazon Web Services all using the same administration accounts, or would you rather users log in with their own individual accounts using IAM? Well, obviously it's the latter. You want to create individual accounts for each user that accesses your AWS resources so you can tighten down exactly what security they use; you can have auditing capabilities, so you know who's doing what and when; and it will simplify the management of your systems, because if you're all using the same user, when you change the password you have to tell everyone, but not if everyone's using their own individual user accounts.

Let's see the steps to create an IAM user. In this demonstration we're going to create a new user and create their password so that someone can log in to the AWS console without having to use a shared account. To do this we'll start in the Security and Identity section and click on IAM, and we will move to the left-hand side and click on Users. You can see that currently there's only one user in here, and that's me, but we want to create a new user, so let's click on Create New Users, and you can enter some usernames to create. We're going to create a new user called simplilearn user, which is going to be our basic read-only Simplilearn account. There's an option here to generate an access key for each user; these are not used in the username/password type scenario, instead they're used to allow access to AWS via external tools such as the command-line interface, and we'll be covering that more in the EC2 section. You only get to see these credentials once, so you need to download them. We will click on Create User, and it tells me that my user has been created successfully and also that this is the last time these user security credentials will be available for download. If I click on Show User Credentials, there I can see my simplilearn access key ID and secret access key. You don't need to know these; you just need to save them into a safe place so that you can use them to access other resources. If I click on Download Credentials in the bottom right it will create a credentials CSV file, and when I click Close that's the last time I'll see those. OK, so there's my new user, simplilearn user. At the moment if someone had this account and they wanted to log in to the console they couldn't, because we haven't set a password, so that's the next thing we're going to do. We click on User Actions and Manage Password, and we have two options: we can either assign an auto-generated password or we can assign a custom password if we wanted to type something in, but whichever you choose it's always a good idea to require the user to change their password the next time they log in. We're going to assign an auto-generated password, and we'll click on Apply, and it tells me that my password has been created, and again this is the last time these credentials will be available, so we can show them, and there's the password, and we can also click Download to push them into another CSV file for safekeeping. We'll click on Close, and now we can see that my user has been created and there's a tick against the password, and we can also see that it's never been used, because obviously I've just set this up. So what else can we do? Well, let's click on the user; now we're under the Security Credentials tab. If the user forgot their password at any point in time we could click on Manage Password, with its various options of how we can reset their password for them. Also we can see here the access keys for that user, and if we managed to lose the keys or we wanted to replace them we can click Create Access Key here and it will generate some new ones, but we're not going to do that now. The last thing I'd like to show you here is the multi-factor authentication device, and it's currently set to No. For administration accounts it's always a good idea to set up MFA access, and we could do that by clicking Manage MFA Device, and then you would choose a virtual MFA device or a hardware MFA device. These days most people would have a software device on their mobile phone; if you're as old as I am then you probably used to use a hardware token that you had to carry around with you on your keychain. So we'll select a virtual MFA device, and then it says to activate a virtual MFA device you must first install an AWS MFA-compatible application on your smartphone, PC or other device. I have Google Authenticator on my phone, and what it does is it gives you a QR code, and you use your mobile phone with the Google Authenticator application to scan the QR code, and it will generate some numbers. I'm just going to do that now, and I've just scanned that on my mobile phone, so now it's going to give me some numbers to type in. So I type in the code and then the new one, and I click on Activate Virtual MFA, and there we are: my MFA device was successfully associated with this device. So now every time I want to log in as the simplilearn user I'll also be requested to type in my security code from Google Authenticator. That concludes the IAM user creation demonstration.

An IAM group is defined by Amazon as a collection of users that all inherit the same set of permissions, so that's pretty standard user security terminology. Let's take a look at a scenario: imagine you are the security administrator for your company, so whenever a new user joins your company you need to give them the permissions they require so they can do their job properly. If you're granting permissions to the users, that means every time a new developer joins you have to log in and give their user the development permissions, then when an administrator joins you have to give them the administrator permissions, and so on. Obviously this is a time-consuming and inefficient way of doing things, and that's where groups come in. Granting permissions at the group level means you only have to set the permissions once, so you as the admin user can create a group called developers and give it the appropriate permissions, and you can create a group called admins and give it the administrator permissions; then when new people join it's just a case of adding their user into the appropriate group.

Let's see the steps to create an IAM group. In this demonstration we're going to create an IAM group so that we don't have to grant permissions to users individually. Let's start again in the Security and Identity, Identity and Access Management section, and we will move to the left-hand side, and this time we're going to click on Groups. OK, so at the minute we can see there's one group in my account, and that's administrators; if I click on that we can see that it just has me in there. What we want to do is create a read-only group for our simplilearn user. So we go to Create New Group and we give the group a name, which we're going to call simplilearn_read-only, so this is a restricted user group that only has read-only access. Click on Next Step on the bottom right, and now we get to attach a policy to our group. If you remember, a few lectures back we created the simplilearn s3 read-only access policy, and we're going to attach that policy to our simplilearn read-only group, so we tick the box and we click Next Step, and then we get to review the name we've chosen and the policy we've applied. We're happy with that, so we'll click on Create Group, and there we are: now we can see there is our new simplilearn_read-only group. At the minute it has no users attached to it, so we tick the box next to simplilearn read-only, go to Group Actions, and we want to add users to the group. The users available are me or simplilearn user, so let's click on simplilearn user and click Add Users, and there we are: now we can see that there's one user in the group. If we click on this we can see that the simplilearn user is in this group; if we look at the permissions we can see that there's one policy attached to this group, and it's the simplilearn s3 read-only access policy. So now whenever a new person starts in the organization and they require this permission we just simply add them to the group. That concludes the IAM group creation demonstration.

So what are IAM roles? Well, an IAM role is similar to a user: it's basically an AWS identity with permission policies that determine what the identity can and cannot do. However, the difference between a role and a user is that there is no password or access key associated with it, and it can be assumed by anyone who needs to use it. So how do roles work? Well, roles can be used to delegate access to users, applications or services that are not typically able to access your AWS resources. If you look at the diagram here, this is an example of a mobile app that wants permission to use AWS but doesn't actually store AWS keys in the app itself. We cover this in more detail in the EC2 section, but the brief overview here is that step one is that the administrator creates a role that gives read access to the photos bucket. Then you launch an instance with this role, which means that any application or user that accesses or runs on this instance will automatically inherit the permissions of the role. When the application runs it retrieves the role credentials from the instance, which means it can access the photos bucket, and then the application performs the action it requires, which is getting photos from the bucket.

Let's see the steps to create an IAM role. OK, in this final demo for IAM we are going to create a role. As we've seen, we've created users and policies and groups that allow people to have access to our S3 simplilearn bucket. Now say we had an application that needed to run on an EC2 instance and also needed read-only access to this bucket; well, we can create a role and allocate that to the EC2 instance so that it has permissions automatically. To do that we'll go to Security and Identity and the IAM option, back over to the left-hand side, which I'm sure you're now getting very familiar with, and we'll click on Roles. As you can see there's a few roles in here already for various things, but we want to create a new role, so we're going to call this simplilearn s3 read-only, and that's going to be our role. We click on Next Step, and as you can see there's various options here. There's the AWS service role, which allows resources to call AWS services on your behalf; you have the role for cross-account access, so you can provide access between AWS accounts you own or AWS accounts from other companies or organizations; and there's also a role for identity provider access, so here you can set up your federated access or your single sign-on using SAML. In this example we want to keep it simple: we want to create an Amazon EC2 instance role that has read-only access to our S3 bucket. So we click on Select, and here's the policy page. We want to select our simplilearn s3 read-only access, so we select the policy, we click on Next Step, and we get to review: we have the role name, we have the trusted entity, which is EC2, and we have our policy, which is the simplilearn s3 read-only access. We click on Create Role, and there is the new role created. If we click on that we can just have a look and verify that it has the S3 read-only policy and the trusted identities are Amazon EC2. When we get to the EC2 section of this course we can launch an EC2 instance with this role and it will automatically inherit the details and the rules of this particular policy.

So this is IAM best practices, and this is the final lesson in the IAM section; we'll give an overview of the AWS recommended best practices for using IAM.

Firstly, you should always create individual IAM users. This means that everyone in your organization will have unique credentials and you can control their permissions at an individual level. It's also much easier to make users rotate their credentials when you're not using shared accounts; we all know how complicated and difficult it can be to try and change passwords on shared accounts, i.e. impossible. And if you're using individual users it's much easier to identify security breaches, because then you can do a forensic investigation and pinpoint exactly where the problem came from; with shared accounts that's probably not going to happen.

When you create IAM policies, make sure that you grant least privilege; in other words, only grant the permissions that your users require to perform only the tasks they have to do. Although it's much easier to grant elevated credentials from the start, it's not good practice, and it's much more secure to start with the minimum permissions required and grant additional access as required. Trust me when I say it's easier to grant permissions to a user than trying to revoke them. The goal of IAM is really to protect your assets first rather than to make your life easier, so you really should grant only what users actually need.

You should always manage permissions with groups, for the main reason that it will minimize your workload drastically, as it's easier to assign a permission to a group than to assign it to many individual users, since one change to a group will update the permissions for multiple users. It's also simpler to reassign permissions if your users have changing responsibilities; for example, if a developer moves to the admin team you just have to move the user account from the developer group to the admin group and your work is complete. The alternative would be to have to completely reassign the permissions for each individual user. Using groups means it's also easier to keep track of your security configuration: if an auditor comes to you and says let me know all the people that have administration access to a particular EC2 instance, if you're using groups you just say hey, here's the list of users; if you're not using groups that means you have to go through each individual user to find out what they're doing.

Where possible it's always a good idea to add additional access controls to ensure that your resources are fully protected. Examples of this are adding further conditions like the use of MFA to log in, or specifying that access to certain resources can only come from a particular IP address. A good example of this would be allowing RDP access to a production server: you could insist that to log in with an account that has this permission the user first needs to connect using MFA, and then once logged in you can specify that they can only RDP from a server with a particular range of IP addresses. This means that anyone that fails this security check won't be able to RDP in.

There are several features available in AWS that you can use to log user actions. The log files show the time and date of actions, the source IP for an action, which actions fail due to inadequate permissions, and many, many more. The best monitoring tool for IAM is CloudTrail, which we talked about briefly earlier, which logs AWS API calls and related events made on behalf of an AWS account. Here's that diagram again, and you can see that user activity is written to a log and stored in an S3 bucket for use in the future.

It's an obvious one, but obviously very important: you need to ensure that your users require strong passwords and that they rotate their passwords periodically. As you can see in the screenshot here, this is the IAM password policy page, and using it you can define a suitable password policy to set requirements such as minimum length, whether it requires non-alphanumeric characters, how frequently they must be rotated, and many more.

Applications that run on Amazon EC2 instances need credentials so they can interact with other AWS products and services. We've seen this diagram before, but rather than making your developers pass credentials to Amazon EC2 you can use IAM roles so that temporary credentials are dynamically passed to EC2. This means that there's no need to share security credentials and no need to store long-term credentials; IAM will also automatically rotate these credentials for you. As this diagram suggests, when you launch new EC2 instances you can specify an IAM role for the instance, then any applications that run on this particular EC2 instance will automatically inherit the role's credentials when they access AWS.

You should also reduce or remove unnecessary credentials. You shouldn't use the root account unless absolutely necessary, and instead you should create accounts that only have the access required. Also you can run a credential report to remove IAM credentials that aren't needed, so if you run a report and you can see that particular passwords and access keys have not been used in a long time, you can remove them to tighten up your security.

This is the practice assignment for configuring IAM access, where you'll use IAM to configure user access to AWS. As the admin for your company's AWS account, you need to assign permissions to four new users: two users require full access to EC2, one user requires administration access to all AWS resources, and one user requires read-only access to S3. Use AWS best practices when configuring the user access, so be sure to make use of groups. You can now log in to your AWS console and practice the given scenario, which should ideally take you around ten to fifteen minutes to complete.

Welcome to the key takeaways section. AWS Identity and Access Management allows you to securely control access to your AWS services and resources for your users. Policies, which are written in JSON, allow you to define granular access to AWS resources. Users are defined as the people or systems that use your AWS resources, like administrators or end users, or systems that need permissions to access your AWS data. Groups are a collection of users that all inherit the same set of permissions and can be used to reduce your user management overhead. IAM roles are similar to users, but they can be assumed by anyone who needs them, and a role does not have a password or access key associated with it; roles are used to delegate access to users, applications or services. AWS also has a list of IAM best practices to ensure that your environment is secure and safe. This concludes the Identity and Access Management lesson; the next lesson is Virtual Private Cloud.

Hey there, let us now talk about the third lesson of the AWS Solutions Architect course. We all know that security is a critical part of any IT infrastructure, and a key part of a Solutions Architect's role is to ensure that all resources residing on the AWS cloud are securely protected. You need to ensure that resources can only be reached by the end users or applications that should be accessing them; for this you have to design and control the security access to AWS so that end users and applications do not have more permissions than they need. Along with this you have to enforce strict password policies to make sure there are no weak points of entry into your cloud environment. Fortunately AWS makes it easy to do all of this and more. How? Through the AWS Identity and Access Management service, which enables you to securely control access to AWS services and resources for your users. This lesson will cover all the features available within the AWS Identity and Access Management service, so let's begin. By the end of this lesson you will be able to describe the key features of IAM and how they can simplify and secure user access to AWS; use AWS policies to define permissions for AWS users; explain the steps to create users in AWS; describe how groups simplify IAM management; use roles to delegate access to AWS resources; and list the best practices for IAM.
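The policy walkthrough above (default deny, explicit Allow on named actions and resources, the demo's resource narrowed from `*` to one bucket, and the best-practice "extra condition" such as requiring MFA) can be exercised offline with a small evaluator. The following Python is an added example written for this page; it is not code from the video, from Simplilearn or from AWS, and it models only the subset of IAM policy evaluation the lesson describes. The three policy documents are constructed for the example (the `aws:MultiFactorAuthPresent` condition key is a real IAM key; the Deny policy that uses it is invented here), and `evaluate` is an assumed helper, not an AWS API.

```python
"""Toy evaluator for IAM-style JSON policies (constructed example, not AWS code).

It models the rules the lesson describes: every request is denied unless an
Allow statement matches its action and resource, an explicit Deny wins over
any Allow, and actions or buckets that a policy does not name stay unreachable.
Wildcards ('*', 's3:Get*') are honoured because real policies use them.
"""
from fnmatch import fnmatchcase

# The policy broken down in the lesson: list one bucket, nothing else.
LIST_EXAMPLE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}

# The demo's customised read-only policy: resource narrowed from '*' to the
# simplilearn bucket and the objects inside it.
SIMPLILEARN_S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
         "Resource": ["arn:aws:s3:::simplilearn", "arn:aws:s3:::simplilearn/*"]},
    ],
}

# The "additional access control" from the best-practices part: refuse S3 calls
# whose session did not authenticate with MFA.  aws:MultiFactorAuthPresent is a
# real IAM condition key; this Deny policy itself is constructed for the example.
DENY_S3_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """Glob-match one action or ARN; actions are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(statement, context):
    """Only the Bool operator is modelled; a key absent from the request fails it."""
    for key, expected in statement.get("Condition", {}).get("Bool", {}).items():
        if key not in context or str(context[key]).lower() != str(expected).lower():
            return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one request against every statement of every attached policy."""
    context = context or {}
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not (_matches(statement["Action"], action, fold_case=True)
                    and _matches(statement["Resource"], resource, fold_case=False)
                    and _condition_holds(statement, context)):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"          # explicit deny overrides every allow
            allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allowed it


if __name__ == "__main__":
    checks = [
        ([LIST_EXAMPLE_BUCKET], "s3:ListBucket", "arn:aws:s3:::example-bucket", {}),
        ([LIST_EXAMPLE_BUCKET], "s3:GetObject", "arn:aws:s3:::example-bucket/a.txt", {}),
        ([LIST_EXAMPLE_BUCKET], "s3:ListBucket", "arn:aws:s3:::other-bucket", {}),
        ([SIMPLILEARN_S3_READ_ONLY], "s3:GetObject", "arn:aws:s3:::simplilearn/a.txt", {}),
        ([SIMPLILEARN_S3_READ_ONLY], "s3:PutObject", "arn:aws:s3:::simplilearn/a.txt", {}),
        ([SIMPLILEARN_S3_READ_ONLY, DENY_S3_WITHOUT_MFA], "s3:GetObject",
         "arn:aws:s3:::simplilearn/a.txt", {"aws:MultiFactorAuthPresent": "false"}),
    ]
    for policies, action, resource, ctx in checks:
        print(f"{action:14} {resource:40} -> {evaluate(policies, action, resource, ctx)}")
```

Running it shows the least-privilege behaviour the lesson relies on: the ListBucket policy lets a user list `example-bucket` but not read an object from it or list any other bucket, the narrowed read-only policy permits `s3:GetObject` on objects under `simplilearn` but refuses `s3:PutObject` and any other bucket, and attaching the MFA Deny policy turns an otherwise allowed read into a Deny whenever the session reports `aws:MultiFactorAuthPresent` as false. Real IAM also evaluates resource-based policies, permission boundaries and many more condition operators, none of which this toy models.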
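The best-practices part of the lesson says to run a credential report and remove passwords and access keys that have not been used in a long time, and to avoid console users without MFA. As an added example (not from the video, Simplilearn or AWS), the Python below audits a credential report offline: the column names follow the layout of the CSV that IAM's credential report produces, the three rows are constructed sample data (the account ID 123456789012 is a placeholder), the reference date is fixed to the video's publication month so the numbers are reproducible, and `audit_credential_report` and the 90-day idle threshold are choices made for this example rather than anything IAM prescribes.

```python
"""Flag stale or weak IAM credentials from a credential report (constructed example).

Column names mirror the IAM credential report CSV; the rows below are
invented sample data, not output from any real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2016-01-10T09:00:00+00:00,not_supported,2016-06-01T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
simplilearn_user,arn:aws:iam::123456789012:user/simplilearn_user,2016-06-20T10:00:00+00:00,true,2016-06-28T12:00:00+00:00,2016-06-20T10:00:00+00:00,2016-09-18T10:00:00+00:00,true,true,2016-06-20T10:00:00+00:00,2016-06-27T15:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
old_dev,arn:aws:iam::123456789012:user/old_dev,2015-02-01T10:00:00+00:00,true,2015-09-01T08:00:00+00:00,2015-02-01T10:00:00+00:00,N/A,false,true,2015-02-01T10:00:00+00:00,2015-08-15T08:00:00+00:00,us-east-1,ec2,true,2015-02-01T10:00:00+00:00,N/A,N/A,N/A
"""

# Fixed "today" so the example is reproducible (the video's publication month).
NOW = datetime(2016, 6, 29, tzinfo=timezone.utc)


def _parse_timestamp(value):
    """Report cells hold an ISO-8601 time or a marker such as N/A / not_supported."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_idle_days=90):
    """Return (user, finding) pairs for credentials worth removing or hardening.

    Checks made, per the lesson's advice:
      * console users (and the root account) without an MFA device,
      * passwords not used within max_idle_days,
      * active access keys never used or not used within max_idle_days.
    """
    findings = []
    idle_limit = timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        console_login = row["password_enabled"] == "true" or user == "<root_account>"
        if console_login:
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            last_used = _parse_timestamp(row["password_last_used"])
            if last_used is not None and now - last_used > idle_limit:
                days = (now - last_used).days
                findings.append((user, f"password unused for {days} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            used = _parse_timestamp(row[f"access_key_{n}_last_used_date"])
            if used is None:
                findings.append((user, f"access key {n} active but never used"))
            elif now - used > idle_limit:
                days = (now - used).days
                findings.append((user, f"access key {n} unused for {days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:18} {finding}")
```

On the sample data the root account is reported only for lacking MFA, `simplilearn_user` (MFA on, password and key used in the last week) produces nothing, and `old_dev` accounts for four findings: no MFA, a password idle for 302 days, one key idle for 319 days and a second key that was created but never used. Those are exactly the entries the lesson suggests cleaning up; on a real report the idle threshold should follow your own rotation policy.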
Info
Channel: Simplilearn
Views: 46,286
Keywords: AWS iam tutorial, aws iam, aws iam deep dive, aws tutorial, aws tutorial for beginners, aws iam best practices, aws iam roles, aws iam roles tutorial, iam tutorial, aws identity and access management, aws services, amazon iam tutorial, amazon iam explained, amazon iam roles, amazon iam best practices, aws identity and access management tutorial, identity and access management, identity and access management aws, Simplilearn, Simplilearn aws
Id: 3A5hRIT8zdo
Length: 39min 55sec (2395 seconds)
Published: Wed Jun 29 2016