AWS IAM Tutorial | IAM Group, Policy, User, Role | Amazon Web Services Basics

Captions
Hi guys, this is Raj, Agent of Change, back with another video. I am an enterprise solutions architect working at AWS. Today we will look into an area which could be a little confusing to the newcomers of AWS, but it is very, very important: IAM, Identity and Access Management. All right, let's dive into it. We will use two very common scenarios for this video. Scenario one: when you have one AWS account for your organization shared by different groups, let's say admin, developer and tester in this case, and you want to give each group different access in the same account. Scenario two: where one AWS service needs to access other AWS services.

Okay, let's jump into scenario one. To understand this, first we have to understand what an AWS policy is. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. The easiest way to understand this is to dive into the AWS console. Type IAM into the main console, then click Policies. All the AWS managed policies are shown on the screen. Then we type the name of the service, let's say S3, and you see all the policies that are already defined for S3. Click S3 read-only access, and this is the JSON document that shows what this policy does. This JSON has three main elements. Effect: use Allow or Deny to indicate whether the policy allows or denies access. Then Action, which includes the list of actions that the policy allows or denies; in this case it's allowing Get and List from S3. And Resource specifies a list of resources to which the actions apply; in this case it is an asterisk, which means this can be executed on any bucket. Now let's click Amazon S3 full access. If you look at this JSON, instead of just allowing Get and List on S3, it's allowing everything on S3 on all resources. And just for fun, type "admin" in the search box, and you see this AdministratorAccess, and this policy allows any kind of action on all the AWS resources. Now these policies can be attached to users, groups or roles, so if this policy is attached to a user or group, you guessed it right, they will have the administrator access.

So if we go back to our scenario, I assign some names to these three groups; in reality there'll be more than one person per group. So let's jump back into the console and create these groups, and then we will assign different users and different policies to these groups. For this we are assuming the developer group will have access to read, write and execute on Lambda, Dynamo and S3, and the tester group will have access to execute Lambda. So we are back in the console. Let's click this Groups button. We are going to create a new group, so we'll create admin, click Next Step, and what policy are you going to attach to this? You guessed it: AdministratorAccess. Create group. We are going to create another group, in this case developer, and the developer needs Lambda, Dynamo and S3, so Lambda, Dynamo and S3. Okay, and then we're going to create our last group, tester, and this group should only have Lambda execution. So now these groups are ready; now we have to put users under these groups, so we click this link on the left.

In your personal account you are probably logged in as root, but in real life you create an IAM user and then you log in with that IAM user. An IAM user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials. So let's create some users. We need three users: Tina, Bob and Susan. We click Add User, username Tina, and then we are just going to give it, it doesn't matter for this demo, an auto-generated password. Go to Permissions, okay, and now here it asks you to add the user to a group. Let's assign Tina to the administrator group. So Tina has to use that link and the password to log in as the IAM user Tina, and then she will have admin access. We're going to show this in action for the developer group. Similarly we're going to create Bob, and we are going to assign Bob to developer. Let's try to sign in as Bob and see if Bob has access to anything else. Remember, according to the slide, Bob should have all the access to Lambda, Dynamo and S3. So I opened the link in an incognito window and I typed in the username Bob and the password and clicked Sign In. Okay, Bob should have access to S3; let's go to S3. Yeah, so Bob can go to S3 and do stuff. Now let's see if Bob can do anything in EC2. Remember, Bob only has access to S3, DynamoDB and Lambda. So let's go to EC2, and you can already see Bob is getting a lot of messages that we generally don't get. Anyway, Bob is brave, so we're going to click Launch Instance and we're going to try to select the AMI, and you can see: you are not authorized to perform this operation. So our policy attached to the group is working. And similarly you will create IAM user Susan and assign it to group tester.

Now let's take a look at scenario two, where this EC2 needs access to all these services. One thing to note: policies cannot be attached to EC2 or any other AWS service directly; they must be included in an AWS service role, and that role can be attached to an AWS service such as EC2. So what is the definition of the role? An IAM role is similar to an IAM user that we saw in the last example, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. So if we go over this diagram: if this EC2 has to access this S3, let's say you want to run this command, aws s3 ls, what it has to have is this: the role attached to EC2 has to have a policy to access S3. Now let's extend this. Let's say your application that's running in EC2 needs to read Dynamo. So what does this role need to have? You guessed it right: this role has to have a policy attached to it which can read Dynamo. And if the application wants to write to Dynamo, you need a policy that will allow writing to Dynamo, and then you have to attach that policy to this role and this role to EC2.

You're probably thinking, wait a minute, if I logged in as an admin group or administrator, or a root user, which most of you are when you log into your private account, can't my EC2 access everything? Nope. You have to tell EC2 what role it can run with. This separation of permissions between user roles and service roles is necessary to reduce the blast radius when that code is running on your EC2, and it is also useful to enforce more granular control. For example, there are two developer teams, project team A and project team B. They are sharing one AWS account; however, team A's application in EC2 uses Dynamo and S3, and team B's application, running in another EC2, uses RDS. They can use the same developer IAM group to log in to AWS and use EC2 roles to define access to other AWS services.

So let's try this in the console. We are back in the IAM console; this time we are going to click Roles. Now we're going to click Create Role, and it kind of describes it as well: choose the service that will use this role. EC2: allows EC2 instances to call AWS services on your behalf. So let's click EC2, click Permissions, and then here you have to say which policy you're going to attach to this role. So let's say we put S3; let's give it Amazon S3 full access. Skip the tags for now. Role name: so we give the role the name IAM EC2 to S3 full access. Click Create Role. Now let's try to spin up an EC2. Click Launch Instance. This is the screen where you can assign the role to the EC2 while creating, but don't worry, once you create the EC2 you can change it later as well. So for now I'm going to keep the IAM role as None, so I'm going to launch. Okay, the instance is up and we are SSHed in. Let's try our command. So we get an error: Unable to locate credentials. Now we're going to go and change the IAM role on the EC2. So we come back to our console, we select our EC2, click Actions, and then select Attach/Replace IAM Role, and we find our role, S3 full access. There we go, click Apply, Close. Okay, it should be instantaneous, so we're going to go back to our terminal and try the same s3 command. Type the same command, here we go, now it can list the S3 buckets. And if your instance needs access to other services, all you have to do is attach more policies to this role.

All right guys, that is the video. Hopefully this video helps in your AWS journey. Please smash that like button and click Subscribe. I'll see you guys later, peace.
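The evaluation logic behind both scenarios in the captions above, as an added example that is not part of the video or of AWS's own code: policy documents in the Effect/Action/Resource shape shown in the console, groups that carry policies, users that inherit them, and an EC2 role made of a trust policy plus permissions policies. The three S3 and administrator documents reflect what the speaker describes; LambdaFullAccess, DynamoDBFullAccess, LambdaExecuteOnly, DenyBucketDeletion and the role name IAM-EC2-S3FullAccess are constructed stand-ins. The evaluator is deliberately simplified (no Condition, NotAction, resource policies, permission boundaries or SCPs), but it keeps the rule a practitioner most needs: implicit deny by default, and an explicit Deny overrides any Allow.

```python
"""Tiny IAM policy evaluator: a constructed teaching example, not AWS code."""
import fnmatch

# Policy documents in the Effect / Action / Resource shape shown in the console.
# S3 read-only, S3 full and administrator match the video's description; the
# Lambda, DynamoDB and explicit-deny documents are constructed stand-ins.
POLICIES = {
    "AmazonS3ReadOnlyAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "AmazonS3FullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "AdministratorAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "LambdaFullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]},
    "DynamoDBFullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]},
    "LambdaExecuteOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "*"}]},
    # Constructed explicit Deny, used below to show it beating s3:* from full access.
    "DenyBucketDeletion": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]},
}

# Scenario one: groups carry policies; users inherit through group membership.
GROUPS = {
    "admin": ["AdministratorAccess"],
    "developer": ["LambdaFullAccess", "DynamoDBFullAccess", "AmazonS3FullAccess"],
    "tester": ["LambdaExecuteOnly"],
}
USERS = {"Tina": ["admin"], "Bob": ["developer"], "Susan": ["tester"]}

# Scenario two: a role is a trust policy (who may assume it) plus permissions
# policies (what the assumed identity may do). The role name is constructed.
EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
ROLES = {"IAM-EC2-S3FullAccess": {"trust": EC2_TRUST_POLICY,
                                  "policies": ["AmazonS3FullAccess"]}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match ('*' and '?'). Action names are matched
    case-insensitively, resource ARNs case-sensitively."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy_docs, action, resource="*"):
    """Decide one request against identity-based policies only. Start from the
    implicit Deny; an explicit Deny in any matching statement is final;
    otherwise any matching Allow grants access."""
    decision = "Deny"
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            if not _matches(stmt.get("Action", []), action, False):
                continue
            if not _matches(stmt.get("Resource", []), resource, True):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def policies_for_user(user):
    """Collect the policies a user inherits from every group they belong to."""
    return [POLICIES[p] for g in USERS[user] for p in GROUPS[g]]


def is_allowed(user, action, resource="*"):
    return evaluate(policies_for_user(user), action, resource) == "Allow"


def instance_request(role_name, action, resource="*"):
    """Simulate an AWS CLI call from an EC2 instance. None means the instance
    has no credentials (no role attached, or the trust policy does not let
    ec2.amazonaws.com assume it); otherwise 'Allow' or 'Deny'."""
    if role_name is None:
        return None
    role = ROLES[role_name]
    trusted = any(
        s["Effect"] == "Allow"
        and _matches(s["Action"], "sts:AssumeRole", False)
        and s.get("Principal", {}).get("Service") == "ec2.amazonaws.com"
        for s in _as_list(role["trust"]["Statement"]))
    if not trusted:
        return None
    return evaluate([POLICIES[p] for p in role["policies"]], action, resource)


if __name__ == "__main__":
    for user, action in [("Tina", "ec2:RunInstances"), ("Bob", "s3:ListAllMyBuckets"),
                         ("Bob", "ec2:RunInstances"), ("Susan", "lambda:InvokeFunction"),
                         ("Susan", "lambda:CreateFunction")]:
        print(f"{user:6} {action:24} -> {'Allow' if is_allowed(user, action) else 'Deny'}")
    print("EC2, no role, s3:ListAllMyBuckets  ->", instance_request(None, "s3:ListAllMyBuckets"))
    print("EC2, S3 role, s3:ListAllMyBuckets  ->", instance_request("IAM-EC2-S3FullAccess", "s3:ListAllMyBuckets"))
    print("EC2, S3 role, dynamodb:GetItem     ->", instance_request("IAM-EC2-S3FullAccess", "dynamodb:GetItem"))
    print("S3 full + explicit deny, s3:DeleteBucket ->",
          evaluate([POLICIES["AmazonS3FullAccess"], POLICIES["DenyBucketDeletion"]], "s3:DeleteBucket"))
```

Running it reproduces the console demo: Bob can list buckets but is denied ec2:RunInstances, Tina is allowed everything, Susan can only invoke Lambda, and an instance with no role attached gets no credentials at all (the "Unable to locate credentials" the speaker hits), while the same instance with the S3 role is allowed S3 calls and denied DynamoDB ones until more policies are attached to that role.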
Info
Channel: Cloud With Raj
Views: 12,397
Keywords: aws iam, aws access management, aws security, AWS IAM Tutorial, Identity And Access Management, Introduction to AWS IAM, aws training, aws tutorial, Components of IAM, What is AWS IAM, aws security tutorial, AWS IAM Identity and Access Management, aws identity and access management, AgentofChange, Edureka, IAM Groups, IAM Policies, simplilearn, aws iam roles, aws, amazon web services tutorial for beginners, identity & access management
Id: 8WLoAfydS_4
Length: 11min 58sec (718 seconds)
Published: Tue Jul 02 2019