IAM: Identity and Access Management
- IAM: Permissions
- Users or groups can be assigned JSON documents called Policies.
- These policies define the permissions of the users.
- In AWS, apply the Least Privilege Principle.
- IAM: Password Policy
- Multi-Factor Authentication (MFA)
- How can users access AWS?
- Three options:
- AWS Management Console
- AWS Command Line Interface (CLI)
- AWS Software Developer Kit (SDK)
- Access keys are generated via the AWS Console.
- Users manage their own Access Keys:
- Access Key ID = username
- Secret Access Key = password
- IAM > Users > stephane > Security Credentials > Access Keys > Create Access Key
- AWS CloudShell
- IAM Roles
- IAM > Roles > Create Role
- Trusted Entity: AWS Service ✅
- Use Case: EC2 ✅
- Add Permissions: IAMReadOnlyAccess ✅
- Role Name: DemoRoleForEC2
- IAM Security Tools
- IAM Credentials Report (account-level):
- IAM > Credential Report > Download .csv file
- IAM Access Advisor (user-level):
- IAM > Users > Last Accessed
- IAM Best Practices
- Don’t use the root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce Multi-Factor Authentication (MFA)
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic Access (CLI / SDK)
- Audit permissions using IAM Credentials Report & IAM Access Advisor
- Shared Responsibility Model for IAM
- IAM Section – Summary
- Users: mapped to a physical user; has a password for AWS Console
- Groups: contains users only
- Policies: JSON document that outlines permissions for users or groups
- Roles: for EC2 instances or AWS services
- Security: MFA + Password Policy
- AWS CLI: manage your AWS services using the command-line
- AWS SDK: manage AWS services using a programming language
- Access Keys: access AWS using CLI or SDK
- Audit: IAM Credential Reports & IAM Access Advisor
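As an added example (not part of these course notes), a small Python audit that reads a credential report export like the one downloaded above and flags the best-practice gaps listed on this page: root access keys, console users without MFA, and stale access keys. The CSV rows are constructed sample data using a subset of the report's real column names; the 90-day rotation threshold and the `AUDIT_AS_OF` date are assumptions.

```python
"""Audit an IAM credential report (.csv) for best-practice gaps."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample rows (not from any real account), using the report's
# real column names. Root reports "not_supported" for password_enabled.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,2023-01-10T08:00:00+00:00,2023-02-01T09:00:00+00:00
stephane,arn:aws:iam::111122223333:user/stephane,true,true,true,2024-05-01T10:00:00+00:00,2024-06-01T10:00:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2023-03-15T10:00:00+00:00,2023-04-01T10:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,true,false,false,N/A,N/A
"""

MAX_KEY_AGE_DAYS = 90                                   # assumed rotation policy
AUDIT_AS_OF = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed "now" for reproducible output


def _parse_ts(value):
    """Return an aware datetime, or None for the report's empty markers."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=AUDIT_AS_OF, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) tuples for every row that breaks a best practice."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        # Root should only be used for account setup, never with programmatic keys.
        if user == "<root_account>" and key_active:
            findings.append((user, "root account has an active access key"))
        # Console (password) users must have MFA enforced.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        # Active access keys older than the rotation threshold are stale.
        rotated = _parse_ts(row["access_key_1_last_rotated"])
        if key_active and rotated and (now - rotated).days > max_key_age_days:
            findings.append((user, f"access key 1 older than {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

To run it against a real export, pass the file contents in place of `SAMPLE_REPORT`; Access Advisor (service last accessed) data is not in this report and needs a separate check.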