Tuesday, November 27, 2018

AWS IAM Roles



AWS provides IAM roles as a service (IAM is a service that AWS provides to us).

https://www.youtube.com/watch?v=UqKWHZ36yEM

This service helps us keep our account secure.

This is important because our account is very valuable.

We add a credit card to it and lots of services are present.
How does AWS handle security?

Not application security.

Apps and systems still need to be secured by us.

AWS automatically helps us against basic DDoS attacks.
We are talking about giving the right permissions to the right people or the right services.

People: more than one person can use the account.
If we have an organization, multiple people can use this account.
There will be different teams that use these services.
You can give access to different users.


We get

 1) Groups
 2) Users
 3) Roles
 4) Policies


We can add multiple users and we can put these users into groups.

We can create an Admin group that has full admin access, and we can create one that has access to only S3 and Filestore.

We can be more granular than that and only allow a certain group to access a certain bucket (like a folder) in S3, or only give read-only access.


Give read-only access to a particular group.


Even though we create the Admin group, this group is not the same as the root account.
There are some restrictions on this group.
This group does not have access to billing information.


Why do I create a group with admin rights if I am already the admin??? Answer above.


We have attached a policy to the group.

If we want to give more people admin rights, we use the IAM service.


We create users and don't use our root account, except for maybe accessing our expense report.

We should create a user for ourselves.

Don't use the root account for day-to-day business.
We need to create a user for ourselves.

While adding a user, the type of access for the user is important.




We can also add more users in one step.

The access type depends on the type of usage the user needs.

The next step is the type of permissions that you want to give to the user.
The best approach is to add the user to a group and set the permissions at the group level.

We can also attach policies directly to the user.

So, after creating the user, we will see the following details.





The user will now need the link provided above to log in.
He will need the username and the password.


Now our security status has improved.

It is strongly recommended to enable MFA.

We also enable a password policy (types of characters that go into it and so on).




What about roles and policies:

We saw that we attached an Admin policy to the user.
What about roles?
We can look at and choose the existing policies, or we can create our own policy.





A policy is something that defines sets of rules.

This is a JSON document and looks as follows.


This is how the summary of the policy looks.

We define the version of the policy language here.

Example Elastic Beanstalk service:





This says the actions that a policy allows, and the type of resource that these actions can be performed on.

We can either use an existing policy or create our own policy.
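As an added example (not code from the notes or from AWS), here is a small Python evaluator for the policy JSON described above, run against a constructed read-only policy for a single bucket (the group-level case mentioned earlier) and an admin policy with an explicit Deny. The bucket name and Sids are made up.

```python
"""Added example, not from the original notes: a minimal evaluator for one IAM
identity-based policy, modelling only the core logic (implicit deny, a matching
Allow grants, a matching Deny always wins). Conditions, NotAction/NotResource,
resource policies and SCPs are deliberately left out."""
import re

# Constructed sample: read-only access to ONE bucket, as attached to a group.
READ_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListTheBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::example-reports-bucket"},
        {"Sid": "ReadObjects", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
    ],
}

# Constructed sample: full admin, but an explicit Deny carves out bucket deletion.
ADMIN_NO_BUCKET_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate, ignore_case):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    Action names compare case-insensitively; ARNs compare case-sensitively."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in _as_list(patterns):
        regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, candidate, flags):
            return True
    return False

def evaluate(policy, action, resource):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, ignore_case=True)
                and _matches(stmt["Resource"], resource, ignore_case=False)):
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # Deny wins regardless of any Allow
            decision = "allowed"
    return decision
```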



So far so good.

We have users, groups and policies; policies can be assigned to groups or users.


By default in AWS, no service has permission to access our services.

We might wonder: why would a service access our service?

Eg: We use Beanstalk. Beanstalk is just a simplification.

      In the background Beanstalk is an EC2 machine. It started an EC2 instance (a VM) in the background.
It did so because it had the permissions to do so.
We gave it those permissions when we started using it from the console.


By default though, no service has any permission to access our services.

If we have code on EC2 and it reaches out to S3 to store our files there, our EC2 instance should have the permissions to do so.

So that is the last step.

The Roles allow services to reach out to



 Roles can be attached to services. So our services can have certain roles that allow them to interact with our other services.

That is how IAM works, and how security on IAM works.

We define who accesses what.


The best practice is to be as granular and strict as possible.


Don't give more permissions than a user / role needs.

AWS Essentials: What is IAM > Linux Academy

https://www.youtube.com/watch?v=4ngYrnJb7F8&index=8&list=PLv2a_5pNAko0Mijc6mnv04xeOut443Wnk



Under Security and Identity, we see the IAM web service.

1) IAM is where we manage AWS users and their access to AWS accounts and AWS services.

2) A common use case of IAM is to manage users, groups, IAM access policies and roles.
3) We are going to dive into deeper usage in the following lessons.
4) The user created when we created the AWS account is called the AWS root user.
5) MFA is a best practice: a service to protect your root account, provided by a third party.

