This course covers the core learning objective to meet the requirements of the 'Designing secure solutions in AWS - Level 2' skill
- Analyze the available options to secure credentials using features of AWS Identity and Access Management (IAM)
- Evaluate the appropriate routing mechanism to securely access AWS service endpoints or internet-based resources from an Amazon VPC
- Evaluate the appropriate encryption options available for data in transit and when at rest across AWS services
- Evaluate the most appropriate key management service and options based on business requirements and governance controls
Once you have created IAM users, you can view their details to configure additional security options or review permissions and change access. In this lecture, I want to cover these additional features. This will be easiest to explain via a demonstration, and I can explain each point as we go through, so let's take a look. So in this demonstration, I just want to select a user and just to show you some of the different elements that you can change of that user once it has been created, so let's take a look.
So I'm in the Identity and Access Management Dashboard at the moment and you can see I'm in the Users section. So let's take a look at this user, Patricia. So if I select the user and we can have a look at some of the options that we can see about this user and some of the things that we can change, et cetera. So this is a summary screen of the user. We have the users ARN at the top here, and we can also see the creation time of that user. And then we have a number of different tabs.
So start with the permissions tab. We can see that this user is getting permissions from two policies at the moment here, the Amazon S3 Full Access policy, and also the Amazon RDS Full Access. And if we wanted to, we can just take a quick look at these groups. We can have a look at the policy summary, or we can take a look at the JSON as well. So that's the policy and the JSON format. And then if we look at the policy summary, we can see here that this allows full access to S3 and S3 Object Lambda. Here we can set her permissions boundary. Currently there's not one set, but if we wanted to, we can set one to control the maximum permissions that this user can have. And also there's a feature here to generate policy based on CloudTrail events.
So what this will do, it will generate a policy looking at the user's activity. And then based on what the user has been accessing, it can generate a policy based on what services this user has been accessing. Also at the top here, we can add an inline policy for this user. So if we'd done that, then that will be a policy that is embedded within the user object itself. So it's not taken from a role, it's not taken from a group. The policy is attached within the user.
Okay, if we take a look at the groups, we can just see a quick breakdown of any groups that the user belongs to, and the policies that are attached to them, which we covered just a moment ago in the summary. The tags is what you'd expect. If there's any tags here for the user, then they would be listed, or if you wanted to add any tags, then you can do so here. So for example, we can add a key of location and say, UK, Save Changes. And then we can see this tag for this user. Under security credentials, we could see console link that this user can use and we can manage the user's password. And if we want to change the password, we can simply click on manage, and we can either disable the console access or generate a new password, or ask the user to create a new password at the next sign-in. We also have here, the assigned MFA device, the multifactor authentication.
At the moment, it's not assigned, but we can go ahead and set up MFA for this user. So let's go ahead and do that quickly. So if we click on manage, we have a couple of options here, virtual MFA device, U2F security key, or another hardware MFA device. For this, I'm just going to use a virtual MFA device and I'll use the Google Authenticator app on my phone to do this. If I click on continue. So, first of all, you need to make sure you have an app on your mobile phone or your computer. Like I say, I'm going to use the Google Authenticator app on my phone.
So what I need to do is to show the QR code, and now on my phone, I'm going to add this as a new entry in my Google Authenticator app, so I'm going to click on Scan QR code. And then we can see at the bottom there is added the user, Patricia. And then we add in that code, so 074720. And then what we need to do is to add the second code that comes in when it appears on the Google Authenticator app. So we're just waiting for that to come around and then I can add in the second code and then it'll be synchronized and configured. So, we can see it's about to change, and now I can add in the next code 185887, and then I click on Assign MFA. And that's it, so you have successfully assigned a virtual MFA device to that user. Click on Close, and there we can see here that there's an assigned MFI device. We can see that this user also had programmatic access 'cause there's access keys that have been generated.
Now, if we wanted to, we can make this access key ID inactive. So if wanted to do that, simply click on Make inactive. And it'll explained that once you've done this, you can't then use these keys to form any programmatic access. Click on deactivate. And you can see here, the status is now inactive. So any access keys that were used before for this user will no longer be allowed to make any kind of requests. If we wanted to generate new access keys, simply click on Create access key. And again, you'll have a new access key ID and a new secret access key. And if you wanted to, you can download the CSV file, so you don't forget those keys. Click on Close.
Now, if we go back up to the top to Access Advisor, I just wanted to show you this quickly. So what this does, it will basically show you which services that this user can access based on their current permissions, and also the last time that these services were accessed. So if you scroll down here, we can see that this user has access to a whole different range of services. And it'll show you which policies are actually granting these permissions.
So this access to EC2 in IAM is being granted through the RDS Full Access policy, and access to S3 is being granted through the Amazon S3 Full Access. So this is great to review to identify if there's any users there that do have access to services that they probably shouldn't do. So you can then modify the policies accordingly just to make sure that the users are only accessing what they are supposed to access. So that was a very quick demonstration of some of the key points that you can change within a user's properties once you have created an IAM user.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.