CloudAcademy: Introduction to Security Best Practices for Linux Instances on AWS

How to use IAM to control access to your resources

Overview: Difficulty: Beginner; Duration: 51m; Students: 1321

Description

Launching your EC2 instance is just the first step to becoming an AWS professional: securing your cloud resources is something you can't ignore. In this course, experienced Linux system administrator David Clinton shares some common best practices for enhancing your infrastructure security.

You'll learn how to manage access to your instances with IAM and Multi Factor Authentication, how to encrypt your storage, how to keep your Linux instance updated with security patches, how to monitor your system and your network to ensure that nobody unauthorized is using your resources, and finally, the basic principles of penetration testing and how to use nmap to ensure that your security group is properly configured.

Who should take this course

This course is aimed at beginners with little or no experience with cloud security. Some basic knowledge of Linux system administration, TCP/IP, and security topics is recommended.

To increase your knowledge, you may want to check our many AWS courses, in particular the ones introducing EC2 and S3. And why not take the challenge and try out a quiz?

Transcript

Welcome to CloudAcademy.com's video series on security for AWS, Amazon Web Services. In this video, we'll talk about account management. And it's a big topic. It's an important topic. You may be aware that your AWS account is associated with your Amazon.com account. So think about this scenario, you may once have lent your password to a friend or a relative to allow him or her to make a quick Amazon purchase. Well, that friend or relative, no matter how much you trust them, also has full access to every website and every instance associated with your AWS account.

You may not be comfortable with that. There's another consideration. Your company, the one that is served by this AWS account, may have a large number of employees, many of whom might require access to various aspects, the various elements, of this AWS account. But not all of them require or should have access to every element of the account. You may have developers who need access to the code.

You may have marketing people who need access to the website. But one doesn't need access to what the other has. It's an excellent idea to fine-tune the access that each member of your team has. And Amazon has made this quite straightforward using IAM. IAM is Amazon's Identity and Access Management tool. Here you can create and administer users and groups. Let's create a user. Clicking on user, we see there are no users yet associated with this account. Let's create a new one. We'll call him Tony. Click on create. Show user security credentials. As you can see from the note associated with this popup window, this is the last time these user security credentials will be available for download. So it's a good idea to either click on download credentials, or simply to highlight the information, perhaps right-click with your mouse over the highlighted area, and copy.

You can then paste that information into a text file somewhere on your computer. For our purposes though, we'll just close the window. And Tony now exists. We can select Tony and edit his groups, permissions, security credentials, or if necessary, delete him, manage his access keys, manage his password. We have full control over his account. His account isn't all that useful yet though, because he doesn't yet belong to a group. In fact, there is no group yet. Let's create one. Let's call it Developers. Click on continue. And here we define what power and roles the Developers group will have. Let's give them Administrator Access. That is, they'll be able to access instances, services, and resources associated with this AWS account, but will not allow them to manage the users and groups. That's the power user access. By the way, there are dozens of pre-formatted permission profiles that Amazon provides for us. The odds are you'll find among these pre-formatted profiles something to fit pretty much every need you're going to have. But just in case there's something you don't find, you can generate your own policy or a custom policy, or create users with no permissions at all. For our purposes right now though, we'll just select Administrator Access. We'll have a quick look at the code that defines that access, and then continue. Create the group, and the Developers group now exists. Again, by selecting the Developers group, we'll be able to edit and manage the details associated with this group. But for now let's go back to the IAM dashboard.

There's one more detail we can discuss. You'd like your colleagues to be able to sign into this console, giving them a web URL, an address. But the one that Amazon assigns automatically to our account, in this case, is 426497493112.signin.aws.amazon.com/console.

It's a little unwieldy and it doesn't really provide an intuitive address that you can be comfortable sharing with your colleagues. So Amazon gives us the option of creating an account alias. Let's name it after our company, the Acme Widget Company. Create the alias, and the web access now is https://acmewidget.signin.aws.amazon.com/console. It's not particularly quick to type, but it's more intuitive. It'll make things a little bit easier. So we've learned to create and manage users, and create and manage groups, so that when a new user has to be added, you don't have to again laboriously define every aspect of the permissions and the authority he's going to have. Rather you just create the user, and drop him into those groups where he'll be most effective, and keep him out of the groups where he doesn't belong.

It's a simple, straightforward, and very clean approach to managing users.
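The permission decision behind the group step above (AdministratorAccess for the Developers group versus a power-user policy that keeps members out of IAM), as an added example that is not part of the course: a minimal evaluator for IAM policy JSON in Python. The AdministratorAccess document has the shape of the AWS managed policy; the PowerUserAccess document is an assumed, simplified form of it, and Resource, Condition and Principal are not modelled.

```python
import fnmatch
import json

# Shape of the AWS-managed AdministratorAccess policy the course attaches to the
# Developers group: every action is allowed, IAM user/group management included.
ADMINISTRATOR_ACCESS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Simplified power-user policy (assumption: a reduced form of AWS's PowerUserAccess):
# everything is allowed except the iam:* namespace, so group members cannot
# manage users and groups.
POWER_USER_ACCESS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action):
    # Action: applies when the action matches one of the patterns.
    # NotAction: applies when the action matches none of them.
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    return "NotAction" in stmt and not _matches(stmt["NotAction"], action)


def is_allowed(policy, action):
    """Return True if `policy` grants `action` (e.g. "iam:CreateUser").

    An explicit Deny always wins; otherwise any applicable Allow grants the
    action; with no applicable Allow the default is an implicit Deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running `is_allowed(POWER_USER_ACCESS, "iam:CreateUser")` returns False while the same call against ADMINISTRATOR_ACCESS returns True, which is the distinction the course draws between the two profiles.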

About the Author

David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.

Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.

Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.

His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.