This course looks at one of the key Security services within AWS, Identity & Access Management, commonly referred to as IAM. This service manages identities and their permissions that are able to access your AWS resources and so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important step in ensuring your resources are secure.
Within this course, we will look at the following topics:
- What is Identity & Access Management? This lecture will explain what IAM means and why it’s necessary to implement and maintain control of this service.
- Groups, Users & Roles: This lecture will define the differences between Groups, Users and Roles and how each of these objects are typically used
- IAM Policies: This lecture we will discuss what IAM Policies are, how to create, modify and apply them within your AWS environment
- Multi-Factor Authentication: This lecture will explain what MFA is and the best practices
- Identity Federation: This lecture will explain how external identities (users who do not have IAM user accounts) can access your AWS resources through the use of identity providers
- IAM Features: This lecture will focus on the information contained within IAM Account settings, the credential report and also how IAM integrates with KMS
- Setup and configure users, groups, and roles to control which identities have the authorization to access specific AWS resources
- Implement Multi-Factor Authentication
- Create and implement IAM Policies allowing you to grant or restrict very granular and specific permissions across a range of resources
- Implement a Password policy to align with your internal security controls
- Understand when and why you may use Identity federation access
- Understand how the Key Management Service (KMS) is used in conjunction with IAM
This course has been designed for AWS administrators, security engineers, security architects or anyone who is looking to increase their knowledge of the IAM service in preparation for an AWS certification.
To get the most from this course, it would be good if you already had some basic hands-on experience of AWS and its services, although it's not essential.
This course contains
- 8 lectures
- Over 70 minutes of high definition video
- Live demonstrations on key components within the course
Hello and welcome to this short lecture where I'm going to look at some of the other features of IAM. This will include an overview of the IAM account settings, along with an explanation of the credential report and finally, the integration of KMS within IAM. Let me start with the account settings.
These can be found in the menu bar on the IAM console. The account settings contains information relating to your IAM password policy and Security Token Service Regions. The password policy is used and adopted by your IAM users that you have created. There are a number of different components that you can change within the password policy to align it to any security controls or standards that you may have to ensure you maintain compliancy.
Let's say for example your security standards required the following from your password policy. A minimum of 10 characters in length, alphanumerics along with uppercase and lowercase letters, users are allowed to manage their own password, the expiration of your password should be set to 30 days and the same password must not be used from the previous five passwords used.
If this was the case, then your password policy would be configured as shown. Once you have set your password policy, you must click on apply password policy to activate it.
The second element of your account settings are at the bottom of the screen which relates to Security Token Service Regions. This is a list of regions that are either activated or deactivated for the Security Token Service.
By default all regions are activated. However, you can deactivate some if required for increased security. To deactivate, simply click on deactivate for the required region.
Okay, so let me now talk about the credential report, what it is and what it looks like. This can be accessed by selecting credential report on the menu bar of IAM. From here all you need to do is click on the download report. This will then generate and download a CSV file containing a list of all your IAM users and their credentials. It's worth noting that a credential report will only be generated once every four hours.
For example if you downloaded a credential report for the first time at 1 pm, a new report will generated and downloaded. If you then wanted to download another credential report at 4 pm, a new report will not be generated. Instead the existing report that was generated at 1 pm would simply be downloaded instead. To generate a new report, you have to wait at least four hours from the previous generation.
The report itself is comprised of a number of columns which are fairly self-explanatory. However, here is brief run-down of what each column means. Feel free to pause the video and take a read. This credential report can be useful for when you're auditing your security services. You can use the information within the report to ascertain if specific standards are being met, such as access key rotation or if additional levels of authentication are being used for implementing MFA.
This report could also be sent to external auditors to help secure evidence of compliance.
I now want to move onto the final part of this lecture which looks at how the Key Management Service is linked with IAM and what you can use it for. I won't go into deep detail of KMS as we have a separate course for that which can be found here.
The Key Management Service is a managed service by AWS that enables you to easily manage encryption keys to secure your data. Through the creation of these keys, you are in control of how these can be used to encrypt your data. If you lose or delete your encryption keys, they cannot be recovered. It's up to you to administer the keys and administer how they are used.
IAM allows you to create and manage your KMS Customer Master Keys, CMK, from within your IAM console. The CMK is primarily used to protect data keys which are used to encrypt your data within AWS. To administer your CMK, select encryption keys within the side menu bar. From here you're able to create a new CMK, view any existing CMKs which will show which region the key exists in, the alias, the key ID, its current status and the creation date of the CMK.
From here you can also go back and edit and tag your keys too for greater management.
Like I mentioned previously, a full explanation of KMS and how to use it to encrypt your data can be found in the course dedicated to the service.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.