This course looks at one of the key Security services within AWS, Identity & Access Management, commonly referred to as IAM. This service manages identities and their permissions that are able to access your AWS resources and so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important step in ensuring your resources are secure.
Within this course, we will look at the following topics:
- What is Identity & Access Management? This lecture will explain what IAM means and why it’s necessary to implement and maintain control of this service.
- Groups, Users & Roles: This lecture will define the differences between Groups, Users and Roles and how each of these objects are typically used
- IAM Policies: This lecture we will discuss what IAM Policies are, how to create, modify and apply them within your AWS environment
- Multi-Factor Authentication: This lecture will explain what MFA is and the best practices
- Identity Federation: This lecture will explain how external identities (users who do not have IAM user accounts) can access your AWS resources through the use of identity providers
- IAM Features: This lecture will focus on the information contained within IAM Account settings, the credential report and also how IAM integrates with KMS
Learning Objectives
- Setup and configure users, groups, and roles to control which identities have the authorization to access specific AWS resources
- Implement Multi-Factor Authentication
- Create and implement IAM Policies allowing you to grant or restrict very granular and specific permissions across a range of resources
- Implement a Password policy to align with your internal security controls
- Understand when and why you may use Identity federation access
- Understand how the Key Management Service (KMS) is used in conjunction with IAM
Intended Audience
This course has been designed for AWS administrators, security engineers, security architects or anyone who is looking to increase their knowledge of the IAM service in preparation for an AWS certification.
Prerequisites
To get the most from this course, it would be good if you already had some basic hands-on experience of AWS and its services, although it's not essential.
This course contains
- 8 lectures
- Over 70 minutes of high definition video
- Live demonstrations on key components within the course
Hello, and welcome to this final lecture where I just want to briefly summarize some of the points that we have looked at. You should now have an understanding and overview of what the Identity and Access Management service is and does, and the different components of the service that allows you to effectively secure access of your identities to your AWS resources.
We started off by looking and understanding what is meant by IAM, how this linked authentication authorization and access control, which are used heavily within the service.
Next we looked at the different components of the service, starting with users, groups, and roles. Let me just quickly provide an overview of these three components again.
I defined users as objects representing an identity which are used in the authentication process to your AWS account. User objects are created to represent an identity. This could be a real person within your organization who requires access to operate and maintain your AWS environment. Or it could be an account to be used by an application that may require permissions to access your AWS resources programmatically.
IAM groups are objects much like user accounts, however, they are not used in any authentication process. They are used to authorize access to AWS resources through the use of AWS policies. The groups contain users, and these groups will have IAM policies associated that will allow or explicitly deny access to AWS resources.
IAM roles allow user of AWS services and applications to adopt a set of temporary IAM permissions to access a AWS resources. This could be required to enforce security best practices. Following this section, I then explained more about IAM policies. I explained that IAM policies are formatted as JSON documents and each policy will have at least one statement where the structure may look like the following example.
A full explanation was given as to what each item define within the policy to relay to start creating your own custom policies. We also learnt that there were two types of policies, AWS Managed and Customer Managed. AWS Managed Policies are predefined IAM policies that are already configured allowing you to assign them as required.
Customer Managed Policies are created and modified by the customer, so essentially any other policy outside of the AWS Managed Policies.
After looking at policies, I explained what Multi-Factor Authentication was and why it is used. For many cases the verification of an identity requires more than just a password to confirm the identity.
In these cases, typically those identities with a higher level of authorization these users should have MFA associated their accounts as an additional verification step within the authentication process. This adds another layer of security attached the identity. Using and MFA device which can be a physical token or a virtual device a random six digit number is generated for a very short period of time, usually seconds. This number then has to be entered as a part of the authentication process.
Following MFA, I looked at how Federation can be used as a single sign on approach. Identity Federation allows users from identity providers external to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account.
As a part of the configuration process to implement Federated authentication a trust relationship between the identity provider and your AWS account must be established. AWS supports two types of identity providers, OpenID Connect, OIDC, and SAML 2.
OIDC Federation allows authentication between AWS resources and any public OpenID Connect provider such as Facebook, Google, or Amazon.
SAML 2 based Federations can allow your existing active directory users to authenticate to your AWS resources allowing for a single sign on approach. SAML stands for Security Assertion Markup Language.
Finally, I quickly covered some of the other features of AWS which explain how to create a password policy for users within IAM and how this could be configured to reflect your own internal security standards.
I then gave a high level overview of how KMS Customer Master Keys can be created from within the IAM console.
Thank you for taking the time to view this course and if you have any feedback, positive or negative I would very much appreciate your comments.
That now brings us to the end of this course. I wish you continued success with any future development and learning of cloud computing here at CloudAcademy.
Thank you.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.