This course looks at one of the key security services within AWS, Identity & Access Management, commonly referred to as IAM. This service manages the identities that are able to access your AWS resources and the permissions those identities hold, so understanding how it works and what you can do with it will help you to maintain a secure AWS environment. Configuring IAM correctly is an important step in ensuring your resources are secure.
Within this course we will look at:
• What is Identity & Access Management? This lecture will explain what IAM means and why it’s necessary to implement and maintain control of this service.
• Groups, Users & Roles: This lecture will define the differences between groups, users and roles and how each of these objects is typically used.
• IAM Policies: In this lecture we will discuss what IAM policies are and how to create, modify and apply them within your AWS environment.
• Multi-Factor Authentication: This lecture will explain what MFA is and the best practices for using it.
• Identity Federation: This lecture will explain how external identities (users who do not have IAM user accounts) can access your AWS resources through the use of identity providers.
• IAM Features: This lecture will focus on the information contained within the IAM account settings and the credential report, and on how IAM integrates with KMS.
By the end of this course, you will be able to:
• Set up and configure users, groups and roles to control which identities are authorized to access specific AWS resources
• Implement Multi-Factor Authentication
• Create and implement IAM Policies allowing you to grant or restrict very granular and specific permissions across a range of resources
• Implement a Password policy to align with your internal security controls
• Understand when and why you may use identity federation
• Understand how the Key Management Service (KMS) is used in conjunction with IAM
This course contains:
• 8 lectures
• Over 70 minutes of high definition video
• Live demonstrations on key components within the course
Hello and welcome to this lecture where I shall provide an overview of what the Identity and Access Management service is and what IAM actually means. Firstly, I want to define what is meant by Identity and Access Management. I shall break this down into two parts, starting with identity management.
Identities such as AWS usernames are required to authenticate to your AWS account. Authentication is the process of presenting an identity, in this case a username, and providing verification of that identity, such as entering the password associated with it. The second part, access management, relates to authorization and access control.
Authorization determines what an identity can access within your AWS account once it has been authenticated. An example of this is the identity's list of permissions to access specific AWS resources. Access control is the mechanism by which a secured resource is accessed: for example, a username and password, multi-factor authentication (MFA), or federated access. MFA and federated access will both be explained in greater detail as we go through the rest of this course.
So essentially IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account.
We do have an existing course dedicated to AWS Authentication, Authorization and Access Control mechanisms which goes into great detail on each topic. This course can be found here. Having an understanding of the different security controls from an authentication and authorization perspective can help you design the correct level of security for your infrastructure.
Now we know what IAM relates to, let me explain what the service actually does. As I just explained, the AWS IAM service is used to centrally manage and control security permissions for any identity requiring access to your AWS account and its resources. This is achieved by using different features within IAM consisting of:
- Users: These are objects within IAM that represent a person or application needing access to your account, each with its own credentials.
- Groups: These are objects that contain multiple users, so that a common set of permissions can be assigned once to the group rather than to each user individually.
- Roles: These are objects that different identities can assume in order to take on a new set of permissions, without sharing long-term credentials.
- Policy Permissions: These are JSON policy documents that define which actions can and can't be performed on which resources.
- And Access Control Mechanisms: These are the mechanisms that govern how a resource is accessed, such as passwords, MFA and federation.
Each of these features will be discussed in detail as I take you through this course.
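To make the policy and access-control items above concrete, the following Python script is an added example (not code from the course) that implements the decision rule IAM applies to an identity-based policy: every request is implicitly denied, an explicit Deny in a matching statement wins outright, and otherwise a matching Allow is required. The policy document, bucket name and requests are constructed for illustration. It models only identity-based policies and the Bool and BoolIfExists condition operators; resource policies, permission boundaries, SCPs, session policies and NotAction/NotResource statements are deliberately left out, so treat it as a teaching model rather than a drop-in replacement for the IAM policy simulator.

```python
"""Simplified model of how IAM evaluates an identity-based policy.

Added example, not code from the course. Decision order modelled:
implicit deny by default, explicit Deny overrides everything, otherwise
at least one matching Allow is required. Assumption: only the
identity-based policy attached to the caller is evaluated; resource
policies, permission boundaries, SCPs, session policies and
NotAction/NotResource statements are out of scope.
"""
import fnmatch
import json

# Constructed sample policy (not from the course): read-only access to one
# bucket, plus object deletion only from an MFA-authenticated session. The
# Deny uses BoolIfExists so that long-term access keys, where the MFA context
# key is absent entirely, are still denied.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket",
                   "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "AllowDeleteObjects",
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyDeleteWithoutMfa",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    Action names are matched case-insensitively, ARNs as written."""
    patterns = _as_list(patterns)
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate Bool / BoolIfExists operators against the request context.
    With Bool a missing context key makes the condition false; with
    BoolIfExists a missing key counts as satisfied."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"          # default: nothing is permitted
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            raise NotImplementedError("only Action/Resource statements are modelled")
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"      # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", obj))          # Allow
    print(evaluate(SAMPLE_POLICY, "s3:PutObject", obj))          # ImplicitDeny
    print(evaluate(SAMPLE_POLICY, "s3:DeleteObject", obj))       # ExplicitDeny
    print(evaluate(SAMPLE_POLICY, "s3:DeleteObject", obj, mfa))  # Allow
```

The point to take from the last two calls is that the same identity, holding the same policy, is denied the delete when its session carries no MFA context (a plain access key) and allowed it when it does: the Deny statement is the access control mechanism, and the Allow alone is not enough.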
Within AWS some services are regional and some are global. IAM is a global service, meaning that you do not have to create separate users or groups in each AWS region in which you have resources; IAM covers all regions.
IAM is the first service a user will interact with when using AWS, because an identity must be authenticated by IAM before it can access any AWS resource. This applies whether access is via the AWS Management Console in your browser or via the AWS command line interface, where each API call is authenticated before it can reach a resource.
It's critical to understand how IAM works and what can be achieved via the service, but it's even more important to know how to implement its features. Without IAM there would be no way of maintaining security or control of who or what could access your resources and what they could do with them, both internally and externally.
IAM provides the components to maintain this management of access, but it is only as strong and secure as you configure it. The responsibility for implementing secure, robust and tight security within your AWS account using IAM is yours as the owner of the AWS account. You must define how strict your access control procedures must be, how much you want to restrict users from accessing certain resources, how complex a password policy must be and whether users should be using multi-factor authentication.
All of this and much more is down to you to architect and implement and much of it will likely depend on your own security standards and policies within your information security management systems.
From within the AWS management console, the IAM service can be found under the Security, Identity & Compliance category and when accessed it will take you to the IAM dashboard.
From here, if you have the correct permissions, you will be able to administer all security from an IAM perspective. The initial dashboard of the IAM console displays the IAM users sign-in link, a URL that you can send to users who need to gain access to your AWS Management Console.
This link can be customized by clicking on the customize button to make it easier to remember and read. If you have multiple AWS accounts, this customization will help you distinguish between your accounts.
IAM Resources. This section provides an overview of your IAM resources using a simple count of the number of users, groups, roles, customer managed policies and identity providers you have configured within IAM.
Security Status. This is populated with five best practices that AWS IAM recommends you configure when using the service: activate MFA on your root account, create individual IAM users, use groups to assign permissions, apply an IAM password policy and rotate your access keys.
When you implement any of the list of best practices, the status of them will change from an orange warning sign to a green tick to show you have achieved and implemented a recommended best practice. I recommend you try to adopt these best practices at your earliest opportunity. Maintaining tight security is paramount when working with an IAM solution.
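As an added example (not part of the course), the Python script below checks several of those best practices mechanically by parsing an IAM credential report, the CSV that IAM produces for every user in the account and that a later lecture covers. It flags a root account without MFA or with an active access key, users who have a console password but no MFA, and active access keys older than a rotation threshold. The report embedded here is constructed sample data with a fictitious account ID, and the 90-day threshold is a hypothetical internal standard; in practice you would feed in the base64-decoded Content field returned by `aws iam get-credential-report`.

```python
"""Audit an IAM credential report against the dashboard's best practices.

Added example, not code from the course. The CSV columns follow the
documented credential report format; the rows are constructed sample
data for a fictitious account (assumption, not a real report). The
90-day rotation limit is a hypothetical internal standard.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROTATION_MAX_AGE = timedelta(days=90)   # hypothetical internal standard
ROOT_USER = "<root_account>"            # how the report names the root identity

# Constructed sample report: a root account with no MFA and an old key, one
# well-configured user, one user with a password but no MFA and a stale key,
# and a service user with one stale and one freshly rotated key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,not_supported,2024-03-01T08:12:44+00:00,not_supported,not_supported,false,true,2020-01-10T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-05-02T10:00:00+00:00,true,2024-03-04T07:30:00+00:00,2024-02-01T10:00:00+00:00,N/A,true,true,2024-02-15T10:00:00+00:00,2024-03-04T07:31:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-09-14T12:00:00+00:00,true,no_information,2021-09-14T12:00:00+00:00,N/A,false,true,2021-09-14T12:00:00+00:00,2024-02-20T11:05:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-01T00:00:00+00:00,2024-03-05T02:00:00+00:00,us-east-1,ecr,true,2024-02-28T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "current time" so the sample audit is reproducible.
SAMPLE_AS_OF = datetime(2024, 3, 5, tzinfo=timezone.utc)


def _parse_ts(value):
    """The report uses N/A, no_information and not_supported as null markers."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, as_of=None):
    """Return a list of (user, finding) tuples for best-practice violations."""
    as_of = as_of or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        is_root = name == ROOT_USER
        if is_root and row["mfa_active"] != "true":
            findings.append((name, "root account has no MFA device"))
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((name, "console password enabled without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Root should have no access keys at all, regardless of age.
                findings.append((name, f"root account has an active access key ({slot})"))
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or as_of - rotated > ROTATION_MAX_AGE:
                findings.append((name, f"access key {slot} older than {ROTATION_MAX_AGE.days} days"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the fixed timestamp."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_AS_OF)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Run against a real report this reproduces, as a script you can schedule, the checks the dashboard's Security Status shows as orange warnings: the root MFA and access-key findings map to "activate MFA on your root account", the per-user MFA finding to the MFA best practice for individual IAM users, and the age check to "rotate your access keys". Note that the report only tells you a key's last rotation date, not whether it is still in use, so pair it with the last-used columns before revoking anything.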
That brings us to the end of this lecture where we looked at what is meant by IAM, what the AWS IAM service is and does, where the service is located within the management console and what information is held on the IAM dashboard within the management console. In the next lecture I'm going to introduce you to users, groups and roles and the part they play within IAM.
About the Author
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data centre and network infrastructure design, to cloud architecture and implementation.
To date Stuart has created over 40 courses relating to Cloud, most within the AWS category with a heavy focus on security and compliance.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.