
Features of IAM



This course looks at the key security services within AWS that are relevant to the Solutions Architect Associate exam. Core to security is Identity & Access Management, commonly referred to as IAM. This service manages the identities that are able to access your AWS resources and the permissions they hold, so understanding how it works and what you can do with it will help you maintain a secure AWS environment.


Learning Objectives

  • Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
  • Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
  • Understand how to configure and monitor AWS WAF
  • Learn about AWS Firewall Manager and its components
  • Learn how to configure AWS Shield
  • Learn the fundamentals of AWS Cognito

Hello and welcome to this short lecture where I'm going to look at some of the other features of IAM. This will include an overview of the IAM account settings, along with an explanation of the credential report and finally, the integration of KMS within IAM. Let me start with the account settings.

These can be found in the menu bar of the IAM console. The account settings contain information relating to your IAM password policy and the Security Token Service (STS) regions. The password policy applies to the IAM users you have created. There are a number of components within the password policy that you can change to align it with any security controls or standards you have to follow in order to maintain compliance.

Let's say, for example, that your security standards require the following from your password policy: a minimum length of 10 characters; alphanumeric characters, including both uppercase and lowercase letters; users allowed to manage their own passwords; password expiry set to 30 days; and no reuse of any of the previous five passwords.

If that were the case, your password policy would be configured as shown. Once you have set your password policy, you must click Apply password policy to activate it.
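The same standard can be checked programmatically rather than by eye in the console. The following is an added example, not code from the lecture or from AWS: it encodes the lecture's requirements using the attribute names IAM itself uses (the keys that boto3's iam.get_account_password_policy() returns under "PasswordPolicy", which are also the keyword arguments of update_account_password_policy()), and audits a policy dict against them. The WEAK_POLICY sample is constructed; the live-account lines at the end are optional and need boto3 and credentials.

```python
"""Audit an IAM account password policy against a written standard.

Added example, not part of the original lecture. REQUIRED encodes the standard
described above (10+ characters, numbers plus upper- and lower-case letters,
users may change their own password, 30-day expiry, no reuse of the previous
five passwords) using IAM's own attribute names.
"""

# The lecture's standard, expressed with the keys IAM uses for a password policy.
REQUIRED = {
    "MinimumPasswordLength": 10,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 30,
    "PasswordReusePrevention": 5,
}

# Constructed sample: a policy that was never tightened after account creation.
# IAM omits MaxPasswordAge and PasswordReusePrevention when they are unset.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}


def check_password_policy(policy):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < REQUIRED["MinimumPasswordLength"]:
        findings.append(f"minimum length is {length}, standard requires "
                        f"{REQUIRED['MinimumPasswordLength']}")
    for flag in ("RequireNumbers", "RequireUppercaseCharacters",
                 "RequireLowercaseCharacters", "AllowUsersToChangePassword"):
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enabled")
    # A missing MaxPasswordAge means passwords never expire, which also fails.
    age = policy.get("MaxPasswordAge")
    if age is None or age > REQUIRED["MaxPasswordAge"]:
        findings.append(f"password expiry is {age or 'disabled'}, standard requires "
                        f"{REQUIRED['MaxPasswordAge']} days")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < REQUIRED["PasswordReusePrevention"]:
        findings.append(f"reuse prevention remembers {reuse} passwords, standard requires "
                        f"{REQUIRED['PasswordReusePrevention']}")
    return findings


def compliant_policy():
    """The settings that bring the account in line with the standard.

    The keys double as keyword arguments for boto3's
    iam.update_account_password_policy(**compliant_policy()).
    """
    return dict(REQUIRED)


if __name__ == "__main__":
    for finding in check_password_policy(WEAK_POLICY) or ["policy is compliant"]:
        print("-", finding)
    # Live check (needs boto3 and credentials). Note that
    # get_account_password_policy() raises NoSuchEntityException when the
    # account still has the default policy, which is itself a finding.
    # import boto3
    # live = boto3.client("iam").get_account_password_policy()["PasswordPolicy"]
    # print(check_password_policy(live))
```

The check deliberately treats a missing MaxPasswordAge as a failure rather than skipping it, because IAM drops that key entirely when expiry is turned off, and a checker that only compared present keys would pass the weakest possible policy.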

The second element of your account settings, at the bottom of the screen, relates to Security Token Service regions. This is a list of regions in which the Security Token Service is either activated or deactivated.

By default, all regions are activated. However, you can deactivate some if required for increased security. To deactivate a region, simply click Deactivate next to it.

Okay, so let me now talk about the credential report: what it is and what it looks like. It can be accessed by selecting Credential report in the IAM menu bar. From there, all you need to do is click Download Report. This generates and downloads a CSV file containing a list of all your IAM users and the status of their credentials. It's worth noting that a credential report will only be generated once every four hours.

For example, if you download a credential report for the first time at 1 pm, a new report is generated and downloaded. If you then want to download another credential report at 4 pm, a new report will not be generated; instead, the existing report generated at 1 pm is simply downloaded again. To generate a new report, you have to wait at least four hours after the previous one was generated.

The report itself is comprised of a number of columns which are fairly self-explanatory. However, here is a brief run-down of what each column means. Feel free to pause the video and take a read. This credential report can be useful when you're auditing your security services. You can use the information within the report to ascertain whether specific standards are being met, such as access key rotation or whether additional levels of authentication, such as MFA, are in use.

This report could also be sent to external auditors to help secure evidence of compliance.
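The two audit questions mentioned above, access key rotation and MFA, can be answered directly from the downloaded CSV. The following is an added example, not code from the lecture or from AWS. The SAMPLE_REPORT text is constructed to match the layout of a real credential report (same column names, "true"/"false" cells, ISO-8601 timestamps and the "N/A"/"not_supported" markers IAM writes, plus the "<root_account>" row), and the 90-day key age and the fixed NOW timestamp are assumptions. The commented-out lines at the end show the optional live fetch and rely on the four-hour caching behaviour the lecture describes.

```python
"""Audit an IAM credential report CSV for stale access keys and missing MFA.

Added example, not part of the original lecture. The CSV below is constructed
to look like the report IAM downloads; thresholds are assumptions to adjust to
your own standard.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: the root user, a compliant user and two users
# with findings. Only the columns this check reads are filled in meaningfully.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T09:00:00+00:00,not_supported,2020-05-01T12:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-06-01T09:00:00+00:00,true,2020-05-20T08:00:00+00:00,2020-05-01T08:00:00+00:00,2020-05-31T08:00:00+00:00,true,true,2020-04-15T10:00:00+00:00,2020-05-20T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2018-03-01T09:00:00+00:00,true,2020-05-19T08:00:00+00:00,2020-04-25T08:00:00+00:00,2020-05-25T08:00:00+00:00,false,true,2019-11-01T10:00:00+00:00,2020-05-19T08:00:00+00:00,eu-west-1,ec2,true,2020-01-10T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2019-09-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2019-09-01T09:00:00+00:00,2020-05-21T08:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumed standard: active keys older than 90 days are stale, and every
# identity with console access (including root) must have MFA.
MAX_KEY_AGE = timedelta(days=90)
# Fixed "now" so the sample gives repeatable results; use datetime.now(timezone.utc) live.
NOW = datetime(2020, 5, 22, 12, 0, tzinfo=timezone.utc)


def parse_time(cell):
    """IAM writes ISO-8601 timestamps, or N/A / not_supported / no_information."""
    try:
        return datetime.fromisoformat(cell)
    except ValueError:
        return None


def audit_credential_report(csv_text, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return {user: [findings]} for every user that fails a check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user_findings = []
        # The root row reports password_enabled as not_supported, but it
        # always has console access, so treat it as such.
        has_console = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            user_findings.append("console access without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive or absent keys cannot be used, so skip them
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                age = "unknown" if rotated is None else f"{(now - rotated).days} days"
                user_findings.append(f"access key {n} not rotated for {age}")
        if user_findings:
            findings[row["user"]] = user_findings
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user, "->", "; ".join(issues))
    # Live use (needs boto3 and credentials). generate_credential_report()
    # reports State STARTED/INPROGRESS until the report is ready, and IAM hands
    # back a report generated within the last four hours instead of a new one.
    # import boto3
    # iam = boto3.client("iam")
    # while iam.generate_credential_report()["State"] != "COMPLETE":
    #     pass
    # print(audit_credential_report(iam.get_credential_report()["Content"].decode()))
```

On the sample, alice passes (MFA on, key 37 days old), bob is flagged for missing MFA and two stale keys, and svc-deploy, which has no console password, is flagged only for its unrotated key. A user without console access is not asked for MFA because IAM only enforces MFA devices on sign-in, so the report's mfa_active column is meaningless for access-key-only identities.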

I now want to move on to the final part of this lecture, which looks at how the Key Management Service is linked with IAM and what you can use it for. I won't go into deep detail on KMS, as we have a separate course for that which can be found here.

The Key Management Service is a managed AWS service that enables you to easily manage the encryption keys used to secure your data. Through the creation of these keys, you control how they can be used to encrypt your data. If you lose or delete your encryption keys, they cannot be recovered, so it's up to you to administer the keys and how they are used.

IAM allows you to create and manage your KMS Customer Master Keys (CMKs) from within the IAM console. A CMK is primarily used to protect the data keys that encrypt your data within AWS. To administer your CMKs, select Encryption keys in the side menu. From here you can create a new CMK or view existing CMKs, including the region each key exists in, its alias, key ID, current status and creation date.

From here you can also edit and tag your keys for easier management.
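The key list the console shows (region, alias, key ID, status, creation date) can be reproduced from the API, which also makes it easy to add a check that the console does not surface as prominently: keys sitting in their deletion waiting period, which, as noted above, cannot be recovered once the period ends. The following is an added example, not code from the lecture or from AWS. The two sample lists are constructed in the shape boto3 returns from kms.describe_key()["KeyMetadata"] and kms.list_aliases()["Aliases"]; the fixed NOW timestamp and the pending-deletion warning are assumptions.

```python
"""List KMS keys the way the IAM console's Encryption keys view does, and flag
keys scheduled for deletion.

Added example, not part of the original lecture. Sample data is constructed in
the shape of boto3's kms.describe_key()["KeyMetadata"] and
kms.list_aliases()["Aliases"] responses.
"""
from datetime import datetime, timezone

# Fixed "now" for repeatable output; use datetime.now(timezone.utc) live.
NOW = datetime(2020, 5, 22, tzinfo=timezone.utc)

# Constructed sample: three keys across two regions. KMS only includes
# DeletionDate when KeyState is PendingDeletion.
KEY_METADATA = [
    {"KeyId": "1111aaaa-0000-4000-8000-000000000001",
     "Arn": "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-0000-4000-8000-000000000001",
     "CreationDate": datetime(2020, 1, 5, tzinfo=timezone.utc), "KeyState": "Enabled"},
    {"KeyId": "2222bbbb-0000-4000-8000-000000000002",
     "Arn": "arn:aws:kms:us-east-1:111122223333:key/2222bbbb-0000-4000-8000-000000000002",
     "CreationDate": datetime(2019, 8, 20, tzinfo=timezone.utc), "KeyState": "Disabled"},
    {"KeyId": "3333cccc-0000-4000-8000-000000000003",
     "Arn": "arn:aws:kms:eu-west-2:111122223333:key/3333cccc-0000-4000-8000-000000000003",
     "CreationDate": datetime(2019, 2, 1, tzinfo=timezone.utc), "KeyState": "PendingDeletion",
     "DeletionDate": datetime(2020, 5, 30, tzinfo=timezone.utc)},
]
# Aliases are regional, so live code calls list_aliases() once per region.
ALIASES = [
    {"AliasName": "alias/app-data", "TargetKeyId": "1111aaaa-0000-4000-8000-000000000001"},
    {"AliasName": "alias/app-data-old", "TargetKeyId": "1111aaaa-0000-4000-8000-000000000001"},
    {"AliasName": "alias/backups", "TargetKeyId": "3333cccc-0000-4000-8000-000000000003"},
]


def region_from_arn(arn):
    """ARN layout is arn:partition:service:region:account:resource."""
    return arn.split(":")[3]


def inventory(metadata, aliases):
    """One row per key with the columns the console shows."""
    alias_by_key = {}
    for alias in aliases:
        # Predefined AWS aliases can appear without a TargetKeyId until first
        # use; they point at no key yet, so skip them.
        if "TargetKeyId" in alias:
            alias_by_key.setdefault(alias["TargetKeyId"], []).append(alias["AliasName"])
    return [
        {
            "region": region_from_arn(md["Arn"]),
            "alias": ", ".join(sorted(alias_by_key.get(md["KeyId"], []))) or "(none)",
            "key_id": md["KeyId"],
            "status": md["KeyState"],
            "created": md["CreationDate"].date().isoformat(),
        }
        for md in metadata
    ]


def pending_deletion(metadata, now=NOW):
    """Keys in their deletion waiting period, mapped to the days left to cancel."""
    return {
        md["KeyId"]: (md["DeletionDate"] - now).days
        for md in metadata
        if md["KeyState"] == "PendingDeletion" and "DeletionDate" in md
    }


if __name__ == "__main__":
    for row in inventory(KEY_METADATA, ALIASES):
        print("{region:<10} {alias:<34} {key_id}  {status:<16} {created}".format(**row))
    for key_id, days in pending_deletion(KEY_METADATA).items():
        print(f"WARNING: {key_id} is deleted in {days} days; "
              "use cancel_key_deletion() if data still depends on it")
```

The deletion check is the part worth automating: a key in PendingDeletion still shows up in the list, but once its waiting period passes every object encrypted under it becomes unreadable, so surfacing the days remaining gives an administrator a window to cancel.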

Like I mentioned previously, a full explanation of KMS and how to use it to encrypt your data can be found in the course dedicated to the service.


About the Author
Stuart Scott
AWS Content Director

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.