This course looks at the key security services within AWS relevant to the SysOps Administrator - Associate exam. At the core of AWS security is Identity & Access Management, commonly referred to as IAM. This service manages the identities that are able to access your AWS resources and the permissions granted to them, so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. In addition to IAM, this course covers a range of other security services covering encryption and access control.
- Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, and cross-account access
- Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
- Learn how to manage data protection through encryption services such as the Key Management Service (KMS) and CloudHSM
- Learn how to secure your AWS accounts using AWS Organizations
- Understand how to configure and monitor AWS WAF, Firewall Manager, and Shield
- Learn the fundamentals of access control via federation using AWS Cognito and AWS SSO
Hello and welcome to this lecture where I shall provide an overview of what the Identity and Access Management service is and what IAM actually means. Firstly, I want to define what is meant by Identity and Access Management. I shall break this down into two parts, starting with identity management.
Identities such as AWS usernames are required to authenticate to your AWS account. Authentication is the process of presenting an identity, in this case a username, and providing verification of that identity, such as entering the associated password. The second part, access management, relates to authorization and access control.
Authorization determines what an identity can access within your AWS account once it has been authenticated to it. An example of this authorization would be the identity's list of permissions to access specific AWS resources. Access control can be classed as the mechanism by which a secured resource is accessed, for example a username and password, multi-factor authentication (MFA), or federated access. MFA and federated access will both be explained in greater detail as we go through the rest of this course.
So essentially IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account.
We do have an existing course dedicated to AWS Authentication, Authorization and Access Control mechanisms which goes into great detail on each topic. This course can be found here. Having an understanding of the different security controls from an authentication and authorization perspective can help you design the correct level of security for your infrastructure.
Now we know what IAM relates to, let me explain what the service actually does. As I just explained, the AWS IAM service is used to centrally manage and control security permissions for any identity requiring access to your AWS account and its resources. This is achieved by using different features within IAM consisting of:
- Users: These are objects within IAM identifying different users.
- Groups: These are objects that contain multiple users.
- Roles: These are objects that different identities can adopt to assume a new set of permissions.
- Policy Permissions: These are JSON policies that define what resources can and can't be accessed.
- Access Control Mechanisms: These are mechanisms that govern how a resource is accessed.
Each of these features will be discussed in detail as I take you through this course.
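To make the policy permissions item concrete, here is an added example (not code from the course or from AWS) that evaluates a constructed JSON policy document against a requested action and resource. It goes slightly beyond the lecture by modelling the core of how IAM combines statements: an explicit Deny always wins, an Allow is required to grant access, and anything unmatched is implicitly denied. Real IAM also evaluates Principal, Condition, NotAction/NotResource, resource-based policies and permission boundaries, which this simplified evaluator leaves out.

```python
"""Minimal evaluator for IAM identity-based policy documents.

Added example, not code from the course or from AWS. It models only the
core evaluation rules (explicit Deny wins, Allow needed to grant, otherwise
implicit deny) with '*' / '?' wildcard matching on Action and Resource.
"""
import fnmatch
import json

# Constructed sample policy: full S3 access to one bucket, with a blanket
# Deny on deleting objects so the Deny-overrides-Allow rule can be seen.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match.

    fnmatch also treats [...] as a character class, which IAM does not;
    that is acceptable for this illustration. Action names are matched
    case-insensitively, as IAM does; resource ARNs are matched as written.
    """
    if case_insensitive:
        value = value.lower()
    for pattern in _as_list(patterns):
        if case_insensitive:
            pattern = pattern.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def is_allowed(policy_json, action, resource):
    """Return True only if some Allow statement matches and no Deny does."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = _matches(stmt.get("Action", []), action, case_insensitive=True)
        resource_hit = _matches(stmt.get("Resource", []), resource)
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False      # explicit deny overrides any allow
        allowed = True        # remember the allow, keep scanning for denies
    return allowed            # no matching statement means implicit deny


if __name__ == "__main__":
    for act, res in [("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv")]:
        print(f"{act} on {res}: {'ALLOW' if is_allowed(SAMPLE_POLICY, act, res) else 'DENY'}")
```

The useful point for an administrator is the order of the checks: because the Deny is returned as soon as it matches, no later Allow can reinstate access, which is why a single Deny statement is the reliable way to carve an exception out of a broad Allow.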
Within AWS some services are regional and some are global. IAM is a global service, meaning that you do not have to create different users or groups within each AWS region that you have resources.
IAM covers all regions. IAM is the first service a user will interact with when using AWS, because the identity must be authenticated by IAM before it can access any AWS resource. This could be via the AWS management console within your browser or via the AWS command line interface, where an API call is attempting to gain access to a resource.
It's critical to understand how IAM works and what can be achieved via the service, but it's even more important to know how to implement its features. Without IAM there would be no way of maintaining security or control of who or what could access your resources and what they could do with them, both internally and externally.
IAM provides the components to maintain this management of access, but it's only as strong and secure as you configure it. The responsibility of implementing secure, robust and tight security within your AWS account using IAM is yours, the owners of the AWS account. You must define how secure your access control procedures must be, how much you want to restrict users from accessing certain resources, how complex a password policy must be and if users should be using multi-factor authentication.
All of this and much more is down to you to architect and implement and much of it will likely depend on your own security standards and policies within your information security management systems.
From within the AWS management console, the IAM service can be found under the Security, Identity & Compliance category and when accessed it will take you to the IAM dashboard.
From here, if you have the correct permissions, you will be able to administer all security from an IAM perspective. The initial dashboard of the IAM console will display information relating to the IAM users sign-in link, which is a URL that you can send to users who will need to gain access to your AWS management console.
This link can be customized by clicking on the customize button to make it easier to remember and read. If you have multiple AWS accounts, this customization will help you distinguish between your accounts.
IAM Resources. This section provides an overview of your IAM resources using a simple count of the number of users, groups, roles, customer managed policies and identity providers you have configured within IAM.
Security Status. This is populated with five best practices from a security perspective that AWS IAM recommends you configure when using IAM, which may include: activate MFA on your root account, create individual IAM users, use groups to assign permissions, apply an IAM password policy, and rotate your access keys.
When you implement any of the list of best practices, the status of them will change from an orange warning sign to a green tick to show you have achieved and implemented a recommended best practice. I recommend you try to adopt these best practices at your earliest opportunity. Maintaining tight security is paramount when working with an IAM solution.
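The dashboard's Security Status only shows whether each practice has been adopted once; the IAM credential report lets you keep checking the same practices over time. The following is an added example (not code from the course or from AWS) that parses a constructed credential report and flags the items a report can evidence: a root account without MFA or with active access keys, users who hold a console password but no MFA device, and active access keys that have not been rotated within an assumed 90-day window. The column names are those of the CSV returned by `aws iam get-credential-report` (after base64 decoding); the rows, account id and dates are constructed sample data.

```python
"""Check an IAM credential report against the IAM dashboard best practices.

Added example, not code from the course or from AWS. Column names follow
the real credential report CSV; the rows below are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta

ROTATION_DAYS = 90  # assumption: the rotation window you choose to enforce

# Constructed sample report (only the columns this check reads are shown).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T00:00:00+00:00,true,2024-05-02T10:00:00+00:00,2024-01-15T00:00:00+00:00,N/A,true,true,2024-04-20T00:00:00+00:00,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2021-03-10T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-01-05T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-07-01T00:00:00+00:00,true,no_information,2022-07-01T00:00:00+00:00,N/A,false,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Report timestamps are ISO 8601; placeholders such as N/A,
    not_supported or no_information are returned as None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def find_findings(report_csv, now_iso, rotation_days=ROTATION_DAYS):
    """Return a list of (user, finding) tuples, in report order."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=rotation_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have MFA and should hold no long-lived access keys.
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA device"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root account has active access key {slot}"))
            continue
        # A console password without an MFA device weakens authentication.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Active access keys must have been rotated inside the window.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or rotated < cutoff:
                findings.append((user, f"access key {slot} older than {rotation_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in find_findings(SAMPLE_REPORT, "2024-05-10T00:00:00+00:00"):
        print(f"{user}: {finding}")
```

Run against a real report, the same function works unchanged; the "create individual IAM users" and "use groups to assign permissions" practices are not visible in the credential report and would need the IAM API (list users, list their groups) instead.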
That brings us to the end of this lecture where we looked at what is meant by IAM, what the AWS IAM service is and does, where the service is located within the management console and what information is held on the IAM dashboard within the management console. In the next lecture I'm going to introduce you to users, groups and roles and the part they play within IAM.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.