
Lecture: Introduction to AWS Identity and Access Management (IAM)

© 2019 Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lecture overview

• Part 1: Shared responsibility model
• Part 2: Overview of IAM
• Part 3: Authentication with IAM
• Part 4: Authorization with IAM
Lecture objectives

At the end of this topic, you should be able to:

• Discuss the shared responsibility model
• Explain how IAM helps secure access to AWS resources
• Describe IAM user authentication
• Identify how to authorize an IAM user, group, or role
• Cloud9 IDE
• AWS Toolkit
• AWS X-Ray
• AWS CloudTrail
• AWS CloudWatch
Part 1: Shared responsibility model
Shared responsibility model

[Diagram: the shared responsibility model; the image did not survive extraction.]
Shared responsibility example

[Diagram: the customer's accounts and credentials, and inside the AWS Cloud a VPC holding the customer's Amazon S3 bucket, Amazon EC2 instances, database table and Amazon WorkSpaces, all running on the AWS Global Infrastructure.]

Customer responsibility:
• Guest OS
• Application
• Security group

AWS responsibility:
• AWS Global Infrastructure
Shared Responsibility Principle: Let's Checkmate You!

Which of the following does AWS own under the shared security responsibility model? Choose 3 answers.

1. Patching of Amazon Elastic Compute Cloud hypervisors
2. Decommissioning storage devices at end of life
3. Encryption of traffic within a virtual private cloud network
4. Physical security of AWS data centers and facilities
5. Logical security of customer SSH private key material
6. Access control within a virtual private cloud
Shared Responsibility Principle: Let's Checkmate You!

Which aspects of Amazon EC2 security are the responsibility of AWS? Choose 2 answers.

1. Virtualization infrastructure
2. Physical security of hardware
3. Guest operating systems
4. Application authentication
5. VPC and security group configuration
Part 2: Overview of IAM
AWS Identity and Access Management (IAM)

• Identity (authentication): WHO can use your AWS resources
• Access management (authorization): WHAT resources they can use and in what ways
IAM: The big picture

[Diagram: authentication is done as an IAM user (permanent credentials), as a member of an IAM group, or by assuming an IAM role (temporary credentials, marked as the best practice); authorization is expressed in IAM policies attached to those identities.]
IAM Overview: Let's Checkmate You!

A company uses one AWS account to run production workloads and has a separate AWS account for the security team. During periodic audits, the security team needs to view certain account settings and resource configurations in the other AWS account. How can a solutions architect provide the required access to the security team following the principle of least privilege?

1. Create an IAM user for each security team member on the production account. Attach a permissions policy that provides the permissions required by the security team to each user.
2. Create an IAM role in the production account. Attach a permissions policy that provides the permissions required by the security team. Add the security team account to the trust policy.
3. Create an IAM user in the production account. Assign administrative privileges to the user. Allow the security team to use this account to log in to the systems that need to be accessed.
4. Create an IAM user for each security team member on the production account. Attach a permissions policy that provides the permissions required by the security team to a new IAM group. Assign the security team members to the group.
Part 3: Authentication with IAM
Authentication scenarios

1. AWS authentication: the developer builds the environment in the AWS Cloud.
2. Application authentication: the user signs in to the photo application.
3. Resource authentication: the user uploads a photo to AWS through the photo app.
4. Database authentication: an Amazon RDS database is updated with an entry for the new photo.
IAM credentials

• User name and password (console access): used to sign in to the AWS Management Console.
• Access key ID and secret access key (programmatic access): used by the AWS Command Line Interface (AWS CLI) and for direct API access.
  Access key ID, e.g.: AKIAIOSFODNN7EXAMPLE
  Secret access key, e.g.: UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Multi-factor authentication

• Adds an extra layer of protection on top of your user name and password.
• Enable MFA for:
  • AWS Management Console users
  • AWS API users (MFA-protected API access works through temporary security credentials: the caller presents the MFA code to AWS STS and uses the credentials it returns)
Temporary credentials

• Delegate users or services temporary access to your AWS resources.
• Common scenarios:
  • Cross-account access for an IAM user
  • Users signing in to an application from an authentication system outside of AWS (e.g., an enterprise identity provider or a web identity provider)
  • Mobile applications
  • Applications that run on EC2 instances and other AWS compute services
Providing AWS credentials

• Use AWS managed temporary credentials (recommended).
• Attach an IAM instance profile to the EC2 instance.
• Store your permanent credentials within the environment (least preferred: long-lived keys on disk are exactly what the best practices below warn against).
AWS credentials file and credential profile

Linux, macOS, or Unix: ~/.aws/credentials
Windows: C:\Users\USERNAME\.aws\credentials

[default]
aws_access_key_id = ACCESS_KEY_ID
aws_secret_access_key = SECRET_ACCESS_KEY

[prod]
aws_access_key_id = ACCESS_KEY_ID
aws_secret_access_key = SECRET_ACCESS_KEY

Each bracketed section is a named profile. The [default] profile is used unless another is selected with the --profile option of the AWS CLI or the AWS_PROFILE environment variable. Temporary credentials also need an aws_session_token entry in the profile.
Summary of authentication best practices

DO
• Use credentials files
• Use IAM roles with temporary credentials (preferred for applications running on Amazon EC2 and for mobile applications)

DO NOT
• Use root account credentials
• Store AWS credentials in code
• Store credentials in public places
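The two checks a practitioner would want for the credentials file and the DO / DO NOT list above, as an added Python example that is not part of the AWS course material. It parses a constructed ~/.aws/credentials-style file, classifies every profile by the access key ID prefix (AKIA for long-lived IAM user keys, ASIA for temporary AWS STS keys, which are only usable together with aws_session_token), and scans a constructed source snippet for key IDs pasted into code. The access key ID and secret access key values are the placeholder examples from AWS documentation; the session token, profile names and source snippet are constructed for the example.

```python
import configparser
import re

# Constructed credentials file in the ~/.aws/credentials format. The key values are the
# placeholder examples from AWS documentation, not real secrets; the token is made up.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLESESSIONTOKEN

[broken]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed source file with a key pasted straight into the program (the anti-pattern).
SAMPLE_SOURCE = '''import boto3
# credentials baked into the program instead of coming from a role
s3 = boto3.client("s3", aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
                  aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
'''

# Access key IDs are 20 characters: a 4-letter prefix plus 16 upper-case alphanumerics.
# AKIA... is a long-lived IAM user key; ASIA... is a temporary key issued by AWS STS.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def audit_credentials(text: str) -> dict:
    """Classify every profile in a credentials file.

    Returns profile -> "long-lived" (permanent user key: rotate it, or replace it with
    a role), "temporary" (STS key with its session token), "incomplete" (STS key without
    the token, which AWS rejects) or "unknown".
    """
    cp = configparser.ConfigParser(interpolation=None)  # secrets may contain "%"
    cp.read_string(text)
    findings = {}
    for profile in cp.sections():
        key_id = cp.get(profile, "aws_access_key_id", fallback="")
        has_token = cp.has_option(profile, "aws_session_token")
        if key_id.startswith("AKIA"):
            findings[profile] = "long-lived"
        elif key_id.startswith("ASIA"):
            findings[profile] = "temporary" if has_token else "incomplete"
        else:
            findings[profile] = "unknown"
    return findings


def find_hardcoded_key_ids(source: str) -> list:
    """Return (line_number, key_id) for every access key ID literal in a source file."""
    return [
        (lineno, match.group(0))
        for lineno, line in enumerate(source.splitlines(), start=1)
        for match in KEY_ID_RE.finditer(line)
    ]


if __name__ == "__main__":
    for profile, verdict in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(f"[{profile}] {verdict}")
    for lineno, key_id in find_hardcoded_key_ids(SAMPLE_SOURCE):
        print(f"hard-coded access key {key_id} at line {lineno}")
```

The prefix check is deliberately cheap: it tells you which profiles hold permanent keys worth rotating or replacing with a role, and the regex finds the identifiers that should never appear in a repository; neither needs network access or valid credentials to run.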
IAM Authentication: Let's Checkmate You!

Your company has separate AWS accounts for development and production. Each developer is assigned an IAM user in the development account. Developers occasionally need to access the production account to roll out changes to that environment. Your company does not allow the creation of IAM users in the production account. What strategy will allow the development team to access the production account?

1. Create an IAM role in the production account. Allow IAM users in the development account to assume the role.
2. Create an IAM group in the development account. Grant IAM users in the development account membership in the group.
3. Create an IAM group in the production account. Grant IAM users in the development account membership in the group.
Part 4: Authorization with IAM
Policies and permissions

[Diagram: IAM policies with permissions are attached to an IAM group; they grant full access to Amazon S3 bucket 1 and read-only access to Amazon S3 bucket 2.]
Demonstration: Create an IAM user and IAM group

• Create an IAM user and IAM group
• Assign AmazonS3FullAccess permissions to the group
• Test permissions
Identity-based and resource-based policies

Identity-based policies answer: what does a particular identity have access to?
  Carlos: Resource X (Read / Write / List)
  Richard: Resource Y, Resource Z (Read / Write / List)
  Managers (group): Resource X, Resource Y, Resource Z (Read / Write / List)

Resource-based policies answer: who has access to a particular resource?
  Resource X: Bob, Doug, Jim, Sara (Read / Write / List)
  Resource Y: Bob, Larry, Sam (Read / Write / List)

[The check marks showing which of Read, Write and List each row grants did not survive extraction.]
Example of identity-based policy

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SSHPublicKey*"
    ],
    "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
  }
}

"Action" lists the actions that are allowed; "Resource" is the AWS resource on which the action is performed. The ${aws:username} policy variable resolves to the calling user's own name, so each user may manage only their own console password, access keys and SSH public keys. "Version" must be the literal "2012-10-17": that is the current policy language version, and policy variables such as ${aws:username} are not evaluated without it.
Example of resource-based policy

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AccountBAccess1",
    "Principal": {"AWS": "1111222233"},
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ]
  }
}

"Principal" says who can make the request (Account B; in a real policy this is the 12-digit account ID or a principal ARN in that account), "Action" lists the actions that are allowed, and "Resource" lists the resources being shared by Account A. Note that granting the whole account only delegates: an IAM user or role in Account B still needs an identity-based policy in its own account that allows the same S3 actions before it can use the bucket.
Managed versus inline IAM policies

Managed policies
• Standalone, identity-based policies
• Can be attached to multiple users, groups, and roles
• Two kinds: AWS managed and customer managed
• Reusability
• Central change management
• Versioning and roll-back
• Permissions management can be delegated to others

Inline policies
• Resource-based policies are inline policies, embedded in the resource
• Identity inline policies are embedded in a principal entity (e.g., user, group, or role)
• Strict 1:1 relationship between a policy and the entity
Evaluation logic for IAM policies

1. Evaluate all applicable policies.
2. Is there an explicit Deny? Yes → Deny (explicit deny).
3. Otherwise, is there an Allow? Yes → Allow.
4. Otherwise → Deny (implicit deny: by default, a request is denied).
Example of how policy logic works

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:*", "s3:*"],
      "Resource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/pollynotes",
        "arn:aws:s3:::polly-notes-web",
        "arn:aws:s3:::polly-notes-mp3/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:*", "s3:*"],
      "NotResource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/pollynotes",
        "arn:aws:s3:::polly-notes-web",
        "arn:aws:s3:::polly-notes-mp3/*"
      ]
    }
  ]
}

The first statement allows the entity to perform any DynamoDB action and any Amazon S3 action on this DynamoDB table and these S3 buckets. The second statement ensures that the entity cannot perform any action on any DynamoDB table or S3 bucket except for the tables and buckets specified in the policy.

An explicit deny statement takes precedence over an allow statement, so no other policy attached to the entity can widen its DynamoDB or S3 access beyond these resources.
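The flowchart's evaluation logic and the pollynotes policy above, worked through as an added Python example that is not part of the AWS course material. It implements the three-step decision (explicit deny, then allow, then implicit deny) with IAM-style wildcards and NotAction / NotResource handling, and runs it over the slide's policy. The region and account number in the table ARN are constructed placeholders standing in for "region" and "account-number-without-hyphens", and the second policy that tries to widen access to another bucket is constructed as well. One case the slide does not call out: the Deny statement names only the objects of polly-notes-mp3, so s3:ListBucket on the bucket ARN itself is explicitly denied.

```python
import re


def _wild(pattern: str):
    """Compile an IAM-style wildcard ("*" any run, "?" one char) into an anchored regex.

    Everything else is literal, so "." and "[" inside ARNs are not regex syntax.
    """
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True when the statement covers (action, resource).

    Action names match case-insensitively, resource ARNs case-sensitively,
    and NotAction / NotResource invert the match, as in IAM.
    """
    if "Action" in stmt:
        act_ok = any(_wild(p.lower()).match(action.lower()) for p in _as_list(stmt["Action"]))
    else:
        act_ok = not any(_wild(p.lower()).match(action.lower()) for p in _as_list(stmt["NotAction"]))
    if "Resource" in stmt:
        res_ok = any(_wild(p).match(resource) for p in _as_list(stmt["Resource"]))
    else:
        res_ok = not any(_wild(p).match(resource) for p in _as_list(stmt["NotResource"]))
    return act_ok and res_ok


def evaluate(policies: list, action: str, resource: str) -> str:
    """Flowchart logic across all applicable policies: explicit Deny wins,
    otherwise any Allow wins, otherwise the request is implicitly denied."""
    explicit_deny = allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    explicit_deny = True
                elif stmt["Effect"] == "Allow":
                    allowed = True
    if explicit_deny:
        return "explicit deny"
    return "allow" if allowed else "implicit deny"


# The pollynotes policy from the slide; region and account number are constructed
# placeholders for the slide's "region" / "account-number-without-hyphens".
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/pollynotes"
SCOPED_RESOURCES = [TABLE_ARN, "arn:aws:s3:::polly-notes-web", "arn:aws:s3:::polly-notes-mp3/*"]

POLLYNOTES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*"], "Resource": SCOPED_RESOURCES},
        {"Effect": "Deny", "Action": ["dynamodb:*", "s3:*"], "NotResource": SCOPED_RESOURCES},
    ],
}

# A constructed second policy that tries to widen access to another bucket.
EXTRA_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::other-bucket/*"},
}

if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::polly-notes-mp3/song.mp3", [POLLYNOTES_POLICY]),
        ("dynamodb:PutItem", TABLE_ARN, [POLLYNOTES_POLICY]),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/x", [POLLYNOTES_POLICY]),
        # the extra Allow cannot override the explicit Deny
        ("s3:GetObject", "arn:aws:s3:::other-bucket/x", [POLLYNOTES_POLICY, EXTRA_ALLOW_POLICY]),
        ("ec2:DescribeInstances", "*", [POLLYNOTES_POLICY]),
        # the bucket ARN itself is not in NotResource, so listing the mp3 bucket is denied
        ("s3:ListBucket", "arn:aws:s3:::polly-notes-mp3", [POLLYNOTES_POLICY]),
    ]
    for action, resource, policies in checks:
        print(f"{action:22} {resource:42} -> {evaluate(policies, action, resource)}")
```

The simulator only models identity-based policies; real IAM also folds in resource-based policies, permissions boundaries, session policies and organization SCPs before reaching the same final rule that an explicit deny always wins.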
Principle of least privilege

[Diagram: an IAM group with IAM policies granting full access to one resource and read-only access to another.]

Best practices:
• Don't start with permissions that are too lenient.
• Start with the minimum permissions and grant more as necessary.
IAM scenario

[Diagram, built up over several slides: at the top, the root account login (Maria@email.com, password hidden), which is kept out of daily use. Below it, IAM users are placed in IAM groups: Maria and Joe in Admins; Richard, Ana and Shirley in Analysts; Carlos, Jorge and Mary in Developers. IAM roles TempRole1 and TempRole2 and an IAM policy named TempDev complete the picture. The "x" marks showing which policies attach to which groups and roles did not survive extraction.]
Summary of authorization best practices

DO
• Use groups to assign permissions
• Use the principle of least privilege
IAM Authorization: Let's Checkmate You!

A marketing company is storing CSV files in an Amazon S3 bucket for statistical analysis. An application on an Amazon EC2 instance needs permission to efficiently process the CSV data stored in the S3 bucket. Which action will MOST securely grant the EC2 instance access to the S3 bucket?

1. Attach a resource-based policy to the S3 bucket.
2. Create an IAM user for the application with specific permissions to the S3 bucket.
3. Associate an IAM role with least privilege permissions to the EC2 instance profile.
4. Store AWS credentials directly on the EC2 instance for applications on the instance to use for API calls.
Lecture review

• Shared responsibility model
• Overview of IAM
• Authentication with IAM
• Authorization with IAM

To finish this lecture, complete the knowledge check.
Up next: Lecture 4 – Developing Storage Solutions with Amazon S3

© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon
Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email us at: aws-course-feedback@amazon.com. For all other
questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.
