AWS Solutions Architect : Associate Level

Source: https://docs.aws.amazon.com/
IAM and Security on AWS
 Learning Objectives

By the end of the lesson, you will be able to:

Define Identity and Access Management in AWS

Create custom IAM Roles

Create IAM users and assign roles

Create IAM groups with multiple IAM users

Assign roles to AWS Services

Use AWS Directory Service

Demonstrate MFA and SSO

Introduction to Identity and Access Management
 What Is Identity and Access Management in AWS?

AWS Identity and Access Management or IAM is the service that enables you to securely control
user access to all the AWS services and resources.

AWS IAM
 Why Identity and Access Management

AWS IAM helps to:

01 03

Prevent security breaches and Track the usage of all of the

unauthorized logins AWS resources and services

02 04

Track user information such as Provide granular level

login credentials and more permissions to all of the AWS
services
Terminologies in AWS IAM
 Terminologies in AWS IAM

Users Policies

An IAM user is an identity with login An IAM policy is a set of permissions that
credentials and permissions attached to it.
control access to AWS resources and
services. Policies are stored in JSON format.

Groups Roles

An IAM group is a collection of multiple IAM An IAM role is a set of permissions that define
users. They are used to grant permissions to the actions that are allowed or denied for an
multiple users simultaneously. AWS entity.
IAM Users
 IAM Users

The IAM users are defined as the people or systems that use your AWS resources.

IAM users

Admin
people End Users Systems
Systems

AWS resources
 Security Credentials

AWS provides numerous ways to provide secure user access to your AWS resources:

Email address and password:

They are used to sign-in to the AWS Console.

IAM username and password:

They can be used by multiple individuals and applications to
access your AWS account.

Access keys :
Access keys can be used to grant access to programmatic
requests.
Creating an IAM User

Duration: 10 min.

Problem Statement:

Create an IAM user using the Amazon console

 Assisted Practice: Guidelines to Create an IAM User

Steps to perform:

1. Go to your Amazon Console

2. Open the IAM user dashboard
3. Click on the Add user button
4. Fill in the details about the user
5. Skip to the review page and click on the Create user button
IAM Groups
 IAM Groups

An IAM group is a collection of users that inherit the same set of permissions.
 Granting Permissions to IAM Groups

The following diagram shows how the permissions are granted to different IAM groups:

Admin

Developer Admin
s s
Mike Marc
Jane Sara
Ann Jim

Amazon EC2 AWS Elastic

Beanstalk
Creating and Adding IAM Users to an IAM Group

Duration: 10 min.

Problem Statement:

Create multiple IAM users and add them to an IAM group

Assisted Practice: Guidelines to Create and Add IAM Users to an IAM Group

Steps to perform:

1. Create multiple IAM users

2. Go to the IAM group dashboard
3. Click on Create IAM Group
4. Provide a name for the group
5. Go to the newly created group and click on Add users
6. Select the users you want to add to the group
IAM Roles
 IAM Roles

IAM Roles are permissions and policies that determine the access available to the AWS identities.

More about IAM Roles:

01 IAM Roles function in a way similar to that of IAM users.

They are not password protected and do not require

02
access keys.

IAM Roles
03 These roles can be used by anyone who requires them.
 Various Functions of IAM Roles

IAM Roles are used to provide access to users, applications, and services that do not have the
permission to use AWS resources.

AWS Account
3. Developer
2. Developer launches
launches an an
instance
instance with therole
with the Role.

EC2 Instance

2. Application Application
retrieves 4. Application gets
3. App retrieves 4. App gets photos
credentials of the photos using the
role credentials using the role
Role
fromfrom the
the instance credentials
credentials of the
instance. Role.
Instance Profile

Role: Get-
photos Amazon
S3 bucket

1. Admin
1. Admin creates
creates role a Role that
that
grants
grantsaccess
access totothe
the photos
photos
inbucket
the bucket.
Creating an IAM Role for an IAM User

Duration: 10 min.

Problem Statement:

Create an IAM role using the Amazon console for an IAM user
 Assisted Practice: Guidelines to Create an IAM Role for an IAM User

Steps to perform:

1. Go to the IAM role dashboard

2. Click on the Create IAM role button
3. Select Another AWS Account tab
4. Provide a name for the role
5. Select a permission from the list of pre-defined permissions
6. Click on the Create role button
IAM Policies
 What Is IAM Policy?

An IAM policy is a document that defines one or more permissions. IAM policies can be attached
to users, groups, roles, and AWS resources. They are written in JSON format.

More about IAM Policies:

IAM Policies can be preselected from the

01
AWS list of predefined policies.

Root users can edit the predefined policies

02
to make customizations.

Root users can create and define a custom

03 AWS IAM Policies
IAM policy from scratch.
 What Is IAM Policy?

AWS has many predefined policies which allow you to define granular access to AWS resources.
There are around 200 predefined policies available for you to choose from.
 AdministratorAccess Policy

AdministratorAccess policy provides full access to AWS services and resources.

Admin User
 AmazonEC2FullAccess Policy

AmazonEC2FullAccess policy provides users or groups full access to the Amazon EC2 services and
resources.

Users

Amazon Elastic Load Amazon Auto

EC2 Balancer CloudWatch Scaling
 AmazonS3ReadOnlyAccess Policy

AmazonS3ReadOnlyAccess policy provides read-only access to all the buckets using AWS Management Console.

READ ONLY

Users
Types of IAM Policies
 Types of IAM Policies

There are two types of IAM policies:

Identity-based policies Resource-based policies

• Identity-based policies can be • Resource-based policies are

attached directly to identities attached to AWS resources
such as users, groups, and such as Amazon S3, Amazon
roles. EC2, and more.

• These policies define the • These policies define the

permissions such as allow or permissions such as allow or
deny for the identities. deny for the AWS resources.
 Syntax of Writing AWS IAM Policies

AWS policies are written using JavaScript Object Notation (JSON).

Policy-wide information:

Version: Date when the policy was

created

One or more individual

statements:

Effect: Allows permission

Action: Lists all the S3 buckets
Resource: Name of the S3 bucket
 Example of an Identity-based Policy

Allowing a user to access Amazon EC2 from us-east-1:

{
“Version”: “2012–10–17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“ec2:*”
],
“Resource”: “*”,
“Condition”: {
“StringEquals”: {
“aws:RequestedRegion”: “us-east-1”
}
}
}
]
}
Example of a Resource-based Policy

Allowing EC2 to access Amazon S3 from its public IP:

{
“Version”: “2012–10–17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“ec2:*”
],
“Resource”: “*”,
“Condition”: {
“IpAddress”: {

“aws:SourceIp”: [

“public_ipv4”

]
}
}
}
]
}
Assigning IAM Roles to Amazon Services
Creating an IAM Role for Amazon EC2 Service

Duration: 15 min.

Problem Statement:

Create and assign an IAM role to Amazon EC2 Service

Assisted Practice: Guidelines to Create an IAM Role for Amazon EC2 Service

Steps to perform:

1. Go to the IAM role dashboard

2. Click on the Create IAM role button
3. Click on the AWS Service tab and select EC2 service
4. Provide a name for the role
5. Select a permission from the list of pre-defined permissions
6. Click on the Create role button
Features of AWS IAM
 Features of AWS IAM

AWS IAM offers the following features:

01 Multi Factor Authentication (MFA)

02 Strong Password Policy

03 Payment Card Industry (PCI)

04 Identity Information for Assurance

 Features of AWS IAM

AWS IAM offers the following features:

05 Shared Access to AWS accounts

06 Granular Permissions

07 Secure Access to AWS Resources

08 Identity Federation
 Multi Factor Authentication

AWS IAM supports Multi Factor Authentication (MFA) for users and resources to ensure absolute security by
using MFA devices.

User ID + Password

MFA Devices Code

 Strong Password Policy

IAM allows you to define password strength and rotation policies.

 Payment Card Industry

AWS IAM supports Payment Card Industry (PCI) which enables users to process, store, and
transmit credit card data from a merchant or a service provider.
 Identity Information for Assurance

AWS IAM used with CloudTrail can be used to log, monitor, and track what users are
doing with your AWS resources.

Account A

IAM Admin User –

Full Control

Account B Account C
S3 Bucket

IAM User IAM User

Logs Logs Logs

AWS CloudTrail AWS CloudTrail AWS CloudTrail

 Shared Access to AWS Accounts

AWS IAM can be used to grant permissions to users for accessing and using resources in
your AWS account without sharing your password.

Admin User

Users Users Users

Amazon EC2 Amazon EBS Amazon RDS

 Granular Permissions

Granular permissions allow granting permissions to various users. These permissions include user access to
specific services, specific permissions for action, specific access to resources, and more.

Read Write Access

Volume
Development
Admin Access
Team

Instances Instances

+
Volume
 Secure Access to AWS Services

AWS IAM lets you securely allocate credentials that are required by the applications hosted on EC2
instances in order to access other AWS resources.

S3 Bucket

IAM
Application on
EC2 Database
Storage
 Identity Federation

AWS IAM allows users with external accounts to get temporary access to AWS resources.
AWS Directory Service
 What Is an Active Directory?

Active Directory or AD is a Microsoft product that offers services compatible with Windows
servers. It is used by organizations to store their information such as number of users,
computers, printers, networks, and more.
 What Is AWS Directory Service?

AWS Directory Service offers multiple ways for users to use Microsoft Active Directory with AWS
services and resources. It is built on actual Microsoft Active Directory and does not require the
synchronization or replication of data from your existing Active Directory to the cloud.

AWS Directory Service

When to Use AWS Directory Service

AWS Directory Service can be used when you:

Need actual Active Directory features to support AWS

applications or services

Want to extend the on-premise Active Directory to the AWS

cloud

Provide Single Sign-On feature to the applications hosted on

cloud
 How AWS Directory Service Works

The following diagram shows the working of AWS Directory Service:

Source: aws.amazon.com
AWS Resource Access Manager
 What Is AWS Resource Access Manager?

AWS Resource Access Manager or AWS RAM allows you to share your AWS resources securely
with any AWS account. Users can create AWS resources centrally in a multi-account
environment.

AWS Account 2

AWS Account 1 AWS Account 3

 How AWS RAM Works

The following diagram shows the working of AWS RAM:

Source: aws.amazon.com
 Benefits of AWS RAM

Reduces operational overhead by eliminating the need to provide duplicate

resources in every account

Provides security and consistency by allowing users to use existing policies and
permissions to govern the consumption of shared resources

Provides comprehensive visibility into the usage of shared details when

integrated with CloudWatch to CloudTrail

The following are the three different ways to access AWS RAM:
AWS RAM Console
AWS RAM service offers a
web-based user interface
that can be accessed from
Amazon console.
Accessing AWS RAM
AWS Command Line Interface
The AWS CLI provides
direct access to the AWS
RAM API operations from
platforms such as
windows, linux, and
macOS.
AWS Tools for Windows
PowerShell
AWS offers commands for
developers who script in
the PowerShell
environment. These
commands are also
available for AWS RAM.
AWS Organizations
 What Is AWS Organization?

AWS Organization is an account management service that allows users to consolidate multiple
AWS accounts into a group called an organization that they can create and manage centrally.

AWS Account 2

AWS Account 1 AWS Account 3

AWS Organization
 What Is AWS Organization?

AWS Organization is used with AWS RAM to share resources across a group of AWS accounts. It
helps to centrally manage billing, control access, compliance, and security across the member
AWS accounts of the organization.

More about AWS Organization:

01 Accounts are grouped into logical groups called organizational units (OUs).

02 The parent container for all the accounts in all OUs is called the root.

03 The OU that contains the member AWS accounts is called the custom OU.

The OU that contains the log archive account and details such as what
04
resources are being shared among the accounts is called the core.
AWS Single Sign-On
 What Is AWS Single Sign-On?

AWS Single Sign-On is a property of identification and access management that allows users to
authenticate their AWS accounts by signing in once and using a single set of credentials.

AWS Single Sign-On

 Working of AWS Single Sign-On

The following diagram shows the working of AWS Single Sign-On:

Source: aws.amazon.com
Enabling AWS Single Sign-On for a User

Duration: 15 min.

Problem Statement:

Enable AWS Single Sign-On for a user using AWS SSO console
Assisted Practice: Guidelines to Enable AWS Single Sign-On for a User

Steps to perform:

1. Open AWS SSO console and select Users

2. Click on the create user button
3. Provide an email address for the user
4. Create a group and add the user in that group
5. Sign in using the AWS SSO account
AWS Multi Factor Authentication
 AWS Multi Factor Authentication

Multi Factor Authentication or MFA adds an extra layer of security to the signing-in process. It
requires users to authenticate from an AWS supported MFA mechanism in addition to their
sign-in credentials when they access AWS services.

Multi Factor Authentication

 AWS Multi Factor Authentication

The following are the AWS supported MFA mechanisms:

SMS Text Message-Based

Virtual MFA Devices U2F Security Key
MFA

• This is a type of MFA
where an application
running on a phone or
other devices generates a
six-digit numeric code.
• This is a type of MFA where
U2F security key is enabled
after a device is plugged
into a USB port on the
user's computer.
• This is a type of MFA
where the IAM user
settings include a phone
number of user's SMS
compatible mobile.

• The user is required to
type the code from the
device on the webpage
while signing-in.
• The users sign in by
entering their credentials
and then tapping the device
instead of manually
entering a code.
• When the users sign in,
they are required to type
the six-digit code sent by
AWS to the provided
mobile number.
Enabling Multi Factor Authentication

Duration: 15 min.

Problem Statement:

Enable Multi Factor Authentication for the root user

Assisted Practice: Guidelines to Enable Multi Factor Authentication

Steps to perform:

1. Open AWS SSO console

2. Choose settings from the navigation pane
3. Enable Multi Factor Authentication
4. Choose authentication methods for the AWS accounts
5. Click on the Save changes button
6. Login using the AWS account for which MFA is enabled
 Key Takeaways

AWS IAM is the service that enables you to securely control user access
to all the AWS services and resources.

An IAM policy is a document that defines one or more

permissions and are written in JSON format.

AWS Directory Service can be used with on-premise AD

services for managing the AWS services and resources.

AWS RAM and AWS Organization are used to share resources

across groups of AWS accounts.

AWS Single Sign-On and Multi Factor Authentication request

the users to provide AWS supported MFA entities for
authentication in addition to their credentials.
 Secure the Access to AWS Services
Duration: 60 min.
Problem Statement:

You have been asked to utilize AWS IAM options to secure the access to AWS
services for the users in your organization.

Perform the following:

• Open the Amazon IAM dashboard
• Create IAM groups for the production and development departments
• Create IAM users in both the Product and Developers IAM groups
• Attach the relevant IAM policies to the Developers group
• Attach the relevant IAM policies to the Product group