05 - Identity Access Management - IAMLab

The document outlines the steps to create a password policy and manage IAM users in an AWS account, including creating users with varying access levels, setting account aliases, and attaching policies. It details the creation of user groups, the use of tags, and the implementation of deny policies to control user permissions. Additionally, it explains the Access Advisor tool for monitoring user access and the process for resetting user passwords by an administrator.

Uploaded by thecloudlearn

1. Create a password policy on the AWS account as per the recommendations below:

- Minimum password length -- 10 characters
- At least 1 upper case -- Yes
- At least 1 lower case -- Yes
- At least 1 number -- Yes
- At least 1 non-alphanumeric character -- Yes
- Password expiration -- 30 days
- Passwords remembered -- 3

--> The account password policy governs only the console passwords of IAM users; it
does not apply to the root user or to access keys. IAM accepts a minimum length
between 6 and 128 characters and can remember between 1 and 24 previous passwords.

--> Whether users may change their own password is a separate setting in the same
policy. The 30-day forced rotation is a lab setting; current NIST guidance
(SP 800-63B) recommends rotating passwords on evidence of compromise rather than
on a fixed schedule.
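As an added example (not part of the original lab), the following Python audits the dict that boto3's iam.get_account_password_policy() returns under "PasswordPolicy" against the baseline above. It does not call AWS: both sample responses are constructed, one that meets the baseline and one shaped like the AWS default policy. The field names are the real GetAccountPasswordPolicy response fields; LAB_BASELINE, the sample names and audit_password_policy are names chosen here.

```python
"""Audit an IAM account password policy against the lab baseline (section 1).

Added example, not part of the original lab. It does not call AWS: the
input is the dict that boto3's iam.get_account_password_policy() returns
under "PasswordPolicy", so both samples below are constructed.
"""

# Lab baseline from section 1; keys are the real GetAccountPasswordPolicy fields.
LAB_BASELINE = {
    "MinimumPasswordLength": 10,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 30,
    "PasswordReusePrevention": 3,
}

# Constructed sample: a policy that meets the baseline exactly.
COMPLIANT_POLICY = dict(LAB_BASELINE, ExpirePasswords=True, AllowUsersToChangePassword=True)

# Constructed sample shaped like an account that never set a policy: AWS's
# default is length 8, no complexity rules, no expiry, no reuse prevention.
DEFAULT_AWS_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": False,
    "ExpirePasswords": False,
}


def audit_password_policy(policy: dict, baseline: dict = LAB_BASELINE) -> list:
    """Return a list of findings; an empty list means the policy meets the baseline.

    Two quirks of the real response matter: when expiration is off the key
    MaxPasswordAge is absent (ExpirePasswords is False), and when reuse
    prevention is off PasswordReusePrevention is absent. A missing key is
    therefore read as "not enforced", never as "compliant".
    """
    findings = []

    length = policy.get("MinimumPasswordLength", 0)
    if length < baseline["MinimumPasswordLength"]:
        findings.append(f"minimum length {length} < {baseline['MinimumPasswordLength']}")

    for key in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                "RequireNumbers", "RequireSymbols"):
        if baseline[key] and not policy.get(key, False):
            findings.append(f"{key} not enforced")

    max_age = policy.get("MaxPasswordAge") if policy.get("ExpirePasswords") else None
    if max_age is None:
        findings.append("password expiration disabled")
    elif max_age > baseline["MaxPasswordAge"]:
        findings.append(f"max password age {max_age} > {baseline['MaxPasswordAge']} days")

    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < baseline["PasswordReusePrevention"]:
        findings.append(f"reuse prevention {reuse} < {baseline['PasswordReusePrevention']}")

    return findings


if __name__ == "__main__":
    for name, sample in (("compliant", COMPLIANT_POLICY), ("aws-default", DEFAULT_AWS_POLICY)):
        print(name, audit_password_policy(sample) or ["OK"])
```

Against a live account the same function takes iam.get_account_password_policy()["PasswordPolicy"] as input; note that the call raises NoSuchEntity when no policy has ever been set, which should be reported as non-compliant rather than treated as an error.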

Management Console Access Type:

------------------------------

2. Create an IAM user "user0" with console access and all other options left at
their defaults (no permissions attached)

3. Log in as "user0" and observe the permissions

--> A user with no policy attached has no permissions at all (implicit deny);
every console page shows an access-denied error.

Sign-in URL : https://767397901250.signin.aws.amazon.com/console

User name : user0
Password : gw2dGtV5#'

Account Alias:
--------------

--> An account alias is an alternative name for the 12-digit account ID that can be
used in the IAM user sign-in URL. Aliases are globally unique across all AWS
accounts, and an account can have only one alias at a time.

4. Set an account alias for the AWS account as "aws42"

5. Using the alias, log in as "user0" (the sign-in URL becomes
https://aws42.signin.aws.amazon.com/console)

6. Create an IAM user "user1" with full access on the entire AWS account by
attaching the AWS managed policy "AdministratorAccess"

Note: There are 3 different ways to provide permissions to a user at creation time

- Attach an existing policy directly
- Add the user to a group
- Copy permissions from an existing IAM user

7. Log in as "user1" and verify the administrator access permissions

- Check that user1 can see the full list of IAM users
- Create a new test IAM user (IAM user names are unique within an account, so
"user1" itself cannot be created a second time)
- Navigate to the EC2 service and create a security group

8. Create an IAM user "user2" with read-only permission on the IAM service only, by
attaching the AWS managed policy "IAMReadOnlyAccess" directly to the user

9. Log in as "user2" and verify the read-only permissions on the IAM service only
(listing users and policies works; creating or changing anything in IAM, and any
action in another service, is denied)

10. Create a new customer managed IAM policy (custom policy) "EC2FullAccess" which
provides full access on the EC2 service (allow every ec2 action on every
resource). AWS also ships a managed policy named "AmazonEC2FullAccess"; the lab
builds its own so that the resulting ARN carries the account ID.

11. Create a user "user3" and attach the custom policy "EC2FullAccess" created
above. Use tags while creating the user.
--> A tag is a key-value pair used for identification purposes (owner, team, cost
centre).

--> We can add up to 50 tags per IAM resource.

12. Log in as "user3" and verify that user3 has EC2 full access only.

13. Provide extra permissions, read-only access on all services, to the existing
user "user0" by attaching the AWS managed policy "ReadOnlyAccess"

NOTE: AWS generates an ARN for every resource; the ARN is the unique identifier of
that resource.

--> ARN stands for "Amazon Resource Name"

ex: arn:aws:iam::767397901250:user/user1 --> ARN of the IAM user "user1"

arn:aws:iam::aws:policy/AdministratorAccess --> AWS managed policy: the account
field holds the literal "aws"

arn:aws:iam::767397901250:policy/EC2FullAccess --> customer managed policy: the
account field holds the account ID

--> Multiple policies can be attached to a user; the user receives the union of the
permissions they grant, subject to any Deny statement (see below).

14. Attach an extra policy "EC2FullAccess" to the user "user0"

- user0 now has "ReadOnlyAccess" and "EC2FullAccess"

--> IAM supports Deny policies, which can be used to deny specific permissions to
a user.

--> Evaluation order: an explicit Deny in any attached policy overrides every
Allow, and an action that no policy mentions is denied implicitly. The result is
Allow only when at least one policy allows the action and none denies it.

15. Create a Deny policy "IAMFullAccess-Deny" which denies all actions on the IAM
service

16. Attach the Deny policy to user "user0" and verify the final permissions

- ReadOnlyAccess - Allow
- EC2 full access - Allow
- IAM full access - Deny

Observation:

- user0 can read all services except IAM (even the IAM read actions granted by
ReadOnlyAccess are now denied)
- user0 has full access on the EC2 service

UserGroup:
----------

--> A group is a container for collecting users of the same type.

--> Whatever permissions are applied to the group are inherited by all the group
members.

--> Users can be added to a group; nested groups are not possible.

--> A user can be a member of multiple groups (up to 10), and the permissions from
all of those groups are applied to the user.

--> A policy can be attached directly to a user while the same user is also a member
of a group; both apply.

1. Create a userGroup "EC2Admins", and attach a policy which can provide Full
access On EC2 service.

2. Create a New user "user4" and add the user to the group "EC2Admins"

Tasks:
------

1. Create a new user "user5" and copy the permissions from the existing user "user1"

2. Create a new group "IAMReadUsers" and attach a policy which provides read-only
access on the IAM service.

3. Add the existing user "user4" to the group "IAMReadUsers"

- user4 is a part of 2 groups
- EC2Admins --> full access on EC2
- IAMReadUsers --> IAM read-only access

4. Attach a new policy directly to the user "user4" - "AmazonS3ReadOnlyAccess"
(S3 read-only)
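As an added example that is not part of the original lab (and not AWS's own evaluator), the following Python simulates how IAM combines the policies of user0 (steps 13-16 above) and of user4 (tasks 3-4 above): policies attached directly plus those inherited from groups, wildcard Action matching, explicit Deny over Allow, and implicit deny for anything no statement matches. The policy documents are constructed stand-ins in real IAM JSON shape; in particular the real ReadOnlyAccess managed policy enumerates actions rather than using wildcards. Resource, Condition, NotAction, permissions boundaries, SCPs and resource policies are deliberately out of scope.

```python
"""Simulate IAM identity-policy evaluation for the lab users.

Added example, not part of the original lab and not AWS's own evaluator.
Models only what the lab exercises: identity-based policies attached
directly to a user or inherited from its groups, wildcard Action matching,
explicit Deny beating every Allow, and implicit deny when nothing matches.
Policy documents below are constructed stand-ins.
"""
from fnmatch import fnmatchcase

# Constructed policy documents in IAM JSON shape.
EC2_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
READ_ONLY_ACCESS = {"Version": "2012-10-17", "Statement": [   # simplified stand-in
    {"Effect": "Allow", "Action": ["*:Describe*", "*:Get*", "*:List*"], "Resource": "*"}]}
IAM_READ_ONLY_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:Generate*"], "Resource": "*"}]}
S3_READ_ONLY_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
IAM_FULL_ACCESS_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}

# Lab state after task 4: groups -> policies, users -> direct policies + groups.
GROUPS = {"EC2Admins": [EC2_FULL_ACCESS], "IAMReadUsers": [IAM_READ_ONLY_ACCESS]}
USERS = {
    "user0": {"policies": [READ_ONLY_ACCESS, EC2_FULL_ACCESS, IAM_FULL_ACCESS_DENY],
              "groups": []},
    "user4": {"policies": [S3_READ_ONLY_ACCESS],
              "groups": ["EC2Admins", "IAMReadUsers"]},
}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM matches action names case-insensitively; * and ? are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def effective_policies(user: str) -> list:
    """Directly attached policies plus every policy inherited through groups."""
    u = USERS[user]
    inherited = [p for g in u["groups"] for p in GROUPS[g]]
    return u["policies"] + inherited


def evaluate(user: str, action: str) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one action."""
    decision = "ImplicitDeny"
    for policy in effective_policies(user):
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not any(_action_matches(p, action) for p in actions):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # one matching Deny ends the evaluation
            decision = "Allow"          # keep scanning: a later Deny still wins
    return decision


if __name__ == "__main__":
    probes = ["ec2:RunInstances", "ec2:DescribeInstances", "iam:ListUsers",
              "iam:CreateUser", "s3:ListAllMyBuckets", "s3:PutObject"]
    for user in USERS:
        for action in probes:
            print(f"{user:6} {action:24} {evaluate(user, action)}")
```

Running the block reproduces the lab's observations: user0 is allowed ec2:RunInstances and s3:ListAllMyBuckets but gets an explicit deny on iam:ListUsers even though ReadOnlyAccess would have allowed it, while user4 reaches EC2 and IAM read actions only through group membership and is implicitly denied iam:CreateUser.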

Access Advisor:
---------------

--> Access Advisor shows the services a user is allowed to access and when each of
those services was last accessed (for some services down to the action level).

--> It also lists the services that were not accessed at all within the tracking
period (the last 400 days).

--> Review which services the user actually uses and remove the permissions that
are not required; this is the least-privilege clean-up step.

--> Access Advisor cannot show who created which resources, because it is not an
auditing tool: it records a last-accessed timestamp per service, not individual
API calls.

NOTE: CloudTrail is the service used to audit all user activities (every API
call, with caller identity, time and parameters).
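As an added example not in the original lab, a Python function that turns an Access Advisor result into the two lists a reviewer acts on: services granted but never used, and services used but idle beyond a threshold. It does not call AWS; REPORT_USER0 is constructed in the shape of the ServicesLastAccessed entries that boto3's iam.get_service_last_accessed_details() returns once the job started by generate_service_last_accessed_details() has completed. The function name, the 90-day default and the dates are choices made here.

```python
"""Turn an Access Advisor report into a list of permissions to review.

Added example, not part of the original lab; it does not call AWS. The
input is a constructed list shaped like the "ServicesLastAccessed" entries
returned by iam.get_service_last_accessed_details(): a service that was
never used within the tracking period carries no "LastAuthenticated" key.
"""
from datetime import datetime, timedelta, timezone

# Constructed report for user0 as of 2024-06-01 (dates chosen for the example).
REPORT_USER0 = [
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "LastAuthenticated": datetime(2024, 5, 30, tzinfo=timezone.utc),
     "LastAuthenticatedEntity": "arn:aws:iam::767397901250:user/user0"},
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": datetime(2024, 1, 15, tzinfo=timezone.utc),
     "LastAuthenticatedEntity": "arn:aws:iam::767397901250:user/user0"},
    # Never accessed in the tracking period: no LastAuthenticated key at all.
    {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb"},
    {"ServiceName": "AWS Identity and Access Management", "ServiceNamespace": "iam"},
]


def unused_services(report: list, as_of: datetime, max_idle_days: int = 90) -> tuple:
    """Split granted services into (never_used, stale) namespace lists.

    never_used: no access at all within the tracking period; a strong
    candidate for removing the permission outright.
    stale: accessed, but more than max_idle_days before as_of; confirm with
    the owner (or CloudTrail) before removing.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    never_used, stale = [], []
    for svc in report:
        last = svc.get("LastAuthenticated")
        if last is None:
            never_used.append(svc["ServiceNamespace"])
        elif last < cutoff:
            stale.append(svc["ServiceNamespace"])
    return sorted(never_used), sorted(stale)


if __name__ == "__main__":
    never, stale = unused_services(REPORT_USER0, datetime(2024, 6, 1, tzinfo=timezone.utc))
    print("never used:", never)
    print("stale (>90 days):", stale)
```

In this constructed report, iam shows up as never used because the lab's Deny policy blocks every IAM call; Access Advisor only tells you the permission was not exercised, and CloudTrail is where you would look to see whether user0 actually attempted IAM calls and was refused.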

--> An IAM user cannot reset his Forgotten Password

--> Any Administrator user, can reset the password for IAM User
1. Reset the password for "user1", To perform password reset login as any Admin
user.
