Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IAM Introduction


Published on

by Apurv Awasthi, Sr. Product Manager, AWS Identity and Access Management, AWS

  • Hey guys! Who wants to chat with me? More photos with me here 👉
    Are you sure you want to  Yes  No
    Your message goes here

IAM Introduction

  1. 1. IAM Introduction Apurv Awasthi, Senior Product Manager AWS Identity and Access Management (IAM)
  2. 2. What to Expect from the Session We will look at: • What is IAM? • IAM Concepts – to help you get started • Common use cases – cover the building blocks • Demos – “Show and Tell”
  3. 3. AWS Identity and Access Management (IAM) • Enables you to control who can do what in your AWS account • IAM uses access control concepts that you are already familiar with User Group Permissions (IAM Policies) Role AWS Services and Resources
  4. 4. AWS Identity and Access Management (IAM) • Control – Centralized – Fine-grained - APIs, resources, and AWS Management Console • Security – Secure (deny) by default – Multiple users, individual security credentials and permissions
  5. 5. IAM Users What • Entity that represents the person or service that uses it to interact with AWS • Consists of a name and unique set of credentials • Console password • Access Key • MFA device (SMS, Virtual, or Hardware) • Each IAM user is associated with one and only one AWS account; does not require a separate payment method. When • Enable human or programmatic access to AWS resources and services • E.g. New employee, Rob, requires access to Amazon EC2 and Amazon S3 services • E.g. Rob has created an application that stores data in Amazon DynamoDB
  6. 6. IAM Users Why (Benefits) • Unique set of credentials • Individual permissions • Granular control • Easy to revoke access Do • Create IAM user for yourself • Create individual IAM users for others Don’t • Distribute your AWS root credentials • Use your root account user • Share your IAM user credentials
  7. 7. IAM Users and Permissions • No permissions by default • Permissions specify who has access to AWS resources, and what actions they can perform on those resources • Assign permissions individually to each user (or use Groups) • Rob (UX Designer) > access to Amazon S3 • Samantha (Database Administrator) > access to select Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS Lambda, and AWS Data Pipeline APIs • Use IAM Policies to assign permissions
  8. 8. IAM Policies • Contain a statement (permissions) which specify a combination of : • Who • What actions • Which AWS resources • When • Where • How Rob Can GET/PUT objects in S3 Bucket = “*” Until Dec 31, 2017 From IP range 123.456.789.012 If using MFA
  9. 9. IAM Policies • JSON-formatted documents Example of an Amazon S3 Read-Only Access Template { "Statement": [ { "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*" } ] } • Attach policy to a user, group, or role (identity-based permissions) • Attach policy to select resources e.g. Amazon S3 buckets (resource-based permissions) Example of identity-based permission Example of resource-based permission Rob Can Read, Write, List On Resource : icon-designs icon-designs Rob: Read, Write, List Samantha: List Zoe: Read, List
  10. 10. IAM Policies Two types of identity-based policies in IAM • Managed policies (newer way) • Can be attached to multiple users, groups, and roles • AWS managed policies (created and managed by AWS) • Customer managed policies (created and managed by you) o Up to 5K per policy o Up to 5 versions • You can limit who can attach managed policies • Inline policies (the older way) • You create and embed directly in a single user, group, or role • Variable policy size (2K per user, 5K per group, 10K per role)
  11. 11. Live Demo 1. Create a new IAM user called Rob 2. Assign Rob a password 3. Enable MFA for Rob (Authy 2FA app: 4. Require password reset at next sign-in 5. Grant Rob administrative permissions over Amazon S3 by attaching an AWS managed policy i. Replace with a less permissive AWS managed policy ii. Replace with a customer managed policy Demo Time
  12. 12. Side bar SSH Keys: you can associate an SSH key with your IAM user and then use the SSH key to authenticate with AWS CodeCommit (a managed source control service) Credential Reports: You can generate and download a credential report that lists all IAM users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. For passwords and access keys, the credential report shows how recently the password or access key has been used Example of retrieving Credential Report Example of associating SSH keys to IAM user
  13. 13. Side bar Trusted Advisor: your customized cloud expert! It helps you to observe best practices for the use of AWS by inspecting your AWS environment with an eye toward closing security gaps, saving money, and improving system performance and reliability. Example of identifying security gaps by using Trusted Advisor
  14. 14. IAM Groups What • Collection of IAM users • Specify and manage permissions for multiple users, centrally • E.g. group for all UX Designers • A group can contain many users, and a user can belong to multiple groups When • Easily manage permissions for multiple users AWS Account IAM Group: Administrators Akshay Andrea Arvind IAM Group: UX Designers Rob Rachel IAM Group: DevOps Akshay Andrew Lin Zoe Example of managing permission using groups
  15. 15. IAM Groups Why (Benefits) • Reduces the complexity of access management as number of users grow • Easy way to reassign permissions based on change in responsibility • Easy way to update permissions for multiple users • Reduces the opportunity for a user to accidently get excessive access Do • Create groups that relate to job functions • Attach policies to groups • Use managed policies to logically manage permissions • Manage group membership to assign permissions
  16. 16. Live Demo 1. Create a new IAM group called UXDesigners 2. Assign permissions to the IAM group 3. Create a new IAM user called Rachel 4. Add Rob and Rachel to the IAM group Demo Time
  17. 17. IAM Roles What • Another identity with permission policies that determine what the identity can and cannot do in AWS • Can be assumed by anyone who needs it; not uniquely associated with one person or application • Does not have credentials; access keys are created and provided dynamically When • Give cross-account access • Give access within an account • E.g. access for application running on Amazon EC2 • [Federation] Give access to identities defined outside AWS • E.g. access for identities maintained in your corporate IdP
  18. 18. Use IAM roles to share access Why (Benefits) • No need to share security credentials • No need to store long-term credentials • Control who has access Do • Use roles to delegate cross-account access • Use roles to delegate access within an account • Use roles to provide access for federated users
  19. 19. Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} Acct ID: 123456789012 Authenticate with Rob’ access keys Get temporary security credentials for ddb-role Call AWS APIs using temporary security credentials of ddb-role { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} ddb-role trusts IAM users from the AWS account (123456789012) Permissions assigned to Rob granting him permission to assume ddb- role in account B IAM user: Rob Permissions assigned to ddb-role STS Use IAM roles for cross-account access
  20. 20. Use IAM roles for Amazon EC2 instances Why (Benefits) • Easy to manage access keys on EC2 instances • Automatic key rotation • AWS SDKs fully integrated • AWS CLI fully integrated Do • Use roles instead of long term credentials • Assign least privilege to the application
  21. 21. 1. Use Switch Role between two accounts 2. Launch an EC2 instance with a role Demo Time
  22. 22. Questions?
  23. 23. Everything and Anything Startups Need to Get Started on AWS