Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Introduction to Identity and Access Management (IAM)

2,737 views

Published on

This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources.

  • Hey guys! Who wants to chat with me? More photos with me here 👉 http://www.bit.ly/katekoxx
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Introduction to Identity and Access Management (IAM)

  1. 1. IAM Introduction Apurv Awasthi, Senior Product Manager AWS Identity and Access Management (IAM)
  2. 2. What to Expect from the Session We will look at: • What is IAM? • IAM Concepts – to help you get started • Common use cases – cover the building blocks • Demos – “Show and Tell”
  3. 3. AWS Identity and Access Management (IAM) • Enables you to control who can do what in your AWS account • IAM uses access control concepts that you are already familiar with User Group Permissions Role AWS Services and Resources
  4. 4. AWS Identity and Access Management (IAM) • Control – Centralized – Fine-grained - APIs, resources, and AWS Management Console • Security – Secure (deny) by default – Multiple users, individual security credentials and permissions
  5. 5. IAM Users What • Entity that represents the person or service that uses it to interact with AWS • Consists of a name and unique set of credentials • Console password • Access Key • MFA device (SMS, Virtual, or Hardware) • Each IAM user is associated with one and only one AWS account; does not require a separate payment method. When • Enable human or programmatic access to AWS resources and services • E.g. New employee, Rob, requires access to Amazon EC2 and Amazon S3 services • E.g. Rob has created an application that stores data in Amazon DynamoDB
  6. 6. IAM Users Why (Benefits) • Unique set of credentials • Individual permissions • Granular control • Easy to revoke access Do • Create IAM user for yourself • Create individual IAM users for others Don’t • Distribute your AWS root credentials • Use your root account user • Share your IAM user credentials
  7. 7. IAM Users and Permissions • No permissions by default • Permissions specify who has access to AWS resources, and what actions they can perform on those resources • Assign permissions individually to each user (or use Groups) • Rob (UX Designer) > access to Amazon S3 • Samantha (Database Administrator) > access to select Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS Lambda, and AWS Data Pipeline APIs • Use IAM Policies to assign permissions
  8. 8. IAM Policies • JSON-formatted documents • Contain a statement (permissions) which specify: • What actions a principal can perform • Which resources can be accessed Example of an Amazon S3 Read-Only Access Template { "Statement": [ { "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*" } ] } • Attach policy to a user, group, or role (identity-based permissions) • Attach policy to select resources e.g. Amazon S3 buckets (resource-based permissions) Example of identity-based permission Example of resource-based permission Rob Can Read, Write, List On Resource : icon-designs icon-designs Rob: Read, Write, List Samantha: List Zoe: Read, List
  9. 9. IAM Policies Two types of identity-based policies in IAM • Managed policies (newer way) • Can be attached to multiple users, groups, and roles • AWS managed policies (created and managed by AWS) • Customer managed policies (created and managed by you) o Up to 5K per policy o Up to 5 versions • You can limit who can attach managed policies • Inline policies (the older way) • You create and embed directly in a single user, group, or role • Variable policy size (2K per user, 5K per group, 10K per role)
  10. 10. Live Demo 1. Create a new IAM user called Rob 2. Assign Rob a password 3. Enable MFA for Rob 4. Require password reset at next sign-in 5. Grant Rob administrative permissions over Amazon S3 by attaching an AWS managed policy i. Replace with a less permissive AWS managed policy ii. Replace with a customer managed policy Demo Time
  11. 11. Side bar SSH Keys: you can associate an SSH key with your IAM user and then use the SSH key to authenticate with AWS CodeCommit (a managed source control service) Credential Reports: You can generate and download a credential report that lists all IAM users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. For passwords and access keys, the credential report shows how recently the password or access key has been used Example of retrieving Credential Report Example of associating SSH keys to IAM user
  12. 12. IAM Groups What • Collection of IAM users • Specify and manage permissions for multiple users, centrally • E.g. group for all UX Designers • A group can contain many users, and a user can belong to multiple groups When • Easily manage permissions for multiple users AWS Account IAM Group: Administrators Akshay Andrea Arvind IAM Group: UX Designers Rob Rachel IAM Group: DevOps Akshay Andrew Lin Zoe Example of managing permission using groups
  13. 13. IAM Groups Why (Benefits) • Reduces the complexity of access management as number of users grow • Easy way to reassign permissions based on change in responsibility • Easy way to update permissions for multiple users • Reduces the opportunity for a user to accidently get excessive access Do • Create groups that relate to job functions • Attach policies to groups • Use managed policies to logically manage permissions • Manage group membership to assign permissions
  14. 14. Live Demo 1. Create a new IAM group called UXDesigners 2. Assign permissions to the IAM group 3. Create a new IAM user called Rachel 4. Add Rob and Rachel to the IAM group Demo Time
  15. 15. IAM Roles What • Another identity with permission policies that determine what the identity can and cannot do in AWS • Can be assumed by anyone who needs it; not uniquely associated with one person or application • Does not have credentials; access keys are created and provided dynamically When • Give cross-account access • Give access within an account • E.g. access for application running on Amazon EC2 • [Federation] Give access to identities defined outside AWS • E.g. access for identities maintained in your corporate IdP
  16. 16. Use IAM roles to share access Why (Benefits) • No need to share security credentials • No need to store long-term credentials • Control who has access Do • Use roles to delegate cross-account access • Use roles to delegate access within an account • Use roles to provide access for federated users
  17. 17. prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 Authenticate with Rob’ access keys Get temporary security credentials for ddb-role Call AWS APIs using temporary security credentials of ddb-role { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to Rob granting him permission to assume ddb- role in account B IAM user: Rob Permissions assigned to ddb-role STS Use IAM roles for cross-account access
  18. 18. Use IAM roles for Amazon EC2 instances Why (Benefits) • Easy to manage access keys on EC2 instances • Automatic key rotation • AWS SDKs fully integrated • AWS CLI fully integrated Do • Use roles instead of long term credentials • Assign least privilege to the application
  19. 19. 1. Use Switch Role between two accounts 2. Launch an EC2 instance with a role Demo Time
  20. 20. Questions?
  21. 21. aws.amazon.com/activate Everything and Anything Startups Need to Get Started on AWS

×