Intro
IAM (Identity and Access Management)
▪ AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
▪ IAM allows you to:
– Manage IAM users and their access: You can create users in IAM, assign them individual security credentials (i.e., access keys, passwords, and Multi-Factor Authentication devices), or request temporary security credentials to provide users access to AWS services and resources. You can manage permissions in order to control which operations a user can perform.
– Manage IAM roles and their permissions: You can create roles in IAM, and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role.
IAM (Identity and Access Management)
▪ The common use of IAM is to manage:
– Users
– Groups
– IAM Access Policies
– Roles
NOTE: The user created when you created the AWS account is called the "root" user.
▪ By default, the root user has FULL administrative rights and access to every part of the account.
IAM Resource
▪ Users:
– Can have a username/password to log in to the AWS console.
– Can have AWS credentials for making API calls to interact with AWS services.
– A new IAM user has no permission to do anything; permissions must be explicitly granted.
▪ Groups:
– A collection of IAM users.
– You assign permissions to a group, and all users in that group inherit the permissions of the group.
IAM Resource
▪ IAM Access Policies:
– When you create an IAM group or user, you associate an IAM policy with it, which specifies the permissions that you want to grant.
– IAM policies are JSON-formatted documents that define AWS permissions.
▪ Roles:
– The permissions of an IAM role can be granted/assigned to an EC2 instance.
– All AWS SDKs have a built-in way to auto-discover AWS credentials on AWS EC2:
  ▪ Credential file
  ▪ Environment variable
  ▪ Instance profile
Access Management
▪ Policies and Accounts:
– If you manage a single account in AWS, then you define the permissions
within that account using policies.
– If you manage permissions across multiple accounts, it is more difficult
to manage permissions for your users.
▪ Policies and Users
– IAM users are identities in the service. When you create an IAM user, they can't access anything in your account until you give them permission.
– You give permissions to a user by creating an identity-based policy,
which is a policy that is attached to the user.
Access Management
▪ Policies and Users
– The example shows the policy JSON that allows a user to have S3 List access on the bucket named “example_bucket”.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
Access Management
▪ Policies and Groups
– You can organize IAM users into IAM groups
and attach a policy to a group.
– In that case, individual users still have their own
credentials, but all the users in a group have
the permissions that are attached to the group.
Use groups for easier permissions management.
– Users or groups can have multiple policies attached
to them that grant different permissions.
– In that case, the users' permissions are calculated based on the
combination of policies. But the basic principle still applies: If the user
has not been granted an explicit permission for an action and a
resource, the user does not have those permissions.
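How the combination of policies works out in practice, as an added example that is not part of the original slides: a simplified evaluator that merges a user policy and a group policy, applies the default (implicit) deny, and lets an explicit Deny override any Allow. USER_POLICY is the policy from the earlier slide; GROUP_POLICY, the object keys and the function names are constructed for illustration, and conditions, resource-based policies and other policy types are deliberately left out.

```python
"""Simplified evaluation of identity-based IAM policies (illustrative only)."""
import re

# The policy shown on the earlier slide: list access on one bucket.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example_bucket",
    },
}

# Constructed group policy (not from the slides): members may read objects,
# but nothing under the private/ prefix.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example_bucket/*",
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example_bucket/private/*",
        },
    ],
}


def _as_list(value):
    """Statement, Action and Resource may each be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """Match IAM-style wildcards: '*' is any run of characters, '?' is one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(stmt, action, resource):
    # Action names are matched case-insensitively; resource ARNs are
    # treated as case-sensitive here.
    action_hit = any(
        _wildcard_match(p, action, ignore_case=True)
        for p in _as_list(stmt["Action"])
    )
    resource_hit = any(
        _wildcard_match(p, resource) for p in _as_list(stmt["Resource"])
    )
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    policies is every identity-based policy that applies to the user:
    those attached directly plus those inherited from the user's groups.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny always wins
            if stmt["Effect"] == "Allow":
                allowed = True
    # No matching Allow means the request is denied by default.
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    attached = [USER_POLICY, GROUP_POLICY]
    bucket = "arn:aws:s3:::example_bucket"
    requests = [
        ("s3:ListBucket", bucket),
        ("s3:GetObject", bucket + "/report.csv"),
        ("s3:GetObject", bucket + "/private/keys.txt"),
        ("s3:PutObject", bucket + "/report.csv"),
    ]
    for action, resource in requests:
        print(f"{action:14} {resource:50} {evaluate(attached, action, resource)}")
```

The last request is refused even though no statement mentions s3:PutObject: an action that was never granted is denied by default.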
Access Management
▪ Federated Users and Roles
– Federated users don't have permanent identities in your AWS account
the way that IAM users do.
– To assign permissions to federated users, you can create an entity
referred to as a role and define permissions for the role.
– When a federated user signs in to AWS, the user is associated with the
role and is granted the permissions that are defined in the role.
▪ Identity-based and Resource-based Policies
– Identity-based policies are permissions policies that you attach to a
principal (or identity), such as an IAM user, group, or role.
– Resource-based policies are permissions policies that you attach to a
resource such as an Amazon S3 bucket.
Access Management
▪ Identity-based and Resource-based Policies
– Identity-based policies control what actions that identity can perform,
on which resources, and under what conditions. Identity-based policies
can be further categorized:
– Managed policies – Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. You can use two types of managed policies:
▪ AWS managed policies – Managed policies that are created and managed by
AWS. If you are new to using policies, we recommend that you start by using
AWS managed policies.
▪ Customer managed policies – Managed policies that you create and manage in your AWS account. Customer managed policies provide more precise control over your policies than AWS managed policies. You can create and edit an IAM policy in the visual editor or by creating the JSON policy document directly.
– Inline policies – Policies that you create and manage and that are
embedded directly into a single user, group, or role.
Bill alarm
▪ You can monitor your estimated AWS charges using Amazon
CloudWatch. When you enable the monitoring of estimated
charges for your AWS account, the estimated charges are
calculated and sent several times daily to CloudWatch as metric
data.
▪ Billing metric data is stored in the US East (N. Virginia) region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.
▪ The alarm triggers when your account billing exceeds the threshold
you specify. It triggers only when actual billing exceeds the
threshold. It does not use projections based on your usage so far in
the month.
▪ If you create a billing alarm at a time when your charges have
already exceeded the threshold, the alarm goes to
the ALARM state immediately.
Bill alarm
▪ Enable Billing Alerts:
– Before you can create an alarm for your estimated charges, you must
enable billing alerts, so that you can monitor your estimated AWS
charges and create an alarm using billing metric data. After you enable
billing alerts, you cannot disable data collection, but you can delete any
billing alarms that you created.
To enable the monitoring of estimated charges:
1. Open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home?#.
2. In the navigation pane, choose Preferences.
3. Choose Receive Billing Alerts.
4. Choose Save preferences.
Create Bill alarm
▪ After you've enabled billing alerts, you can create a
billing alarm. In this procedure, you create an alarm
that sends an email message when your estimated
charges for AWS exceed a specified threshold.
Note: This procedure uses the advanced options. For more information about using the simple options, see Create a Billing Alarm in Monitor Your Estimated Charges Using CloudWatch.
Create Bill alarm
To create a billing alarm using the CloudWatch console
1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2. If necessary, change the region to US East (N. Virginia). Billing metric data is stored in this region and represents worldwide charges.
3. In the navigation pane, choose Alarms, Billing, Create Alarm.
4. Choose show advanced to switch to the advanced options.
5. Under Alarm Threshold, replace the default name for the alarm (for example, My Estimated Charges) and a description for the alarm (for example, Estimated Monthly Charges). Alarm names must contain only ASCII characters.
6. Under Whenever charges for, for is, choose >= and then type the monetary amount
(for example, 200) that must be exceeded to trigger the alarm and send an email.
Create Bill alarm
7. Note: Under Alarm Preview, there is an estimate of your charges that you can use to set an appropriate amount.
8. Under Additional settings, for Treat missing data as, choose ignore
(maintain alarm state) so that missing data points do not trigger alarm
state changes.
9. Under Actions, for Whenever this alarm, choose State is ALARM. For Send
notification to, choose an existing SNS topic or create a new one.
10. To create an SNS topic, choose New list. For Send notification to, type a name for the SNS topic, and for Email list, type a comma-separated list of email addresses where email notifications should be sent. Each email address is sent a topic subscription confirmation email. You must confirm the subscription before notifications can be sent to an email address.
11. Choose Create Alarm.
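The same alarm can be created from a script instead of the console. The following is an added example, not part of the original slides: it maps the console choices above onto the CloudWatch PutMetricAlarm parameters and creates the SNS topic with boto3. The function names, the topic name and the sample ARN are hypothetical; the Maximum statistic and the 6-hour period are assumed settings for the billing metric, and create_billing_alarm assumes boto3 is installed and AWS credentials are configured.

```python
"""Scripted equivalent of the console billing-alarm procedure (illustrative)."""

# Billing metric data is stored only in US East (N. Virginia).
BILLING_REGION = "us-east-1"


def build_billing_alarm_params(name, threshold_usd, sns_topic_arn,
                               description="Estimated Monthly Charges"):
    """Return the keyword arguments for CloudWatch put_metric_alarm."""
    if not name.isascii():
        # Step 5: alarm names must contain only ASCII characters.
        raise ValueError("alarm name must contain only ASCII characters")
    if threshold_usd <= 0:
        raise ValueError("threshold must be a positive amount")
    return {
        "AlarmName": name,
        "AlarmDescription": description,
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        # Assumed settings: the metric is published a few times a day,
        # so evaluate the maximum over one 6-hour period.
        "Statistic": "Maximum",
        "Period": 21600,
        "EvaluationPeriods": 1,
        # Step 6: "is >= <amount>".
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "Threshold": float(threshold_usd),
        # Step 8: ignore (maintain alarm state) on missing data points.
        "TreatMissingData": "ignore",
        # Step 9: notify the SNS topic when the state is ALARM.
        "AlarmActions": [sns_topic_arn],
    }


def create_billing_alarm(name, threshold_usd, emails,
                         topic_name="billing-alerts"):
    """Create the SNS topic, subscribe the addresses and create the alarm.

    Every address receives a confirmation email and gets notifications
    only after the subscription is confirmed (step 10).
    """
    import boto3  # imported here so the builder above works without boto3

    sns = boto3.client("sns", region_name=BILLING_REGION)
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]
    for address in emails:
        sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=address)

    cloudwatch = boto3.client("cloudwatch", region_name=BILLING_REGION)
    params = build_billing_alarm_params(name, threshold_usd, topic_arn)
    cloudwatch.put_metric_alarm(**params)
    return params


if __name__ == "__main__":
    # Constructed sample values; nothing is sent to AWS here.
    sample_arn = "arn:aws:sns:us-east-1:123456789012:billing-alerts"
    for key, value in build_billing_alarm_params(
            "My Estimated Charges", 200, sample_arn).items():
        print(f"{key}: {value}")
```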
IAM Summary
▪ Today, AWS made it easier for us to understand the permissions that our AWS Identity and Access Management (IAM) policies grant, with policy summaries in the IAM console.
▪ Instead of reading JSON policy documents, we can scan a
table that summarizes the services, actions, resources, and
conditions defined in each policy.
▪ This summary enables us to quickly understand the
permissions defined in each IAM policy.

DOJO Training Center - Empowering Workforce Excellence
Himanshu
 
Best steel industrial company LLC in UAE
Best steel industrial company LLC in UAEBest steel industrial company LLC in UAE
Best steel industrial company LLC in UAE
alafnanmetals
 
The Jamstack Revolution: Building Dynamic Websites with Static Site Generator...
The Jamstack Revolution: Building Dynamic Websites with Static Site Generator...The Jamstack Revolution: Building Dynamic Websites with Static Site Generator...
The Jamstack Revolution: Building Dynamic Websites with Static Site Generator...
Softradix Technologies
 

Recently uploaded (20)

Elevate Your Brand with Digital Marketing for Fashion Industry
Elevate Your Brand with Digital Marketing for Fashion IndustryElevate Your Brand with Digital Marketing for Fashion Industry
Elevate Your Brand with Digital Marketing for Fashion Industry
 
Reliable Logistics Solutions - Truxcargo
Reliable Logistics Solutions - TruxcargoReliable Logistics Solutions - Truxcargo
Reliable Logistics Solutions - Truxcargo
 
Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...
Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...
Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...
 
SECUREX UK FOR SECURITY SERVICES AND MOBILE PATROL
SECUREX UK FOR SECURITY SERVICES AND MOBILE PATROLSECUREX UK FOR SECURITY SERVICES AND MOBILE PATROL
SECUREX UK FOR SECURITY SERVICES AND MOBILE PATROL
 
How Does Littering Affect the Environment.
How Does Littering Affect the Environment.How Does Littering Affect the Environment.
How Does Littering Affect the Environment.
 
What Are the Latest Trends in Endpoint Security for 2024?
What Are the Latest Trends in Endpoint Security for 2024?What Are the Latest Trends in Endpoint Security for 2024?
What Are the Latest Trends in Endpoint Security for 2024?
 
Are Gutters Necessary? Explore the details now!
Are Gutters Necessary? Explore the details now!Are Gutters Necessary? Explore the details now!
Are Gutters Necessary? Explore the details now!
 
Top Best Astrologer +91-9463629203 LoVe Problem SolUtion specialist In InDia ...
Top Best Astrologer +91-9463629203 LoVe Problem SolUtion specialist In InDia ...Top Best Astrologer +91-9463629203 LoVe Problem SolUtion specialist In InDia ...
Top Best Astrologer +91-9463629203 LoVe Problem SolUtion specialist In InDia ...
 
BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...
BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...
BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...
 
Office Business Furnishings | Office Equipment
Office Business Furnishings |  Office EquipmentOffice Business Furnishings |  Office Equipment
Office Business Furnishings | Office Equipment
 
WORK PERMIT IN BULGARIA | Work Visa Services
WORK PERMIT IN BULGARIA | Work Visa ServicesWORK PERMIT IN BULGARIA | Work Visa Services
WORK PERMIT IN BULGARIA | Work Visa Services
 
Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...
Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...
Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...
 
Importance of BWTS in the Maritime Industry
Importance of BWTS in the Maritime IndustryImportance of BWTS in the Maritime Industry
Importance of BWTS in the Maritime Industry
 
Inspect Edge & NSPIRE Inspection Application - Streamline Housing Inspections
Inspect Edge & NSPIRE Inspection Application - Streamline Housing InspectionsInspect Edge & NSPIRE Inspection Application - Streamline Housing Inspections
Inspect Edge & NSPIRE Inspection Application - Streamline Housing Inspections
 
Hospitality Training for Hotel Industries
Hospitality Training for Hotel IndustriesHospitality Training for Hotel Industries
Hospitality Training for Hotel Industries
 
Maximizing Efficiency with Integrated Water Management Systems
Maximizing Efficiency with Integrated Water Management SystemsMaximizing Efficiency with Integrated Water Management Systems
Maximizing Efficiency with Integrated Water Management Systems
 
Best Catering Event Planner Miso-Hungry.pptx
Best Catering Event Planner  Miso-Hungry.pptxBest Catering Event Planner  Miso-Hungry.pptx
Best Catering Event Planner Miso-Hungry.pptx
 
DOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce ExcellenceDOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce Excellence
 
Best steel industrial company LLC in UAE
Best steel industrial company LLC in UAEBest steel industrial company LLC in UAE
Best steel industrial company LLC in UAE
 
The Jamstack Revolution: Building Dynamic Websites with Static Site Generator...
The Jamstack Revolution: Building Dynamic Websites with Static Site Generator...The Jamstack Revolution: Building Dynamic Websites with Static Site Generator...
The Jamstack Revolution: Building Dynamic Websites with Static Site Generator...
 

Identity access management (iam)

  • 2. IAM (Identity and Access Management)
    ▪ AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
    ▪ IAM allows you to: Manage IAM users and their access - You can create users in IAM, assign them individual security credentials (i.e., access keys, passwords, and Multi-Factor Authentication devices) or request temporary security credentials to provide users access to AWS services and resources.
    ▪ You can manage permissions in order to control which operations a user can perform. Manage IAM roles and their permissions - You can create roles in IAM, and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role.
    ▪ You can also define which entity is allowed to assume the role.
  • 3. IAM (Identity and Access Management)
    ▪ The common use of IAM is to manage:
      – Users
      – Groups
      – IAM Access Policies
      – Roles
    NOTE: The user created when you created the AWS account is called the "root" user.
    ▪ By default, the root user has FULL administrative rights and access to every part of the account.
  • 4. IAM Resource
    ▪ Users:
      – Can have a username/password to log in to the AWS console.
      – Can have AWS credentials for making API calls to interact with AWS services.
      – A new IAM user has no permission to do anything; permissions must be explicitly granted.
    ▪ Groups:
      – A collection of IAM users.
      – You assign permissions to a group, and all users in that group inherit the permissions of the group.
  • 5. IAM Resource
    ▪ IAM Access Policies:
      – When you create an IAM group or user, you associate an IAM policy with it that specifies the permissions you want to grant.
      – IAM policies are JSON-formatted documents that define AWS permissions.
    ▪ Roles:
      – The permissions of an IAM role can be granted/assigned to an EC2 instance.
      – All AWS SDKs have a built-in way to auto-discover AWS credentials on AWS EC2:
        - Credential file
        - Environment variable
        - Instance profile
  • 6. Access Management
    ▪ Policies and Accounts:
      – If you manage a single account in AWS, then you define the permissions within that account using policies.
      – If you manage permissions across multiple accounts, it is more difficult to manage permissions for your users.
    ▪ Policies and Users
      – IAM users are identities in the service. When you create an IAM user, they can't access anything in your account until you give them permission.
      – You give permissions to a user by creating an identity-based policy, which is a policy that is attached to the user.
  • 7. Access Management
    ▪ Policies and Users
      – This example shows the policy JSON that allows a user S3 List access on the bucket named "example_bucket".

        {
          "Version": "2012-10-17",
          "Statement": {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example_bucket"
          }
        }
  • 8. Access Management
    ▪ Policies and Groups
      – You can organize IAM users into IAM groups and attach a policy to a group.
      – In that case, individual users still have their own credentials, but all the users in a group have the permissions that are attached to the group. Use groups for easier permissions management.
      – Users or groups can have multiple policies attached to them that grant different permissions.
      – In that case, the users' permissions are calculated based on the combination of policies. But the basic principle still applies: If the user has not been granted an explicit permission for an action and a resource, the user does not have those permissions.
  • 9. Access Management
    ▪ Federated Users and Roles
      – Federated users don't have permanent identities in your AWS account the way that IAM users do.
      – To assign permissions to federated users, you can create an entity referred to as a role and define permissions for the role.
      – When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role.
    ▪ Identity-based and Resource-based Policies
      – Identity-based policies are permissions policies that you attach to a principal (or identity), such as an IAM user, group, or role.
      – Resource-based policies are permissions policies that you attach to a resource such as an Amazon S3 bucket.
  • 10. Access Management
    ▪ Identity-based and Resource-based Policies
      – Identity-based policies control what actions that identity can perform, on which resources, and under what conditions. Identity-based policies can be further categorized:
      – Managed policies – Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. You can use two types of managed policies:
        ▪ AWS managed policies – Managed policies that are created and managed by AWS. If you are new to using policies, we recommend that you start by using AWS managed policies.
        ▪ Customer managed policies – Managed policies that you create and manage in your AWS account. Customer managed policies provide more precise control over your policies than AWS managed policies. You can create and edit an IAM policy in the visual editor or by creating the JSON policy document directly.
      – Inline policies – Policies that you create and manage and that are embedded directly into a single user, group, or role.
  • 11. Bill alarm
    ▪ You can monitor your estimated AWS charges using Amazon CloudWatch. When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.
    ▪ Billing metric data is stored in the US East (N. Virginia) region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.
    ▪ The alarm triggers when your account billing exceeds the threshold you specify. It triggers only when actual billing exceeds the threshold. It does not use projections based on your usage so far in the month.
    ▪ If you create a billing alarm at a time when your charges have already exceeded the threshold, the alarm goes to the ALARM state immediately.
  • 12. Bill alarm
    ▪ Enable Billing Alerts:
      – Before you can create an alarm for your estimated charges, you must enable billing alerts, so that you can monitor your estimated AWS charges and create an alarm using billing metric data. After you enable billing alerts, you cannot disable data collection, but you can delete any billing alarms that you created.
    1. To enable the monitoring of estimated charges
    2. Open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home?#.
    3. In the navigation pane, choose Preferences.
    4. Choose Receive Billing Alerts.
  • 13. Bill alarm
    5. Choose Save preferences.
  • 14. Create Bill alarm
    ▪ After you've enabled billing alerts, you can create a billing alarm. In this procedure, you create an alarm that sends an email message when your estimated charges for AWS exceed a specified threshold.
    Note: This procedure uses the advanced options. For more information about using the simple options, see Create a Billing Alarm in Monitor Your Estimated Charges Using CloudWatch.
  • 15. Create Bill alarm
    To create a billing alarm using the CloudWatch console
    1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
    2. If necessary, change the region to US East (N. Virginia). Billing metric data is stored in this region and represents worldwide charges.
    3. In the navigation pane, choose Alarms, Billing, Create Alarm.
    4. Choose show advanced to switch to the advanced options.
    5. Under Alarm Threshold, replace the default name for the alarm (for example, My Estimated Charges) and a description for the alarm (for example, Estimated Monthly Charges). Alarm names must contain only ASCII characters.
    6. Under Whenever charges for, for is, choose >= and then type the monetary amount (for example, 200) that must be exceeded to trigger the alarm and send an email.
  • 16. Create Bill alarm
    7. Note: Under Alarm Preview, there is an estimate of your charges that you can use to set an appropriate amount.
    8. Under Additional settings, for Treat missing data as, choose ignore (maintain alarm state) so that missing data points do not trigger alarm state changes.
    9. Under Actions, for Whenever this alarm, choose State is ALARM. For Send notification to, choose an existing SNS topic or create a new one.
    10. To create an SNS topic, choose New list. For Send notification to, type a name for the SNS topic, and for Email list, type a comma-separated list of email addresses where email notifications should be sent. Each email address is sent a topic subscription confirmation email. You must confirm the subscription before notifications can be sent to an email address.
    11. Choose Create Alarm.
  • 17. IAM Summary
    ▪ Today, AWS made it easier for us to understand the permissions our AWS Identity and Access Management (IAM) policies grant, with policy summaries in the IAM console.
    ▪ Instead of reading JSON policy documents, we can scan a table that summarizes the services, actions, resources, and conditions defined in each policy.
    ▪ This summary enables us to quickly understand the permissions defined in each IAM policy.

Editor's Notes

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html
  2. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html