DEV Community: Oyinkansola Awosan

Understanding AWS Identity and Access Management (IAM) 1.

Oyinkansola Awosan — Fri, 20 Jan 2023 23:22:57 +0000

Introduction
- Definition of AWS Identity and Access Management (IAM)
- Importance of IAM in AWS
IAM Components
- Users
- Groups
- Roles
- Policies
- Access keys
- Multi-Factor Authentication
Conclusion

Definition of AWS Identity and Access Management (IAM)
Identity and Access Management is a web service provided by AWS that allows administrators to manage access to AWS resources. IAM enables the creation and management of users, groups, and roles and assigning permissions to these entities. It also provides a way to set up secure access to your AWS resources by creating and managing access keys and security credentials such as access keys, secret access keys, and the MFA.
It is a global service that applies to all of an organization's regions and accounts. It allows you to control access to AWS resources and services, using policies that specify what actions are permitted or denied for each user or group. It also integrates with other AWS services, such as Amazon S3 and Amazon EC2, to provide additional security features, such as encryption and access controls.

Importance of IAM in AWS
IAM enables you to secure your AWS infrastructure by controlling access to resources. It helps customers comply with security and compliance regulations by providing fine-grained control over who can access what resources and actions they can perform.
IAM manages access and permissions, which helps to ensure that solely authorized users can access sensitive data and systems. It also provides a way to manage temporary access to resources through IAM roles, which can be helpful in scenarios such as allowing third-party services to access your resources.
Additionally, IAM enables customers to apply security best practices like the principle of least privilege, which states that users should have the minimum permissions necessary to perform their job.
It is, without doubt, one of the building blocks of security on AWS.

IAM Components

AWS Identity and Access Management (IAM) has several components that can be used to manage access to AWS resources:

Users
In IAM, a user represents an individual or system that needs to access AWS resources. Each user is identified by a unique name and associated with a set of security credentials, such as an access key and a secret key.
Users can be created and managed through the IAM console, AWS CLI, or SDKs. Once a user is created, the administrator can assign permissions to the user, determining what actions the user can perform on what resources.

Users can be organized into groups, which makes it easier to manage permissions for multiple users at once. For example, you can create a group for all the users in a specific department and then assign permissions to that group.
Users can be assigned roles similar to users but not associated with a specific person or entity. Instead, roles are intended to be assumed by AWS services, applications, or users in other AWS accounts.
Users can also be granted temporary access to resources by assuming a role, which enables them to take on the permissions of that role. This is useful for scenarios such as cross-account or federated access to your AWS resources through an identity provider such as Active Directory.

Groups

Groups are collections of IAM users that can be assigned permissions as a group. This allows you to manage permissions for multiple users at once.
Groups are created within IAM, and users are added to them. Once a user is a group member, they inherit the permissions assigned to that group. This means you can assign permissions to a group, and all users will have those permissions.

You can use groups to organize and manage your users based on their job function or department. For example, you might create a group for 'Developers' and another for 'Managers.' You can then assign different permissions to each group so that developers have the permissions they need to work with your application code. In contrast, managers have the permissions they need to manage the application.

Roles

A role is similar to a user but not associated with a specific person or entity. Instead, roles are intended to be assumed by AWS services, applications, or users in other AWS accounts.
A role is a set of permissions that determine what actions can be performed on which resources. Roles can be created and managed through the IAM console, the AWS CLI, or the AWS SDKs. Once created, a user, an AWS service, or an application can assume a role.
Roles are useful in scenarios such as:

Cross-account access: If you have multiple AWS accounts, you can use roles to grant users in one account access to resources in another account.
Federated access: You can use roles to grant users in your organization access to your AWS resources through an identity provider such as Active Directory.
Service-linked roles: Some AWS services, such as Elastic Container Service (ECS) and Elastic Beanstalk, have specific roles linked directly to the service. The service automatically creates and manages these roles and cannot be modified or deleted.
EC2 Instance Profile: You can use roles to grant permissions to your EC2 instances so that applications running on the cases can access other AWS resources.
AWS Resource Access Manager: You can use roles to grant permissions to resources in one AWS account to users in another account.

Policies

A policy is a set of rules that determine what actions a user, group, or role can perform on what resources. Policies are written in JSON and can be attached to users, groups, and roles.
Policies are the building blocks of IAM. They define a user, group, or role's permissions to access AWS resources. Policies are made up of statements that specify the actions allowed or denied on a particular resource or set of resources. Policies can be created and managed through the IAM console, the AWS CLI, or the AWS SDKs.
There are two types of policies:

Managed policies: These are policies that are created and managed by AWS. They include pre-defined policies for everyday use cases, such as read-only access to S3 or full access to EC2.
Inline policies: These are policies that are embedded directly in a user, group, or role. They allow you to grant fine-grained permissions specific to a user, group, or role.

Policies can be used to grant permissions for a wide range of AWS services, such as Amazon S3, Amazon EC2, and AWS Lambda. They can also be used to grant permissions for specific resources, such as one particular S3 bucket or EC2 instance.

Access keys

As seen above, access keys consist of an access key ID and a secret access key. These keys are used to make programmatic calls to AWS services using the AWS SDKs, the AWS CLI, and other tools. Access keys are associated with an IAM user or the AWS account root user. Users can have multiple access keys, but only one set can be active.
They are used to authenticate when making API requests and are typically used in conjunction with the AWS SDKs and the AWS CLI. Access keys are used to sign the requests, and the service uses the key to identify the sender and verify that the request is authentic.
You can create and manage access keys for IAM users through the AWS Management Console, AWS CLI, or AWS API. When creating access keys, it is vital to store the secret key in a secure location and rotate them regularly as a security best practice.
It's important to note that access keys should be protected and kept secret. They should never be shared and should be rotated regularly as a security best practice. It is also important to know that IAM access keys are intended for use with the AWS API, CLI, and SDKs and are not meant to be used for logging into the AWS Management Console.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication is an IAM component in AWS that is an additional layer of security that requires a user to provide a one-time password in addition to their username and password. MFA adds an extra authentication step, making it more difficult for unauthorized users to access your AWS resources.
MFA can be enabled for IAM users through the AWS Management Console, AWS CLI, or AWS API. In addition, different types of MFA devices are available, such as a hardware token or a virtual device that runs on a smartphone. Once MFA is enabled, users will be prompted for a one-time password when they sign in to the Console or make programmatic calls to AWS services using their access keys.
You can enable MFA on the AWS account root user, IAM users, or on a role. By doing so, you will ensure that only users who have provided the correct MFA code can sign in or make changes to the resources.
It's worth noting that MFA can be used in conjunction with other security measures, such as access keys and roles, to provide an additional layer of protection for your AWS resources.

Conclusion

These are the core components of IAM, but there are additional features like Identity Federation, Service Control Policies, and Resource-level permissions. Together, these components provide a comprehensive system for managing access to AWS resources and ensuring that only authorized users have access to sensitive data and systems.

How Does The AWS VPC Work?

Oyinkansola Awosan — Sat, 16 Oct 2021 13:07:21 +0000

When I first encountered the term VPC, my mind immediately went to VPN, and I thought I would be learning how to create my own VPN. However, that was not the case.

A VPC is a Virtual Private Cloud and is very different from a VPN. As the name denotes, it is a private/isolated cloud hosted within a public cloud. It is a private space that gives you complete control over your virtual networking environment. It allows you to do several things, including selecting your own IP address, configuring route tables, network gateways, and creating your subnets.

To understand this concept better, try to imagine the public cloud as a famous coffee shop or eatery that is always crowded but has a table in an isolated corner that is always reserved. The table in this analogy refers to the VPC. Even though the eatery is full, no one will sit in the reserved corner except those who reserved it.
You can also think of your house, perhaps with your parents and siblings around. The house definitely belongs to everyone, but the part of the house that is your room is private and entirely yours. Only people you allow in can access it, and since you have complete control over that part of the house, you can customize it as you want. The house here is the public cloud, while your room is the VPC.

This analogy clearly describes how a VPC works. There are several resources available on a public cloud, and several clients are accessing those resources. Still, with a VPC, some of those resources are explicitly reserved for your use only.

To create your own VPC using AWS, you will have to create an account with AWS. This can be done easily and quickly. After doing this, navigate to the VPC dashboard, and you can do that either by typing VPC in the search box or clicking on services which will bring you an array of services AWS offers, as seen below.

Once the dashboard opens up, the first step is to create your EIP (more information about this below), after which you go back to the VPC dashboard and click on the "Launch VPC" button to launch your VPC.
From there, you are taken to a page for you to choose your VPC settings. On this page, you select the type of VPC you want to create, as seen below.

You are then directed to the configuration part from this page, which allows you to configure/customize your VPC.

The Elastic IP allocation box is where you select the elastic IP you've already created. After this, you click on create VPC, and your VPC gets created within a few minutes.
Using AWS, we have two types of VPC:

The Default VPC
The Custom VPC

Default VPC

The default VPC comes with every AWS account. When you create your AWS account, a default VPC is created with default subnets and other components. This VPC is not difficult to recognize, as seen below. However, it is not a secure VPC, and this is where the second type of VPC comes in.

Custom VPC

A custom VPC is the more advisable type of VPC, as it is a VPC you can customize to suit your needs, just as the name suggests. While creating this VPC, you get to choose and define what you want in the components of your VPC. It is your configuration, to your taste.
An example of a custom VPC is the "SCA" VPC configured above and seen in the image below.

What are the components of a VPC?

The components of a VPC are what make up a VPC. In other words, they are what makes a VPC a VPC. Let's take a look at some of them.

Elastic IP (EIP)
Subnets
Route tables
NAT gateway
Security group
NACL

Elastic IP

An EIP is also known as Elastic Internet Protocol. It is a reserved public address that can be assigned to an EC2 instance in any region.
The option to create this is available in your VPN dashboard, by the left. After finding it, you can expect a page like the one below, after which you click on create. This is the first step to carry out before launching the VPC wizard. After doing this, you can then leave the page to continue creating your VPN.

Subnets

Subnets are sub-networks. They are like containers but for routing purposes. They make networks efficient by shortening the distance network traffic pass through and eliminating unnecessary routers. It is a subnetwork in a network, something like a part of a whole. Subnetting is dividing part of the network for private use. It helps narrow down the IP address to usage within a range of devices.
To create your subnet, you click the subnet option on the VPC dashboard, as seen below.

It is essential to know that there are two types of subnets:

Public Subnets
Private Subnets

Public Subnets

A public subnet is simply a subnet whose traffic is routed to an internet gateway. It basically allows its router to serve other devices.

Private Subnets

A private subnet is simply a subnet that does not have the default route to the internet gateway. They do not have a public IP address because they do not accept traffic from the internet. A private subnet can use the NAT gateway to send requests to the internet.
Private subnets are also the type of subnet believed to be secure.

The process of creating a subnet requires you to choose the VPC you are creating the subnet in, after which you name your subnet, as seen in the image above. You then fill in the IPV4 CIDR block, leave the rest as default, then go ahead to create your subnet.
Repeat the same steps for the second subnet.

Route Table

A route table is what allows internet access, as it is attached to your VPC. It is like a database containing a set of rules - routes- to determine where to forward or direct network traffic from your VPC.
To add a new route, you click on the 'Routes Table' option in the VPC dashboard highlighted in the image below. For every VPC you create, a route table is created by default. To edit that route table, find it on the routes page and click on it.

After opening up the particular route table for your VPC, if it is not yet associated with a subnet, you should associate with one of your subnets, preferably the public subnet. If it is already associated with a subnet, it will show as the third route table in the image above.
Click on the edit button after opening up your desired route table. If a route like the one highlighted below is not yet created, you can add it manually by clicking the 'Add route' button.

Once you do, please give it a destination of 0.0.0.0/0 as seen above and a target of Internet Gateway, then save the changes.

NAT Gateway

A NAT gateway allows instances in the private subnet to connect with the internet so that it prevents the internet from having a connection with these instances but responds to requests from the private subnet.
NAT gateway means Network Address Translation gateway. To create a NAT gateway, you will find the NAT Gateway option by the left side of the VPC dashboard, along with other options. Once the page opens up, click on 'Create NAT Gateway,' and the page below will open up. You can fill in the options as it is in the image below.

For the Elastic IP option, you need to select the EIP you created for the VPC. After doing this, click on 'Create NAT gateway,' and you are ready to go.

Network Access Control List (NACL)

A network access control list is a virtual firewall for your subnet. It is a layer of security that controls traffic going in and out of your subnet. When you create a VPC, an NACL is automatically created by AWS.
A Network Access Control List can take on multiple subnets, i.e., numerous subnets can be associated with one NACL, but a subnet can only be associated with one NACL.

Security Group

A security group is basically a virtual firewall that filters or controls incoming and outgoing traffic. Keep in mind that security groups function at the instance level, not the subnet level. Inbound rules control incoming traffic while outbound rules control outgoing traffic.
You can configure your security group while creating your EC2 instance, as it is one of the processes required to create an instance.

One significant difference between NACL and security groups is that a security group operates at the instance level while NACL operates at the subnet level.
These various components make the AWS VPC functional and allow you to create your own private space in the public cloud.

My utmost appreciation goes to the She Code Africa team, Ada Nduka Oyom - the founder, Esther Okafor - the project manager, Deimos Cloud, and my able mentor - Olumide Falomo .

I hope you enjoyed reading this as much as I enjoyed writing it. I also hope you found this helpful. I would like to hear from you, so feel free to drop a comment or connect with me via Twitter, LinkedIn, or you can check out my Github page for some cool projects.

How To Format Dates In JavaScript

Oyinkansola Awosan — Tue, 12 Oct 2021 19:29:54 +0000

If you are a developer who uses JavaScript, you’re going to have to format dates often. Date formatting may seem complex and overwhelming for beginners, but it is pretty simple as you will agree after reading through this article.
JavaScript’s Date() function object can easily be used to display date, time, even specific to time zones.

let date = new Date();
console.log(date);

The code above is probably the easiest, most common way the date function is used, and since I didn’t assign another function to it, the date and time will be printed in a localized format.
There are other simple date formatting methods available in JavaScript, one of which is the toLocaleDateString method.

The toLocaleDateString Method

This method lets you customize your date with a specific location of your choice and exactly the way you want it to appear. It allows you to add a locale(a language code) and an option, takes both as arguments, and gives you the time and date in your specified locale and format.
You can use the toLocaleDateString method without a locale and option. You can also use it without an option or with both a locale and an option present. The syntax for each is listed below.

toLocaleDateString()
toLocaleDateString(locales)
toLocaleDateString(locales, options)

When using locales, you need to remember the language code you want to use. For the USA, we have en-US; for the United Kingdom, we have en-UK, and it goes on like that. You can find the appropriate language code by searching it up.
Using locales only, we would have the syntax in this format:

new Date().toLocaleDateString(‘en-US’)
new Date().toLocaleDateString(‘en-UK’)
new Date().toLocaleDateString(‘zh-CN’)

However, using locales with options gives us more room to customize so the syntax is usually like this

const options = { weekday: ‘short’, year: ‘numeric’, month: ‘long’, day: ‘numeric’ };
const today = new Date();
console.log(today.toLocaleDateString(“en-UK”, options));

My preferred way of writing the same syntax is

console.log(date.toLocaleString(‘en-UK’, {
weekday: ‘short’,
day: ‘numeric’,
year: ‘numeric’,
month: ‘long’,
}));

Both ways get the job done and allow you to customize as you want to. While weekday, day, month, year are the basic options commonly used, you can also add hour, minute, and second options if you also want to customize your time.

The weekday option specifies how you want your weekday to appear. You can have it abbreviated(short) or in full(long).

The month option specifies how you want your month to appear. You can have it abbreviated(short) or in full(long).

The year, day, hour, minute, and second options are usually numeric, meaning they appear as numbers.

There are other ways to format dates, one of which is the Intl.DateTimeFormat This method is similar to the toLocaleDateString and I will be covering it in my next article.

I hope you found this useful. I would like to hear from you so feel free to drop a comment or connect with me via Twitter, LinkedIn, or you can check out my Github page for some cool projects.