Hi fellows, it is my first time writing here and I am so happy to have registered on this site. To the point: I am planning to take the AWS Certified Solutions Architect Associate exam (SAA-C03). So I have begun preparing, which is what I am currently doing, and I also thought, why not share it with other people who want to know more about cloud, since it would give students like me the guidance and resources that I did not get and was unaware of.
So, that is all. Starting today I will tell you what I learned each day about various services. Our first service today is IAM.
Every cloud environment is built on security, and in AWS, IAM is the starting point for security. IAM determines who is allowed to do what within your AWS account, whether you are deploying an EC2 instance, creating a database or building a serverless app.
This blog covers everything from the fundamentals to advanced real-life practice, such as policies, roles, permission boundaries, cross-account access, and enterprise-grade security models.
What Is IAM?
AWS IAM (Identity and Access Management) is the service that helps you securely manage:
- Who has access to your AWS resources
- What they are allowed to do
- Which services or resources they can interact with
- How they authenticate
Think of IAM as the gatekeeper of your AWS security.
Why IAM Matters
IAM prevents:
- Unauthorized access
- Data loss
- Misuse of services
- Cloud account compromise
- Security breaches
The majority of AWS security incidents happen because of misconfigured IAM permissions, not because of the services themselves.
IAM Core Building Blocks
IAM is built from four key components:
1. IAM Users
A user is either a real person (developer, administrator, tester) or a software application that requires AWS access.
Users have:
- Login password (optional)
- Access keys (optional)
- Permissions (via policies)
2. IAM Groups
Groups collect users who have similar duties.
Examples:
Network, DevOps, FinanceTeam, Developers, Admins.
You grant permissions to the group once instead of granting them to each user individually.
3. IAM Roles
Roles are the most important IAM concept.
A role is an identity with permissions but without long-term credentials.
Roles are used by:
- AWS services (EC2, Lambda, ECS, Glue, ...)
- Users who need temporary elevated permissions
- External identities (Google, Azure AD, Okta)
4. IAM Policies
Policies are permission documents written in JSON.
Example policy (a complete document: the Version and Statement wrapper are required, and the statement inside carries the Effect, Action and Resource):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket"
    }
  ]
}
Policies answer three questions:

| Question | Defined by |
|---|---|
| What action is allowed? | Action |
| On which service/resource? | Resource |
| Allowed or denied? | Effect |
How IAM Authorization Works
IAM evaluates policies in this order:
1. Implicit Deny - every request is denied by default unless something explicitly allows it.
2. Explicit Allow - if a policy allows the action, it is permitted, unless an explicit deny also applies.
3. Explicit Deny - overrides everything, including any Allow.
This is what makes deny policies so powerful for blocking access.
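To make the evaluation order concrete, here is an added example (my own illustration, not code from the original post or from AWS) that applies the three steps above to a request. The two policy documents and the bucket name are constructed for the demo, and only Action/Resource matching is modelled, not Conditions or permission boundaries.

```python
import fnmatch
import json

# Constructed sample policies (not from the original post): a developer
# policy that allows reads and deletes in my-bucket, plus a guardrail that
# explicitly denies every Delete* action under the prod/ prefix.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": "arn:aws:s3:::my-bucket*"},
    {"Effect": "Allow", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::my-bucket/*"}
  ]
}""")

GUARDRAIL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*",
     "Resource": "arn:aws:s3:::my-bucket/prod/*"}
  ]
}""")


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Apply the three-step IAM logic to a request: implicit deny by
    default, an explicit Allow overrides it, an explicit Deny overrides
    everything. Only Action/Resource matching is modelled, no Conditions."""
    decision = "Deny"  # step 1: implicit deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # step 3: explicit deny wins outright
            decision = "Allow"  # step 2: explicit allow
    return decision


if __name__ == "__main__":
    req = ("s3:DeleteObject", "arn:aws:s3:::my-bucket/prod/a.txt")
    print(req, "->", evaluate([DEVELOPER_POLICY, GUARDRAIL_POLICY], *req))
```

Even though the developer policy allows s3:DeleteObject on the whole bucket, the request against the prod/ prefix comes back as Deny because the guardrail's explicit deny wins; a request with no matching statement at all (for example s3:PutObject) is denied implicitly.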
IAM Authentication Options
- Password (Console access) - used for human logins.
- Access Keys (CLI / SDK access) - should never be committed to GitHub.
- MFA (Multi-Factor Authentication) - strongly recommended for all users.
All right, gang, that is it for today. I will see you tomorrow.