In this video, get an overview of the role of IAM and learn how to deploy security for users, groups, and applications.
- [Instructor] Identity and access management is key for securing everything in the AWS cloud. It doesn't matter whether you order a service or whether you want to access a resource, IAM is in the background, checking out whether you can be properly identified and then the authorizations can be applied so you can actually do what you want to do. If we scroll down under security, identity and compliance, we can see identity and access management. Opening the tool, on the left, we can manage users. Users are an entity that would log on to the AWS cloud, so we could add users, i.e. administrators really, and then define the policies that each administrator was allowed to have. The policies that can be attached to users and groups are listed under policies. What we're looking at is managed policies. These are policies that Amazon has created for us. We can copy them and customize them, or we can create a policy from scratch. If I go into create policy using the visual editor, let's choose a service to take a look at the possibilities. Let's say you wanted to actually manage EC2 instances; scrolling down, we can see EC2. The actions for what I would like to do with EC2 instances are allow actions. Notice on the right, I could switch to deny permissions, but I'm going to start with allow permissions. Obviously, if I was an administrator, I might want all EC2 actions, or would I? I could go into list and you can see there are a few choices as to what actually could be granularly applied. Scrolling down, we can see the same is true for reading, tagging and writing EC2 instances. When we look at permission management, we can see there are a lot of tasks that administrators would carry out, creating network interfaces, i.e. the permissions, or deleting network interface permissions, so lots of choices to control every aspect of the AWS cloud with policies. Going back to the console, we can look at defining a group of IAM users.
We don't have any groups in this account just yet, but I could create a group, assign permissions, i.e. policies, to the group, and then add users to the group, much like most networking operating systems. If I wanted to provide application security for applications running on EC2 instances, I could create a role. Clicking role, I could go through and define, okay, an EC2 instance, then I could define my permissions. Let's say I wanted to give access to S3 buckets, maybe just read-only access. So I select that actual policy, click Next. I could add in tags describing what I'm creating, but I'll select review and give a role name. Let's give it s3_access as the name and we'll create the role. Now, what have I really done? I've set up a policy, but I now have to attach it to somewhere in the AWS ecosystem. So how I could do that is go over to services, selecting EC2 instances, and once the console opens, selecting instances. For this example, we'll launch an instance. We'll use a default AMI, Linux 2, we'll pick a basic size and under configure instance details, we can take a look at the interesting aspect of adding in security as the system is built. Scrolling down, we can see an option for an IAM role, and we're going to add in s3_access. What this means is that when the application on this EC2 instance wants to access S3 storage, it can use this role, talk to the security token service and get access. So IAM security handles security for the applications that you're going to run, the administrators that are going to administrate your applications, and also the groups of administrators that are going to do administration of your application's tasks. The policies that you create will determine what all of these entities can do.
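The role the instructor builds in the console has two parts that are easy to conflate: a trust policy saying who may assume the role (here the EC2 service, via STS) and a permissions policy saying what the role may do (S3 read-only). The following Python is an added example, not part of the course or of AWS's own tooling: it writes both documents as JSON in the form the console's JSON editor accepts and runs a deliberately simplified version of IAM's evaluation rule (an explicit Deny always wins, otherwise a matching Allow is needed, otherwise the request is implicitly denied). The bucket names and ARNs are constructed placeholders, and the evaluator ignores Condition blocks, NotAction/NotResource, resource policies, permissions boundaries and SCPs, so it illustrates the allow/deny logic from the video rather than reproducing the real IAM engine.

```python
import json
import re

# Trust policy: which principal may call sts:AssumeRole on this role. Choosing
# "EC2" as the trusted entity in the console produces a document like this.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy attached to the role: S3 read-only everywhere, plus an
# explicit Deny on one constructed bucket so the precedence rule is visible.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-secrets-bucket/*"},  # constructed
    ],
}


def render(policy):
    """Serialize a policy dict as the JSON you would paste into the console."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Service.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    # IAM policy strings support '*' (any run) and '?' (one character).
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def can_assume(trust_policy, service):
    """True if the given AWS service principal may assume the role."""
    for stmt in trust_policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        actions = _as_list(stmt.get("Action", []))
        if stmt["Effect"] == "Allow" and service in services \
                and "sts:AssumeRole" in actions:
            return True
    return False


def evaluate(policies, action, resource):
    """Simplified IAM decision: 'explicit deny', 'allow' or 'implicit deny'.

    Action names are matched case-insensitively (as IAM does); resource ARNs
    are matched case-sensitively. Statements using NotAction/NotResource or
    Condition are not modelled and are skipped.
    """
    decision = "implicit deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" not in stmt or "Resource" not in stmt:
                continue
            action_hit = any(_wildcard_match(p, action, ignore_case=True)
                             for p in _as_list(stmt["Action"]))
            resource_hit = any(_wildcard_match(p, resource)
                               for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"   # Deny short-circuits everything else
            decision = "allow"           # keep scanning for a later Deny
    return decision


if __name__ == "__main__":
    print(render(TRUST_POLICY))
    print(render(PERMISSIONS_POLICY))
    obj = "arn:aws:s3:::example-public-bucket/report.csv"   # constructed
    secret = "arn:aws:s3:::example-secrets-bucket/key.pem"  # constructed
    print(can_assume(TRUST_POLICY, "ec2.amazonaws.com"))           # True
    print(evaluate([PERMISSIONS_POLICY], "s3:GetObject", obj))     # allow
    print(evaluate([PERMISSIONS_POLICY], "s3:PutObject", obj))     # implicit deny
    print(evaluate([PERMISSIONS_POLICY], "s3:GetObject", secret))  # explicit deny
```

The useful check for a practitioner is the second and third result: the role from the video can read objects but cannot write them, because no Allow matches `s3:PutObject`, and a single Deny statement blocks even reads on the protected bucket regardless of how broad the Allow is. When in doubt about a real policy, the IAM policy simulator in the console applies the full rule set, including the elements this script leaves out.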
- Design principles
- Identity and Access Management (IAM)
- Protecting AWS credentials
- Identifying threats
- Auditing security
- Infrastructure protection
- Protecting data at rest and in transit
- Responding to security incidents
- Managing incident response