AWS Global Infra, IAM - Done

The document provides an overview of AWS identity and access management (IAM) concepts including regions, availability zones, edge locations, IAM users, groups, policies, roles, identity providers, billing alarms, and policy documents. It also includes exercises for creating IAM users and groups, attaching policies, configuring access keys, using AWS CLI with temporary security credentials, and tips for the IAM exam.

Uploaded by

Fazir M Fahmy
Copyright: © All Rights Reserved

AWS Global Infrastructure

Region, Availability Zone vs Edge location


Region - A distinct geographical area that consists of two or more Availability Zones.

Availability Zone - One or more data centers located close to each other that together
count as a single Availability Zone.

Edge location - An endpoint used for caching content.


IAM - AWS Identity and Access Management

AWS Identity and Access Management (IAM) is a global service that helps you
securely control access to AWS resources. You use IAM to control who is
authenticated (signed in) and authorized (has permissions) to use resources.

When you first create an AWS account, you begin with a single sign-in identity that
has complete access to all AWS services and resources in the account. This identity
is called the AWS account root user and is accessed by signing in with the email
address and password that you used to create the account. It is strongly
recommended that you do not use the root user for your everyday tasks, even the
administrative ones. Instead, adhere to the best practice of using the root user only
to create your first IAM user. Then securely lock away the root user credentials and
use them to perform only a few account and service management tasks.

Key terminology

Exercise
● Create an IAM user
● Create a policy with appropriate permissions
● Create a group and attach the policy to the group
● Finally, add the IAM user to the group

Create an IAM user


Create a new user under Users > Add user

● Set user name


● Access type
○ Programmatic access ✅
○ AWS Management Console access ✅
● Console password - custom
● Require password reset - ❎
● Add user to group - not now
● Review and create user
● Make sure to download the credentials file, as the access keys in it are needed
when accessing AWS through the CLI or SDK.

Create a policy
Create a custom policy under policies > create policy

● Service - select a service (EC2)


● Actions - set actions (List/Read)
● Resources - set resources (All resources)
● Review and create policy

Create a group
Create a group under groups > create new group

● Set group name


● Attach appropriate policies
● Review and create group

Finally, add the user to the group by selecting the group and choosing Group Actions >
Add Users to Group.

AWS CLI access to S3 bucket


Log in to your EC2 instance and enter "aws configure" at the prompt.

● Enter the access key ID for the user
● Enter the secret access key
● Set a default region name (us-west-1)
● Leave the output format as None by pressing Enter

AWS CLI commands

● aws s3 ls - List all buckets in the account
● aws s3 ls s3://msciam - List the contents of the bucket
● aws s3 cp s3://msciam/AWS_IAM.txt ./s3_file.txt - Download the object to a local file
● aws s3 cp hello.txt s3://msciam - Upload a local file to the bucket
● aws s3api put-object-acl --bucket msciam --key hello.txt --acl public-read - Grant
public read permission on the object

IAM role
An IAM role is similar to a user, in that it is an AWS identity with permission policies
that determine what the identity can and cannot do in AWS. However, instead of
being uniquely associated with one person, a role is intended to be assumable by
anyone who needs it. Also, a role does not have standard long-term credentials
(password or access keys) associated with it. Instead, if a user assumes a role,
temporary security credentials are created dynamically and provided to the user.

Create a role
Create a new role under roles > create role

● Select type of trusted entity (AWS service)


● Choose the service that will use this role (EC2)
● Attach permissions policies (AmazonS3FullAccess)
● Review and create role

Now you can attach that role to an EC2 instance and access the AWS resources
using AWS CLI.

Identity Providers
If you already manage user identities outside of AWS, you can use IAM identity
providers instead of creating IAM users in your AWS account. With an identity
provider (IdP), you can manage your user identities outside of AWS and give these
external user identities permissions to use AWS resources in your account. This is
useful if your organization already has its own identity system, such as a corporate
user directory. It is also useful if you are creating a mobile app or web application
that requires access to AWS resources.

Billing Alarm
● Log in as the root user
● Billing > Billing preferences > Receive Billing Alerts > Turn on
● CloudWatch > Billing > Create Alarm
○ Metric Name: EstimatedCharges
○ Threshold: EstimatedCharges > 1 USD
○ Actions: Send message to SNS topic

Policy document - JSON format


● Effect - Allow or Deny.
● Principal - The account, user, role or federated user that you want to allow or
deny access to. If you are creating this policy to attach to a user or role, you
can't include this element.
● Action - List of actions that the policy allows or denies.
● Resource - Resources to which the actions apply.
● Condition - Optional conditions under which the statement applies.
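The policy elements listed above, as an added worked example in Python. This is not code from the original document or from AWS: it models a policy document as a dictionary, validates the elements against the rules stated above (Effect is Allow or Deny; a policy attached to a user, group or role carries no Principal), and evaluates a request with a simplified version of IAM's decision logic (an explicit Deny always wins, otherwise an Allow is required, otherwise the request is implicitly denied). Condition, NotAction and NotResource are not evaluated. The two policies are constructed for this page: EC2_LIST_READ_POLICY stands in for the List/Read policy from the exercise (the console expands List/Read into the full Describe*/Get* action list), and S3_LAB_BUCKET_POLICY covers the msciam bucket used in the CLI section.

```python
"""Simplified IAM policy document helpers (added example, not AWS code).

Models Effect, Principal, Action, Resource and Condition as listed above and
applies the IAM decision rule: explicit Deny wins, an Allow is required for
access, anything not mentioned is implicitly denied. Condition elements are
accepted but not evaluated; NotAction/NotResource are not modelled.
"""
import fnmatch
import json

ALLOWED_EFFECTS = {"Allow", "Deny"}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def validate_policy(policy, identity_based=True):
    """Return a list of problems with the document; an empty list means OK.

    identity_based=True means the policy is attached to a user, group or
    role, so the rule above applies: it must not carry a Principal element.
    """
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ALLOWED_EFFECTS:
            problems.append(f"{where}: Effect must be Allow or Deny")
        if not _as_list(stmt.get("Action")):
            problems.append(f"{where}: Action is required")
        if identity_based and not _as_list(stmt.get("Resource")):
            problems.append(f"{where}: Resource is required")
        if identity_based and "Principal" in stmt:
            problems.append(f"{where}: Principal is not allowed in an identity-based policy")
        if not identity_based and "Principal" not in stmt:
            problems.append(f"{where}: Principal is required in a resource-based policy")
    return problems


def is_allowed(policy, action, resource="*"):
    """Decide one request against one policy: Deny > Allow > implicit deny.

    '*' and '?' wildcards in Action and Resource are honoured; action names
    are compared case-insensitively, as IAM treats them.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource")) or ["*"]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny cannot be overridden by any Allow
        allowed = True
    return allowed


def to_json(policy):
    """Render the document for `aws iam create-policy --policy-document file://...`."""
    return json.dumps(policy, indent=2)


# Constructed stand-in for the exercise's "EC2 List/Read on all resources" policy.
EC2_LIST_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ec2ListRead", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:Get*"], "Resource": "*"},
    ],
}

# Constructed policy for the lab bucket from the CLI section: reads and writes
# are allowed, but the Deny keeps s3:PutObjectAcl (the public-read command
# above) blocked even though "s3:Put*" would otherwise cover it.
S3_LAB_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LabBucketReadWrite", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:Put*"],
         "Resource": ["arn:aws:s3:::msciam", "arn:aws:s3:::msciam/*"]},
        {"Sid": "NoObjectAcls", "Effect": "Deny",
         "Action": "s3:PutObjectAcl", "Resource": "arn:aws:s3:::msciam/*"},
    ],
}

if __name__ == "__main__":
    print(to_json(EC2_LIST_READ_POLICY))
    print("DescribeInstances:", is_allowed(EC2_LIST_READ_POLICY, "ec2:DescribeInstances"))
    print("RunInstances:", is_allowed(EC2_LIST_READ_POLICY, "ec2:RunInstances"))
```

Running the module prints the EC2 policy as JSON ready for the create-policy command and shows that DescribeInstances is allowed while RunInstances falls through to the implicit deny; is_allowed on the S3 policy shows the Deny statement winning over the broader Put* Allow for PutObjectAcl.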

Exam tips

IAM users sign-in link:

https://<account_id/alias>.signin.aws.amazon.com/console

https://mscaws.signin.aws.amazon.com/console

Read:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Temporary Security Credentials:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
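The temporary security credentials linked above, together with the "aws configure" step from the CLI section, as an added Python example that is not part of the original document or of AWS's tooling. When a role is assumed, STS hands back a short-lived credential set instead of the long-term access key pair that aws configure asks for; the two operational differences are that a session token must travel with the key pair and that the set expires. SAMPLE_CREDENTIALS is a constructed credential set shaped like the Credentials element STS returns (placeholder values, not real keys); the environment variable names and the ~/.aws/credentials keys are the real ones the AWS CLI reads, while the profile name lab-role and the five-minute skew are assumptions made for this example.

```python
"""Handing STS temporary credentials to the AWS CLI (added example, not AWS code).

Turns a credential set shaped like the "Credentials" element of an STS
AssumeRole/GetSessionToken response into either the environment variables the
CLI and SDKs read or a named ~/.aws/credentials profile, and refuses to emit
a set that has already expired.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like STS output; the values are placeholders.
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLE000000",
    "SessionToken": "EXAMPLEsessionTOKEN.placeholder.value",
    "Expiration": "2030-01-01T12:00:00Z",
}

# Environment variable names the AWS CLI and SDKs read.
ENV_KEYS = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def parse_expiration(value):
    """Accept the ISO-8601 string the CLI prints or the datetime boto3 returns."""
    if isinstance(value, datetime):
        exp = value
    else:
        exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return exp


def seconds_remaining(creds, now=None):
    """Seconds until the credential set expires (negative once it has)."""
    now = now or datetime.now(timezone.utc)
    return (parse_expiration(creds["Expiration"]) - now).total_seconds()


def is_expired(creds, now=None, skew=timedelta(minutes=5)):
    """Treat the set as expired a little early (assumed 5 min skew) so a
    command started near the deadline does not fail half-way through."""
    return seconds_remaining(creds, now) <= skew.total_seconds()


def _require_fresh(creds, now):
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if key not in creds:
            raise ValueError(f"missing {key}: not a temporary credential set")
    if is_expired(creds, now):
        raise ValueError("temporary credentials have expired; assume the role again")


def to_environment(creds, now=None):
    """Return the three variables to export before running the CLI."""
    _require_fresh(creds, now)
    return {env: creds[field] for field, env in ENV_KEYS.items()}


def to_credentials_profile(creds, profile="lab-role", now=None):
    """Return a section for ~/.aws/credentials; select it with --profile.

    Region and output format live in ~/.aws/config, the other file that
    `aws configure` writes, so they are not part of this section.
    """
    _require_fresh(creds, now)
    return "\n".join([
        f"[{profile}]",
        f"aws_access_key_id = {creds['AccessKeyId']}",
        f"aws_secret_access_key = {creds['SecretAccessKey']}",
        f"aws_session_token = {creds['SessionToken']}",
        "",
    ])


if __name__ == "__main__":
    # Prints export lines suitable for `eval "$(python this_file.py)"`.
    for name, value in to_environment(SAMPLE_CREDENTIALS).items():
        print(f"export {name}={value}")
```

The point of the expiry check is that a role session, unlike a user's access keys, cannot simply be pasted into aws configure and forgotten: once it lapses the CLI starts failing with token errors, and the fix is to assume the role again rather than to hand out long-term keys.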
