Course

AWS Cloud
Practitioner
MaxCloud
02
Class
AWS IAM
Amazon EC2
Amazon EBS
 AWS IAM

● AWS Identity and Access Management (IAM) is a service that helps you securely control
access to AWS resources.

● With IAM, you can centrally manage permissions that control which AWS resources
users can access

● You use IAM to control who is authenticated (signed in) and authorized (has
permissions) to use resources.
 IAM user, groups, policies

● User: Is an entity that you create in AWS. Represents the human user or workload who
uses the IAM user to interact with AWS.

● Groups: is a collection of IAM users. You can specify permissions to a group and these
permissions will apply to all users in the group.

● Policies: You manage access in AWS by creating policies and attaching them to IAM
identities (users, groups, or roles). Permissions in the policies determine whether the
action is allowed or denied.
 AWS Access keys

● Access keys consist of an access key ID and secret access key, which are used
to sign programmatic requests that you make to AWS.

Example:

Access Key: AKIAIOSFODNN7EXAMPLE

Secret Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 Multi-factor authentication (MFA)
● MFA adds extra security because it requires MFA mechanism in addition to
their regular sign-in credentials when users access to AWS websites or services

● You can enable MFA for the AWS account root user and IAM users.

FIDO security Virtual MFA Hardware TOTP

key device token

DEMO: https://www.youtube.com/watch?v=7Gy1Ps_vC80
 IAM policies
{
● Effect: The effect can be Allow or Deny. "Statement": [
{
● Action: The action is the specific API "Effect": "effect",
action for which you are granting or "Action": "action",
denying permission. "Resource": "arn",
"Condition": {
"condition": {
● Resource: The resource that's affected by
"key": "value"
the action. }
}
● Condition: Conditions are optional. They }
can be used to control when your policy is ]
in effect. }
 IAM policies - Conditions
● Lets you specify conditions for when a policy is in effect.
"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}

● Example

"Condition" : { "StringEquals" : { "aws:username" : "johndoe" }}

"Condition": {"StringLike": {"s3:prefix": ["janedoe/*"]}}

"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}

 AWS Policy Generator

https://awspolicygen.s3.amazonaws.com/policygen.html
 IAM Roles

● Is an IAM identity that you can create in your account that has specific permissions.

● A role is assumable by anyone who needs it. Also, does not have standard long-term
credentials (password or access keys) associated with it. Instead, when you assume a
role, it provides you with temporary security credentials for your role session.

● You can use roles to delegate access to users, applications, or services that don't normally
have access to your AWS resources.

IAM Role
 IAM Identity Center
● AWS IAM Identity Center is the recommended AWS service for managing human user
access to AWS resources

● It is a single place where you can assign your workforce users, also known as workforce
identities, consistent access to multiple AWS accounts and applications.

● With IAM Identity Center, you can create or connect workforce users and centrally
manage their access across all their AWS accounts and applications.

● You can choose one of the following as your identity source:

○ Identity Center directory (Default)
○ Active Directory (AWS Managed Microsoft AD directory or your self-managed directory in
Active Directory (AD).)
○ External identity provider (Okta or Microsoft Entra ID)
 Grant least privilege access

● It's a best practice to grant only the access that identities require to perform specific
actions on specific resources under specific conditions.

● Use group and identity attributes to dynamically set permissions at scale, rather than
defining permissions for individual users.
Muchas
Gracias