IAM Role

Uploaded by cmani_x07
Lesson 3: Identity and Access Management (IAM)

©Simplilearn. All rights reserved

Overview of AWS IAM
IAM enables you to securely control user access to all AWS services and resources.

The key features of IAM:
1. Shared access to your account
2. Granular permissions
3. Secure access to AWS resources
4. Identity Federation
5. Identity information for assurance
6. Payment Card Industry (PCI) Data Security Standard (DSS) compliance
7. Password policy
8. Multi-Factor Authentication (MFA)
Grant permission to users to access and use resources in your AWS account without sharing your password.

[Diagram: an admin user grants access to several IAM users]
Granular permissions allow different permissions to various users to manage their access to AWS, such as:
• User access to specific services
• Specific permissions for actions
• Specific access to resources

[Diagram: a Development Team with read/write access to a volume, and Admin access to instances and volumes]
Securely allocate credentials that applications on EC2 instances require to access other AWS resources.

[Diagram: an application on EC2 uses IAM credentials to reach an S3 bucket, a database, and storage]
Identity Federation allows users with external accounts to get temporary access to AWS resources.
Log, monitor, and track what users are doing with your AWS resources.

[Diagram: an IAM admin user in Account A with full control over Accounts B and C; the actions of the IAM users in each account are logged by AWS CloudTrail to an S3 bucket]
IAM is Payment Card Industry Data Security Standard (PCI DSS) compliant.
Two-factor authentication for users and resources using MFA devices: signing in requires the user ID and password plus a code from the MFA device.
IAM allows you to define password strength and rotation policies.
IAM Policies

Description of IAM Policies
An IAM policy is:
• A document that defines one or more permissions
• Attached to users, groups, and roles
• Written in JavaScript Object Notation (JSON)
• Selected from a pre-defined AWS list of policies, or you can create your own policy
AWS has many predefined policies which allow you to define granular access to AWS resources.

There are around 200 predefined policies available for you to choose from.
The AdministratorAccess policy provides full access to AWS services and resources.
The AmazonEC2FullAccess policy provides AWS Directory Service users or groups full access to the Amazon EC2 services and resources.

[Diagram: users granted access to Amazon EC2, Elastic Load Balancer, Amazon CloudWatch, and Auto Scaling]
The AmazonS3ReadOnlyAccess policy provides read-only access to all buckets using the AWS Management Console.
AWS policies are written using JavaScript Object Notation (JSON).

Policy-wide information:
• Version: date this policy was created

One or more individual statements:
• Effect: Allow permission
• Action: S3 list bucket
• Resource: name of the S3 bucket
Knowledge Check
KNOWLEDGE CHECK: What does JSON stand for?

a. JavaScript Orientated Notation
b. JavaScript Object Notation
c. JavaScript Object Notes
d. JavaScript Open Notation

The correct answer is b.

JSON stands for JavaScript Object Notation and is used to write IAM policies.
KNOWLEDGE CHECK: In a JSON policy, what does the "effect" statement define?

a. Whether the user is granted or denied permission
b. The commands a user can perform
c. The resources a user can run a command against
d. Whether the user needs to use MFA to authenticate

The correct answer is a.

The "effect" statement defines what the effect will be when the user requests access: either allow or deny.
KNOWLEDGE CHECK: What permissions would the AmazonEC2FullAccess policy give a user?

a. Full access permissions to only EC2 instances
b. Full access to all AWS resources including EC2
c. Full access permissions to Amazon EC2 and only Elastic Load Balancing
d. Full access to Amazon EC2, Elastic Load Balancer, and Amazon CloudWatch

The correct answer is d.

This policy provides an AWS Directory Service user or group with full access to Amazon EC2 services and the associated services and resources: Amazon Elastic Compute Cloud, Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling.
Users are defined as the people or systems that use your AWS resources.

[Diagram: people (admins, end users) and systems as IAM users accessing AWS resources]
AWS provides numerous ways to provide secure user access to your AWS resources (security credentials):

Email address and password
• They are created when you sign up to use AWS
• They are used to sign in to AWS web pages

IAM user name and password
• They allow multiple individuals or applications access to your AWS account
• Individuals use their user names and passwords to sign in

Key pairs
• They consist of a public and private key
• A private key is used to create a digital signature
• AWS uses the corresponding public key to validate the signature

Access keys
• They consist of an access key and a secret access key
• They use access keys to sign programmatic requests

Multi-Factor Authentication (MFA)
• With AWS MFA enabled, users are prompted for a user name and password and for an authentication code from an MFA device
If you were the AWS administrator of your company, which of the following options would you use to grant user access to the AWS account?

[Options A and B were shown as images]
Knowledge Check
KNOWLEDGE CHECK: What will automatically be generated when you create a new user?

a. Access Key ID and Secret Access Key
b. MFA token and password
c. Secret Key and Encrypted Key
d. Access Token and Access Key

The correct answer is a.

New users have an Access Key ID and Secret Access Key generated, which are viewable only at the time they are created.
KNOWLEDGE CHECK: What is the first step when you set up an AWS account?

a. Use CloudTrail to configure your account
b. Set up a role that has the same name as your company
c. Set up an account with your company email address
d. Create a JSON policy to define who in your company can log in

The correct answer is c.

The first step is to create an account using your company email address. This account will be the root account.
AWS defines a group as a collection of users that inherit the same set of permissions.

[Diagram: an admin places users Mike, Jane, Marc, Ann, Sara, and Jim into Developers and Admins groups, which are granted access to Amazon EC2 and AWS Elastic Beanstalk]
Knowledge Check
KNOWLEDGE CHECK: How does AWS define a group?

a. A collection of roles that share similar policy documents
b. A collection of users that all inherit the same set of permissions
c. An entity that controls secure access to EC2 resources
d. A resource to use when setting up MFA

The correct answer is b.

An IAM group is a collection of IAM users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users.
IAM Roles

Description of IAM Roles
IAM Roles are:
• AWS identities with permission policies that determine the access available to the identities
• Very similar to users
• Not password protected and do not require access keys
• Assumed by anyone who requires them
Roles are used to provide access to users, applications, and services that do not have permissions to use AWS resources.

[Diagram, inside an AWS account: 1. Admin creates a role (Get-pics) that grants access to the photos bucket. 2. Developer launches an EC2 instance with the role. 3. The application retrieves the role credentials from the instance profile. 4. The application gets photos from the Amazon S3 photos bucket using the role credentials.]
Knowledge Check
KNOWLEDGE CHECK: How do you assign permissions to an IAM user, group, or role?

a. Using a security group
b. Using a permissions document
c. Using a policy document
d. Using Identity Federation

The correct answer is c.

A policy document written in JSON is used to assign permissions.

IAM Best Practices


 ©Simplilearn. All rights reserved
Overview of the IAM Best
Practices

52
The benefits of creating individual IAM users:
• Unique credentials for everyone
• Control permissions at an individual level
• Easier to rotate credentials
• No shared accounts
• Easier to identify security breaches
When creating IAM policies, granting "least privilege" means that:
• You only grant required permissions
• It's more secure to start with minimum permissions
• It's easier to grant permissions than revoke them
• You protect your assets
Use permissions with groups to minimize the workload:

Easy to assign new permissions
• It is easier to assign a new permission to a group than to assign it to many individual users.

Simple to reassign permissions
• It is simpler to reassign permissions if a user has a change in responsibilities.
Use additional conditions such as MFA and Security Groups to ensure only the intended users get access.

[Diagram: users at IP address 1 (192.168.1.10), IP address 2 (192.125.15.11), and IP address 3 (192.115.11.12) reaching a production server through a security group]
AWS has several features to log user actions:
• Logs
• AWS CloudTrail

[Diagram: an IAM admin user in Account A with full control over Accounts B and C; the actions of the IAM users in each account are logged by AWS CloudTrail to an S3 bucket]
Ensure that all your users have strong passwords and they rotate their passwords regularly.
IAM Roles remove the need for your developers to store or pass credentials to AWS EC2.

[Diagram, inside an AWS account: 1. Admin creates a role (Get-pics) that grants access to the photos bucket. 2. Developer launches an EC2 instance with the role. 3. The application retrieves the role credentials from the instance profile. 4. The application gets photos from the Amazon S3 photos bucket using the role credentials.]
To reduce the potential for misuse, run a credential report to identify users that are no longer in use and can be removed.
Knowledge Check
KNOWLEDGE CHECK: What does MFA stand for?

a. Multi-Faced Access
b. Multi-Factor Administration
c. Mission Factored Authentication
d. Multi-Factor Authentication

The correct answer is d.

For increased security, AWS recommends that you configure multi-factor authentication (MFA) to help protect your AWS resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device or SMS text message when they access AWS websites or services.
KNOWLEDGE CHECK: What AWS tool is used to track, monitor, and log IAM user activity?

a. CloudFormation
b. Inspector
c. CloudWatch
d. CloudTrail

The correct answer is d.

CloudTrail is used to track user activity. CloudFormation allows you to manage resources with templates, CloudWatch monitors application activity, and Inspector analyzes application security.
As the admin for your company's AWS account, you need to assign permissions to four new users:
• Two users require full access to EC2.
• One user requires administration access to all AWS resources.
• One user requires read-only access to S3.

Use AWS best practices when configuring the user access, so ensure you use groups.
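The policy evaluation this lesson describes (Effect, Action and Resource in a JSON document; permissions inherited through groups; least privilege via the implicit deny; MFA and source-IP conditions), applied to the four-user exercise above. This is an added Python example, not code from Simplilearn or AWS: the policy documents are simplified stand-ins for the managed policies the lesson names, the user names are constructed, and 192.168.1.0/24 is an assumed office network range.

```python
import fnmatch
import ipaddress

# Constructed stand-ins for the managed policies the lesson names (simplified, not the real AWS
# documents); the EC2 one adds the MFA and source-IP conditions the lesson recommends.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17", "Statement": [  # Version = policy-language version
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
EC2_FULL_ACCESS_MFA_IP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:*", "elasticloadbalancing:*", "cloudwatch:*", "autoscaling:*"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                   "IpAddress": {"aws:SourceIp": "192.168.1.0/24"}}}]}  # assumed office range
# Group-based assignment for the exercise's four new users: nothing is attached per user.
GROUP_POLICIES = {"Admins": [ADMINISTRATOR_ACCESS],
                  "EC2Admins": [EC2_FULL_ACCESS_MFA_IP], "S3Readers": [S3_READ_ONLY]}
USER_GROUPS = {"ann": ["EC2Admins"], "jim": ["EC2Admins"], "mike": ["Admins"], "sara": ["S3Readers"]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    """Minimal Condition support: Bool and IpAddress (CIDR); unknown operators never pass."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool" and str(have).lower() == str(want).lower():
                continue
            if op == "IpAddress" and have is not None and any(
                    ipaddress.ip_address(have) in ipaddress.ip_network(c) for c in _as_list(want)):
                continue
            return False
    return True

def evaluate(policies, action, resource="*", ctx=None):
    """Explicit Deny wins; else Allow if any statement allows; else IAM's implicit Deny."""
    ctx, decision = ctx or {}, "Deny"
    for stmt in (s for p in policies for s in p["Statement"]):
        if (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                and _condition_ok(stmt.get("Condition", {}), ctx)):  # actions ignore case, ARNs do not
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def user_decision(user, action, resource="*", ctx=None):
    # A user's permissions come only through group membership, as the best practice above advises.
    policies = [p for g in USER_GROUPS.get(user, []) for p in GROUP_POLICIES[g]]
    return evaluate(policies, action, resource, ctx)
```

Requests without a matching Allow statement fall to the implicit Deny, which is why the EC2 admins get nothing without MFA from the office range and the S3 reader cannot write.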
• AWS Identity and Access Management (IAM) allows you to securely control access to AWS services and resources for your users.
• Policies are written in JSON and allow you to define granular access to AWS resources.
• Users are the people or systems that use your AWS resources, like admins, end users, or systems, which need permissions to access your AWS data.
• Groups are a collection of users that inherit the same set of permissions and can be used to reduce your user management overhead.
• IAM roles can be assumed by anyone who needs them, and they do not have access keys or passwords associated with them.
• AWS has a list of IAM best practices to ensure your environment is secure and safe.