AWS Identity and Access Management (IAM)
Published on 01/12/2019
2 min read
IAM lets you manage users and their level of access to the AWS console and APIs. It's important to understand for administration.
- centralized control of AWS account
- Granular Permissions
- multi-factor auth
- Identity Federation (Facebook, LinkedIn, etc)
Provides temporary access for users, devices and services where necessary.
- i.e. to store things in DynamoDB or S3.
Users - End users (think people).
Groups - A collection of users under one set of permissions.
- i.e. System Admins, Finance, etc.
Roles - You create roles and can then assign them to AWS resources.
- i.e. you have an EC2 instance and give it a role that allows access to S3. That EC2 instance can then write files directly to S3. This avoids having to set up a username and password (or long-lived access keys) for the EC2 instance; the instance gets short-lived credentials that AWS rotates automatically.
Policies - A JSON document that defines one (or more) permissions.
- You 'attach' policies to users, groups and roles.
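To make the user/group/role/policy model concrete, here is an added example (not code from the original notes) that models how IAM decides a request: every policy attached to a principal, directly or via its groups, is collected, and the request is allowed only if some statement allows it and no statement explicitly denies it. It also shows the two policies a role carries: the permissions policy and the trust policy that says who may assume it (here the EC2 service, as in the S3 example above). The bucket name `example-bucket` and the Finance group policy are made-up values; conditions, `NotAction`/`NotResource`, resource-based policies, permission boundaries and SCPs are left out.

```python
"""Simplified IAM policy evaluation (added example, not from the original notes).

Policies are JSON documents attached to users, groups and roles. A principal's
effective permissions are the union of every policy attached to it, and a
request is decided by: explicit Deny wins, otherwise any matching Allow,
otherwise implicit Deny. Conditions, NotAction/NotResource, resource-based
policies, permission boundaries and SCPs are omitted. "example-bucket" is a
made-up bucket name.
"""
import fnmatch

# Permissions policy attached to the role an EC2 instance assumes to use S3.
S3_RW_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Trust policy of that role: only the EC2 service may assume it.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed policy for a "Finance" group: broad S3 access, but never delete
# from the bucket. The explicit Deny wins over any Allow a member might have.
FINANCE_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, case_sensitive):
    """IAM '*' and '?' wildcards; action names are case-insensitive, ARNs are not."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_glob(a, action, False) for a in actions)
            and any(_glob(r, resource, True) for r in resources))


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against all policies."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit Deny anywhere ends the evaluation
            decision = "Allow"     # keep looking: a later Deny still wins
    return decision


def effective_policies(user_policies, group_policies):
    """A user's effective policy set: its own policies plus those of every group it is in."""
    return list(user_policies) + [p for group in group_policies for p in group]


def can_assume(trust_policy, principal_type, principal_id):
    """Does the trust policy let this principal (e.g. Service ec2.amazonaws.com) call sts:AssumeRole?"""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        if principal_id in _as_list(principal.get(principal_type, [])):
            return True
    return False


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate([S3_RW_ROLE_POLICY], "s3:PutObject", obj))       # Allow
    print(evaluate([S3_RW_ROLE_POLICY], "s3:DeleteObject", obj))    # ImplicitDeny
    # A user-level Allow cannot override the group's explicit Deny.
    user_inline = [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "*"}]}]
    print(evaluate(effective_policies(user_inline, [[FINANCE_GROUP_POLICY]]),
                   "s3:DeleteObject", obj))                           # Deny
    print(can_assume(EC2_TRUST_POLICY, "Service", "ec2.amazonaws.com"))  # True
```

The point worth noticing is the ordering rule in `evaluate`: an Allow is remembered but never returned early, because a Deny in any later policy (for instance one attached to a group the user belongs to) must still override it.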
- IAM doesn't have a region; the console just says Global. Users, groups and roles you create are available across all regions.
- The IAM users sign-in link at the top contains your account number.
- The "root account" is the identity created with the email address you used to sign up to AWS. It has unrestricted access to the account and can't be limited by IAM policies, so protect it with MFA and don't use it for day-to-day work.
- Enable "multi-factor authentication" using a virtual MFA device, which requires a compliant (TOTP) authenticator app installed on your phone or PC.
- Downloaded the "Google Authenticator" app for iOS, scanned the QR code and entered the codes it generated. It was set up successfully.
- Create a group, attach policies (permission documents) to it, then add users to that group. Managing permissions through groups is easier to audit than attaching policies to individual users.
- Each user can have an "Access key ID" and a "Secret access key"; these credentials are used to interact with services (i.e. EC2, S3) programmatically, through the command line interface or the SDKs.
- When logging into the console, you use a "username" and "password".
- You can add permissions to an individual user, pretty straight forward.
- The secret access key is only shown when the key is created and can't be retrieved later. If you lose a user's secret access key, create a new access key (a user can have at most two), switch to it, then deactivate and finally delete the old one.
- The account password policy allows granular control over 'allowable' passwords, i.e. must have one uppercase letter and one symbol and be at least 10 characters long.
- Roles are a way to grant permissions to entities that you trust (i.e. an IAM user in a different account, or application code running in an EC2 instance that needs to write to S3). The role's trust policy defines who may assume it; its permissions policies define what they can then do.
- To set up a spending budget: click on the username dropdown, select "My Billing Dashboard", select "Budgets" from the menu, click the 'Create budget' button, then follow the prompts.
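As an added example for the account password policy note above (not code from the original notes), the following checks candidate passwords against the same requirements IAM's account password policy exposes: the knobs correspond to `aws iam update-account-password-policy --minimum-password-length`, `--require-uppercase-characters`, `--require-lowercase-characters`, `--require-numbers` and `--require-symbols`. The symbol set is the one IAM documents for its password policy; the sample passwords are constructed.

```python
"""Account password-policy check (added example, not from the original notes).

Models the IAM account password policy: minimum length plus optional
uppercase / lowercase / number / symbol requirements. IAM only counts the
documented symbol set below as symbols, so a password whose only
"symbol" is a period still fails RequireSymbols. Sample passwords are
constructed.
"""
from dataclasses import dataclass
import string

# Non-alphanumeric characters IAM recognises for the RequireSymbols rule.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int
    require_uppercase: bool
    require_lowercase: bool
    require_numbers: bool
    require_symbols: bool


# The policy from the note: one uppercase letter, one symbol, at least 10 characters.
NOTES_POLICY = PasswordPolicy(minimum_length=10, require_uppercase=True,
                              require_lowercase=False, require_numbers=False,
                              require_symbols=True)


def violations(policy, password):
    """Return the requirements the password fails, named after the IAM policy fields.

    An empty list means the password would be accepted under this policy.
    """
    failed = []
    if len(password) < policy.minimum_length:
        failed.append(f"MinimumPasswordLength {policy.minimum_length}")
    if policy.require_uppercase and not any(c in string.ascii_uppercase for c in password):
        failed.append("RequireUppercaseCharacters")
    if policy.require_lowercase and not any(c in string.ascii_lowercase for c in password):
        failed.append("RequireLowercaseCharacters")
    if policy.require_numbers and not any(c in string.digits for c in password):
        failed.append("RequireNumbers")
    if policy.require_symbols and not any(c in IAM_SYMBOLS for c in password):
        failed.append("RequireSymbols")
    return failed


def is_allowed(policy, password):
    return not violations(policy, password)


if __name__ == "__main__":
    for candidate in ["correcthorse", "Correct.horse", "Short!1", "Correct-horse"]:
        print(candidate, violations(NOTES_POLICY, candidate))
```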