In this video
we will introduce:
What is IAM?
What are the features of IAM?
How do we access IAM?
How does IAM work?
AWS Identity and Access Management
What is IAM?
AWS Identity and Access Management (IAM)
is a web service
that enables us to provide access control to AWS resources.
When we first created our AWS account, we were able to access all of the AWS services and resources in our account
by just using our email address.
This is what's known as the root user account.
AWS recommends as a best practice
that we not use that account for daily use, but rather that we create an IAM user account instead.
We should still ensure that we store our root user credentials in a secure place.
IAM provides us with the following features:
Shared access to our AWS accounts.
This means that we can grant permission to others to administer and use resources in our AWS account without sharing our user credentials.
We can grant customized permissions to different users for specific resources.
Secure access to AWS resources running on Amazon EC2.
We have only mentioned EC2 at a high level in previous videos, but essentially EC2 is a virtual machine running on the AWS platform.
Using IAM we can securely provide the necessary credentials to access applications running on the EC2 instance.
Multi-factor authentication.
If you have been following along, you will remember that we enabled MFA when we set up our AWS account.
This is actually one of the features offered by IAM.
Identity federation is a feature where we can permit users who have credentials elsewhere (think a Facebook account) to get temporary access to our AWS account.
Identity information for assurance.
Again, we have only discussed CloudTrail
at a very high level.
But CloudTrail is an AWS auditing service.
We can enable CloudTrail to work with IAM to provide us with logs that detail who made requests for resources within our AWS account.
Free to use.
AWS Identity and Access Management and AWS Security Token Service are features of our AWS account offered at no additional charge.
We will be charged when we access other AWS services using our IAM users or STS temporary credentials.
We will discuss AWS pricing further in future lessons.
Accessing IAM.
We can access IAM in four different ways:
Via the Management Console.
This will be the primary manner in which we access IAM throughout this course.
Via AWS command line tools.
AWS provides two sets of command line tools:
the AWS Command Line Interface and the AWS Tools for Windows PowerShell.
The command line tools would likely be used by more advanced AWS power users and are beyond the scope of our course.
Via AWS SDKs.
AWS provides SDKs (software development kits)
that are made up of libraries and sample code for
popular programming languages and platforms such as Java, Python, Ruby, .NET, iOS, Android, et cetera.
Again, this would likely be used by more advanced AWS power users
and is not within the scope of our course.
Via the IAM HTTPS API.
Again, a developer might access IAM via an application that he or she created
that calls the AWS HTTPS API.
How does IAM work? IAM is a complex topic, but from a high level we can break down its major components. There are some new terms that we will need to be aware of to gain a good understanding of the IAM processes.
Resources. These contain the user, role, group and policy objects
that are stored
in IAM.
We're able to add, edit and remove resources from IAM.
Identities. These are the IAM resource objects that are used for the purpose of identifying and grouping.
These will include users, groups and roles.
Entities. These are the IAM resource objects that AWS uses for authentication.
These will include users and roles.
Roles can be assumed by IAM users
in our own or in a different account,
as well as by users federated through an identity service such as Facebook or SAML, which stands for Security Assertion Markup Language.
Principals. A person or application that uses an entity to sign in and make requests to AWS.
So what is the principal?
A principal is a person or application
that makes a request for an action or operation on an AWS resource.
As a principal,
you first sign in as the AWS account root user. As the best practice,
we do not use our root user account for our daily work.
Instead, we create IAM entities, users and roles. We can also support federated users programmatically by,
let's say, a developer writing a front-end application that calls an AWS API.
When a principal tries to use the AWS Management Console,
the AWS API
or the AWS CLI,
that principal sends a request to AWS.
The request includes the following information:
Actions or operations. The actions or operations
that the principal wants to perform.
This could be an action in the AWS Management Console
or an operation in the AWS CLI or AWS API.
Resources. The AWS resource object
upon which the actions or operations will be performed.
Principal. As we already discussed, the principal is the person or application that used an entity,
a user or a role, to send the request.
Information about the principal includes the policies that are associated with the entity that the principal used to sign in.
Information about the IP address, user agent,
SSL enabled status,
or perhaps the time of day.
Resource data: data related to the resource that is being requested.
This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.
AWS gathers the request information into what it calls a request context,
which is then used to evaluate and authorize requests.
Authentication. So as a principal, we must be authenticated, that is, signed into AWS using an IAM entity,
to send a request to AWS.
Now, some services such as Amazon S3
allow a few requests from anonymous users,
but they are the exception to the rule.
To authenticate from the console as a user, you of course must sign in with your user name and password.
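To make the request-context evaluation described above concrete, here is an added Python example. It is not code from the video or from AWS, and it is a deliberately simplified model of how a request context is checked against a policy, not the AWS evaluation engine itself. It assumes a constructed identity-based policy for a fictitious account 111122223333 that uses the condition keys aws:SourceIp and aws:MultiFactorAuthPresent, and it shows how the action, the resource and the environment data in the request context decide between an explicit deny, an allow and the implicit default deny.

```python
import ipaddress
import json
from fnmatch import fnmatchcase

# Constructed identity-based policy (example data, not taken from the video).
# It allows reading one DynamoDB table, but only from an office network and only
# when the caller signed in with MFA; it explicitly denies terminating EC2
# instances regardless of any other statement.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:Query"],
      "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "Bool": {"aws:MultiFactorAuthPresent": "true"}
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*"
    }
  ]
}
""")

ORDERS = "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"  # constructed ARN


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate a Condition block: every operator/key pair must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # key absent from the request context: condition fails
            if operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                if not any(addr in ipaddress.ip_network(cidr) for cidr in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                return False  # unknown operator: fail closed rather than allow
    return True


def _statement_applies(statement, request):
    """A statement applies when action, resource and condition all match."""
    action_ok = any(fnmatchcase(request["action"], a) for a in _as_list(statement["Action"]))
    resource_ok = any(fnmatchcase(request["resource"], r) for r in _as_list(statement["Resource"]))
    condition_ok = _condition_matches(statement.get("Condition", {}), request["context"])
    return action_ok and resource_ok and condition_ok


def evaluate(policy, request):
    """Return 'Allow' or 'Deny'. Precedence: explicit Deny > Allow > implicit Deny."""
    decision = "Deny"  # implicit deny until an Allow statement applies
    for statement in policy["Statement"]:
        if not _statement_applies(statement, request):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def build_request(action, resource, source_ip, mfa):
    """Assemble a request context like the one AWS builds from a signed request."""
    return {
        "action": action,
        "resource": resource,
        "context": {
            "aws:SourceIp": source_ip,
            "aws:MultiFactorAuthPresent": "true" if mfa else "false",
        },
    }


if __name__ == "__main__":
    print(evaluate(POLICY, build_request("dynamodb:GetItem", ORDERS, "203.0.113.7", True)))   # Allow
    print(evaluate(POLICY, build_request("dynamodb:GetItem", ORDERS, "198.51.100.7", True)))  # Deny: wrong network
    print(evaluate(POLICY, build_request("dynamodb:GetItem", ORDERS, "203.0.113.7", False)))  # Deny: no MFA
    print(evaluate(POLICY, build_request("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0", "203.0.113.7", True)))  # Deny: explicit
```

The point to notice is the default: a request that matches no statement is denied, a request that matches an Allow is permitted only if every condition in that statement also holds, and a matching Deny overrides any Allow no matter where it sits in the policy.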
What is IAM?
IAM is AWS Identity and Access Management.
It's a web service that provides access control to AWS resources.
How can we access IAM?
Access IAM via the AWS Management Console,
via AWS command line tools,
the AWS software development kits,
and the AWS IAM HTTPS API.
Can I use my Facebook account to gain temporary access to our AWS account?
AWS supports the use of federated identities to gain temporary access to our AWS accounts.
In this video
we introduced the concept of what IAM is,
we learned what the features of IAM are,
we learned how to access IAM,
and we took a relatively deep dive into how IAM works.
In the next video, we will do more hands-on exercises to apply the concepts that we learned in this video.