3.1 What is IAM? - Identity and Access Management

00:00

In this video

00:01

we will introduce

00:03

What is I am

00:07

What are the features of I am

00:15

How do we access? I am

00:20

How does I am? Work

00:27

A W s identity and access management

00:31

What is I am

00:33

aws I didn t and access management I am

00:37

is a Web service

00:39

that enables us to provide access control to AWS Resource is

00:43

when we first created our AWS account Were able to access all eight of US Service's and resource is in our account

00:49

by just using our email address

00:52

This is what's known as the route user account

00:56

Ed W recommends as best practice

00:59

that we not use that account for daily use but rather that we create an I am user account Instead

01:06

We should still ensure that we store our route user credentials in a secure place

01:11

I am provides us with the following features

01:15

shared access to our AWS accounts

01:18

This means that we can grant permission to others to administer and use Resource is in our AWS account without sharing our user credentials

01:27

granular permissions

01:30

we can grant customized permissions different users for specific resource is

01:36

secure access to AWS resource is running on Amazon Easy to

01:42

We have only mentioned easy to at a high level in previous videos, but essentially E C two is a virtual machine running on the AWS platform.

01:52

Using I am weaken securely provide the necessary credentials toe access applications running on the E. C. Two instance

02:00

multi factor authentication.

02:04

If you have been following along you remember that we enabled m f a o when we set up our u A r a W s account.

02:10

This is actually one of the features offered by I am

02:16

Identity Federation.

02:19

Identity Federation is a feature where we can permit users who have credentials elsewhere. Think a Facebook account to get temporary access to our AWS account

02:31

identity information for assurance.

02:36

Again, we have only discussed cloudtrail

02:38

at a very high level.

02:40

But cloud trail is an AWS auditing service.

02:45

Weaken able cloudtrail to work with I am to provide us with logs that will detail who may request for resource is within our AWS account

02:54

Free to use

02:57

A W s identity and access Management and AWS security Token service are features of R. A. W s account offered at no additional charge.

03:07

However,

03:08

we will be charged when we access other AWS service is using our I am users or STS temporary credentials.

03:20

We will discuss A W s pricing further and future lessons

03:24

accessing I am.

03:28

We can access. I am in four different ways

03:31

by the Management Council.

03:35

This will be the primary manner in which we access. I am throughout this course

03:40

via AWS command line tools.

03:44

AWS provides two sets of command line tools

03:49

the AWS command line interface and the AWS tools for Windows Power show

03:54

The command line tools would likely be used by more advanced AWS power users and is beyond the scope of our course

04:05

by AWS sdk.

04:09

AWS provides s decays software development kids

04:14

that are made up of libraries and sample code for

04:17

popular programming languages and platforms such as Java, python, ruby dot net, IOS, android, et cetera.

04:28

Again, this would likely be used by more advanced A W s power users

04:32

and is not within the scope for our course.

04:36

I am https a p I.

04:41

Again a developer might access I am via an application that he or she created

04:47

that calls the A W s H T T p s a p I

04:53

How does I am? Work I am is a complex topic, but from a high level, we can break down its major components. There are some new terms that we will need to be aware of to gain a good understanding of the I am processes.

05:08

Resource is

05:10

contains the user roll group and policy objects

05:15

that are stored

05:15

in I am

05:17

were able to add, edit and remove. Resource is from I

05:23

identities. These are I am resource objects that I use for the purpose of identifying and grouping.

05:32

These will include users, groups and rolls

05:36

entities.

05:39

These are the I am resource objects that AWS uses for authentication.

05:45

These will include users and rolls.

05:48

Roles can be assumed by I am users

05:53

in our or in a different account

05:56

as well as users. Federated threw away my identity service such as Facebook or S AML, which stands for security assertion, markup language

06:08

principles,

06:10

a person or application that uses an entity to sign in and make requests to AWS.

06:15

So what is the principle?

06:18

Ah, principal is a person or application

06:21

that makes request for an action or operation on AWS Resource.

06:27

As a principal,

06:29

You first sign in as the AWS account route user as the best practice.

06:34

We do not use our route user account for our daily work.

06:39

Instead, we create I am entities, users and rolls. We can also support Federated users programmatically by,

06:49

Let's say, a developer writing a front and application that calls in a w a s a p I

06:57

request.

06:59

When a principle tries to use the AWS management console

07:01

the AWS a p i

07:04

or the AWS

07:06

cli

07:09

that principal sends a request to AWS.

07:12

The request includes the following information,

07:15

actions or operations the actions or operation

07:20

that the principal wants to perform.

07:23

This could be an action in the AWS Management Council

07:27

or an operation in the AWS CLI or A W A s a P I

07:31

resource is a w as resource object

07:35

upon which the actions or operations will be performed

07:41

Principle

07:42

as we already discussed the principle is the person or application that used in MT

07:48

user a role to send the request

07:51

Information about the principal includes the policies that are associated with entity that the principal used to sign in

08:00

environment data

08:01

information about the I P address user agent

08:05

s s l N able status,

08:09

or perhaps the time of day

08:11

resource data

08:13

data related to the resource that is being requested.

08:16

This can include information such as a Dynamos database, table name or a tag on Amazon. Ec2. Instance,

08:28

a U. S. Gathers the request information into what it calls a request context,

08:33

which is then used to evaluate an authorized requests authentication.

08:39

So as a principle, we must be authenticated that is signed into AWS using an I am entity

08:46

to send a request to end of us.

08:50

Now, some service is such as Amazon s three

08:52

or Amazon

08:54

STS.

08:56

Allow a few requests from anonymous users,

09:00

but they are the exception to the rule

09:03

to authenticate from the council. As a user, you, of course, must sign in with your user name and password.

09:15

What is I am

09:18

I am is the eight of us? I didn't an Axis management.

09:22

It's a Web service that provides access control to aws. Resource is

09:28

how can we access? I am

09:31

excess. I am via the AWS Management Council

09:35

by A W s command line tools,

09:39

the AWS Software Development kit

09:43

and the AWS. I am H T T P s a p I

09:48

Can I use my Facebook account? Gain temporary access to our aws count.

09:56

Yes.

09:58

AWS supports the use of Federated Identities to gain temporary access to our AWS accounts.

10:07

In this video

10:07

we introduced the concept of wood is I am

10:11

we learned What are the features of I am

10:16

We learned how to access I am

10:20

and we took a relatively deep dive into How does I am work