3.1 What is IAM? - Identity and Access Management


Time: 3 hours 27 minutes
Difficulty: Beginner
CEU/CPE: 4
Video Transcription
00:00
In this video
00:01
we will introduce
00:03
what is IAM,
00:07
what are the features of IAM,
00:15
how do we access IAM,
00:20
and how does IAM work.
00:27
AWS Identity and Access Management
00:31
What is IAM?
00:33
AWS Identity and Access Management (IAM)
00:37
is a Web service
00:39
that enables us to provide access control to AWS resources.
00:43
When we first created our AWS account, we were able to access all AWS services and resources in our account
00:49
by just using our email address.
00:52
This is what's known as the root user account.
00:56
AWS recommends as a best practice
00:59
that we not use that account for daily use, but rather that we create an IAM user account instead.
01:06
We should still ensure that we store our root user credentials in a secure place.
01:11
IAM provides us with the following features:
01:15
shared access to our AWS account.
01:18
This means that we can grant permission to others to administer and use resources in our AWS account without sharing our user credentials.
01:27
granular permissions.
01:30
We can grant customized permissions to different users for specific resources.
01:36
secure access to AWS resources running on Amazon EC2.
01:42
We have only mentioned EC2 at a high level in previous videos, but essentially EC2 is a virtual machine running on the AWS platform.
01:52
Using IAM we can securely provide the necessary credentials to access applications running on the EC2 instance.
02:00
multi-factor authentication.
02:04
If you have been following along, you remember that we enabled MFA when we set up our AWS account.
02:10
This is actually one of the features offered by IAM.
02:16
identity federation.
02:19
Identity federation is a feature where we can permit users who have credentials elsewhere (think a Facebook account) to get temporary access to our AWS account.
02:31
identity information for assurance.
02:36
Again, we have only discussed CloudTrail
02:38
at a very high level.
02:40
But CloudTrail is an AWS auditing service.
02:45
We can enable CloudTrail to work with IAM to provide us with logs that will detail who made requests for resources within our AWS account.
02:54
free to use.
02:57
AWS Identity and Access Management and AWS Security Token Service are features of our AWS account offered at no additional charge.
03:07
However,
03:08
we will be charged when we access other AWS services using our IAM users or STS temporary credentials.
03:20
We will discuss AWS pricing further in future lessons.
03:24
Accessing IAM.
03:28
We can access IAM in four different ways:
03:31
via the Management Console.
03:35
This will be the primary manner in which we access IAM throughout this course.
03:40
via AWS command line tools.
03:44
AWS provides two sets of command line tools:
03:49
the AWS Command Line Interface and the AWS Tools for Windows PowerShell.
03:54
The command line tools would likely be used by more advanced AWS power users and are beyond the scope of our course.
04:05
via AWS SDKs.
04:09
AWS provides SDKs, software development kits,
04:14
that are made up of libraries and sample code for
04:17
popular programming languages and platforms such as Java, Python, Ruby, .NET, iOS, Android, et cetera.
04:28
Again, this would likely be used by more advanced AWS power users
04:32
and is not within the scope for our course.
04:36
IAM HTTPS API.
04:41
Again, a developer might access IAM via an application that he or she created
04:47
that calls the AWS HTTPS API.
04:53
How does IAM work? IAM is a complex topic, but from a high level we can break down its major components. There are some new terms that we will need to be aware of to gain a good understanding of the IAM processes.
05:08
Resources
05:10
contain the user, role, group and policy objects
05:15
that are stored
05:15
in I am
05:17
We are able to add, edit and remove resources from IAM.
05:23
Identities. These are IAM resource objects that are used for the purpose of identifying and grouping.
05:32
These will include users, groups and roles.
05:36
Entities.
05:39
These are the IAM resource objects that AWS uses for authentication.
05:45
These will include users and roles.
05:48
Roles can be assumed by IAM users
05:53
in our own or in a different account,
05:56
as well as by users federated through a web identity service such as Facebook, or SAML, which stands for Security Assertion Markup Language.
06:08
Principals:
06:10
a person or application that uses an entity to sign in and make requests to AWS.
06:15
So what is a principal?
06:18
A principal is a person or application
06:21
that makes a request for an action or operation on an AWS resource.
06:27
As a principal,
06:29
you first sign in as the AWS account root user. As the best practice,
06:34
we do not use our root user account for our daily work.
06:39
Instead, we create IAM entities, users and roles. We can also support federated users programmatically by,
06:49
let's say, a developer writing a front-end application that calls an AWS API.
06:57
Request.
06:59
When a principal tries to use the AWS Management Console,
07:01
the AWS API
07:04
or the AWS
07:06
CLI,
07:09
that principal sends a request to AWS.
07:12
The request includes the following information:
07:15
actions or operations: the actions or operations
07:20
that the principal wants to perform.
07:23
This could be an action in the AWS Management Console
07:27
or an operation in the AWS CLI or AWS API.
07:31
resources: the AWS resource object
07:35
upon which the actions or operations will be performed.
07:41
Principal.
07:42
As we already discussed, the principal is the person or application that used an entity,
07:48
a user or a role, to send the request.
07:51
Information about the principal includes the policies that are associated with the entity that the principal used to sign in.
08:00
environment data:
08:01
information about the IP address, user agent,
08:05
SSL enabled status,
08:09
or perhaps the time of day
08:11
resource data:
08:13
data related to the resource that is being requested.
08:16
This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.
08:28
AWS gathers the request information into what it calls a request context,
08:33
which is then used to evaluate and authorize requests. Authentication.
08:39
So as a principal, we must be authenticated, that is, signed into AWS using an IAM entity,
08:46
to send a request to AWS.
08:50
Now, some services such as Amazon S3
08:52
or Amazon
08:54
STS.
08:56
allow a few requests from anonymous users,
09:00
but they are the exception to the rule.
09:03
To authenticate from the console as a user, you, of course, must sign in with your user name and password.
09:15
What is IAM?
09:18
IAM is AWS Identity and Access Management.
09:22
It's a web service that provides access control to AWS resources.
09:28
How can we access IAM?
09:31
Access IAM via the AWS Management Console,
09:35
via AWS command line tools,
09:39
the AWS Software Development Kit
09:43
and the AWS IAM HTTPS API.
09:48
Can I use my Facebook account to gain temporary access to our AWS account?
09:56
Yes.
09:58
AWS supports the use of federated identities to gain temporary access to our AWS accounts.
10:07
In this video
10:07
we introduced the concept of what is IAM,
10:11
we learned what are the features of IAM,
10:16
we learned how to access IAM,
10:20
and we took a relatively deep dive into how does IAM work.
10:26
In the next video, we will do more hands on exercises to apply the concepts that we learned in this video.
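The request-context evaluation the video sketches (principal, action, resource and environment data gathered into a request context and checked against the policies attached to the entity), written out as an added Python example. This is not code from Cybrary, the video, or AWS: it is a minimal evaluator for identity-based policies that applies IAM's documented implicit-deny and explicit-deny-wins rules plus a handful of condition operators to the environment data the video lists (source IP address, SSL enabled status). The policy document uses AWS's real JSON policy grammar; the bucket name, ARNs, request contexts and the subset of condition operators are assumptions made for this example.

```python
"""Simplified IAM request evaluation (added example, not Cybrary's or AWS's code).

Implements the documented core of identity-based policy evaluation:
  * implicit deny: a request with no matching Allow statement is denied
  * an explicit Deny statement always wins over any Allow
  * Action and Resource support IAM's '*' and '?' wildcards
  * a statement with a Condition block only matches when the condition holds
Only four condition operators are implemented (Bool, StringEquals, IpAddress,
NotIpAddress). Bucket, ARNs and request contexts below are constructed.
"""
import fnmatch
import ipaddress


def _as_list(value):
    """IAM lets Action/Resource/condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """Wildcard match; action names are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Every operator/key pair in the Condition block must be satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            expected = _as_list(expected)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected[0]).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in expected)
                # Negated operators are satisfied when the key is absent,
                # matching IAM's documented behaviour for Not* operators.
                if operator == "IpAddress" and not in_range:
                    return False
                if operator == "NotIpAddress" and in_range:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action, case_sensitive=False):
                continue
            if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # explicit deny short-circuits everything
            decision = "Allow"
    return decision


# Constructed identity-based policy in AWS's JSON policy format.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # read-only access to one hypothetical bucket
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {   # refuse any S3 call that is not over TLS
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # refuse everything from outside the (hypothetical) office range
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}

# Constructed request contexts: the "environment data" the video lists.
CTX_TLS_INSIDE = {"aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.10"}
CTX_PLAIN_INSIDE = {"aws:SecureTransport": "false", "aws:SourceIp": "203.0.113.10"}
CTX_TLS_OUTSIDE = {"aws:SecureTransport": "true", "aws:SourceIp": "198.51.100.7"}
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"

if __name__ == "__main__":
    for label, action, ctx in [
        ("GET over TLS from office", "s3:GetObject", CTX_TLS_INSIDE),
        ("GET over plain HTTP", "s3:GetObject", CTX_PLAIN_INSIDE),
        ("GET over TLS from elsewhere", "s3:GetObject", CTX_TLS_OUTSIDE),
        ("PUT over TLS from office", "s3:PutObject", CTX_TLS_INSIDE),
    ]:
        print(f"{label:30} -> {evaluate([POLICY], action, OBJECT_ARN, ctx)}")
```

Running it shows the same GetObject request allowed from the permitted range over TLS, explicitly denied when either aws:SecureTransport is false or the source IP is outside the range, and implicitly denied for s3:PutObject because no statement grants it. Real IAM evaluation also consults resource-based policies, permissions boundaries, service control policies and session policies, none of which this example models.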