Time
3 hours 27 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
In this video
00:01
we will introduce
00:03
What is IAM
00:07
What are the features of IAM
00:15
How do we access IAM
00:20
How does IAM work
00:27
AWS Identity and Access Management
00:31
What is IAM?
00:33
AWS Identity and Access Management (IAM)
00:37
is a Web service
00:39
that enables us to provide access control to AWS resources.
00:43
When we first created our AWS account, we were able to access all AWS services and resources in our account
00:49
by just using our email address.
00:52
This is what's known as the root user account.
00:56
AWS recommends as best practice
00:59
that we not use that account for daily use, but rather that we create an IAM user account instead.
01:06
We should still ensure that we store our root user credentials in a secure place.
01:11
IAM provides us with the following features:
01:15
Shared access to our AWS account.
01:18
This means that we can grant permission to others to administer and use resources in our AWS account without sharing our user credentials.
01:27
Granular permissions.
01:30
We can grant customized permissions to different users for specific resources.
01:36
Secure access to AWS resources running on Amazon EC2.
01:42
We have only mentioned EC2 at a high level in previous videos, but essentially EC2 is a virtual machine running on the AWS platform.
01:52
Using IAM we can securely provide the necessary credentials to access applications running on the EC2 instance.
02:00
Multi-factor authentication.
02:04
If you have been following along, you remember that we enabled MFA when we set up our AWS account.
02:10
This is actually one of the features offered by IAM.
02:16
Identity Federation.
02:19
Identity federation is a feature where we can permit users who have credentials elsewhere, think a Facebook account, to get temporary access to our AWS account.
02:31
Identity information for assurance.
02:36
Again, we have only discussed CloudTrail
02:38
at a very high level.
02:40
But CloudTrail is an AWS auditing service.
02:45
We can enable CloudTrail to work with IAM to provide us with logs that will detail who made requests for resources within our AWS account.
02:54
Free to use.
02:57
AWS Identity and Access Management and AWS Security Token Service are features of our AWS account offered at no additional charge.
03:07
However,
03:08
we will be charged when we access other AWS services using our IAM users or STS temporary credentials.
03:20
We will discuss AWS pricing further in future lessons.
03:24
Accessing IAM.
03:28
We can access IAM in four different ways:
03:31
Via the Management Console.
03:35
This will be the primary manner in which we access IAM throughout this course.
03:40
Via AWS command line tools.
03:44
AWS provides two sets of command line tools:
03:49
the AWS Command Line Interface and the AWS Tools for Windows PowerShell.
03:54
The command line tools would likely be used by more advanced AWS power users and are beyond the scope of our course.
04:05
Via AWS SDKs.
04:09
AWS provides SDKs, software development kits,
04:14
that are made up of libraries and sample code for
04:17
popular programming languages and platforms such as Java, Python, Ruby, .NET, iOS, Android, et cetera.
04:28
Again, this would likely be used by more advanced AWS power users
04:32
and is not within the scope for our course.
04:36
IAM HTTPS API.
04:41
Again, a developer might access IAM via an application that he or she created
04:47
that calls the AWS HTTPS API.
04:53
How does IAM work? IAM is a complex topic, but from a high level, we can break down its major components. There are some new terms that we will need to be aware of to gain a good understanding of the IAM processes.
05:08
Resources.
05:10
These contain the user, role, group and policy objects
05:15
that are stored
05:15
in IAM.
05:17
We're able to add, edit and remove resources from IAM.
05:23
Identities. These are IAM resource objects that are used for the purpose of identifying and grouping.
05:32
These will include users, groups and roles.
05:36
Entities.
05:39
These are the IAM resource objects that AWS uses for authentication.
05:45
These will include users and roles.
05:48
Roles can be assumed by IAM users
05:53
in our own or in a different account,
05:56
as well as users federated through a web identity service such as Facebook or SAML, which stands for Security Assertion Markup Language.
06:08
Principals:
06:10
a person or application that uses an entity to sign in and make requests to AWS.
06:15
So what is a principal?
06:18
A principal is a person or application
06:21
that makes a request for an action or operation on an AWS resource.
06:27
As a principal,
06:29
you first sign in as the AWS account root user. As best practice,
06:34
we do not use our root user account for our daily work.
06:39
Instead, we create IAM entities, users and roles. We can also support federated users programmatically by,
06:49
let's say, a developer writing a front-end application that calls an AWS API.
06:57
Request.
06:59
When a principal tries to use the AWS Management Console,
07:01
the AWS API
07:04
or the AWS
07:06
CLI,
07:09
that principal sends a request to AWS.
07:12
The request includes the following information:
07:15
Actions or operations: the actions or operations
07:20
that the principal wants to perform.
07:23
This could be an action in the AWS Management Console
07:27
or an operation in the AWS CLI or AWS API.
07:31
Resources: the AWS resource object
07:35
upon which the actions or operations will be performed.
07:41
Principal:
07:42
as we already discussed, the principal is the person or application that used an entity,
07:48
a user or a role, to send the request.
07:51
Information about the principal includes the policies that are associated with the entity that the principal used to sign in.
08:00
Environment data:
08:01
information about the IP address, user agent,
08:05
SSL-enabled status,
08:09
or perhaps the time of day.
08:11
Resource data:
08:13
data related to the resource that is being requested.
08:16
This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.
08:28
AWS gathers the request information into what it calls a request context,
08:33
which is then used to evaluate and authorize requests.
Authentication.
08:39
So as a principal, we must be authenticated, that is, signed into AWS using an IAM entity,
08:46
to send a request to AWS.
08:50
Now, some services, such as Amazon S3
08:52
or Amazon
08:54
STS,
08:56
allow a few requests from anonymous users,
09:00
but they are the exception to the rule.
09:03
To authenticate from the console as a user, you, of course, must sign in with your user name and password.
09:15
What is IAM?
09:18
IAM is AWS Identity and Access Management.
09:22
It's a web service that provides access control to AWS resources.
09:28
How can we access IAM?
09:31
Access IAM via the AWS Management Console,
09:35
via AWS command line tools,
09:39
the AWS Software Development Kits,
09:43
and the AWS IAM HTTPS API.
09:48
Can I use my Facebook account to gain temporary access to our AWS account?
09:56
Yes.
09:58
AWS supports the use of federated identities to gain temporary access to our AWS accounts.
10:07
In this video
10:07
we introduced the concept of what IAM is.
10:11
We learned what the features of IAM are.
10:16
We learned how to access IAM,
10:20
and we took a relatively deep dive into how IAM works.
10:26
In the next video, we will do more hands on exercises to apply the concepts that we learned in this video.

Up Next

Intro to AWS

This Introduction to Amazon Web Services (AWS) course will teach you about Amazon's secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.

Instructed By

Shaun Balkum
Sr. Network Engineer at Presidio
Instructor