4.3 IAM Lab

Video Transcription
Hello, everybody, and welcome to this lecture. In this lecture we're going to be getting started with Identity and Access Management. That is the AWS service IAM.
So as you can see, I am at the Management Console right now. Go ahead and log in if you are not logged in already, and go up here to the Services menu, and we're going to go to Security, Identity and Compliance. And right beneath it, the first one is IAM. Let's go ahead and open that up.
So basically IAM is going to control access to your root and the users that are accessing your AWS account. Here is a list of things to do under the Security Status agenda's list. Whenever you open up an AWS account for the first time, you should see this.
It should have one out of five complete, and basically what you're going to need to do if you want your account to be secure, which I advise you do, is go ahead and follow these step by step.
So let's begin by activating our multi-factor authentication on the root account. So whatever you use to log into your account is probably your root account, unless you were configured a user account by your organization or something like that, so there shouldn't be any issue. We're going to go ahead and click Manage MFA.
So here we are. And it says here you are accessing the security credentials page for your AWS account. The account credentials provide unlimited access to your AWS resources, and then you can learn more by reading here.
Let's go ahead and continue to security credentials, and we want to open up multi-factor authentication, and we're going to press Activate MFA.
So whenever you are setting up MFA, there are three different ways you can go about it. You can use the virtual MFA, which is like a mobile application on your phone. You can use a U2F security key such as a YubiKey or any compliant U2F device. And then you can also use a hardware MFA device such as a token, something like that.
But for this, we're just going to go ahead and use the virtual MFA. What I would like you to do, whether you have an iPhone or an Android phone, is open up the app store and download an application called Google Authenticator. When you have that ready, let's go ahead and continue.
So this is going to walk you through the process of setting up your Google Authenticator as your MFA for your account. Basically, we're going to press Show QR code. Now, no worries, I'm going to actually delete this so that you guys can't reuse it, so don't even try.
But what we're going to do is you're going to hold up your phone, you're going to scan this QR code within the Authenticator application, and then it's going to give you a series of codes. You're going to have one code which you're going to copy and enter in here, and then you'll have another code after you've waited a little bit, and you're going to enter that in there.
Then, all done, go ahead and press Assign MFA. OK, now you should be all set. And as we move back to the IAM dashboard, you should see a second check mark under Activate MFA on your root account.
That means that you were successful. If you need to go back and manage it, you can drop this menu down and select Manage MFA. Moving forward, the next thing on our agenda here is to create an individual IAM user. The reason why we go about doing this is because using the root account really isn't the smartest thing. If you were to, maybe, misplace or leave access open on your workstation and somebody gained access to the root account of your AWS account, well, that basically leaves every single door and window open to the house, and they can do whatever they want.
And that's not good. That deals with security, and that's what we want to be concerned about when we're dealing with IAM. So we're going to create a managed user, and that user may or may not have restricted access. In this case, it probably won't. So I also want to secure that user. But I will be able to at least walk you through the process so that you can see how to apply policies and restrict users to only the minimum activity that they need access to, or that they need to be doing within AWS.
Let's go ahead and select Manage Users. And you shouldn't have anything listed here if this is a new account. So we're going to go ahead and press Add User.
I'm going to add my name right here, and I'm going to give myself programmatic access and access to the AWS Management Console.
So basically, what this means is programmatic access means that you can access your AWS account using your terminal or your PowerShell window. It'll basically assign you an access key ID and secret access key, which is what you're going to be using to connect through the terminal. Now for the Cloud Practitioner exam, this isn't in the scope of that exam. It's a bit beyond, so we're not going to be touching on it. But if you are planning on going after an associate-level certification, it is a good idea that you get familiar with how to use the programmatic access keys within your AWS CLI.
Moving onward, the second option for accessing your AWS account would be the AWS Management Console. That's actually what we're looking at right here. It's basically just their web GUI, their web interface that you're able to log in to and manage these services. For the Cloud Practitioner exam, that's all we're going to be using.
The third option is through the AWS SDK, which is not within the scope of this certification exam. For console password, I'm going to leave it auto-generated, and then I'm going to require the new user to create a new password the next time that they log in. Let's go ahead and create a group for our new user.
And here is where you can actually select a job function or a pre-existing group that already came baked in within your AWS account when you first signed up. And basically, if you review here, it kind of goes based on, you know, different services that are available within the AWS console, such as Athena or Chime. Some more popular ones would be DynamoDB, EC2.
And it can give you, you know, some restricted access, like read-only or Power User, which isn't quite full access but still fairly accessible. And if you want to read a little bit more about the description of the role, you just look over here on the description; you can find out more information. So on the Power User, basically, it provides full access to the Amazon EC2 Container Registry repositories, but does not allow repository deletion or policy changes. So for this account, we're actually going to assign AdministratorAccess, because I do not want to be restricted. And under the group name, I'm going to type in
We'll go ahead and select Create Group, and then we're going to move on to tags.
Now, under tags you can type in things like Name, and then for the value you can add a value. This isn't necessary, but it does help with organizing your users and your groups as you grow your organization and transition more people onto the platform. So keep in mind, this is a great way to keep up with the organization.
But for this scope, I'm actually not going to add a tag. So we'll just go ahead and press Review, and here it's going to give you the summary of everything that I've done. It tells you the group, it tells you the managed policy, it says there are no tags, and we're going to go ahead and create the user.
And there you go. It gives you the access key ID, the secret access key, the password, and email login instructions, allowing you to send an email directly to the user who you just created this account for. One thing to note is that the access key ID and secret access key should be saved. This isn't something that you're going to get again. However, if you do happen to lose access to your secret access key, maybe you forgot it or you threw away the file, all you have to do is generate a new one, and then you should be able to access the same users. So if you do lose access, you're not totally lost. All you have to do is generate a new access key for the existing user.
If you would like, you can actually download a CSV for that. All you have to do is press Download and it downloads the file for you, and all this information will be within that credential file. So now that we're done here, go ahead and press Close,
and we're going to head back to the dashboard. So as you can see, we've actually knocked out two of the other check marks on our list. And the only thing we have left to do is apply an IAM password policy.
So let's see what is involved with that. It says here, use a password policy to require your IAM users to create strong passwords and to rotate their passwords regularly. If you want to learn more, you can press here. We'll go ahead and press Manage Password Policy.
And within here you can actually add the different requirements that you want to add for each user when they create a new password for their account. So we could say we want the credentials to be 12 characters in length. We want at least one uppercase, at least one lowercase, one number, one non-alphanumeric character.
And we can add password expiration; you can enter the number of days there. I'm not going to do that for this account. And you can also prevent reuse and set the number of passwords to remember. You could say five or whatever, and then it'll basically remember the last five passwords that that user created, preventing them from reusing that password again. But once again, I'm not going to do that.
We'll go ahead and apply the password policy. They give us more information. They also tell you where this is active.
By the way, while we're reviewing regions, I wanted to take a moment and note that the IAM service is actually global. If you see up here in the right-hand corner, if I were to drop this down, all of this is grayed out. That is because IAM doesn't require a specific region. It's something that you can access from any region.
One thing to know when you're using AWS services is that some regions do not offer certain services like others do. Usually the ones in the UK and the ones in the United States are not restricted, so you're going to have access to the majority of all the services. But as you move over into the Asia Pacific region or the South America region, you may run into some restrictions where some of the services are not available, especially the newer ones that are still in development. So just keep that in mind.
But as far as the scope of the Cloud Practitioner exam, the IAM service is global. That is one of the few that is global, and you cannot select a region because it has already selected Global. So I just wanted to make sure I threw that out there.
We'll go ahead and apply the password policy. It says successfully updated the password policy, and we'll go back to the dashboard. And as you can see, we have hit our five check marks and we are done for IAM.
One thing I also want to add is that if you are creating more users, you can actually have them log in to your console, your corporate console specifically, by using this link. Now, you can actually customize it by renaming it so that it's easier to remember. All you have to do is press Customize, and in here what I'll do is I'll say cybrary CCP, so Certified Cloud Practitioner. Select Create, and now, as you can see, this is the new URL. If I were to copy this, I can just copy and paste, and now you have the account ID alias. You can just enter in your IAM user name and IAM password and you'll be in the console in no time. I hope this was very helpful. I will see you guys in the next lecture.
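The virtual MFA step above (scan the QR code, then type two codes in a row) is ordinary TOTP: AWS virtual MFA devices follow RFC 6238 with HMAC-SHA1, six digits and a 30-second step, and the QR code carries the shared seed. The following Python is an added example, not code from the lecture or from AWS; it implements the code generation the authenticator app performs and a verifier that reproduces the console's two-consecutive-codes enrollment check. The seed is the RFC 4226/6238 reference secret, used here only because its expected codes are published; a real seed must never be committed or logged.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # AWS virtual MFA devices use 30-second TOTP steps
DIGITS = 6          # and six-digit codes

# Constructed seed for demonstration: the RFC 6238 reference secret
# ("12345678901234567890" as ASCII) in base32. A real seed is the "secret
# key" encoded in the QR code the IAM console shows; never commit one.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(seed_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(seed_b32, unix_time // step)


def _well_formed(code: str) -> bool:
    return len(code) == DIGITS and code.isascii() and code.isdigit()


def verify_code(seed_b32: str, code: str, unix_time: int, skew: int = 1):
    """Return the time-step counter the code matches, or None.

    `skew` is how many steps of clock drift either side of `unix_time` are
    tolerated. The comparison is constant-time so the check does not leak
    how many leading digits were right.
    """
    if not _well_formed(code):
        return None
    base = unix_time // STEP_SECONDS
    for counter in range(base - skew, base + skew + 1):
        if hmac.compare_digest(hotp(seed_b32, counter), code):
            return counter
    return None


def enrollment_ok(seed_b32: str, code1: str, code2: str,
                  unix_time: int, skew: int = 1) -> bool:
    """Reproduce the console's enrollment check: two consecutive codes.

    The first code proves the app holds the right seed; the second must come
    from the very next step, which proves the app's clock is in sync and that
    the user did not simply type one code twice.
    """
    if not _well_formed(code2):
        return False
    first = verify_code(seed_b32, code1, unix_time, skew)
    if first is None:
        return False
    return hmac.compare_digest(hotp(seed_b32, first + 1), code2)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SEED_B32, now))
    print("next code:   ", totp(RFC_SEED_B32, now + STEP_SECONDS))
```

Run it and compare against an authenticator app enrolled with the same base32 seed; the two printed codes are exactly the pair the console asks for. The one-step skew window is why a code typed a few seconds late still works, and also why the server side must reject a code that has already been accepted for the same counter.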
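The password policy section above lists the knobs on the IAM password policy page (minimum length, four character classes, expiration and reuse prevention) without showing what they reject. The following Python is an added example, not code from the lecture or from AWS: it models those options, evaluates a candidate password against the policy the lecture configures (12 characters, all four classes, no expiration, no reuse prevention), and shows how "remember the last N passwords" and expiration behave when they are turned on. The allowed symbol set is the one the IAM console lists for the non-alphanumeric option; storing password history as salted PBKDF2 digests is this example's choice, and IAM enforces all of this server-side, so this is for understanding the rules, not for replacing them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple

# The non-alphanumeric characters IAM accepts for the
# "require at least one non-alphanumeric character" option.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


@dataclass(frozen=True)
class PasswordPolicy:
    """The options on the IAM 'Set password policy' page."""
    minimum_length: int = 8             # IAM's default; the lecture chooses 12
    require_uppercase: bool = False
    require_lowercase: bool = False
    require_numbers: bool = False
    require_symbols: bool = False
    max_age_days: Optional[int] = None  # password expiration, 1..1095 days
    reuse_prevention: int = 0           # remember the last N passwords, 0..24


# The policy configured in the lecture: 12 characters, all four classes,
# no expiration and no reuse prevention.
LECTURE_POLICY = PasswordPolicy(
    minimum_length=12,
    require_uppercase=True,
    require_lowercase=True,
    require_numbers=True,
    require_symbols=True,
)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest so password history is never kept in clear.

    The iteration count is illustrative; raise it for production use.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(policy: PasswordPolicy, candidate: str,
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the policy violations for `candidate`; an empty list means it passes.

    `history` holds the user's previous (salt, digest) pairs, newest first.
    """
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append(f"too short ({len(candidate)} < {policy.minimum_length})")
    if policy.require_uppercase and not any(c.isupper() for c in candidate):
        problems.append("missing uppercase letter")
    if policy.require_lowercase and not any(c.islower() for c in candidate):
        problems.append("missing lowercase letter")
    if policy.require_numbers and not any(c.isdigit() for c in candidate):
        problems.append("missing number")
    if policy.require_symbols and not any(c in IAM_SYMBOLS for c in candidate):
        problems.append("missing non-alphanumeric character")
    # Only the most recent `reuse_prevention` passwords count; with 0 the
    # history is ignored entirely, which is what the lecture leaves in place.
    for salt, digest in list(history)[: policy.reuse_prevention]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"reuses one of the last {policy.reuse_prevention} passwords")
            break
    return problems


def days_until_expiry(policy: PasswordPolicy, last_changed: date, today: date) -> Optional[int]:
    """None when the policy sets no expiration; negative once the password has expired."""
    if policy.max_age_days is None:
        return None
    return policy.max_age_days - (today - last_changed).days


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3!", "tr0ub4dor&3!", "Short1!"):
        print(repr(pw), "->", check_password(LECTURE_POLICY, pw) or "ok")
```

Turning on reuse prevention only helps if the history is kept for every user and sliced to the configured depth; an older password falls out of the window and becomes acceptable again, which is the behaviour the lecture describes when it says the policy "remembers the last five".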
AWS Certified Cloud Practitioner

This AWS Cloud Practitioner training will prepare students to pass the related certification exam. In this course, students will learn the foundational principles of the AWS cloud platform to develop a solid understanding of the AWS cloud.
