IAM Users and Groups

Video Activity

Time
19 hours 19 minutes
Difficulty
Intermediate
CEU/CPE
20
Video Transcription
Hey everybody, and welcome back. In this lesson, we're going to go ahead and start off with users and groups. Let's go ahead and talk about the learning objectives. The learning objectives are going to be to understand what IAM is at a high level. Then we're going to be talking about the different account types that there are and get a little deeper into users and groups than I alluded to in the last lecture.

AWS Identity and Access Management, otherwise known as IAM, is the identity management solution or service within AWS. To give you some context, IAM is something that you have to have when you're working in AWS. It doesn't matter what you're doing with AWS: you could be spinning up a server, you could be playing around with machine learning services like Amazon Polly, you could be messing around with serverless technology or, honestly, just using it as a storage solution. It doesn't matter what service you use, you're still going to be using Identity and Access Management. It's just one of those core services that opens up as soon as you create the account. What I mean by that is you're actually given a root account which, believe it or not, you can manage from Identity and Access Management. Even if you didn't want to make your account secure, you're still leveraging the IAM service regardless of how secure or how customized you want to make your environment in AWS.

That's to give you an idea of what IAM is: it's something that handles your permissions. If you're the only person using your AWS account, you're still going to be using IAM. If you're going to have a team of 40 people that are going to be using the same AWS account, they're still using IAM to manage all of those users. It doesn't matter if they're accessing the web console, like what we'll be doing here in this course, or if they're using their IDE environment, their development environment on their desktop, and they're remotely interacting with the services in their AWS accounts or in this shared AWS account. It doesn't matter if the application is the one doing the interacting with the AWS account, IAM still has a role in all of those things. It manages the access, it manages the identity, it manages the resources, and what permissions are provided to whom. All of that stuff, that's what this is all about.

Like I said, IAM comes with a root account, which is what you're given when you first start your AWS account. There's no way around that, you're going to have a root account. Now, it's bad practice to use the root account unless it's a backup situation, like you forgot your credentials for your main admin accounts and so you need to go back to the root account. Or if you need to deal with certain billing situations or if you're looking to get rid of your AWS account, those are some instances when the root account would be advantageous to use. That being said, it's advised that when you open up an AWS account, the first thing you do before you start working in it is to set up a separate user account within IAM. You can give that one global admin permissions, basically god rights to do whatever they want to do in the account. But that is still safer than using the root account. I'll be showing you how to do that in this course as we go along in this module. But keep that in mind.

As you're going along and you're setting up your AWS account, your IAM environment, if you have additional users that you're going to be bringing on board to work with you in your cloud environment, you're going to need to be creating separate user accounts. Remember, it's bad practice to share your credentials, so we want to create a separate user account for them. Now, there's no additional charge for that. AWS does not limit how many users you can have in your account, so you can add as many as you need to. But one thing that you'll want to do is create those users under the user area in your IAM environment, and then you can group them. Let's say you have three developers, you have two QA engineers, you have a few business analysts. You can set up groups for those users that have similar permissions and have the permissions set at the group level, not the user level, so that you can administer and manage the permissions and change the permissions a lot easier. If somebody gets a promotion or if somebody moves from one role to another, you can just move the user over to the other group and the permissions automatically follow.

Let's give you an example. Let's say Suzy moves from accounting over into web development. Well, she's not going to need the accounting access to the bills, to the POs, to the invoicing, all of that stuff. If she's now working in the IT field, she's not going to need access to the accounting information. Following the principle of least privilege and making sure that the environment is secure, what we could do is just move Suzy's user over from one group to another. That's one way that we can stay secure.

The way that this is all done is through permissions. IAM has this thing called permissions, and this is what it looks like in a JSON format. Now, for the AWS Solutions Architect Associate certification exam, you're going to want to understand how to read this. Now, don't be alarmed if you're not a developer or if you don't really read code; this isn't actually as difficult as it seems. There are a lot of great resources out there to help you understand IAM permissions JSON. As a matter of fact, if you just search "AWS IAM permissions" in Google, the very first link that you'll likely find is from the AWS documentation that will help you understand how to read through this. Just to help you out, I will add a link in the description so you can find that and leverage it for your needs as well.

To quickly summarize here, so we have users and groups, sorry, we've talked about that, how we are going to be applying these. These permissions are going to be applied to the users and to the groups. Now, why would you want to do either or? Well, sometimes the user may not fall under a particular group because he's an individual or she's an individual and there's no other group there and there's no need to have a group developed. Well, you can assign the permissions for that particular user. Or if you have many users that fall under a similar job category, you can set it up at the group level as well. Regardless of whether you're doing one or the other, the IAM permission JSON looks the same. It's still JSON and it's going to look very much like this.

Now, let's take a quick look at what this says. We have the effect Allow, so the alternative would be Disallow. The action would be S3, so this is regarding an S3 bucket. We can have here the action ListAllMyBuckets. Now, whoever this permission is applying to is able to see all of the available buckets there. That does not mean they're able to open it, but they are able to see what exists. Now the resource, here's the ARN number, and they gave us a little bit of information here, the confidential data and the S3. We can see another IAM statement, which is Allow GetObject. Now you can actually retrieve the object that's located within the bucket. It gives you a little bit of the path of where that resource is at. This is really just to give you an understanding of what this looks like and what this is going to be. Whenever you are working with JSON documents for IAM, this is what this is going to look like. If you're on your exam and you see a question that's relating to IAM statements and permissions, they're actually going to give you this type of picture here. It'll look like this and they'll ask you a question like, what does this JSON statement mean? You have to pick through the multiple choice and select the one that makes the most sense. Getting familiar with this is very important.

The last thing that I wanted to note here is that you want to use the permissions in order to define your least privilege principle. For those of you that are new to security and are perhaps new to the cloud as well, this privilege principle applies to not just the cloud. It is a common cybersecurity practice that we use. It basically just means that we want to restrict the level of access, the reads or writes, doesn't matter what access. What that means is what you can retrieve and what you can correct, or what you can make changes to. Providing least privilege would be saying, Joe only needs this level of access because that's enough access for him to do his job. Now, how do you determine that? Well, the best way to determine that is by talking to the managers and discussing with them, what access does this job description need? If it's like a developer who's going to be working in the cloud, well, you can believe that they're going to be needing access to some technical resources, but they may not need access to production. For example, they may just need access to the development and maybe the test environment. They may not need read and write access; they may just need read access to the test environment, and read and write access to the development environment. I'm just giving you some examples here. These are some ideas to help you understand the principle of least privilege, which is really the idea that you only provide what's necessary for the user to do their job, and that's it. Make sure you keep on top of that, which is why we have IAM that helps you with that.

To summarize, we did an overview of what IAM is, went a little bit more into the conversation on talking about that. We discussed the functionality of users and groups, and we discussed user permissions and how they can be used. I hope you found this helpful. I'll see you in the next lesson.
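The two-statement policy the lecture walks through (list all buckets, read objects from one bucket), rebuilt as an added example that is not the lecture's slide or AWS's own evaluation engine. It pairs the policy with a minimal evaluator that shows the least-privilege behaviour the lecture describes: a request is implicitly denied unless a statement allows it, and an explicit Deny overrides any Allow. The bucket name example-confidential-data and the request values are constructed placeholders.

```python
import fnmatch
import json

# Constructed policy reproducing the two statements described in the lesson:
# list every bucket, and read objects from one named bucket. The bucket name
# is a placeholder, not a real ARN from the lecture.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "s3:ListAllMyBuckets",
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-confidential-data/*"}
  ]
}
"""


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # "*" and "?" are wildcards in Action and Resource; fnmatch covers both.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policy_json, action, resource):
    """Simplified identity-policy evaluation: implicit deny by default, an
    explicit Deny overrides any Allow, otherwise allow when at least one
    statement matches. (Real AWS evaluation also weighs Condition blocks,
    SCPs, permission boundaries and resource policies, which are omitted.)"""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny always wins
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed  # nothing matched: implicit deny
```

With this policy a PutObject to the same bucket, or a GetObject on any other bucket, is denied because no statement grants it.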