This presentation on AWS IAM (Identity and Access Management) will help you understand what AWS security is, the types of AWS security services, what IAM is, why we need IAM, how IAM works, and the components and features of IAM; you will also see a demo on how to create an S3 bucket using the MFA feature. AWS cloud provides a secure virtual platform where users can deploy their applications. Compared to an on-premises environment, AWS security provides a high level of data protection at a lower cost to its users. There are many types of security services, but some are widely used, and IAM is one of them. AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. Now, let's dive into this AWS IAM tutorial to understand what IAM is and how it works.
Below topics are explained in this AWS IAM presentation:
1. What is AWS security?
2. Types of AWS security
3. Why IAM?
4. What is IAM?
5. How does IAM work?
6. Components of IAM
7. Features of IAM
8. Demo - Create an S3 bucket using the MFA feature
This AWS certification training is designed to help you gain an in-depth understanding of Amazon Web Services (AWS) architectural principles and services. You will learn how cloud computing is redefining the rules of IT architecture and how to design, plan, and scale AWS Cloud implementations with best practices recommended by Amazon. The AWS Cloud platform powers hundreds of thousands of businesses in 190 countries, and AWS certified solution architects take home about $126,000 per year.
This AWS certification course will help you learn the key concepts, latest trends, and best practices for working with the AWS architecture, and become an industry-ready AWS certified solutions architect, qualifying you for a position as a high-quality AWS professional.
The course begins with an overview of the AWS platform before diving into its individual elements: IAM, VPC, EC2, EBS, ELB, CDN, S3, EIP, KMS, Route 53, RDS, Glacier, Snowball, CloudFront, DynamoDB, Redshift, Auto Scaling, CloudWatch, ElastiCache, CloudTrail, and Security. Those who complete the course will be able to:
1. Formulate solution plans and provide guidance on AWS architectural best practices
2. Design and deploy scalable, highly available, and fault-tolerant systems on AWS
3. Identify the lift and shift of an existing on-premises application to AWS
4. Decipher the ingress and egress of data to and from AWS
5. Select the appropriate AWS service based on data, compute, database, or security requirements
6. Estimate AWS costs and identify cost control mechanisms
Learn more at: https://www.simplilearn.com/
2. What’s in it for you?
What is AWS Security?
Types of Security
Why IAM?
What is IAM?
How IAM works
Components of IAM
Features of IAM
Demo - Create an S3 bucket using the MFA feature
4. What is AWS security?
• AWS cloud provides a secure virtual platform where users can deploy their applications
• Compared to an on-premises environment, AWS security provides a high level of data protection at a lower cost to its users
Secure environment
No upfront cost
Lower cost than on-premises
5. Types of AWS security
There are many types of security services but some of the widely used services by AWS are:
IAM, KMS, Cognito, WAF
Let's get started with AWS IAM
8. Why IAM?
BEFORE AWS
At a corporation, it isn't safe to share confidential data over the phone or the internet
9. Why IAM?
AFTER AWS
Employees using Slack
Note: Slack is an online tool which lets users communicate and share documents on the web
“Hosting Slack in AWS makes us more confident that our data is safe and secure”
“The fact that we can rely on the AWS security posture to boost our own security is really important for our business. AWS does a much better job at security than we could ever do running a cage in a data center.”
- Richard Crowley, Director of Operations, Slack
10. What is IAM?
• AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS resources
• It lets you create the identities (users, groups and roles) that authenticate to your account and set the permissions that limit which of your AWS resources each of them can access
Admin → Set permissions → Secure access → AWS resources
11. How IAM works
The IAM workflow includes the following elements:
1. Principal
2. Authentication
3. Request
4. Authorization
5. Actions
6. Resources
12. How IAM works – Principal
• An action on an AWS resource is performed by a principal
• A principal can be an IAM user, a role, or an application that holds the credentials of one of these
13. How IAM works – Authentication
• Authentication is the process of confirming the identity of the principal trying to access an AWS service
• From the console you authenticate with a user name and password (plus an MFA code if one is enabled); from the API or CLI you sign each request with an access key ID and secret access key
14. How IAM works – Request
• When a principal uses the console, API or CLI, it sends a request to AWS
• The request context carries the requested action, the target resource(s), the principal, and environment data such as the source IP address and the time of the request
15. How IAM works – Authorization
• IAM uses the request context to look for matching policies and decides whether to allow or deny the request
• By default every request is denied; an explicit Allow in an applicable policy overrides that default, and an explicit Deny overrides any Allow
16. How IAM works – Actions
• After authenticating and authorizing the request, AWS approves the action
• Actions are the operations on a resource: view, create, edit and delete
17. How IAM works – Resources
• AWS resources: EC2 instances, S3 buckets and objects, IAM users and roles
• After the action is approved, it is performed on the related resource in your AWS account
• A request that asks for an action on an unrelated resource is denied
• For example, a request to delete an IAM role that also asks for access to an EC2 instance is denied, because the instance is not a resource the delete-role action applies to
23. Components of IAM – User
• With IAM, you can securely manage access to AWS services and resources
• You create an IAM user for a person (or application) that needs its own credentials, for example when a new employee joins your company
Note: Each IAM user belongs to exactly one AWS account
Secure access to AWS services and resources
24. Components of IAM – Group
• A collection of IAM users is an IAM group
• You can use IAM groups to specify permissions for multiple users, so that any permission applied to the group is applied to its users as well
IAM Group → Specify permissions
25. Components of IAM – Group (Example)
This diagram is an example of groups created for a small company (one AWS account):
Users: Bobby, Suman, Brad, Jimmy, Harry, Cathy, Allen, Bella, John, Mark
Groups: Admins, Developers, Test
1. Set permissions on a group
2. The permissions are applied to all of its users automatically
New user
Note: Suppose a new user joins your organization and needs administrator privileges; adding that user to the relevant group will automatically set the permissions
27. Components of IAM – Policies
• An IAM policy sets permissions and controls access to AWS resources
• Policies are stored in AWS as JSON documents
• Permissions specify who can access the resources and what actions they can perform
For example, a policy can allow an IAM user to access one of the buckets in Amazon S3
IAM Policy
28. Components of IAM – Policies (Example)
Task: To give Paul (Developer) access to Amazon S3
The policy would contain the following statements:
• Who – Paul (give a user name or group name)
• What actions – can get/put objects in S3 (GET/PUT: read and upload access)
• Which AWS resources – Bucket = “*” (“*” grants access to all buckets; scope it to a named bucket ARN where you can)
• When – until March 2, 2019 (the permission expires on the given date)
• Whether – Allow (whether to allow or deny the permission)
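The authorization step of the workflow (slides 14 to 17) and Paul's policy on this slide, as an added worked example that is not part of the original deck or of AWS's code. Paul's five answers become one JSON statement; a second, hypothetical statement then shows how an explicit Deny beats an Allow, using the aws:MultiFactorAuthPresent condition that the MFA demo at the end of the deck relies on. The evaluator is a toy: it models wildcards in Action and Resource, the DateLessThan and Bool operators (with their ...IfExists variants) and the Deny > Allow > implicit-deny order, and leaves everything else in real IAM out. The object ARN, statement IDs and request contexts are made up.

```python
import fnmatch
import json
from datetime import datetime, timezone

# Paul's policy from the slide, as the JSON IAM stores.  Resource "*" is the
# slide's choice; in practice scope it to one bucket (arn:aws:s3:::name/*).
PAUL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PaulGetPutUntilMarch2019",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "*",
    "Condition": {"DateLessThan": {"aws:CurrentTime": "2019-03-02T00:00:00Z"}}
  }]
}
""")

# Hypothetical second policy: explicit Deny on writes unless MFA was used.
# BoolIfExists matters: with plain Bool the key is absent for requests signed
# with long-term access keys, the condition is false and the Deny never
# fires, which is the classic way an MFA gate gets bypassed.
MFA_GUARD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyWritesWithoutMFA",
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All operator/key pairs must hold.  A missing key fails a plain
    operator and satisfies an ...IfExists operator."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            actual = context[key]
            if base == "DateLessThan":
                ok = actual < datetime.fromisoformat(expected.replace("Z", "+00:00"))
            elif base == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def _matches(stmt, action, resource, context):
    """IAM wildcards (* and ?) behave like fnmatch patterns here."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request context."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # an explicit Deny always wins
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"   # the default is deny


def demo():
    """The requests a reviewer would try against both policies at once."""
    policies = [PAUL_POLICY, MFA_GUARD_POLICY]
    obj = "arn:aws:s3:::files/report.csv"                   # made-up object
    before = {"aws:CurrentTime": datetime(2019, 1, 15, tzinfo=timezone.utc)}
    after = {"aws:CurrentTime": datetime(2019, 3, 2, 0, 0, 1, tzinfo=timezone.utc)}
    return {
        "get before expiry":    evaluate(policies, "s3:GetObject", obj, before),
        "put with MFA":         evaluate(policies, "s3:PutObject", obj, {**before, "aws:MultiFactorAuthPresent": "true"}),
        "put without MFA":      evaluate(policies, "s3:PutObject", obj, {**before, "aws:MultiFactorAuthPresent": "false"}),
        "put, long-term keys":  evaluate(policies, "s3:PutObject", obj, before),
        "get after expiry":     evaluate(policies, "s3:GetObject", obj, after),
        "delete, never granted": evaluate(policies, "s3:DeleteObject", obj, before),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:24s} -> {decision}")
```

The two outcomes worth noticing are "put, long-term keys" and "get after expiry": the first is denied only because the guard uses BoolIfExists, and the second is an implicit deny, not an explicit one, because the Allow simply stopped matching once its DateLessThan condition failed.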
34. Components of IAM – Policies
Sample - S3 public read-only bucket policy (a resource-based policy attached to the bucket; its Principal element says who may access it)
{
  "Version": "2012-10-17",
  "Id": "S3-Account-Permissions",
  "Statement": [{
    "Sid": "AddPublicReadPermissions",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucket/*"
  }]
}
• "Principal" – who can access it ("*" means anyone, including anonymous requests)
• "Effect" – give permission (Allow/Deny)
• "Action" – what action a user can take (read here; write and delete would be s3:PutObject and s3:DeleteObject)
• "Resource" – the objects the statement applies to (the ARN prefix is lower-case arn:aws)
Note: "Version" is the policy-language version and is always the literal 2012-10-17, not the date you wrote the policy. Granting "s3:*" to Principal "*" would make the bucket world-writable and deletable; a public read-only policy grants only s3:GetObject.
35. Components of IAM – Policies
Types of policies
Managed policies
Standalone policies that you can attach to multiple entities (users, groups and roles) in your AWS account. AWS managed policies are created and maintained by AWS; customer managed policies are ones you create yourself.
Inline policies
Policies you create and manage yourself that are embedded directly in a single entity (user, group or role); they are deleted together with that entity.
36. Components of IAM – Roles
• An IAM role is an identity with a set of permissions that define what actions are allowed and denied in your AWS account
• It is similar to a user, but it has no long-term password or access keys: whoever assumes the role receives temporary credentials
• A role can be assumed by any trusted entity (an individual, an application, or an AWS service such as EC2)
Define permissions → AWS services / User
37. Components of IAM – Roles (Example)
1. Create a role and give it access to S3's “file” bucket
2. A user launches an EC2 instance with the role attached
3. From the instance, the application retrieves temporary role credentials (from the instance metadata service)
4. Using the role credentials, the application gets the files from S3 and shows them in the online application
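Step 3 of the role example, the application on the instance fetching its role credentials, as an added example that is not part of the deck or of AWS's code. A real instance talks to the Instance Metadata Service at 169.254.169.254; nothing here contacts that address. Instead a small stand-in server answers the same paths on loopback so the exchange can be run offline, and the client implements the IMDSv2 flow: PUT a session token, then GET the role name and the credential document with that token. The role name and the credential values are constructed placeholders. The stand-in is IMDSv2-only, so a plain GET without the token is refused, which is what closes the classic SSRF route to credential theft on real instances.

```python
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ROLE_NAME = "s3-file-reader"            # hypothetical role from the slides
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
FAKE_CREDENTIALS = {                    # constructed placeholders, not real keys
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "EXAMPLE-secret-not-real",
    "Token": "EXAMPLE-session-token-not-real",
    "Expiration": "2019-03-02T00:00:00Z",
}


class FakeImdsV2(BaseHTTPRequestHandler):
    """Minimal IMDSv2-only stand-in: no session token, no metadata."""
    tokens = set()

    def log_message(self, *args):       # keep the example quiet
        pass

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Step 1: the client asks for a session token and states its TTL.
        if self.path == "/latest/api/token" and TOKEN_TTL_HEADER in self.headers:
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            self._send(200, token)
        else:
            self._send(400, "missing TTL header")

    def do_GET(self):
        # Steps 2 and 3 only answer when the token from step 1 is presented.
        if self.headers.get(TOKEN_HEADER) not in self.tokens:
            self._send(401, "IMDSv2 token required")
        elif self.path == "/latest/meta-data/iam/security-credentials/":
            self._send(200, ROLE_NAME)
        elif self.path == f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}":
            self._send(200, json.dumps(FAKE_CREDENTIALS))
        else:
            self._send(404, "not found")


def fetch_role_credentials(base_url):
    """Client side of the IMDSv2 exchange; returns the credential document."""
    req = urllib.request.Request(f"{base_url}/latest/api/token", method="PUT",
                                 headers={TOKEN_TTL_HEADER: "21600"})
    with urllib.request.urlopen(req) as resp:
        token = resp.read().decode()

    def get(path):
        r = urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token})
        with urllib.request.urlopen(r) as resp:
            return resp.read().decode()

    role = get("/latest/meta-data/iam/security-credentials/").strip()
    return json.loads(get(f"/latest/meta-data/iam/security-credentials/{role}"))


def run_demo():
    """Start the stand-in on a loopback port, fetch credentials, shut down.
    Returns the credential document and the status a token-less GET gets."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeImdsV2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        creds = fetch_role_credentials(base_url)
        try:   # what an SSRF'd IMDSv1-style client would do: plain GET, no token
            urllib.request.urlopen(base_url + "/latest/meta-data/iam/security-credentials/")
            unauth_status = 200
        except urllib.error.HTTPError as err:
            unauth_status = err.code
    finally:
        server.shutdown()
        server.server_close()
    return creds, unauth_status


if __name__ == "__main__":
    creds, status = run_demo()
    print("role credentials:", creds["AccessKeyId"], "expires", creds["Expiration"])
    print("token-less GET status:", status)
```

The credentials an application receives this way are temporary (note the Expiration field) and are tied to the role's permissions, which is why the role, not the instance, should be scoped to the one bucket it needs.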
44. Features of IAM
1. Shared access to your AWS account
2. Granular permissions
3. Secure access to AWS resources for applications running on EC2
4. Multi-factor authentication (MFA)
51. Demo - Create an S3 bucket using the MFA feature
Problem statement
To create an S3 bucket for a company where each user can read and write their own data, with Multi-Factor Authentication
52. Demo - Multi-Factor Authentication
Multi-Factor Authentication (MFA) is an additional level of security provided by AWS
Here, a user's identity is confirmed for AWS login only after two levels of verification: something you know (the password) and something you have (the MFA device)
For example, it works like the OTP you are asked for when you log in to your Gmail account:
Gmail: “Please provide the one-time password to log in” / “Your OTP is 2346”
53. Demo - Multi-Factor Authentication
Multi-Factor Authentication (MFA) is an additional level of security provided by AWS
Here, a user's identity is confirmed for AWS login only after performing two levels of verification
First step of security: log in with user name and password
Last step of security: enter the MFA code
Example: virtual MFA device
1. In the IAM service, select the user and choose to assign a virtual MFA device
2. Use an authenticator app on your smartphone (for example Google Authenticator)
3. Scan the QR code (barcode) shown in the console
4. Enter two consecutive codes from the app (******)
Result: “The MFA device was successfully associated”
56. Demo - Create an S3 bucket using the MFA feature
Problem statement
To create an S3 bucket for a company where each user can read and write their own data, with Multi-Factor Authentication
Task
To create policies and assign permissions for a user and a group:
• Provide access (read and write) to the developer group
• Provide a policy where a user is allowed to read objects in the S3 bucket but is denied writing them unless the request was made with MFA (the condition key for this is aws:MultiFactorAuthPresent)
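What the virtual MFA device in the demo above actually computes, as an added example that is not part of the deck or of any AWS or Google code. A virtual MFA device is an RFC 6238 TOTP generator: the QR code you scan carries a base32 shared secret, and every 30 seconds the app derives a six-digit code from HMAC-SHA1(secret, time step); the server holds the same secret and recomputes the code. The block uses RFC 6238's published test secret (not a real device), and adds the server-side checks a verifier needs: a one-step clock-skew window, a constant-time comparison, and refusal to accept the same time step twice. enroll() mirrors the console asking for two consecutive codes when the device is associated.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded the
# way it would travel inside an otpauth:// QR code.  Test data, not a real key.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class MfaVerifier:
    """Server side: accept one step of clock skew either way, compare in
    constant time, and never accept a step at or before the last used one."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue                    # replay of a used (or older) code
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


def enroll(secret_b32: str, unix_time: int) -> bool:
    """Mimic the console's enrolment: two consecutive codes prove that the
    device and the server share the secret and agree on the clock."""
    verifier = MfaVerifier(secret_b32)
    first = totp(secret_b32, unix_time)
    second = totp(secret_b32, unix_time + STEP_SECONDS)
    return verifier.verify(first, unix_time) and verifier.verify(second, unix_time + STEP_SECONDS)


if __name__ == "__main__":
    # RFC 6238 vector: at unix time 59 the 8-digit SHA-1 code is 94287082.
    print(totp(TEST_SECRET_B32, 59, 8), totp(TEST_SECRET_B32, 59))
    print("enrolment ok:", enroll(TEST_SECRET_B32, 1234567890))
```

The shared secret is the whole security of the device: whoever copies the QR code can produce the same codes, which is why the console shows it once and why the secret should never be stored next to the password it is meant to complement.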