Module 3
AWS Shared responsibility model

All about Security Principals, Securing Access and IAM
IAM Terminology
Resource
User, group, role, policy and identity-provider objects stored in IAM
Entity
IAM resource objects that are used by AWS for authentication (users and roles)
Identity
IAM resource objects that can be authorized in policies to perform actions and access resources (user, group, or role)
Principal
Person or application that can sign in and make requests to AWS

Best Practices
Follow the principle of least privilege.
Enable multi-factor authentication (MFA).
Require human users to access AWS by using temporary credentials.
Rotate access keys for use cases that require long-term credentials.
Use strong, complex passwords.
Secure local credentials.
Use AWS Organizations.
Enable AWS CloudTrail.
Protect the root user.
Plz protect the root user :-)

IAM Roles
Characteristics
Provides temporary security credentials
Isn't uniquely associated with one person
Can be assumed by a person, application or service
It is often used to delegate access
Use cases
An application that runs on Amazon Elastic Compute Cloud (Amazon EC2)
Cross-account access for an IAM user
Mobile application
IAM Policies and Permissions
Two types of policies:
Identity-based: Attach to an IAM user, group or role
Resource-based: Attach to an AWS resource
Both types can be used at the same time. Policies are written in JSON, each statement either allows or denies, and they should grant only least privilege.


Example of a resource-based policy
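The page's own policy example is not reproduced here. As an added illustration (not part of the original notes, and using a constructed bucket name rather than any real account or resource), the following Python shows an identity-based policy and a resource-based policy side by side, then models how the two are evaluated together for a request within one account: the request is denied by default, an explicit Deny in either policy wins, and otherwise an Allow from either policy grants access. The `evaluate` helper is a deliberately simplified model of that logic (it does not check the Principal element and supports only the Bool condition operator); it is not an AWS API.

```python
import fnmatch
import json

# Constructed sample policies: "example-bucket" is a placeholder, not a real bucket.
# Identity-based policy: attached to an IAM user, group or role.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyOnOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}

# Resource-based policy: attached to the bucket itself, so it carries a Principal element.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards (* and ?) map onto fnmatch's syntax; matching is case-sensitive here."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the Bool operator is modelled (enough for the sample policy above)."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Simplified same-account evaluation: default Deny; any matching explicit Deny wins;
    otherwise a matching Allow in any policy grants. The Principal element is not checked."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    both = [IDENTITY_POLICY, RESOURCE_POLICY]
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(json.dumps(RESOURCE_POLICY, indent=2))
    print(evaluate(both, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))   # Allow
    print(evaluate(both, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))  # Deny: explicit Deny wins
    print(evaluate(both, "s3:PutObject", obj, {"aws:SecureTransport": "true"}))   # Deny: nothing allows it
```

The third call is the least-privilege point in action: the identity-based policy lists only the two read actions, so a write is refused even though nothing explicitly denies it.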

Practice


