Module 3

AWS Shared responsibility model

All about Security Principals, Securing Access and IAM

IAM Terminology

Term (IAM)   Definition

Resource     User, group, role, policy and identity-provider objects stored in IAM

Entity       IAM resource objects that AWS uses for authentication (users and roles)

Identity     IAM resource objects that can be authorized in policies to perform actions and access resources (user, group or role)

Principal    Person or application that can sign in and make requests to AWS

An AWS access key (an access key ID plus a secret access key) is needed for the AWS CLI and for programmatic calls to AWS.

Best Practices

  • Follow the principle of least privilege.

  • Enable multi-factor authentication (MFA).

  • Require human users to access AWS by using temporary credentials.

  • Rotate access keys for use cases that require long-term credentials.

  • Use strong, complex passwords.

  • Secure local credentials.

  • Use AWS Organizations.

  • Enable AWS CloudTrail.

  • Protect the root user.

IAM Roles

  • Characteristics

    • Provides temporary security credentials

    • Isn't uniquely associated with one person

    • Can be assumed by a person, application or service

    • Often used to delegate access

  • Use cases

    • An application that runs on Amazon Elastic Compute Cloud (Amazon EC2)

    • Cross-account access for an IAM user

    • Mobile application

IAM Policies and Permissions

Two types of policies:

  • Identity-based: attached to an IAM user, group or role

  • Resource-based: attached to an AWS resource

Both types can apply to the same request. Policies are written in JSON, each statement either allows or denies actions, and they should follow least privilege.

Example of a resource-based policy
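The course page's own example is not reproduced here. The following is an added example (not from the original notes): a constructed identity-based policy and a constructed S3 bucket policy (resource-based), plus a small same-account evaluator that shows how the two interact: an explicit Deny in either policy wins, any Allow from either policy grants access, and otherwise the request is implicitly denied. The account ID 111122223333, the bucket and the role name are placeholders, and policy Conditions are ignored for brevity.

```python
import json
import fnmatch

# Constructed sample policies (added example, not from the course notes).
# Identity-based policy, assumed to be attached to role "app-role".
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

# Resource-based policy (an S3 bucket policy on example-bucket): names the
# principal it applies to, and explicitly denies deletes for everyone.
RESOURCE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, principal, action, resource, check_principal):
    """True if the statement applies to this request (Conditions are ignored)."""
    if check_principal:
        p = stmt.get("Principal")
        if not (p == "*" or (isinstance(p, dict) and principal in _as_list(p.get("AWS", [])))):
            return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def evaluate(principal, action, resource, identity_policy, resource_policy):
    """Same-account evaluation: an explicit Deny in either policy wins, then any
    Allow from either policy, otherwise the request is implicitly denied."""
    effects = [s["Effect"] for s in identity_policy["Statement"]
               if _matches(s, principal, action, resource, check_principal=False)]
    effects += [s["Effect"] for s in resource_policy["Statement"]
                if _matches(s, principal, action, resource, check_principal=True)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

Try it with `evaluate("arn:aws:iam::111122223333:role/app-role", "s3:DeleteObject", "arn:aws:s3:::example-bucket/a.txt", IDENTITY_POLICY, RESOURCE_POLICY)`: the identity-based policy allows the delete, but the bucket policy's explicit Deny overrides it.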

Practice
