AWS Certificate SAA - Course 2 IAM & AWS CLI

Published 2023-06-28 11:20:23 Author: MY93

IAM: Users & Groups

  • IAM = Identity and Access Management, a global service
  • A root account is created by default; it shouldn't be used for day-to-day work or shared
  • Users are people within your organization, and can be grouped

IAM: Permissions

  • Users and groups can be assigned JSON documents called policies
  • These policies define the permissions of the users
  • In AWS you apply the least privilege principle: don't give more permissions than a user needs

IAM Policies inheritance

IAM Policies Structure

  • A policy consists of

    • Version: policy language version, always include "2012-10-17"
    • ID: an identifier for the policy (optional)
    • Statement: one or more individual statements (required)
  • Each statement consists of

    • SID: an identifier for the statement (optional)
    • Effect: whether the statement allows or denies access (Allow, Deny)
    • Principal: account/user/role to which this policy applies
    • Action: list of actions this policy allows or denies
    • Resource: list of resources to which the actions apply
    • Condition: conditions for when this policy is in effect (optional)
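As an added example (not from the original notes or from AWS), the script below parses a constructed identity-based policy that uses every element listed above except Principal (identity-based policies attached to a user, group or role carry no Principal; it appears in resource-based policies), checks the required structure, and then flags the least-privilege violation the notes warn about: an Allow statement on Action "*" and Resource "*". The bucket name, Sid values and the policy Id are made up for the example.

```python
import json

# Constructed sample policy (not from the page). The second statement is
# deliberately over-broad so the linter has something to report.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Id": "example-reports-access",
  "Statement": [
    {
      "Sid": "ReadOnlyReports",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-reports-bucket",
        "arn:aws:s3:::example-reports-bucket/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "TooBroad",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
"""

# Elements every statement in this example must carry. The NotAction /
# NotResource variants that IAM also accepts are not handled here.
REQUIRED_STATEMENT_KEYS = {"Effect", "Action", "Resource"}


def as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return a list of findings (strings) for a policy given as a JSON string.

    Structural checks follow the elements listed in the notes (Version,
    Statement, Effect, Action, Resource); the last check flags statements
    that grant everything on everything, which violates least privilege."""
    findings = []
    policy = json.loads(document)

    if policy.get("Version") != "2012-10-17":
        findings.append('Version must be "2012-10-17"')

    statements = policy.get("Statement")
    if not statements:
        findings.append("Statement is required")
        return findings

    for index, statement in enumerate(as_list(statements)):
        label = statement.get("Sid", f"statement[{index}]")
        missing = REQUIRED_STATEMENT_KEYS - set(statement)
        if missing:
            findings.append(f"{label}: missing {sorted(missing)}")
            continue
        if statement["Effect"] not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny")
        actions = as_list(statement["Action"])
        resources = as_list(statement["Resource"])
        if statement["Effect"] == "Allow" and "*" in actions and "*" in resources:
            findings.append(f"{label}: Allow on Action * and Resource * grants full access")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run as a script it prints one finding for the TooBroad statement; the first statement passes because it names specific actions and resources and additionally requires MFA through a Condition.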

IAM - Password Policy

  • Strong passwords = higher security for your account
  • In AWS, you can set up a password policy:
    • Set a minimum password length
    • Require specific character types:
      • including uppercase letters
      • lowercase letters
      • numbers
      • non-alphanumeric characters
    • Allow all IAM users to change their own passwords (password expiration)
    • Prevent password re-use
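To make the policy options above concrete, here is an added example (my own code, not AWS's implementation or anything from the original notes) that evaluates a candidate password against a constructed policy with the same settings: minimum length, the four required character classes, and reuse prevention over the last N passwords. The policy values and the sample passwords are made up.

```python
import hashlib
import string

# Constructed policy settings mirroring the options listed in the notes.
PASSWORD_POLICY = {
    "minimum_length": 14,
    "require_uppercase": True,
    "require_lowercase": True,
    "require_numbers": True,
    "require_symbols": True,
    "password_reuse_prevention": 5,  # how many previous passwords are remembered
}

# Character classes for each "require_*" rule.
CHARACTER_CLASSES = {
    "require_uppercase": string.ascii_uppercase,
    "require_lowercase": string.ascii_lowercase,
    "require_numbers": string.digits,
    "require_symbols": string.punctuation,
}


def fingerprint(password):
    """Digest kept in the reuse history instead of the password itself.
    Illustration only: a real credential store uses a salted, slow hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, history, policy=PASSWORD_POLICY):
    """Return the names of the policy rules the candidate violates.

    history is the list of fingerprints of earlier passwords, oldest first;
    only the most recent `password_reuse_prevention` entries count."""
    failures = []
    if len(candidate) < policy["minimum_length"]:
        failures.append("minimum_length")
    for rule, alphabet in CHARACTER_CLASSES.items():
        if policy[rule] and not any(ch in alphabet for ch in candidate):
            failures.append(rule)
    remembered = history[-policy["password_reuse_prevention"]:]
    if fingerprint(candidate) in remembered:
        failures.append("password_reuse_prevention")
    return failures


if __name__ == "__main__":
    # Constructed history of three earlier passwords.
    previous = [fingerprint(p) for p in ("OldPassw0rd!2019", "OldPassw0rd!2020", "OldPassw0rd!2021")]
    for candidate in ("short1!", "OldPassw0rd!2021", "Fresh-Passw0rd-2023"):
        print(candidate, "->", check_password(candidate, previous) or "accepted")
```

An empty result means the candidate is accepted; the reuse check compares digests so that the history never stores the old passwords in clear.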

Multi Factor Authentication - MFA

  • Users have access to your account and can possibly change configurations or delete resources in your AWS account
  • You want to protect your root account and IAM users
  • MFA = password you know + security device you own
  • Main benefit of MFA:
    if a password is stolen or hacked, the account is not compromised

MFA devices options in AWS

  1. Virtual MFA device

    1. Google Authenticator (phone only)
    2. Authy (multi-device)
      Support for multiple tokens on a single device
  2. Universal 2nd Factor (U2F) Security Key

    • YubiKey by Yubico (3rd party)
      Support for multiple root and IAM users using a single security key
  3. Hardware Key Fob MFA Device

  4. Hardware Key Fob MFA Device for AWS GovCloud (US)
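The virtual MFA devices above (Google Authenticator, Authy) generate time-based one-time passwords. As an added example, not part of the original notes and not AWS's own code, the block below implements the standard TOTP algorithm (RFC 6238 on top of RFC 4226) with a verifier that tolerates one time step of clock drift. The secret is the RFC 6238 reference test secret, used here only because its expected codes are published; the base32 form shown is how a virtual MFA app receives the seed when you enrol a device.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), chosen so the
# generated codes can be checked against the published test vectors.
EXAMPLE_SECRET = b"12345678901234567890"
# Virtual MFA apps are seeded with the secret in base32 form (QR code or text).
EXAMPLE_SECRET_B32 = base64.b32encode(EXAMPLE_SECRET).decode("ascii")

TIME_STEP = 30  # seconds per code, the default used by common authenticator apps


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to floor(time / TIME_STEP)."""
    return hotp(secret, int(unix_time) // TIME_STEP, digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept a code for the current step or up to `window` steps either side,
    so a phone whose clock is slightly off still works. The comparison is
    constant-time so timing does not leak how many digits matched."""
    counter = int(unix_time) // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("seed shown to the authenticator app:", EXAMPLE_SECRET_B32)
    now = time.time()
    print("current code:", totp(EXAMPLE_SECRET, now))
    print("valid now?", verify_totp(EXAMPLE_SECRET, totp(EXAMPLE_SECRET, now), now))
```

Because the code depends only on the shared secret and the current 30-second step, a stolen password alone is not enough to sign in, which is the benefit the notes describe; the acceptance window should stay small, since every extra step widens the set of codes an attacker could guess.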