AWS Identity and Access Management (IAM)
Formal Metadata
Number of Parts | 10
License | CC Attribution 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/63080 (DOI)
Transcript: English (auto-generated)
00:12
Let's talk about identity and access management, IAM. Here we can see the IAM dashboard.
00:22
The IAM service is the main service that corresponds to permissions: what people have, your customers, if you want to provide customers,
00:42
or your developers with access to the AWS Management Console. The three main parts of IAM are users, roles, and policies.
01:04
Let's talk about users. An IAM user is an identity with long-term credentials that is used to interact with AWS in an account. For example, I have a Terraform user.
01:21
It's just my user, just the name of the user. So it has IAM, when it was created, an access key, and we can generate a second access key,
01:41
but I have only one access key connected to this user. After that, we can see permissions and groups here. A user can be a member of a group.
02:01
So a user group is a collection of IAM users. Use groups to specify permissions for a collection of users. A user can be a member of up to 10 groups in IAM. So, for example, you can create a user group, developers,
02:21
for example, without permissions to IAM; then you can have a group, database administrators, and they will have access only to the database. Then you have tags.
02:40
Tags are key-value pairs that you can add to an AWS resource to help identify, organize, or search for resources. Also, tags are important when you want to check Cost Explorer,
03:01
but IAM is free of charge, so here tags are more for organizing and searching. Then we have security credentials. This user is not allowed
03:20
to log in via the console, so the console password is not enabled, but the console sign-in link is generated here because it's just our account ID and signin.aws.amazon.com/console.
03:46
Then we can enable multi-factor authorization for this user, and here we can specify an access key. This access key and secret access key, after generating them, we can use in our AWS world
04:02
to use these credentials to operate as this user, to make some changes in our AWS account. For example, now I have the user,
04:30
the Terraform user, enabled, so we can check this ID, for example, in my environment variables, so I can show you AWS,
04:45
and they have the access key ID, and we can see that it is the same key. So now I am using exactly this user, and also this was done via AWS. Okay, so now I can try to type aws s3,
05:04
and I will get all these S3 buckets. Then we go to permissions and try to delete, to remove all these policies from this user.
05:20
Some changes can take up to 15 seconds, but let's try immediately, almost. It's still working, so we have, yeah. Some changes take some time. And now we are not enabled,
05:41
as this user, to check buckets in our account. So, for example, then we want to grant permissions to this user. We can go and click add permissions; for example, now we are able to add existing permissions
06:06
or create an inline policy. An inline policy will be connected only to this user, and the inline policy can be reusable. So then let's try to add existing permissions,
06:21
and we have here a user group, backend developers, with some permissions, with one user there, and also with some policy. We can copy permissions from existing permissions, from existing policies or from existing users,
06:42
or we can attach a policy directly. Here we have permission policies, and this icon in this predefined policy by AWS, and also we can see here the AWS managed policy, and also how many entities are attached to this policy,
07:07
so the state of access has users and some roles. But we are looking for S3,
07:22
and we just want S3. Let's try to add it, and try to check our list of buckets again. It's not working yet, try once more, and it works.
07:43
So here is how you can control permissions for your user. Let's talk about roles. An IAM role is an identity you can create that has specific permissions with credentials
08:02
that are valid for short durations. Roles can be assumed by entities that you trust. So, for example, we also have here a list of roles.
08:21
We don't have any predefined roles, so we have just the roles that we have created, or that some services created for us, for example, when we create an API Gateway,
08:42
and we don't go here to roles and create this role. While creating the API Gateway, the API Gateway service will create this role in the IAM service and create a role for itself.
09:02
The main difference between users and roles: you don't have an access key ID and secret access key here, but if you want to work with Lambda, you have to grant permissions to Lambda using roles. So, for example, we have here some Lambda role,
09:25
let's check it. Here we have all the same permissions, all the same as this user; then we have trust relationships,
09:42
we have the same key-value pairs, Access Advisor, which shows us what the services are for this role in human-readable format, and revoke sessions.
10:03
We can revoke all sessions for this role. Then we have edit here; click edit here on the summary, and sometimes maybe we need to change the session duration;
10:26
at max it can be four hours, but after that you have to regenerate your temporary permissions, your temporary credentials, to work with this role further.
10:43
And let's talk about policies. A policy is an object in AWS that defines permissions. So after creating a policy, we can attach it to groups, user groups,
11:01
to users, or to roles. We have customer-managed policies, and somewhere here, AWS-managed policies. All the same, this icon means it's an AWS-managed policy.
11:22
Let's try to create a policy by hitting this button, create policy. And let's try to, we can create this policy using this editor, or via JSON format.
11:42
Also, my personal recommendation is to use the AWS Policy Generator. You can select IAM policy, then we have to choose allow or deny, and then we want to choose the AWS service;
12:04
let's try S3 bucket, and we, for example, want to list all buckets. So here the policy is in human-readable format, and we want to list all my buckets here,
12:23
and on what resource we want to allow this action. So, for example, I want to list all my buckets. So here I put a star and click add statement. So we have here, in this format, the policy action.
12:47
If we click generate policy, we will have the full policy document. This format we can just copy and paste here. We have version; the version is always the same,
13:02
and we have here the statement. And the statement also has a Sid; this is just the name of your statement, so it can be anything. So like this, I will list S3.
13:28
Then we have actions. If you want multiple actions, we can add them like this. And, for example, add the next action, create bucket.
13:43
And I must again specify that statement. We have create bucket here. I can copy it and paste it here. After that, I can go to the next page. I have here like a summary of permissions,
14:05
and I have to add a policy name, for example, S3 list and create bucket.
14:21
And then hit create policy. And my policy is created. Let's try to search for it. I have here a hidden list, and, for example, I want to add it to my user, the Terraform user,
14:40
and by hitting add permissions here, attach policy directly, search for my permission, click here, check box, next, check the details and permission summary, and add permissions. And my permission will appear here,
15:02
and it appears here. So now I have expanded the permissions of this Terraform user.
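As an added example (not part of the lecture or the speaker's AWS account), here is the policy document the speaker assembles with the Policy Generator (s3:ListAllMyBuckets plus s3:CreateBucket on Resource "*", with a constructed Sid and policy name), together with a small Python evaluator that mimics the three rules behind what the video shows: nothing attached means implicit deny (the failing `aws s3 ls`), a matching Allow grants the call, and an explicit Deny always wins. The second policy with the Deny is constructed for the demonstration, and the evaluator is a simplification of IAM's real evaluation logic (no conditions, permission boundaries or resource policies).

```python
"""Added example: the IAM policy from the lecture and a simplified evaluator.
Simplification of IAM's logic: implicit deny, explicit Deny beats Allow,
"*" and "?" wildcards in Action and Resource. Not AWS code."""
import fnmatch
import json

# Policy as generated in the video; the Sid is just a statement name (constructed here).
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ListAndCreateBucket",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:CreateBucket"],
      "Resource": "*"
    }
  ]
}"""

# Constructed second policy: an explicit Deny on bucket creation to show precedence.
DENY_CREATE_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "NoBucketCreation", "Effect": "Deny",
     "Action": "s3:CreateBucket", "Resource": "*"}
  ]
}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request under the attached policy documents."""
    decision = "Deny"  # implicit deny: the state after all policies were removed from the user
    for doc in policies:
        for stmt in json.loads(doc)["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny overrides every Allow
                decision = "Allow"
    return decision

if __name__ == "__main__":
    # "aws s3 ls" needs s3:ListAllMyBuckets on resource "*"
    print(evaluate([], "s3:ListAllMyBuckets", "*"))                            # Deny
    print(evaluate([POLICY_JSON], "s3:ListAllMyBuckets", "*"))                 # Allow
    print(evaluate([POLICY_JSON, DENY_CREATE_JSON], "s3:CreateBucket", "*"))   # Deny
```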