
AWS IAM (Identity and Access Management) - Deep Dive

Training Architect
Craig Arcuri
Craig Arcuri is passionate about Cloud Computing and particularly Amazon Web Services. Craig's background includes Systems and Network Engineering, Software Engineering, Technical Leadership and Project Management. Craig currently holds four Amazon Web Services certifications (Solutions Architect, SysAdmin, and Developer at the Associate level, as well as the Solutions Architect Professional certification).

Course Introduction

Introduction

Course Introduction

00:02:31

About the Training Architect

00:01:13

Introduction to IAM Secure Corporation

00:03:57

Course Features and Tools

00:04:52

AWS Free Tier: Usage Tracking and Billing Widget

00:03:56

Enterprise Wide Account Setup

Account Setup With Root Account

Manage Your Root User

00:11:05

Creating an Admin Group and User

00:15:59

Create Admin Users and Groups from the CLI

00:18:57

Tasks That Require Root User

00:10:14

QUIZ: IAM Account Setup with Root Account

00:15:00

Setup of Company Accounts

Creation of Employee Accounts

00:12:05

Access Key Management for All Users

00:12:54

Creating IAM Groups for Your Teams

00:11:51

Add Users to Groups

00:07:17

Configuring MFA For Users

00:04:56

QUIZ: IAM Setup of Company Accounts

00:15:00

BONUS Material: Introduction to a Cloud Assessment Learning Activity

Cloud Assessments Learning Activity: Identity and Access Management (IAM)

00:01:39

Learning Activity: Introduction to AWS Identity and Access Management (IAM)

00:30:00

Working With Policies

Identity Based IAM Policies

Policy Overview For IAM Secure Corporation

00:10:07

Implementing IAM Policies For All Users

00:09:57

Implementing IAM Policies For Specific Users/Groups

00:13:56

Enable Users to Configure Their Own Credentials and MFA

00:14:30

Using Managed Access Policies to Create a Limited Administrator

00:09:11

Granting Limited Permissions With Inline Policies

00:09:31

QUIZ: IAM Identity Based Policies

00:15:00

Using Policies To Access Resources

Overview of Using Policies to Control S3 Bucket Access

00:08:45

Configuration of IAMSecure Corp S3 Bucket Folder Structure

00:09:58

Attaching Policies to Groups For S3 Bucket Access

00:14:40

Using Policies to Grant Users Specific S3 Bucket Permissions

00:11:48

Accessing S3 Buckets From Outside the Account

00:08:12

Creating Policies With The Visual Editor

00:16:48

QUIZ: IAM Using Policies to control S3 Bucket access

00:15:00

QUIZ: IAM Resource Policies and the Visual Editor

00:15:00

IAM Roles and Advanced Concepts

Understanding and Applying IAM Roles

Strategies for IAM Roles

00:09:57

Resource Level Permission for EC2 Instances via Roles

00:08:52

Cross-Account Access

00:09:30

Web Identity Federation

00:09:59

Providing Access to AWS Accounts Owned by Third Parties

00:07:03

QUIZ: IAM Roles

00:15:00

IAM Advanced Concepts

The Confused Deputy Problem

00:08:22

Sharing CloudTrail Log Files Between AWS Accounts

00:06:18

EC2 Instance Profiles

00:12:08

Delegate Access to the Billing Console

00:07:19

Calling AssumeRole From Python

00:10:57

Creating IAM Users and Groups with CloudFormation

00:15:54

QUIZ: IAM Advanced Concepts

00:15:00

IAM Best Practices and Troubleshooting

Best Practices and Troubleshooting

Best Practices

00:12:47

General Troubleshooting of IAM

00:08:40

Troubleshooting Policies

00:12:03

Troubleshooting Policies 2 (with Intro to AWS Auto Scaling)

00:16:43

Troubleshooting IAM Roles and EC2

00:15:48

QUIZ: IAM Troubleshooting and Best Practices

00:15:00

Course Conclusion

Final Steps

What's Next?

00:01:40

Get Recognized!

00:00:46

Details

This course will give the student in-depth experience with Identity and Access Management. The course starts with basic concepts, such as root account management, and builds on that foundation. The student can use their own AWS account to follow along with the lessons, configuring Identity and Access Management for a small (fictitious) company. By the end of the course, the student will have gained extensive experience configuring Identity and Access Management for a company of any size.


Before beginning any of the lessons for this course, make sure to download the appropriate policy for the given lesson in the Downloads section of the course. 

Study Guides

Policy for Implementing IAM Policies For All Users

This is a custom policy that denies requests based on an IP address range. Alter the policy to contain the range of addresses from which you want to allow requests (the range must include the IP address of your testing device). Requests from outside this range will be denied. You can test this policy with two devices, one inside the range and one outside it.
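A policy of that shape, added here as an illustration rather than the course download (the range 192.0.2.0/24 is a documentation placeholder; put your own range there):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsFromOutsideCorporateRange",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["192.0.2.0/24"]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

An explicit Deny overrides every Allow, so users inside the range still need their normal Allow policies to do anything; this policy only fences them in. The `aws:ViaAWSService` condition stops the Deny from firing on calls a service such as CloudFormation makes on the user's behalf, where `aws:SourceIp` carries the service's address rather than yours. Attach it to a throwaway test user first and confirm the in-range device still works: if your own address is outside the range, everyone holding the policy is locked out until a different identity removes it.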

Policy for Enable Users to Configure Their Own Credentials and MFA

This policy denies all permissions except those required for IAM users to manage their own credentials and MFA devices. By implementing this policy you give users the ability to manage their own credentials.
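An example of such a policy, added here and not the course's own download, following the pattern AWS documents for MFA self-service. It relies on the `${aws:username}` policy variable so one policy serves every user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswordAndAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

`BoolIfExists` matters: a request signed with long-term access keys carries no `aws:MultiFactorAuthPresent` key at all, and `IfExists` makes that count as "false", so plain access keys are denied just like a console session without MFA. Only the actions needed to enrol a device are exempt from the Deny, so a new user must add an MFA device and sign in again before anything else, including rotating access keys, works.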

Policy #1 for Using Managed Access Policies to Create a Limited Administrator

This policy can be used in the lesson to grant limited administrator access. Please note that on line 37 of this policy you must replace ############ with your AWS Account number.

Policy #2 for Using Managed Access Policies to Create a Limited Administrator

This policy is used in the lesson to give the Limited Administrator S3 Bucket access.

Policy for Granting Limited Permissions With Inline Policies

This is an inline policy used in the lesson, attached to a specific user (Cenzo), to grant access to the IAM Policy Simulator. The policy is tested in the lesson by navigating to the Policy Simulator at: https://policysim.aws.amazon.com/home/index.jsp?#

Policy #1 for 'Using Policies to Grant Users Specific S3 Bucket Permissions'

This is a Customer Managed Policy used in the lesson to enable access to list buckets and root level folders.

Policy #2 for 'Using Policies to Grant Users Specific S3 Bucket Permissions'

This policy is used in the lesson to enable access to the QA folder. Note that this policy can be reused to grant access to any of the folders in the iamsecurecorp bucket by simply changing the folder name in the ARN on line 29 of this policy.
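A customer managed policy covering both of the preceding lessons' needs (listing buckets and root-level folders, then working inside one folder), added here as an illustration and not the course download. It uses the bucket name from the lesson and the QA folder; swap `QA/` for another prefix to reuse it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingBucketsInConsole",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "AllowListingRootAndQaFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::iamsecurecorp",
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "QA/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingInsideQaFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::iamsecurecorp",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["QA/*"]
        }
      }
    },
    {
      "Sid": "AllowObjectAccessInQaFolder",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::iamsecurecorp/QA/*"
    }
  ]
}
```

Two things to check when testing: `s3:ListBucket` is evaluated against the bucket ARN, not the folder ARN, which is why the folder restriction has to be expressed through the `s3:prefix` condition rather than the Resource; and the root-level listing statement reveals the names of the other folders (Dev, Prod and so on) even though their contents stay off limits. If that leak matters, drop the `""` prefix and hand users the folder path directly.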

Policy for 'Accessing S3 Buckets From Outside the Account'

This Bucket Policy is used in the lesson to grant access to the iamsecurecorp bucket from outside the account. On line 8 of this policy, enter the AWS account number of the account to which you want to give S3 bucket access.
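A bucket policy of that kind, added here as an illustration rather than the course download, keeping the page's `############` placeholder for the other account's ID:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOtherAccountListing",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::############:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::iamsecurecorp"
    },
    {
      "Sid": "AllowOtherAccountObjectAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::############:root"
      },
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::iamsecurecorp/*"
    }
  ]
}
```

The `:root` principal delegates to the other account as a whole; it does not by itself give any user there access. Cross-account requests must be allowed on both sides, so an administrator of the other account still has to attach an identity policy allowing these S3 actions on `iamsecurecorp` to the users or roles that need them. If the bucket still uses ACLs, objects the other account uploads remain owned by that account unless it sets `bucket-owner-full-control`; buckets with Object Ownership set to "bucket owner enforced" sidestep the problem.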

Policy for 'Cross-Account Access'

This policy will be used to enable cross-account access. In line 6 of this policy, replace ############ with the ID of the second account you are using if you are following along with this lesson.

Policy for 'The Confused Deputy Problem'

When working along with this lesson, you create the role called 3rdParty. During the creation of the role, paste in the code from this policy when editing the trust relationship. In line 7 of this policy, replace ############ with the account ID of the account you are using as the 3rd Party account. In line 20 of this policy, replace ############ with the account ID of your primary AWS account.
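A trust policy for a role such as 3rdParty, serving both the cross-account lesson and the confused deputy lesson, added here as an illustration and not the course download. The `############` placeholder is the 3rd Party account's ID, and the `sts:ExternalId` value is an assumed example string:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustThirdPartyAccountWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::############:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "iamsecure-3rdparty-7f3c1a"
        }
      }
    }
  ]
}
```

Without the Condition this is the plain cross-account trust: anyone in the other account whose own policies allow `sts:AssumeRole` on this role can assume it. The confused deputy problem appears when the other account belongs to a service provider with many customers: a malicious customer can hand the provider your role ARN, and the provider's automation will dutifully assume it. Requiring an ExternalId that the provider assigns uniquely to you (and sends with the `--external-id` option of `aws sts assume-role`) means a call made on another customer's behalf fails the condition. The ExternalId is not a secret and is not a replacement for scoping the role's permissions policy tightly; it only binds the role to one customer relationship.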

Bucket Policy for 'Sharing CloudTrail Log Files Between AWS Accounts'

This is a Bucket Policy for the bucket iamsecurelogs. It enables sharing log files between accounts. Replace the ############ in line 21 with your primary AWS account number. Replace the ############ in line 22 with your secondary AWS account number.
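A bucket policy of that shape for iamsecurelogs, added here as an illustration and not the course download. The first `############` in the PutObject resources stands for the primary account and the second for the secondary account, matching the lesson's placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::iamsecurelogs"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::iamsecurelogs/AWSLogs/############/*",
        "arn:aws:s3:::iamsecurelogs/AWSLogs/############/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

The principal is the CloudTrail service, not either account, so each account's trail writes only under its own `AWSLogs/<account-id>/` prefix; a trail configured in the secondary account will fail validation until its prefix appears here. Because a service principal can be pointed at your bucket by a trail in any account, AWS now recommends adding an `aws:SourceArn` condition naming your trail ARNs, which is the same confused deputy guard the course covers for roles. Sharing in the other direction (letting the secondary account read its logs) is done with a role in the primary account whose permissions policy allows `s3:GetObject` on that account's prefix only.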

Policy #1 for 'Delegate Access to the Billing Console'

This is the policy used to grant full access to the Billing Console.

Policy #2 for 'Delegate Access to the Billing Console'

This policy grants read only access to the Billing Console.

Python script for 'Calling AssumeRole From Python'

This Python script is used in the lesson to access an S3 Bucket from an EC2 instance that has been launched with a role.

CloudFormation Template for 'Using CloudFormation For IAM Configuration'

This CloudFormation template is used in the lesson to create users and a group.

Policy for 'Troubleshooting Policies'

This policy is used in the lesson to demonstrate creating a policy that denies permissions.

IAM Deep Dive CLI Commands

This document contains all of the AWS Command Line Interface (CLI) commands used throughout the course. The commands are grouped by lesson (not all lessons use the CLI so this is not a complete list of lessons).

Instructor Deck
