AWS IAM (Identity and Access Management) – Deep Dive
April 30th, 2018
AWS Training Architect II in Content
This course will give the student an in-depth experience with Identity and Access Management. The course will start off covering basic concepts, such as root account management, and continue to build on this initial foundation. The student can use their own AWS account to follow along with the lessons in configuring Identity and Access Management for a small (fictitious) company. At the end of the course, the student will have gained extensive experience in configuring Identity and Access Management for a company of any size.
Before beginning any of the lessons for this course, make sure to download the appropriate policy for the given lesson in the Downloads section of the course.
This lesson provides an overview of the Identity and Access Management Deep Dive Course. The student will be given an overview of the course, its key concepts, and the techniques used throughout the course.
About the Training Architect
Introducing the author and his background.
Introduction to IAM Secure Corporation
This lesson details the fictitious corporation for which the student has been hired as a Lead Solutions Architect. The lesson will describe the overall goal of the course, detail the employees and groups of the company, and preview the steps needed to get the company on AWS.
Course Features and Tools
This lesson introduces the tools and resources available to the student throughout the course. The student will learn how to create flashcard sets and use existing sets. The student will also be introduced to the downloads available for the course and the Course Scheduler.
AWS Free Tier: Usage Tracking and Billing Widget
This video gives you a walkthrough on how to use the AWS Free Tier Tracking and Billing Widget for your own AWS Account.
Enterprise Wide Account Setup
Account Setup With Root Account
Manage Your Root User
When first creating an AWS account, you'll log in with your email address and a password. This is the root login, and it is best practice to lock away the root account for safekeeping. This lesson will detail the steps necessary to lock away your root account and quickly improve the security of your AWS environment.
Creating an Admin Group and User
This lesson describes how to create an Admin Group and User with full administrator privileges. We will also discuss some best practices for handling the root account credentials. By creating an Admin user, which can be used for the majority of administrative tasks, the root account can be locked away and used only if necessary.
Create Admin Users and Groups from the CLI
This lesson walks through using the Command Line Interface to create an Admin Group, attach an Administrator Access Policy to that group, create a user, and place the user in the admin group. While this lesson performs the same tasks as the previous lesson, it will provide experience configuring IAM from the Command Line Interface.
Tasks That Require Root User
We have taken steps to secure the root account and lock it away unless absolutely necessary. This lesson will detail the tasks that require the root account. The student will be exposed to these tasks and will know where to access the necessary resources and how to perform the tasks.
QUIZ: IAM Account Setup with Root Account
Setup of Company Accounts
Creation of Employee Accounts
In this lesson you will create the employee accounts for IAM Secure Corporation. The student will learn how to create multiple users using the AWS Management Console, how to enable the access types each user needs, and how to prepare the environment for the introduction of Groups and Policies.
Access Key Management for All Users
This lesson details how to manage access keys for all users. Users who need to work with the CLI or APIs need to have access keys. Once created, it is important to understand how to manage access keys. This includes listing access keys for each user, finding the owner of an access key, creating, modifying, and deleting access keys, and rotating access keys.
Creating IAM Groups for Your Teams
This lesson walks through how to create IAM groups for the various teams in your company. It is highly beneficial to set up your IAM environment using Groups. The groups can be named by job function or department (anything that makes sense). IAM Users can be placed in those groups, and policies can then be applied to the group rather than to each user individually. This greatly eases the burden of managing policies in your IAM environment.
Add Users to Groups
This lesson walks through how to add employees of IAM Secure Corporation to the appropriate IAM Groups. By placing users into their appropriate groups by job function, you can begin applying policies to each group. Additionally, you can place all of your users into an "All Users" group to easily apply permissions that you want to grant (or deny) to your entire organization.
Configuring MFA For Users
This lesson will detail Multi-Factor Authentication and walk through setting up MFA for one user. Multi-Factor Authentication is a best practice IAM security step. By using Virtual MFA or Hardware MFA, you can add a second level of security to help ensure that only authorized users are gaining access to your AWS environment.
QUIZ: IAM Setup of Company Accounts
BONUS Material: Introduction to a Cloud Assessment Learning Activity
Cloud Assessments Learning Activity: Identity and Access Management (IAM)
This is a Cloud Assessments Learning Activity which enables the student to go to Cloud Assessments and work with IAM in a live AWS environment. This is not directly related to the course task of Configuring IAM Secure Corporation, but working with IAM in a live AWS environment is a valuable exercise for the student.
Working With Policies
Identity Based IAM Policies
Policy Overview For IAM Secure Corporation
This lesson details the different kinds of policies that will be used in the course. This is one of the few lessons that is more conceptual than task oriented, but it sets up the rest of the section, which will be task oriented. The student will learn about Identity-Based Policies as well as Resource-Based Policies and will be given an overview of how these policies will be applied to IAM Secure Corporation.
Implementing IAM Policies For All Users
This lesson gives an overview of creating policies for all users across your organization. Creating an IAM Group for All Users in your organization can enable you to grant or deny specific permissions to everyone in an AWS environment. The student will learn to create a policy which will deny requests that are made from an IP address outside of a specified range (the company IP range).
Implementing IAM Policies For Specific Users/Groups
This lesson will discuss policies which can be implemented for specific users and groups in your organization and walks through attaching these policies to your groups. The student will learn how to create policies, and use AWS Managed Policies, to grant permissions based on Group/Job Function.
Enable Users to Configure Their Own Credentials and MFA
This lesson will walk through the configuration to enable users to configure their own MFA device. As an organization grows, it can be helpful to allow users to configure their own credentials (such as access key rotation) and to utilize and manage multi-factor authentication.
Using Managed Access Policies to Create a Limited Administrator
This lesson will walk through using policies to grant a user limited administrator permissions. There may be instances where you want an Administrator to have a limited set of permissions that they can grant. An appropriate use case for this would be bringing in a team of consultants and designating one consultant as an Administrator. Knowing how to configure a Limited Administrator is a direct application of the best practice of least privilege.
Granting Limited Permissions With Inline Policies
This lesson uses an inline policy to allow one user to access the Policy Simulator Console. There will be times when you want to grant permissions to only one user. An Inline Policy will meet this requirement because it can be attached to a single user. Additionally, if the user is deleted, the inline policy is deleted with it.
QUIZ: IAM Identity Based Policies
Using Policies To Access Resources
Overview of Using Policies to Control S3 Bucket Access
This lesson is more conceptual than task oriented and details the use of policies to control S3 Bucket access. The rest of this section will be task-oriented, but it is important to understand the concepts that will be applied in the rest of this section. In addition to S3 Bucket Policies, access to S3 Buckets can be granted using Identity-Based Policies and applying them to specific users or groups.
Configuration of IAMSecure Corp S3 Bucket Folder Structure
In this lesson, the student will be walked through creating an S3 Bucket and the bucket folder structure for IAM Secure Corp. Although S3 Buckets are not hierarchical in nature, their folder structure appears to be hierarchical when viewed in the AWS Management Console. The student will learn how to set up this structure in preparation for applying policies to the users and groups who will be accessing the folders.
Attaching Policies to Groups For S3 Bucket Access
This lesson walks through the task of attaching Policies to IAM Secure Corp Groups For S3 Bucket Access. The most commonly known way of granting access to S3 Buckets is via Bucket Policies. But Identity Based Policies can be used as well, and they are ideal when granting permissions to an S3 Bucket based on Group/Job Function.
Using Policies to Grant Users Specific S3 Bucket Permissions
This lesson walks through the task of implementing policies to grant users specific S3 bucket permissions. Attaching Policies to Groups is a great way to manage permissions by job function. But there are bound to be outliers where you want to grant S3 Folder access to only specific users. This is the perfect use case for attaching inline policies to specific users. The student will learn this technique in this lesson.
Accessing S3 Buckets From Outside the Account
This lesson walks through using S3 Bucket policies to give S3 Bucket access to a second AWS account. The student will learn how to create a trust between two AWS Accounts. This trust will enable cross-account access to an S3 Bucket in the primary account. A common use case for this technique is if you need to give a sub-contractor team with an AWS Account access to an S3 Bucket in your company account.
Creating Policies With The Visual Editor
This lesson walks through using the IAM Policy Visual Editor to create policies. The Visual Editor is relatively new (November 2017), but can be a crucial tool in creating and troubleshooting IAM Policies. The student will learn how to use the Visual Editor in creating policies, and also learn the full power of the Visual Editor in troubleshooting issues with IAM Policies.
QUIZ: IAM Using Policies to control S3 Bucket access
QUIZ: IAM Resource Policies and the Visual Editor
IAM Roles and Advanced Concepts
Understanding and Applying IAM Roles
Strategies for IAM Roles
This lesson gives an overview of various ways that IAM Roles can be used. This is a conceptual lesson which sets up the rest of the task-oriented lessons in this section. The student will learn about creating roles to attach to EC2 Instances, roles for Cross-Account access, Web Identity Federation, and for 3rd Parties.
Resource Level Permission for EC2 Instances via Roles
This lesson walks through the task of creating an IAM Role which will be attached to an EC2 instance at launch time. Applications on EC2 Instances often need to access AWS Resources. The student will learn how to configure a role for the purpose, attach the role to an EC2 instance at launch time, and enable access to an S3 Bucket from the EC2 Instance. The techniques learned in this lesson can be applied to delegate access to other types of resources using IAM Roles.
This lesson walks through the task of setting up cross-account access using a role. The student will learn how to create access policies which can be attached to a Role. The role can then be delegated to a second account to provide cross-account access. This will prepare the student for the common scenario where they need to configure cross-account access between Dev and Prod accounts.
Web Identity Federation
This lesson walks through the inner workings of Web Identity Federation using the AWS Web Identity Federation Playground. The student will learn about the inner workings of configuring web identity federation including viewing data in request/response headers.
Providing Access to AWS Accounts Owned by Third Parties
This lesson details the steps to give AWS access to 3rd parties and also details some of the issues that may be encountered, specifically the Confused Deputy Problem. Granting access to your AWS account for a 3rd Party is a common scenario that the student will learn how to perform. But the student will also learn about some of the security pitfalls introduced if the configuration is not performed in a best practice manner.
QUIZ: IAM Roles
IAM Advanced Concepts
The Confused Deputy Problem
This lesson describes the pitfalls of providing AWS access to 3rd parties without requiring the optional External ID. Sometimes making mistakes is the best learning tool. The student will learn from the mistake of not requiring an External ID for a 3rd Party without the repercussions of doing it in a live environment. The student will also learn how to properly configure access for a 3rd Party using the External ID.
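As an added example that is not part of the course or its downloadable policies, the following small Python checker evaluates the two policy conditions the lessons lean on: the "All Users" deny for requests from outside the company IP range, and the External ID condition on a third-party trust policy that defeats the Confused Deputy Problem. The account ID, CIDR and External ID are constructed placeholders, and the checker supports only the two condition operators those statements use.

```python
import ipaddress

# Constructed sample policies (placeholders, not the course's downloads):
# (1) the "All Users" statement that denies requests from outside the company range
COMPANY_RANGE_DENY = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
}
# (2) the trust statement for a third-party role; THIRD_PARTY_ARN and the
# External ID are placeholders for the values the real third party would supply
THIRD_PARTY_ARN = "arn:aws:iam::111111111111:root"
TRUST_WITH_EXTERNAL_ID = {
    "Effect": "Allow",
    "Principal": {"AWS": THIRD_PARTY_ARN},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
}
TRUST_WITHOUT_EXTERNAL_ID = {k: v for k, v in TRUST_WITH_EXTERNAL_ID.items()
                             if k != "Condition"}


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block holds for the request."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in allowed:
                    return False
            elif operator == "NotIpAddress":
                if actual is None:
                    continue  # negated operator: a missing key is treated as a match
                ip = ipaddress.ip_address(actual)
                if any(ip in ipaddress.ip_network(cidr) for cidr in allowed):
                    return False  # inside one of the listed ranges, so NOT matched
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def deny_applies(statement, context):
    """Does this Deny statement fire for the request context (e.g. the caller's aws:SourceIp)?"""
    return statement["Effect"] == "Deny" and condition_matches(statement.get("Condition", {}), context)


def assume_role_allowed(trust_statement, context):
    """Would sts:AssumeRole succeed for the calling principal under this trust statement?"""
    if context.get("principal") != trust_statement["Principal"]["AWS"]:
        return False
    return condition_matches(trust_statement.get("Condition", {}), context)
```

Without the External ID condition, every AssumeRole call from the trusted third-party account succeeds regardless of which of the third party's customers asked for it; with it, the third party must present the ID you issued.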
Sharing CloudTrail Log Files Between AWS Accounts
This lesson walks through the creation of an S3 Bucket to store CloudTrail log files from two separate AWS accounts. This will entail modifying an S3 Bucket policy to accommodate two AWS accounts. A common scenario would be for a company with a Dev account and a Prod account. Sharing CloudTrail Log files will enable consolidation of this data into one common location.
EC2 Instance Profiles
This lesson details Instance Profiles and creating them from the command line. It is important to understand that, when attaching a role to an EC2 Instance from the IAM Management Console, the item in the drop-down is an Instance Profile and not a Role. When a Role is created in the Management Console, the Instance Profile is given the same name. By creating Instance Profiles from the CLI, there is more flexibility in naming the Instance Profile (it can be named differently than the Role), and also in attaching a different role to the Instance Profile.
Delegate Access to the Billing Console
This lesson walks through delegating access to the Billing Console and subsequently creating policies and attaching them to groups to grant billing access. By default, only the root account has access to the Billing Console. The student will learn how to use the root account to grant other accounts (typically Management) access to the Billing Console.
Calling AssumeRole From Python
In a previous lesson, the student learned how to attach a role to an EC2 Instance to enable the instance to interact with an S3 Bucket. This lesson takes it a step further and demonstrates a more practical example. The user will learn how to use the Python scripting language on the EC2 Instance to interact with the S3 Bucket. Although not a thorough investigation of Python, the lesson will show how to use the software on an EC2 Instance to interact with S3 via Roles.
Creating IAM Users and Groups with CloudFormation
There are times when it would be helpful to mass produce users and groups. A common scenario for this would be onboarding a large group of employees or sub-contractors. This lesson will show the student how to configure multiple users at once using CloudFormation and place those users into groups.
QUIZ: IAM Advanced Concepts
IAM Best Practices and Troubleshooting
Best Practices and Troubleshooting
IAM is a crucial part of AWS, and it is important to use best practices when configuring IAM. This course is demonstrated using Best Practices, but it is helpful to have a catalog or checklist of Best Practices. The lesson will review Best Practices utilized in the course as well as demonstrate a few more held back for this lesson.
General Troubleshooting of IAM
It is unrealistic to think that configuring IAM will be free of difficulties. This lesson will detail the general troubleshooting techniques used for IAM, as well as the most common issues and techniques for correcting them. The lesson can serve as a catalog for troubleshooting common IAM issues.
Policies are at the heart of configuring IAM, and their proper configuration and maintenance are crucial to IAM functioning properly. This lesson will expose the student to the techniques and tools available to troubleshoot IAM Policies. The IAM Policy Visual Editor is a recent addition (November 2017) and can be an excellent tool to configure policies and pinpoint and troubleshoot any issues with policies.
Troubleshooting Policies 2 (with Intro to AWS Auto Scaling)
This lesson continues with Troubleshooting IAM Policies and provides an introduction to the newly released AWS Auto Scaling. In attempting to work with AWS Auto Scaling, some permission issues occur which require troubleshooting the permissions in place for an Admin user. After the troubleshooting issues are resolved, an introduction to AWS Auto Scaling and its configuration will enable the student to begin using it.
Troubleshooting IAM Roles and EC2
IAM Roles and EC2 Instances, which can be launched with IAM Roles, are closely linked. This lesson will expose the student to troubleshooting Roles on their own and troubleshooting Roles in their interaction with EC2 Instances.
QUIZ: IAM Troubleshooting and Best Practices
This video details next steps that can be taken by the student after completing the Identity and Access Management Deep Dive.
Now that you have completed this course, get recognized for your accomplishment. Connect with Anthony James on LinkedIn and post your certificate of completion to share your accomplishment with the world.