AWS : Developer : AWS ::: IAM ::: Section 4 ::: IAM & AWS CLI
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Sections 1 through 11 cover all the fundamentals of AWS.
AWS CLI : https://docs.aws.amazon.com/cli/latest/reference/
Code Samples for Python
The following pages contain code samples that demonstrate how to access AWS services from code that is written in the Python programming language using the Boto3 library.
https://docs.aws.amazon.com/code-samples/latest/catalog/code-catalog-python.html
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Section 1: Course Introduction - AWS Certified Developer Associate :
3. Create your AWS Account
4. AWS Account Activation Troubleshooting
Section 3: Getting started with AWS
Brief History.
Gartner Magic Quadrant
8. AWS Cloud Overview - Regions & AZ
Regions are all around the world.
A Region is a cluster of data centers.
Availability Zones are what goes into a Region. Each Region has many Availability Zones.
We will see the slide below in detail in the middle of this course.
Now how about we do a tour of the console.
9. Tour of the Console & Services in AWS
You can check out the Regions on the top right-hand side.
You should choose a Region which is geographically close to you.
Resources are scoped to a Region for most AWS services, and you can tell whether a service is regional or not by looking at the top right-hand corner. Most services in AWS are regional.
The other thing you can look at is the Global Infrastructure page for AWS. You can click on AWS regional services, which tells you which services are available in a specific Region. If you are in Africa and a specific service is not available in your Region, you can switch to another Region from the top right-hand corner of the screen.
10. About the UI changes in the course :
Section 4: IAM & AWS CLI
11. IAM Introduction: Users, Groups, Policies
In IAM we are going to create our users and assign them to a Group.
Groups can only contain users; they cannot contain other groups.
So why do we create users and why do we create groups? Because we want to allow them to use our AWS account, and to allow them to do so we need to give them permissions.
Users and Groups can be assigned a JSON document called a policy, an IAM policy. It looks just like this. This is not programming; it is just describing in plain English what a user, or a group and all the users in that group, is allowed to do. In this example we allow people to use this service and call Describe on it.
Through this JSON document we allow our users to use some AWS services.
These policies define the permissions of our users. In AWS you don't allow everyone to do everything; that would be catastrophic.
Let's explore the IAM console. IAM is a global service: users and groups are created globally, not per Region.
The first thing we are doing is to create an IAM user.
Add Users
Now, when you want to create a user: if you click on the account name up here, you see we are using the root user. The root user has every permission in your account; you can do anything you want, and therefore it is a very dangerous account to use.
The better way is to create an administrator account, which we are going to create right now.
We set a custom password (this is Stephane's account), so we do not require a password reset.
Click Next: Permissions.
Now we need to add the user to a group.
Click Create Group. This group is going to be called the Admin group.
So any user added to this group will inherit the permissions associated with that group. Permissions are defined through policies, and the one policy we are going to attach to the Admin group is "AdministratorAccess".
The summary:
You need to download the CSV, especially if you auto-generated the password. You can even send the user an email by clicking the Send email button.
Now let's explore what we have created. Under User Groups I find the group Admin, and if I click on it I find there is one user inside the Admin group.
On the Permissions tab you can see the policy attached to the group, AdministratorAccess, which is inherited by the user stephane.
You can also click on the user stephane, or go to the left and click on Users.
We have our user and we have our group; now let's see how we can log in. Our account ID is here on the Dashboard.
The account alias is below it and can be used to log in to your account faster. Since remembering the number is difficult, you can click Create and give it a name.
The account sign-in URL is the link to log in with. It should be opened in an Incognito window or a different browser, which is what he does.
You can tell which user you are logged in as: the console will tell you that you are an IAM user.
13. IAM Policies :
Let's discuss IAM policies. If there is a group of users in a Developer group and you attach a policy at the group level, the policy applies to every single member of the group. For a single user you can attach an inline policy.
Therefore an IAM policy consists of a Version number (the policy language version),
Id: how to identify the policy, optional
Statements:
Sid: a statement ID, an identifier for the statement
Principal:
14. IAM Policies Hands On
Okay, let's play with IAM policies. Going into User Groups as the root account, my group Admin contains one user, Stephane. We will remove the permission.
As the IAM user, go to Users and refresh the page; this tells the user that permission is missing.
You can go into Users -- Attach Permissions.
Go to Policies.
Action is *, which means any action, and Resource is *, which means any resource. We can look at the Policy Summary as well.
Click on JSON. You can create your own policies:
Go to Policies -- Create Policy
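As an added example (not part of the course notes), here is a small Python evaluator for the policy structure covered in lectures 13 and 14: Effect, Action and Resource with * wildcards, an explicit Deny that overrides any Allow, and an implicit deny when nothing matches. The two sample policies, the user names and the account ID 123456789012 are constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy (not from the course): read-only IAM access,
# plus an explicit Deny on deleting users in this (fake) account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadIam", "Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Sid": "NoUserDeletes", "Effect": "Deny",
         "Action": "iam:DeleteUser",
         "Resource": "arn:aws:iam::123456789012:user/*"},
    ],
})

# The AdministratorAccess shape seen in the hands-on: Action * on Resource *.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
})

def _as_list(value):
    """Action, Resource and Statement may each be one string/object or a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, casefold=False):
    """Glob match with '*' and '?'. IAM action names are case-insensitive,
    ARNs are matched as written, so only actions are case-folded here."""
    if casefold:
        value = value.lower()
        return any(fnmatchcase(value, p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy_json, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    Order as IAM documents it: any matching Deny wins, otherwise a matching
    Allow is required, otherwise the request is implicitly denied.
    NotAction/NotResource/Condition/Principal are not modelled (identity-based
    policies attached to users and groups carry no Principal element)."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if (_matches(stmt["Action"], action, casefold=True)
                and _matches(stmt["Resource"], resource)):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```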
15. IAM MFA Overview
16. IAM MFA Hands On
So we are going to set up a password policy for our account: Account Settings on the left, then click on Change Password Policy.
Activate MFA.
17. AWS Access Keys, CLI and SDK
There are three different options to access AWS.
What is the AWS SDK? It is language specific: for each language you have a different SDK.
18. AWS CLI Setup on Windows
Google "Install AWS CLI version 2".
MSI installer.
$ aws --version
19: Mac install -- skipped.
20. AWS CLI Setup on Linux
$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
The above downloads the installer.
$ unzip awscliv2.zip
$ sudo ./aws/install
21. AWS CLI Hands On
Let's see how to create access keys. Click on my user. Do not use your root account to create security credentials.
The next thing I am going to do is configure my AWS CLI.
Let's see how it works:
$ aws iam list-users
This lists all the users in my account.
Next I want to show you what happens if we remove the permission from our user.
Go to Groups -- Admins -- Remove.
If I go back to my user, it no longer has the permission.
I did this using my root account, not the other account. Now if we go to the IAM user's console, you will see the permissions are denied.
So the CLI permissions are the same as what you get in the IAM console.
22. AWS CloudShell: Region Availability
In the next lecture, I demo AWS CloudShell.
It is not yet available in all regions, and you can find the region list here:
https://docs.aws.amazon.com/cloudshell/latest/userguide/faq-list.html#regions-available
At the time of writing this, AWS CloudShell is available in the following AWS Regions:
US East (Ohio)
US East (N. Virginia)
US West (Oregon)
Asia Pacific (Mumbai)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Europe (Frankfurt)
Europe (Ireland)
Please switch to one of these regions if you want to do the next (optional) hands-on.
23. AWS CloudShell
I would like to share an alternative to using the terminal to issue commands against AWS: CloudShell.
Click on the > symbol.
CloudShell is basically a terminal inside the AWS console.
If you want to target a particular Region you can use the --region option, but by default the Region is the one you are currently in.
The files you create in CloudShell will stay on
24. IAM Roles for AWS Services
The last component of IAM is roles. Some AWS services that we launch throughout this course might need to perform actions on our behalf in our account. IAM roles are just like users, but they are not intended to be used by physical people; instead they are used by AWS services.
Sometimes your EC2 instance may want to perform some actions on AWS, and to do so you need to give permissions to your EC2 instance. For that we create an IAM role, and together they make one entity.
What we are seeing now is a high-level overview. We will create the IAM role, but we will not use it until the next section.
We are going to create an EC2 instance role. On the left-hand side you have Roles; click on Roles. This is going to be a role for an AWS service.
All these services you see are ones for which we can create roles.
Choose the EC2 service.
Now, what does EC2 get to do?
For example, I can attach a permission to my role:
IAMReadOnlyAccess on the role.
Finally we give it a name.
And I click on the role.
26. IAM Security Tools
Let's talk about the security tools we have in IAM.
We can create an IAM credentials report, and this is at the account level.
We have already talked about the least privilege principle; IAM Access Advisor helps with it.
27. IAM Security Tools Hands On
Let's create a credentials report. Bottom left, click on Credentials Report, then click Download Report.
It is a CSV file. This is a training account, so the CSV is not fascinating. Next we are going to look at IAM Access Advisor.
Click on Users on the left, then Access Advisor for the user.
This tab shows me when services were last used.
Some services have not been used for a while and can be candidates for removal.
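As an added example (not part of the course), here is a Python script that audits a credentials report CSV like the one downloaded in lectures 26 and 27 for the things the report and Access Advisor are meant to surface: console sign-ins without MFA, active root access keys, and access keys not rotated or not used within a threshold (90 days is an assumed threshold). The rows, user names and account ID are constructed; the column names are the real report's, with the trailing cert_* columns left out.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample report (not real account data). Column names are those of
# the real IAM credentials report; the trailing cert_* columns are omitted.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2023-01-05T10:00:00+00:00,not_supported,2024-03-01T08:00:00+00:00,not_supported,not_supported,false,true,2023-01-05T10:01:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
stephane,arn:aws:iam::123456789012:user/stephane,2023-02-01T09:00:00+00:00,true,2024-03-10T12:00:00+00:00,2023-02-01T09:00:00+00:00,N/A,true,true,2023-02-01T09:05:00+00:00,2024-03-09T11:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2022-06-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-06-01T09:00:00+00:00,2022-09-01T00:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A
"""

# Fixed "now" so the findings on the sample are reproducible.
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)

def _when(field):
    """Parse a report timestamp; N/A, not_supported and no_information -> None."""
    try:
        return datetime.fromisoformat(field)
    except ValueError:
        return None

def audit(report_csv, now=NOW, max_age_days=90):
    """Return sorted (user, finding) pairs: missing MFA, active root keys,
    and active access keys that are stale (not rotated or not used recently)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Anyone who can sign in to the console (root always can) should have MFA.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "console sign-in without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root access key {n} is active"))
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated).days > max_age_days:
                findings.append((user, f"access key {n} older than {max_age_days} days"))
            used = _when(row[f"access_key_{n}_last_used_date"])
            if used is None or (now - used).days > max_age_days:
                findings.append((user, f"access key {n} unused for {max_age_days}+ days"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```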
28. IAM Best Practices
29. IAM Summary :
Section 5: EC2 Fundamentals: I will document this later; I have learned this multiple times.
To be Continued..
Section 6: EC2 Instance Storage