Identity and Access Management (IAM) allows you to manage users and their levels of access to the AWS Console.

Terms you will see in this chapter:

  • Users - Refers to an end user.
  • Group - A collection of users that share a set of permissions, e.g. HR, Sales, etc.
  • Role - A role can be assumed by a person or by an AWS resource.
  • Policies - A document that defines one or more permissions. It is attached to users, groups, and roles, and is written in JSON as key-value pairs.

This is the policy for Admin Access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
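As an added example (not part of the original post), the following Python check parses a policy document like the one above and flags any Allow statement that combines Action "*" with Resource "*", which is exactly the admin policy shown; the scoped S3 policy and its bucket name are constructed here for comparison only.

```python
import json

# Constructed sample: the Admin Access policy shown above.
ADMIN_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
}"""

# Constructed sample: a narrowly scoped policy (hypothetical bucket name).
SCOPED_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]}
    ]
}"""


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(policy_text):
    """Return the indexes of Allow statements that grant every action on every resource.

    Such a statement gives whoever it is attached to the same reach as the
    root account, so it should be rare and reviewed whenever it appears.
    """
    policy = json.loads(policy_text)
    statements = _as_list(policy.get("Statement"))
    flagged = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    print("admin policy:", find_wildcard_statements(ADMIN_POLICY))    # [0]
    print("scoped policy:", find_wildcard_statements(SCOPED_POLICY))  # []
```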

Here is a list of things you can set up in IAM:

  • Centralized control of your AWS account
  • Shared access to your AWS account
  • Granular permissions
  • Identity Federation (log in with AD, FB, etc.)
  • Multi-factor authentication (MFA / 2FA)
  • Temporary access for users, devices and services where necessary
  • Set up and manage your own password rotation policy
  • Integrates with many different AWS services
  • Supports PCI DSS compliance

More facts:

  • No region; it's global. You can see this in the top right of the console, where it says Global instead of a specific region.
  • You should only log in with a user you created and added to a group. Never use the root account as your primary login for making changes.
  • Giving admin access gives the same full access as root, so be careful to whom you give admin access.
    • AdministratorAccess: provides full access to all AWS services and resources
    • PowerUserAccess: provides full access to all AWS services and resources, but does not allow management of users and groups
    • ViewOnlyAccess: provides read-only access to all AWS services
  • When generating a private key, make sure to download it and back it up. Private keys are only shown once; if one is lost you will have to regenerate the access and private keys again.
  • The IAM password policy lets you set rules on what a password must consist of, e.g. rotation, special characters, length, etc.
  • Billing alerts and alarms notify you when your bill goes over a certain threshold.
  • The root account is what you get when you sign up; by default it has complete admin access. New users are the opposite: they have no permissions by default.
  • New users are given an access key and a secret key when created, which can be used to communicate with AWS via the command line, SDK or API.
  • Always have MFA on your root account.


That is all you need to know for the IAM section of the AWS Certified Solutions Architect - Associate 2018 exam. If you have any questions or comments please leave them below and I'll get back to you.