Course 2 IAM & AWS CLI

合集 - AWS(5)

1.AWS introduction2023-06-252.Course 1 Getting started with AWS2023-06-28

3.Course 2 IAM & AWS CLI 2023-06-28

4.Course 2.2 IAM & AWS CLI2023-06-295.Course 3 EC2 Fundamentals2023-06-29

收起

IAM: Users & Groups

• IAM = Identity and Access Management, Global service
• Root account created by default, shouldn't be used or shared
• Users are people within your organization, and can be grouped

IAM: Permisions

• Users are Groups can be assigned JSON documents called policies
• Theses policies define the permisions of the users
• in AWS you apply the least privilege principle: don`t give more permissions than a user needs

IAM Policies inheritance

IAM Policies Structure

• Consists of

  • Version: policy language version, always include "2012-10-17"
  • ID: an identifier for the policy(optional)
  • Statement: one or more individual statements(required)

• Statements consists of

  • SID: an identifier for the statement(optional)
  • Effect: whether the statement allows or denies access(Allsow, Deny)
  • Principal: accountuser/role to which this policy applied to
  • Action: list of actions this policy allows or denies
  • Resource: list of resources to which the actions applied to
  • Condition: conditions for when this policy is in effect(optinal)

IAM - Password Policy

• Strong passwords = higher security for your account
• in AWS, you can setup a password policy:
  • Set a minimum password length
  • Require specific character types:
    • including uppercase letters
    • lowercase letters
    • numbers
    • non-alphanumeric characters
  • Allow all IAM users to chagne their own passwords(password expiration)
  • Prevent password re-use

Multi Factor Authentication - MFA

• Users have access to your account and can possibly change configurations or delete resources in your AWS account
• You want to protect your Root Accounts and IAM users
• MFA = password you know + security device you own
• Main benefit of MFA:
  if a password is stolen or hacked, the account is not compromised

MFA devices options in AWS

1. Virtual MFA device

   1. Google Authenticator(phone only)
   2. Authy(multi-device)
      Support for multiple tokens on a single device

2. Universial 2nd Factor(U2F) Security Key

   • YubiKey by Yubico(3rd party)
     Support for multiple root and IAM users using a single security key

3. Hardware key Fob MFA Device

4. Hardware Key Fob MFA Device for AWS GovCloud(US)