IAM (Identity and Access Management) TE Note
IAM (Identity and Access Management) Role
STS
definition
A web service that issues temporary security credentials to IAM users and federated users
Use case
federation?
You can manage your user identities in an external system outside of AWS and grant users who sign in from those systems access to perform AWS tasks and access your AWS resources.
Examples of federation are Active Directory Federation Services (AD FS) using Active Directory, well-known third-party identity providers such as Facebook or Google, or any OpenID Connect (OIDC) compatible provider
access key and secret key?
Temporary credentials consist of an access key ID, a secret access key and a session token. The keys sign API requests; the session token is passed as an additional parameter, which AWS uses to verify that the temporary access keys are valid.
feature
An IAM entity with specific permissions that can be assumed by users or by AWS resources (e.g. EC2)
No long-term credentials
Temporary credentials
Default is 1 hour; a role's maximum session duration can be raised to 12 hours (GetSessionToken for IAM users can go up to 36 hours)
Rotation is automatic
A few times a day (for EC2 instance roles)
Changes to the role's permissions take effect immediately on running EC2 instances
The permission policy is attached to the role, not to the user
The role's permission policy restricts which API calls the EC2 instance can make through it
Can be assumed in 3 ways
1. Console
2. CLI
3. SDK (using the AssumeRole API)
6 use cases
c1: A Python application (using the SDK) is installed on an EC2 instance and needs to access an S3 bucket
Configure a role on the EC2 instance instead of putting keys in the SDK config
Eliminates the need to store AWS access keys on every EC2 instance
Storing keys on the instance is dangerous
The role issues temporary credentials to the Python app to access S3
No long-term credential is stored on the EC2 instance
c2: A role created for an IAM user to gain temporary access to S3
c3: An IAM user (not root) in account B wants to access an S3 bucket in account A
c4: A mobile app that needs to access AWS resources without storing keys in the app
c5: Provide access to externally authenticated users (via Facebook, Gmail)
c6: Users in your corporate directory access AWS resources
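How the EC2 use case (c1) actually works underneath: the SDK never reads keys from a file on the instance, it fetches the role's temporary credentials from the instance metadata service. The block below is an added example, not code from the original notes. The metadata address 169.254.169.254 and the IMDS paths are the documented EC2 endpoints; the `transport` parameter and the SAMPLE_RESPONSES are assumptions introduced here so the same logic runs offline.

```python
"""Fetch the temporary credentials of the role attached to an EC2 instance (IMDSv2).

Added example, not from the original notes. `transport` is a parameter
introduced here so the logic can run offline against constructed responses.
"""
import json
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"  # IMDSv2 session token lifetime; 6 hours is the maximum


def urllib_transport(method, url, headers):
    """Real transport: one HTTP request to the metadata service, body returned as text."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def instance_role_credentials(transport=urllib_transport):
    """Return the temporary credentials of the role attached to this instance.

    The keys never touch disk: they live in process memory, and an SDK using
    them re-fetches this endpoint shortly before `Expiration`.
    """
    # IMDSv2: first obtain a session token with PUT, then send it on every GET.
    token = transport("PUT", IMDS + "/latest/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    auth = {"X-aws-ec2-metadata-token": token}
    base = IMDS + "/latest/meta-data/iam/security-credentials/"
    # The listing holds exactly one name: an instance carries one role at a time.
    role_name = transport("GET", base, auth).strip()
    body = json.loads(transport("GET", base + role_name, auth))
    if body.get("Code") != "Success":
        raise RuntimeError("credential fetch failed: %s" % body.get("Code"))
    return {
        "role": role_name,
        "aws_access_key_id": body["AccessKeyId"],
        "aws_secret_access_key": body["SecretAccessKey"],
        "aws_session_token": body["Token"],  # third part of a temporary credential
        "expiration": body["Expiration"],
    }


# Constructed responses standing in for a real instance (not real credentials).
SAMPLE_RESPONSES = {
    ("PUT", IMDS + "/latest/api/token"): "AQAAAEXAMPLETOKEN",
    ("GET", IMDS + "/latest/meta-data/iam/security-credentials/"): "s3-reader-role\n",
    ("GET", IMDS + "/latest/meta-data/iam/security-credentials/s3-reader-role"): json.dumps({
        "Code": "Success",
        "LastUpdated": "2024-01-01T00:00:00Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLE12345678",
        "SecretAccessKey": "EXAMPLEsecret",
        "Token": "EXAMPLEsessiontoken",
        "Expiration": "2024-01-01T06:00:00Z",
    }),
}


def sample_transport(method, url, headers):
    """Offline transport: enforces the IMDSv2 token rule, then serves SAMPLE_RESPONSES."""
    if method == "GET" and headers.get("X-aws-ec2-metadata-token") != "AQAAAEXAMPLETOKEN":
        raise PermissionError("401: IMDSv2 requires the session token on every GET")
    return SAMPLE_RESPONSES[(method, url)]


if __name__ == "__main__":
    print(instance_role_credentials(sample_transport))
```

The PUT-then-GET sequence is the point: with IMDSv2 enforced on the instance, a plain GET (the shape of a classic SSRF request) is refused, which is why the offline transport rejects any GET that lacks the token.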
Can be assumed by 4 kinds of trusted identity
1. IAM user (in the same or another AWS account)
2. AWS service, for example EC2
to access other resources such as DynamoDB, RDS, S3
3. SAML 2.0 federated users
3.1 SAML is an open standard for exchanging identity (authentication and authorization) data
3.2 Lets users sign in to apps using Microsoft AD (through AD FS)
4. Web identity federated users, e.g. via Amazon Cognito
4.1 Cognito can create a user directory and add sign-up and sign-in to your mobile app or web application
4.2 It can federate through a third-party SAML or social IdP
definition
A role is assigned to users, mobile apps or services that normally don't have access to AWS resources
It allows you to delegate access to them without long-term credentials
Assume definition
Means you are calling STS AssumeRole
In other words
AssumeRole, AssumeRoleWithWebIdentity, AssumeRoleWithSAML
A role can't make requests to a service on its own; a principal must assume it first
limitation
An EC2 instance can have only one IAM role (instance profile) attached at a time; it can be attached at launch or attached/replaced on a running instance
Cannot add an IAM role to a group
Default quota of 1000 roles per account (compared to 5000 IAM users per account); both quotas are adjustable
relogin?
Yes, once the temporary credentials expire; the role's maximum session duration can be raised to 12 hours
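Use case c3 (an IAM user in account B reading a bucket in account A) and the "re-login when the credentials expire" point, worked through together. This is an added example, not code from the original notes. The account IDs, user name, role name and bucket are placeholders; `sts_client` is anything with an `assume_role` method shaped like boto3's STS client, and FakeSts is a constructed stand-in so the block runs offline. The in-memory refresh-before-expiry logic shown here is what the AWS SDKs do for you.

```python
"""Cross-account AssumeRole with credentials that re-assume themselves before expiry.

Added example, not from the original notes. Placeholders: account IDs, user,
role and bucket names. FakeSts is a constructed stand-in for the STS client.
"""
from datetime import datetime, timedelta, timezone

ACCOUNT_A = "111111111111"  # placeholder: owns the bucket and the role
ACCOUNT_B = "222222222222"  # placeholder: home account of the IAM user
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/S3ReadFromAccountB"

# Trust policy on the role in account A: names who may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:user/alice"},
        "Action": "sts:AssumeRole",
    }],
}

# Permission policy attached to the role (not to the user): one bucket, read only.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}


class RoleSession:
    """One role session, re-assumed shortly before its credentials expire."""

    def __init__(self, sts_client, role_arn, session_name, duration_seconds=3600,
                 refresh_margin=timedelta(minutes=5), now=None):
        self._sts = sts_client
        self._role_arn = role_arn
        self._session_name = session_name
        # Capped by the role's maximum session duration (1 h default, 12 h at most).
        self._duration = duration_seconds
        self._margin = refresh_margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self.assume_count = 0

    def credentials(self):
        """Return usable credentials, re-assuming the role if they are about to expire."""
        if self._creds is None or self._now() >= self._creds["expiration"] - self._margin:
            self._assume()
        return self._creds

    def _assume(self):
        resp = self._sts.assume_role(RoleArn=self._role_arn,
                                     RoleSessionName=self._session_name,
                                     DurationSeconds=self._duration)
        c = resp["Credentials"]
        self._creds = {
            "aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"],  # sent with every signed request
            "expiration": c["Expiration"],
        }
        self.assume_count += 1


class FakeSts:
    """Constructed stand-in for boto3's STS client; issues a fresh key id per call."""

    def __init__(self, now):
        self._now = now
        self.calls = 0

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{self.calls}",
            "SecretAccessKey": "secret",
            "SessionToken": "token",
            "Expiration": self._now() + timedelta(seconds=DurationSeconds),
        }}


def simulate(minutes):
    """Step a fake clock through `minutes` and return the key id in use at each step."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    clock = {"t": start}

    def now():
        return clock["t"]

    session = RoleSession(FakeSts(now), ROLE_ARN, "alice-s3-read", now=now)
    keys = []
    for m in minutes:
        clock["t"] = start + timedelta(minutes=m)
        keys.append(session.credentials()["aws_access_key_id"])
    return keys


if __name__ == "__main__":
    # With boto3: RoleSession(boto3.client("sts"), ROLE_ARN, "alice-s3-read"), then
    # boto3.Session(**{k: v for k, v in creds.items() if k != "expiration"}).client("s3")
    print(simulate([0, 30, 54, 55, 56, 120]))
```

With a 1 hour session and a 5 minute margin, the same key id is served until minute 55, at which point the role is assumed again; nothing long-lived is ever written to disk, and alice in account B never needs keys for account A.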
federation
A trust relationship between an external identity provider and AWS
Users get temporary access to your AWS account
by assuming a role to gain access
Comes with a validity period
No IAM credentials need to be created for them
Credentials are generated automatically
federated user
External user ID
IAM principal
An entity that can access AWS resources
Example: IAM user, role and root user
An IAM policy is associated with the principal to specify its privileges
Best practice
1) Use conditions in your policies
2) Use logging. Available in
CloudTrail, CloudFront, CloudWatch, S3 and AWS Config
AWS Config
assesses, audits and evaluates the configurations of your AWS resources against a desired configuration
definition of logging: monitor activity
3) Use access levels to review IAM permissions
4 categories
1) List
determine whether an object exists
Ex: list bucket
2) Read
view the content
3) Write
create, delete and modify objects
4) Full access
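Best practices 1 and 3 together: a policy whose Allow statements carry conditions, evaluated the way IAM resolves a request (explicit Deny wins, otherwise any matching Allow, otherwise implicit deny), plus a report of which access levels the policy grants. This is an added example, not code from the original notes, and it models only the subset of the evaluation logic used here (wildcards in Action and Resource; the IpAddress, Bool and StringEquals condition operators). The bucket, the office CIDR, the request contexts and the ACTION_LEVELS table are constructed.

```python
"""Evaluate requests against an IAM policy that uses conditions (simplified model).

Added example, not from the original notes. Covers only the operators and the
actions used below; ACTION_LEVELS is a hand-written subset of the access-level
catalogue, not the full AWS table.
"""
from fnmatch import fnmatchcase
import ipaddress

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reads only from the office network (constructed CIDR)
            "Sid": "ReadFromOffice",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {   # Writes only with MFA, from anywhere
            "Sid": "WriteNeedsMfa",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {   # Explicit deny: no Allow anywhere can override it
            "Sid": "NeverDeleteBucket",
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "*",
        },
    ],
}

# Constructed subset of the access-level catalogue (List / Read / Write).
ACTION_LEVELS = {
    "s3:ListBucket": "List",
    "s3:GetObject": "Read",
    "s3:PutObject": "Write",
    "s3:DeleteBucket": "Write",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match on '*' and '?' (fnmatch also honours [], unused here)."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key absent from the request fails the test."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                nets = [ipaddress.ip_network(c) for c in _as_list(expected)]
                if not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def granted_levels(policy):
    """Access levels reachable through the Allow statements (conditions set aside)."""
    levels = set()
    for st in policy["Statement"]:
        if st["Effect"] == "Allow":
            levels.update(level for act, level in ACTION_LEVELS.items()
                          if _matches(st["Action"], act))
    return levels


if __name__ == "__main__":
    office = {"aws:SourceIp": "203.0.113.7"}
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", office))
    print(sorted(granted_levels(POLICY)))
```

The missing-key rule is the caveat worth remembering when reviewing conditions: a request without `aws:MultiFactorAuthPresent` in its context does not satisfy `Bool` (only the `...IfExists` operators treat an absent key as a match), so the write statement grants nothing to a non-MFA session, while `granted_levels` still reports Write because the review by access level ignores conditions and shows the worst case.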
definition
IAM allows you to create multiple user IDs under one single AWS account
The root account has the highest privilege
Best practice is not to use the root account for everyday work
credential
2 types
1) Long-term credentials
Assigned to a user ID
Password
For AWS console access
Access key ID and secret access key
For CLI and SDK (software development kit)
2) Temporary credentials
Obtained through a role