AWS IAM (Identity Access Management) allows you to create the new users ,
groups and delegates the roles to users and groups using policy
documents. AWS policy documents are written in simple JSON (JavaScript
Object Notation) language and it’s easy to understand. The policies are
readily available and we are not expected to write JSON (JavaScript
Object Notation) scripts. This article will walk you through creating
the new users account , groups and attaching polcies to groups. It will
also demonstrates that how to attach the policies to the individual
users and groups. In the IAM setup part, the following actions needs to
be completed to enable all 5 security features to the AWS account.
Delegate your root access keys (It will be marked as green as part of account setup)
Activate MFA on your root account (Completed – Refer part 4 )
Create individual IAM users (Part 5 )
Users group to assign permissions (Part 5 )
Apply an IAM policy (Part 5 )
Let’s begin the AWS LAB.
1. Login to AWS console and Navigate to IAM from security & identity tab. (Refer Part 4) Security Status – IAM – AWS
Click on Manage users.
2.Click on Add user tab. add-user-console-aws
3. Enter the user name . Click on “Add another user” link to add multiple users at same time. enter-the-iam-users-names
4. Select the access type for users. You have option to auto-generate the account password and force to change at first login. select-the-access-type-for-new-users
5. We shall create the group later. Just click on “Next” to review the accounts. click-next-to-review
6. Review the accounts and click “Create Users” to create the account. review-the-accounts-and-create-users
7.Download the CSV file which contains the user secret access keys
and passwords. There is no way to fetch those keys and passwords once
you close the wizard. You might need to re-generate it from root account
if you lost the credentials. download-users-credentials-and-secret-access-key
8.Here is the list of users which we have created. users-list- AWS IAM
We have successfully created users on AWS IAM.
9. Let’s begin to mange the groups. manage-groups-AWS IAM
10.Click on Create New group tab . aws-iam-groups
11. Enter the group name. enter-the-new-group-name-iam-aws
12.We will attach the policies later if required. skip attach-policy
13. Review and create the group. review-and-create-the-group-iam-aws
14. Here is the newly created group. iam-aws-group-listing
We have successfully created new group on AWS IAM.
Adding users to GROUP:
Let’s add the newly created users to group UASUPPORT.
1. Select the group and click on group action. Select “Add users to group”. add-users-to-group
2. Select users which are need to be part of “UASUPPORT” group and click on “Add users” select-users-for-group
3. Here you can see that all three users are added to the group. users-added-in-group
Attach polices to group:
Attaching policies to group is best practice instead of directly
attaching to individual users. That’s the reason we have skipped
attaching the policy while creating the users. Let’s see how we can
attach the administrator policy to group UASUPPORT.
1.Click on Policies. Search for “AdminstratorAccess” policy and select it. From the “Policy Actions” menu , click on Attach . attach-policy-administrator-access
2.Select group and click on “Attach policy”. attach-policy-to-group
3.Here you can see that group “UASUPPORT” has been successfully
attached policy “Administrator Access” . Now all the users under that
group will equivalent to root users. policies-listing Let’s have a closer look on policy documents.
1.Click on the policy name (AdministratorAccess). just-look-at-the-json-coding-policy
2. Just click on Attached Entities to see where these policy is used. policy-attached-entities
Apply IAM Password Policy:
Let’s configure the password policy. apply-an-IAM-password-policy
Click on Manage password policy which will take you to the below
screen. You can configure according to your requirement. I have
highlighted my changes in the password policy. iam-password-policy
Just go back to IAM dashboard and look at the security status. You should see something like below. security-status-green
We have successfully setup AWS IAM . You could test the user login
credentials using direct URL which we have customized earlier . In the
upcoming article, we will dig in to S3 (AWS Storage servcie).
This article will walk you through the
Amazon AWS dashboard along with setting up IAM (Identity Access
Management ). It has legacy and modern dashboards which can be set by
users at their convenient. I will be using latest dashboard during this
tutorial. Once you have signed in to AWS console , you need to setup IAM
to enable more security features to your account. The root account is
simply the account created when first setup your AWS account and it has
complete Admin access. So its essential to enable security features like
MFA (Multi-Factor-Authentication) and configuring additional root users
on that account. IAM consists users, groups , polices documents and
roles. This is similar to users management on any Unix or windows
operating system.
Let’s walk you through the virtual LAB.
AWS – Web Console
1.Login to Amazon AWS console using email account.
sign-in-to-amazon-aws-console
2. Once you have logged in , setup the near by AWS region for better
performance. By default, AWS selects Oregon region and I have set it to
“Asia Pacific (Mumbai)” which is near to my location. select-near-by-region
3. Here is the AWS console Home Page. You could only see “solutions”
are displaying in home console instead of AWS services when you compare
to old console. amazon-console-home-page
4. To see all the AWS services, click on “All services” which is
below to the search bar. You could also click on “Services” from menu to
see the available AWS services. amazon-aws-all-services-link
5. Click on “IAM” from “Security & Identity” tab to enable
security features to the root account. The below video will help you
understand how IAM works and why it’s so important in AWS .
Setup IAM (Identity Access Management)
Action items:
Customize the direct Console URL.
Enhance Account Security.
Customize the direct Console URL
1. Here is the “IAM” Management console for brand new AWS accounts.
AWS offers the direct console access to access every account. You can
set the preferred URL for your account. Click on “customize” to setup
new URL for direct console. iam-console-link-customize
2. Enter new custom URL part. New-direct-console-url
3. Here is the new direct console URL for your AWS account. new-direct-console-url
Enhance Account Security:
Action items :
Activate MFA on your root account
Create individual IAM users
Users group to assign permissions
Apply an IAM policy
Activate MFA on your root account:
1. Select “Activate MFA on your root account” tab and Click on Manage MFA . manage-mfa-aws
2. Select the MFA type as virtual. Hardware MFA device require physical RSA token or similar to that. select-virtual-mfa-device-aws
3. Follow the link to see the supported devices for virtual MFA. Click on Next to step to continue. manage-mfa-devices
4. Here is your QR. qr-codes-AWS
5. Here is the supported MFA applications for AWS. supported-virtual-mfa-applications
5. Take your smart phone and install “Google Authenticator” . If you have Android smart phone, download fro google play.
6. Choose SCAN QR in google authenticator and scan the QR code which is displaying in your laptop. (Refer Step 4)
7. Enter the Authentication code 1 from Google Authenticator app. qr-code-and-enter-authentication-code-1-2
You must enter code2 which is next available random codes from google authenticator. Once it’s done, Activate Virtual MFA.
8. On Successful activation, You will get message like below. mfa-device-successfully-setup
9. Refresh the screen to see the latest security status. Security Status – IAM – AWS
We will continue the following actions demonstrations on upcoming articles.
Amazon AWS offers free tier account to
experience their services for one year without any charges . The
customers who have doubt about amazon offerings , they can simply
sign-up and start testing the capability of AWS. You could also test
your applications using free tier account. But you needs to be very
careful on the resource usage. When you elapse the free resource usage
limit, amazon will simply charge you from credit card without giving any
warning. You have to keep eye on resource usages and billing . There is
a way to configure the billing alerts which we will see later part of
AWS tutorial.
This article also guides you to create free tier amazon AWS account.
Here is the some of the important services which is available on AWS free tier account.
Compute
Storage & Content Delivery
Database
Analytics
Mobile Services
Internet of Things
Developer Tools
Management Tools
Security & Identity
Application Services
Limitation of AWS Free Tier account:
There is a limitation with free tier account when it comes to resource utilization. Compute: amazon-aws-free-tier-compute
[box type=”warning” align=”” class=”” width=””]Only Cent OS, Debian
& Ubuntu operating systems instances are eligible to run on Free
tier account. All the Windows variants are not eligible for the free
tier[/box]
Analytics: amazon-aws-free-tier-analytics
The other free tier services also have some sort of restriction on free tier AWS account. You can find more information on Amazon AWS website.
Creating the Amazon AWS Free-Tier account:
Creating Amazon AWS free tier account is very simple.
sign-up-aws-account
2. Create the account password. enter-name-account-password
3. Enter your billing address . enter-contact-information-and-create-account
4. Enter your credit card information. You will not be charged unless your usage exceeds the free tier limits. enter-credit-card – info
5. Enter PAN card details and continue. enter-pan-details
6. Enter you mobile number for identity verification and click on call me now. identity-verification
7. You will be getting automated voice call from Amazon webservices
to enter the 4 digit PIN which you will get on the screen. (Once you
click on “Call Me Now button, it display 4 digit PIN) identity-verification
8. Select the basic support plan which is free. Amazon Support Plans
9. Your registration is completed successfully. You should be able to login to the AWS console now. AWS registration-complete
Let’s start the amazon AWS journey with IAM service. IAM (Identity
Access Management) is web service which provides the access to Amazon
AWS console and helps you securely control access to AWS resources for
your users. If you would like to start learning about AWS , IAM is the
first component which is exposed at the beginning of AWS journey.
Identity Access Management allows you to manage users and their level of
access to the AWS console. It is important to understand IAM and how it
works for administrating a companies AWS account in real life. You use
IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).
AWS – IAM
IAM provides/supports:
Centralized Control of AWS account
Integrates with Many different AWS Services
Granular Permissions
Identity Fedraration which includes Active Directroy/ LDAP.
Multifactor Authentication
Provide temporary access for users/devices and services where necessary
Allows you to set up your own password rotation policy
Shared Access to your AWS account
Supports PCI DSS compliance.
You need to understand few terms about IAM . This is not different
from what we have seen in Unix account management/ Windows AD account
management.
Users
An IAM user is an entity that
you create in AWS to represent the person or service that uses it to
interact with AWS. A user in AWS consists of a name and credentials. aws-iam-users Groups:
An IAM group is a collection of IAM
users. Groups let you specify permissions for multiple users, which can
make it easier to manage the permissions for those users. A Collection
of users under one of permissions or access to specific set of up
resources. IAM – Groups Roles:
An IAM role is similar to a
user, in that it is an AWS identity with permission policies that
determine what the identity can and cannot do in AWS. However, instead
of being uniquely associated with one person, a role is intended to be
assumable by anyone who needs it. You create roles and can then assign
them to AWS resources. aws-iam-roles Polices:
To assign permissions to a user, group, role, or resource, you create a policy,
which is a document that explicitly lists permissions.Policies are
documents that are created using JSON. A policy consists of one or morestatements, each of which describes one set of permissions. IAM – Policy
Hope you have basic idea about the
Amazon AWS IAM . Off-course reading the theory will not give you any
sort of confidence on AWS. In the upcoming article ,we will see that how
to get access to free Amazon AWS account . You need to provide the
credit card details in an order to get the AWS account even though
single instance is free for one year.
AWS stands for Amazon web services which offers public cloud to their
customers (Established in 2006). This project has been started to target
small organization, startup companies, short term projects and for
companies who don’t want to invest money for IT infrastructure. AWS is
one of the fastest growing public cloud in the world. Currently, AWS at
their peak because more and more organizations are outsourcing their IT
to amazon AWS (which includes many fortune 500 companies). Most of the
industries are trying to reduce the IT cost and IT companies are forced
to reduce the support cost by doing automation and IOT. As a result of
this , system administrator might loose their job if they continue to
work on legacy hardware and technologies . It’s a right time to look new
opportunities in cloud and cloud related technologies. Amazon AWS is
the market leader in the public cloud and the AWS skilled engineers
demand is growing rapidly.
Amazon has setup multiple data-centers on different geographic locations and these are called “Region” . In each region , they have setup multiple data-centers and these are called “Availability zone”
in AWS world. In-case, if we have failure on one availability zone, the
other datacenter will be available to take over. That’s the reason,
less than 50 minutes per month or 9 hrs in a year downtime SLA is able
to meet by amazon.
Region – Geographic location.
AZ – Availability zone (Nothing but a Data-center )
It’s always to recommended to choose the
region which is near to the customer location to avoid the latency.
Lets have some look on the existing regions and availability zone on
important locations. Here you can see that each region has multiple
availability zones and N-number of Edge location.
north-america-dc-amazon
Europe-middle-east-Africa-amazon-dc
Asia-pacific-amazon-dc
Amazon AWS offers:
Compute:
Amazon EC2
Amazon EC2 Container Registry
Amazon EC2 Container Service
AWS Elastic Beanstalk
AWS Lambda
Auto Scaling
Elastic Load Balancing
Amazon VPC
Storage & Content Delivery:
AWS offers a complete range of cloud
storage services to support both application and archival compliance
requirements. Select from object, file, and block storage services as
well as cloud data migration options to start designing the foundation
of your cloud IT environment.
Amazon S3
Amazon CloudFront
Amazon EBS
Amazon Elastic File System
Amazon Glacier
AWS Import/Export Snowball
AWS Storage Gateway
Database
AWS offers a wide range of database
services to fit your application requirements. These database services
are fully managed and can be launched in minutes with just a few clicks.
AWS database services include Amazon Relational Database Service
(Amazon RDS), with support for six commonly used database engines.
Amazon RDS
AWS Database Migration Service
Amazon DynamoDB
Amazon ElastiCache
Amazon Redshift
Networking
AWS networking products enable you to
isolate your cloud infrastructure, scale your request handling capacity,
and connect your physical network to your private virtual network. AWS
networking products work together to meet the needs of your application.
For example, Elastic Load Balancing works with Amazon Virtual Private
Cloud (VPC) to provide robust networking and security features.
Amazon VPC
AWS Direct Connect
Elastic Load Balancing
Amazon Route 53
Analytics
AWS offers a comprehensive set of
services to handle every step of the analytics process chain including
data warehousing, business intelligence, batch processing, stream
processing, machine learning, and data workflow orchestration. These
services are powerful, flexible, and yet simple to use, enabling
organizations to put their raw data to work quickly and easily.
Amazon EMR
AWS Data Pipeline
Amazon Elasticsearch Service
Amazon Kinesis
Amazon Machine Learning
Amazon Redshift
Amazon QuickSight
Enterprise Applications
AWS offers on-demand enterprise applications in few clicks.
Amazon WorkSpaces (Desktop computing service)
Amazon WorkDocs (Enterprise storage service)
Amazon WorkMail (Email Service )
Internet of Things
AWS
IoT allows you to easily connect devices to the cloud and to other
devices. AWS IoT supports HTTP, WebSockets, and MQTT, a lightweight
communication protocol specifically designed to tolerate intermittent
connections, minimize the code footprint on devices, and reduce network
bandwidth requirements.
AWS IoT
Mobile Services
AWS provides a range of services to help
you develop mobile apps that can scale to hundreds of millions of
users, and reach global audiences. With AWS, you can quickly and easily
add mobile features to your app, including user authentication, data
storage, content delivery, backend logic, analytics dashboards, and push
notifications – all from a single, integrated console.
AWS Mobile Hub
Amazon API Gateway
Amazon Cognito
AWS Device Farm
Amazon Mobile Analytics
AWS Mobile SDK
Amazon SNS
Developer Tools
AWS CodeCommit
AWS CodeDeploy
AWS CodePipeline
AWS Command Line Tool
Management Tools
AWS provides a broad set of services
that help IT administrators, systems administers, and developers more
easily manage and monitor their AWS infrastructure. Using these
fully-managed services, you can automatically provision, configure, and
manage your AWS resources at scale. You can also monitor infrastructure
logs and metrics using real-time dashboards and alarms. AWS also helps
you monitor, track, and enforce compliance and security.
