IAM allows you to manage users and their level of access to the AWS Console.
    + centralized control of your AWS account  
    + shared access to your AWS account  
    + granular permissions  
    + identity federation (including Active Directory, Facebook, LinkedIn, etc)  
    + multi-factor authentication  
    + provides temporary access for users, devices and services  
    + allows you to set up your own password rotation policy  
    + integrates with many AWS services  
    + supports PCI DSS compliance  
    + Users - end users (think people)  
    + Groups - a collection of users that share one set of permissions  
        + e.g. HR group, IA group, Comms group  
    + Roles - assigned to AWS resources, so you don't need to set up a username and password for that instance  
    + Policies - a document that defines one (or more) permissions  
Create users, save their AWS credentials and set a password for each. You can create a maximum of 5 users at a time. By default, users do not have permission to do anything; you need to grant them permissions.
Permissions are granted with policies.
Last thing to do for the lab is to configure a role. The best way to understand a role is to start using EC2. A role allows resources within AWS to access other resources within AWS without creating access keys, passwords or secret keys.
Create a role called S3-Admin-Access. Role types:
    + for services  
    + for cross-account access  
    + for identity provider access  
Policies attached to the role:
    + written as JSON  
    + versioned (the "Version" field)  
    + a Statement can be nested; each statement is made up of key:value pairs  
    + give yourself administrator access  
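An added illustration, not code from the course or from these notes, of the two JSON documents that sit behind an EC2 role like S3-Admin-Access: the trust policy that lets the EC2 service assume the role, and a permissions policy scoped to a single bucket rather than to all of S3, shown next to the shape of the AdministratorAccess policy. The helper functions normalise the string-or-list form that Action, Resource and Statement may take and flag any document that grants "*" on "*", which is the check worth running before a policy is pasted into the console. The bucket name is a placeholder and the function names are my own.

```python
import json

# Trust policy: who may assume the role. For an EC2 instance role the
# principal is the EC2 service itself. (Constructed example document.)
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Permissions policy for the role: one bucket, a few actions.
# "example-bucket-placeholder" is not a real bucket name.
S3_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-bucket-placeholder",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
        },
    ],
}

# Shape of the managed AdministratorAccess policy (the "give yourself
# administrator access" step): every action on every resource.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """Statement, Action and Resource may each be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    """Normalise a policy document into (effect, actions, resources) tuples."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        out.append((stmt.get("Effect"),
                    _as_list(stmt.get("Action")),
                    _as_list(stmt.get("Resource"))))
    return out


def is_admin(policy):
    """True if any Allow statement grants every action on every resource."""
    return any(effect == "Allow" and "*" in actions and "*" in resources
               for effect, actions, resources in statements(policy))


def allowed_services(policy):
    """Service prefixes (s3, ec2, sts, ...) that Allow statements touch."""
    services = set()
    for effect, actions, _ in statements(policy):
        if effect != "Allow":
            continue
        for action in actions:
            services.add(action.split(":", 1)[0])
    return services


def validate(policy):
    """Structural checks a document should pass before it is attached."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append("Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            problems.append("statement has no Action")
    return problems


if __name__ == "__main__":
    print(json.dumps(S3_BUCKET_POLICY, indent=2))
    print("admin?", is_admin(ADMIN_POLICY), is_admin(S3_BUCKET_POLICY))
```

The scoped bucket policy is what the role should carry once the lab is done; the AdministratorAccess shape is included so the check has something to catch.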
Launch an instance - AWS Linux AMI
Click on AWS Linux AMI, which comes with preconfigured programs and software ready to go.
Click on the tier you want. You can start with t2.micro for testing.
subnet - corresponds to a specific availability zone
auto-assign public IP - use the subnet setting
IAM role - created in the previous lab and named S3-Admin-Access
advanced details - user data, a script that runs the first time your instance boots. For example, to patch the AMI on first boot:
    #!/bin/bash
    yum update -y
volume type - root, sometimes referred to as the root device volume; where the OS is going to be installed
device - the mount point, where the device will be mounted
size - 8GB by default. Free tier customers can get up to 30GB free.
IOPS - input/output operations per second
Delete on Termination - checked by default; when you terminate the instance, the volume is deleted with it
Encrypted - Not Encrypted. The root device volume is not encrypted by default. You can add an additional disk and encrypt it; however, you cannot encrypt the root device. You need to use another service to encrypt your OS, like Windows BitLocker for example.
You can have a maximum of 10 tags. A tag is a key-value pair. Great for organizing.
Example:
+ Name: WebServer
+ Developer: Test
+ StaffID: 12345
+ DepartmentCode: 1001-10
Good for billing, to monitor which instances use which resources.
Security group - very important step  
    + acts like a firewall  
Create a new security group, call it Web-DMZ.
Add SSH, HTTP, HTTPS.
    + for SSH - use my IP address  
    + for HTTP and HTTPS - use 0.0.0.0/0, which means everywhere  
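An added example, my own code rather than the course's: the Web-DMZ rules from the lab written out as data, with an audit function that enforces the intent above, SSH only from a single /32 and only ports 80 and 443 open to the world. 203.0.113.7/32 is a constructed stand-in for "my IP address"; the rule dictionaries use the from_port/to_port/CIDR fields the EC2 API uses, with -1 meaning "all ports" as AWS does.

```python
import ipaddress

# Ingress rules as the lab configures the Web-DMZ group (constructed data;
# 203.0.113.7/32 stands in for "my IP address").
WEB_DMZ_RULES = [
    {"protocol": "tcp", "from_port": 22,  "to_port": 22,  "cidr": "203.0.113.7/32"},
    {"protocol": "tcp", "from_port": 80,  "to_port": 80,  "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
]

# Ports acceptable from anywhere on a public web server.
PUBLIC_OK = {80, 443}
# Administrative ports (SSH, RDP) that must never face the whole internet.
ADMIN_PORTS = {22, 3389}


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ports(rule):
    """Expand a rule's port range into a set; AWS uses -1 for 'all ports'."""
    if rule["from_port"] == -1:
        return {-1}
    return set(range(rule["from_port"], rule["to_port"] + 1))


def audit_ingress(rules):
    """Return one finding per rule that breaks the lab's intent; [] when clean."""
    findings = []
    for rule in rules:
        prange = ports(rule)
        world = is_world(rule["cidr"])
        source = ipaddress.ip_network(rule["cidr"], strict=False)
        if -1 in prange and world:
            findings.append(f"all ports open to {rule['cidr']}")
        elif world and (prange & ADMIN_PORTS):
            findings.append(
                f"admin port {sorted(prange & ADMIN_PORTS)} open to {rule['cidr']}")
        elif world and not prange <= PUBLIC_OK:
            findings.append(
                f"non-web ports {sorted(prange - PUBLIC_OK)} open to {rule['cidr']}")
        elif (prange & ADMIN_PORTS) and source.num_addresses > 1:
            # SSH from a whole network rather than the single "my IP" address.
            findings.append(
                f"admin port open to a range {rule['cidr']}, not a single /32")
    return findings


if __name__ == "__main__":
    print("Web-DMZ findings:", audit_ingress(WEB_DMZ_RULES))
```

Run it against the group as built and the result is an empty list; widen the SSH rule to 0.0.0.0/0 or a /24 and the function names the rule, which is the check to repeat whenever the group is edited later.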
Click "Launch" and create a new key pair. Save the key pair in a safe location; it is used to log in over SSH and access your instance.
SSH into the instance. Escalate privileges to root by typing the "sudo su" command.
Termination protection is turned off by default. You have to turn it on.
EBS-backed instances - default action is for