AWS IAM


  1. IAM allows you to manage users and their level of access to the AWS
  2. It is important to understand IAM and how it works, both for the exam and for administrating a company's AWS account in real life
Key Features of IAM

Identity Access Management (IAM) offers the following features:
  1. Centralized control of your AWS account
  2. Shared Access to your AWS account
  3. Granular permissions
  4. Identity Federation (including Active Directory, FB, Linkedin, etc.) - same user ID and pwd of these can be used to login AWS account
  5. Multifactor Authentication
  6. Provides temporary access for users/devices and services where necessary
  7. Allows you to set up your own password rotation policy
  8. Integrates with many different AWS services
  9. Supports PCI DSS compliance - ex: for using credit card details, compliance is required+
Key Terminology for IAM

Users
End users such as people, employees of an organization, etc.

Groups
A collection of users. Each user in the group will inherit the permission of the group

Policies
Policies are made up of documents, called Policy documents. These documents are in a format called JSON and they give permissions as to what as user/group/role is able to do

Roles
You can create roles and assign them to AWS resources

Note: 
  • IAM is universal. It does not apply to regions at this time.
  • The "root account" is simply the account created when first setup your AWS account. It has complete admin access.
  • New users have no permissions when first created
  • New users are assigned Access Key ID and Secret Access Keys when first created.
  • These are not the same as a password. You cannot use the Access Key ID & Secret access key to login to the console. You can use this to access AWS via the APIs and command line, however.
  • You can only get to view these once. If you lose them, you have to regenerate them. So, save them in a secure location.
  • Always set us Multifactor Authentication on your root account.
  • You can create and customize your own password rotation policies.
  • Power users access allows access to all AWS services except for the management of groups and users within IAM
  • Policy documents are written in JSON format
Sample question :

- You are a solutions architect working for a large engineering company who are moving their existing legacy hardware to AWS. You have configured their first AWS account and you have set up IAM. Your company will be primarily based out of West Germany, however, they will have a small subsidiary operating out of South Korea and you will need an AWS environment configured there as well. Which of the following statements is true;

Ans: You will need to configure the users and policy documents only once, as these are applied globally

- You have a client who is considering moving to AWS services and do not yet have an account. What is the first thing the company should do to set up an AWS Account?

Ans: set up an account using their company's email address

You are a security administrator working for a hotel chain. You have a new member of staff who has started as a systems administrator and they will need full access to the AWS console. You have created the user account and generated the access key id and the secret access key. You have moved this user into the group where the other administrators are and you have provided the new user with their secret access key and their access key id. However, when they go to log in to the AWS console, they cannot sign in. What could be the cause of this?

Ans: You cannot log in to the console using Access Key ID and Secret Access Key, instead you must generate the password for the user and supply the user with this password, as well as the unique link to sign in to the AWS console 





Comments

Post a Comment

Popular posts from this blog

SAP Datasphere Architecture

Image
  SAP has retained all of the functionality of SAP Data Warehouse Cloud (SAP DWC), while adding new functionality that improves the discovery, modelling and distribution of enterprise data. This evolution has had no impact on the workload of SAP DWC customers. The update is performed automatically, so no migration is required. This will be the case for all new functionalities Accessing and using diverse data from different information systems and locations such as cloud providers, on-premise systems and different data sources has always been a complex challenge for organisations. The processing that this data undergoes in order to centralise it and return it afterwards (extraction, transformation, export, etc.) leads to the loss of its business context. SAP Datatsphere gives its customers the benefit of an enterprise data fabric architecture that harmonises critical data (SAP and non-SAP) in a single way and rapidly delivers meaningful data with business context and logic. SAP Datasphe
Read more

SAP Datasphere Data Integration - Part 1 - Introduction and Integration using Remote Tables

Image
SAP Datasphere provides a large set of default connections to access data from a wide range of sources, source from SAP as well as non-SAP sources or partner tools, residing in an cloud as well as on-premise environment. Connections are defined in a separate view which can be found in the main navigation window of the left. Connections are individual objects in SAP Datasphere. They are created and maintained per SAP Datasphere Space which means only members of a specific Space are able to make use of the related connections. These connections can be then be used within the different tools (like SQL View Builder, Graphical View Builder or Data Flow) for creating your data models. SAP Datasphere can integrate with both SAP or Non-SAP Source systems and it can be either cloud or on-premise. We have multiple connection types in SAP Datasphere. Each connection type supports a defined set of features. Depending on the connection type and the connection configuration, a connection can be used
Read more

SAP Datasphere Spaces

Image
  A space is a secure area created by an Administrator, in which members can acquire, prepare, and model data. The Administrator allocates disc and in-memory storage to the space, set its priority, and can limit how much memory and how many threads its statements can consume. If the administrator assigns one or more Space Administrators as members of the space, they can then assign other members, create connections to source systems, secure data with data access controls, and manage other aspects of the space. Spaces are virtual work environments with their own data bases. Spaces are decoupled, but are open for flexible access, thus allowing your users to collaborate without having to worry about sharing their data. To model your data and create stories, you need to start off with a space. You can decide how much and what kind of storage you need, as well as how important your space is compared to other spaces. You also add space members and set up connections here. Each spaces can be
Read more