Video source: Bilibili course "AWS Certified Solutions Architect - Associate (SAA-C03)"
I am organizing the instructor's course content and my lab notes as I study and sharing them here; they will be removed on request if they infringe any rights. Thanks for your support!
Roundup post: AWS Associate Architect Certification Training | Roundup, on the CSDN blog of 热爱编程的通信人
IAM Introduction: Users, Groups, Policies
IAM: Users & Groups
- IAM = Identity and Access Management, a global service (not tied to a region)
- Root account created by default, shouldn't be used or shared
- Users are people within your organization, and can be grouped
- Groups only contain users, not other groups
- Users don't have to belong to a group, and user can belong to multiple groups
IAM: Permissions
- Users or Groups can be assigned JSON documents called policies
- These policies define the permissions of the users
- In AWS you apply the least privilege principle: don't give more permissions than a user needs
IAM Policies
IAM Policies inheritance
IAM Policies Structure
- A policy document consists of:
  - Version: policy language version; always include "2012-10-17"
  - Id: an identifier for the policy (optional)
  - Statement: one or more individual statements (required)
- Each statement consists of:
  - Sid: an identifier for the statement (optional)
  - Effect: whether the statement allows or denies access (Allow or Deny)
  - Principal: the account, user or role the statement applies to. Only resource-based policies (for example an S3 bucket policy or a role's trust policy) carry a Principal; an identity-based policy attached to a user, group or role has none, because the identity it is attached to is the principal
  - Action: list of actions this statement allows or denies
  - Resource: list of resources the actions apply to
  - Condition: conditions under which the statement is in effect (optional)
- Evaluation rule: an explicit Deny in any applicable statement overrides every Allow, and anything that is not explicitly allowed is implicitly denied
IAM MFA Overview
IAM - Password Policy
- Strong passwords = higher security for your account
- In AWS, you can set up a password policy that:
  - sets a minimum password length
  - requires specific character types: uppercase letters, lowercase letters, numbers, non-alphanumeric characters
  - allows all IAM users to change their own passwords
  - requires users to change their password after some time (password expiration)
  - prevents password re-use
Multi Factor Authentication - MFA
- Users have access to your account and can possibly change configurations or delete resources in your AWS account
- You want to protect your root account and your IAM users
- MFA = a password you know + a security device you own
- Main benefit of MFA: if a password is stolen or guessed, the account is still not compromised, because the attacker also needs the device
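Worked example for the policy structure above (Effect, Action, Resource, Condition) and for the MFA point: a small evaluator that applies a constructed identity-based policy to requests, including a statement gated on `aws:MultiFactorAuthPresent`. This is an added example, not code from the course or from AWS; the policy, ARNs and account ID are made up. Only the `Bool` condition operator and `*`/`?` wildcards are implemented, and there is no Principal handling because identity-based policies have no Principal element.

```python
"""Minimal evaluator for one identity-based IAM policy (added example).

Implements the order IAM applies to a single identity-based policy: an
explicit Deny in any matching statement wins, otherwise any matching Allow
grants the request, otherwise the request is implicitly denied.  Real IAM
also evaluates SCPs, permission boundaries, session and resource-based
policies and has many more condition operators; this is deliberately small.
"""
import fnmatch
import json

# Constructed sample policy: read-only on one bucket, stop EC2 instances only
# with MFA, and an explicit deny on object deletion that no Allow can override.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadOnOneBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "AllowEc2StopOnlyWithMfa",
      "Effect": "Allow",
      "Action": "ec2:StopInstances",
      "Resource": "*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "DenyObjectDeletionEverywhere",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

ALLOW, EXPLICIT_DENY, IMPLICIT_DENY = "Allow", "Deny (explicit)", "Deny (implicit)"


def _as_list(value):
    """IAM accepts either a single string or a list in most elements."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the Condition block against the request context (Bool only)."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator!r} not implemented here")
        for key, expected in pairs.items():
            # A key absent from the request context makes a plain Bool test false.
            # That is why this condition works as an MFA gate: requests signed with
            # long-term access keys do not carry aws:MultiFactorAuthPresent at all.
            if key not in context:
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # Action names are case-insensitive; resource ARNs are compared as given.
    # fnmatch gives us IAM's * and ? wildcards (it also treats [...] specially,
    # which real ARNs do not contain).
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), pat) for pat in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource", []))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context=None):
    """Return ALLOW, EXPLICIT_DENY or IMPLICIT_DENY for one request."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _statement_matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return EXPLICIT_DENY  # a matching Deny wins regardless of any Allow
        allowed = True
    return ALLOW if allowed else IMPLICIT_DENY


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    print("GetObject:", evaluate(POLICY, "s3:GetObject", obj))
    print("DeleteObject:", evaluate(POLICY, "s3:DeleteObject", obj))
    print("StopInstances without MFA:", evaluate(POLICY, "ec2:StopInstances", inst))
    print("StopInstances with MFA:", evaluate(POLICY, "ec2:StopInstances", inst,
                                              {"aws:MultiFactorAuthPresent": "true"}))
```

The `Condition` on the second statement is how "enforce MFA" is expressed in a policy rather than only on the login page: a request made with plain long-term access keys never carries `aws:MultiFactorAuthPresent`, so the statement does not apply and the action falls through to the implicit deny.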
MFA devices options in AWS
AWS Access Keys, CLI and SDK
How can users access AWS?
- To access AWS, you have three options:
  - AWS Management Console (protected by password + MFA)
  - AWS Command Line Interface (CLI): protected by access keys
  - AWS Software Development Kit (SDK), for code: protected by access keys
- Access Keys are generated through the AWS Console
- Users manage their own access keys
- Access Keys are secret, just like a password. Don't share them
- Access Key ID ~= username
- Secret Access Key ~= password
Example (Fake) Access Keys
- Access key ID: AKIASK4E37PV4983d6C
- Secret Access Key: AZPN3zojWozWCndlj hB0Unh8239albzbzO5fqqkZq
- Remember: don't share your access keys
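Because access keys are credentials, the practical check is to catch them before they leave your machine. The scanner below is an added example, not code from the course or from AWS; the credentials file and log lines it scans are constructed, and the key IDs and secret in them are fake. It relies on the fixed format of an access key ID (20 characters: the prefix `AKIA` for a long-term IAM user key or `ASIA` for a temporary STS key, then 16 upper-case letters or digits); a secret access key is just 40 characters of base64-like text, so it can only be flagged heuristically and is printed masked.

```python
"""Scan text (config files, logs, commits) for AWS access keys (added example)."""
import re

# Access key ID: 4-letter prefix + 16 upper-case alphanumerics, 20 characters total.
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access key candidate: a 40-character run of the secret-key alphabet
# that is not part of a longer run.  Heuristic, expect false positives.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

KEY_KINDS = {"AKIA": "long-term user access key", "ASIA": "temporary STS access key"}

# Constructed input (fake keys): a credentials file followed by a CI log.
SAMPLE = """\
[default]
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# build.log
export AWS_ACCESS_KEY_ID=ASIATEMPEXAMPLE00002
echo "the bare prefix AKIA is not a key and must not be flagged"
"""


def mask(secret):
    """Keep only the first and last four characters so the report itself
    does not become a second leak."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def find_credentials(text):
    """Return one finding per key ID or secret candidate, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": KEY_KINDS[m.group(1)], "value": m.group(0)})
        for m in SECRET_RE.finditer(line):
            findings.append({"line": lineno, "kind": "secret access key candidate",
                             "value": mask(m.group(0))})
    return findings


if __name__ == "__main__":
    for f in find_credentials(SAMPLE):
        print(f"line {f['line']}: {f['kind']}: {f['value']}")
```

The key ID is safe to print in full because, like a username, it identifies the key without granting access; the secret is the part that must never appear in a report, a ticket or a chat message. A found `AKIA` key is a long-term credential and should be deactivated and rotated in IAM; a found `ASIA` key expires on its own but still tells you a session was exposed.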
What's the AWS CLI?
- A tool that enables you to interact with AWS services using commands in your command-line shell
- Direct access to the public APIs of AWS services
- You can develop scripts to manage your resources
- It's open-source https://github.com/aws/aws-cli
- Alternative to using AWS Management Console
What's the AWS SDK?
- AWS Software Development Kit (AWS SDK)
- Language-specific APIs (set of libraries)
- Enables you to access and manage AWS services programmatically
- Embedded within your application
- Supports:
  - SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
  - Mobile SDKs (Android, iOS, ...)
  - IoT Device SDKs (Embedded C, Arduino, ...)
- Example: AWS CLI is built on AWS SDK for Python
IAM Roles for AWS Services
IAM Roles for Services
- Some AWS services need to perform actions on your behalf
- To do so, we assign permissions to AWS services with IAM Roles: the service assumes the role and receives temporary credentials, so no long-term access keys have to be stored on the instance or in the function
- Common roles:
  - EC2 Instance Roles
  - Lambda Function Roles
  - Roles for CloudFormation
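A role has two policies: the permissions policy (what the service may do once it holds the role) and the trust policy (which principals may assume it). The permissions side looks like any policy above; the trust side is where a service role most often goes wrong, because a trust policy that names `"Principal": "*"` hands the role's permissions to anyone. The auditor below is an added example, not code from the course or from AWS; both trust policies are constructed, and the account ID in the test is fake. It checks that an EC2 instance role trusts only the `ec2.amazonaws.com` service principal and only for `sts:AssumeRole`.

```python
"""Audit the trust policy of a service role (added example)."""
import json

# What an EC2 instance role's trust policy should look like (constructed).
GOOD_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEc2ToAssumeThisRole",
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# A trust policy that lets any AWS account assume the role with any STS action (constructed).
BAD_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sts:*"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list in most elements."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_service):
    """Return a list of problems; an empty list means only `expected_service`
    may assume the role, and only through sts:AssumeRole."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow the trust, never widen it
        sid = stmt.get("Sid", f"Statement[{i}]")
        principal = stmt.get("Principal", {})
        # "Principal": "*" and {"AWS": "*"} both mean every AWS account.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: wildcard principal, any AWS account could assume this role")
        if isinstance(principal, dict):
            if "AWS" in principal:
                findings.append(f"{sid}: trusts IAM principals {_as_list(principal['AWS'])}, "
                                "so this is not a pure service role")
            if "Federated" in principal:
                findings.append(f"{sid}: trusts a federated identity provider, not an AWS service")
            for svc in _as_list(principal.get("Service", [])):
                if svc != expected_service:
                    findings.append(f"{sid}: trusts service {svc}, expected {expected_service}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"{sid}: action {action} is wider than sts:AssumeRole")
    return findings


if __name__ == "__main__":
    for name, pol in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, "->", audit_trust_policy(pol, "ec2.amazonaws.com") or "no findings")
```

Run the same audit with `lambda.amazonaws.com` as the expected service and the EC2 trust policy is flagged as well: a role built for one service should not be reused for another just because the permissions happen to fit.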
IAM Security Tools
- IAM Credentials Report (account-level): a report that lists all your account's users and the status of their various credentials (console password, MFA, access keys, signing certificates)
- IAM Access Advisor (user-level): shows the service permissions granted to a user and when those services were last accessed. You can use this information to revise your policies and remove permissions that are never used.
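The credentials report is downloaded as a CSV, and the useful part is the triage you run over it. The script below is an added example, not code from the course or from AWS. Its input is a constructed subset of the report's real columns (the genuine file also carries last-used region and service columns and signing-certificate columns, which `csv.DictReader` simply passes through); the users, ARNs and account ID are made up, and the clock is pinned so the results are reproducible. It flags console users without MFA, access keys on the root account, keys not rotated within 90 days, and keys that are never or no longer used.

```python
"""Triage an IAM credentials report CSV (added example, constructed input)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed subset of a credentials report.  Values follow the report's own
# conventions: "true"/"false", ISO 8601 timestamps, and N/A / no_information /
# not_supported where a field does not apply; the root user is <root_account>.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-20T08:00:00+00:00,not_supported,not_supported,true,true,2021-03-01T09:05:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-10T12:00:00+00:00,true,2024-05-30T07:10:00+00:00,2024-03-01T10:00:00+00:00,2024-05-30T10:00:00+00:00,true,true,2024-04-15T10:00:00+00:00,2024-05-31T06:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T12:00:00+00:00,true,2024-05-29T07:10:00+00:00,2023-01-01T10:00:00+00:00,2023-03-02T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-09-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-09-01T12:05:00+00:00,2024-05-31T23:00:00+00:00,true,2023-02-01T12:05:00+00:00,N/A
"""

# Pinned "now" so the example is deterministic; use datetime.now(timezone.utc) for real reports.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_time(value):
    """Timestamps parse; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credentials_report(report_csv, now=NOW, max_age_days=90):
    """Return (user, code, detail) findings for every risky credential."""
    findings = []
    cutoff = now - timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console users without an MFA device: the single most important check.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console_without_mfa", "console password enabled but no MFA device"))
        for n in ("1", "2"):
            key = f"access_key_{n}"
            if row[f"{key}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, "root_access_key", f"{key} is active on the root account"))
            rotated_raw = row[f"{key}_last_rotated"]
            rotated = _parse_time(rotated_raw)
            if rotated is None or rotated < cutoff:
                findings.append((user, "key_stale_rotation",
                                 f"{key} last rotated {rotated_raw}, older than {max_age_days} days"))
            used_raw = row[f"{key}_last_used_date"]
            used = _parse_time(used_raw)
            if used is None:
                findings.append((user, "key_unused", f"{key} has never been used"))
            elif used < cutoff:
                findings.append((user, "key_unused", f"{key} not used since {used_raw}"))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit_credentials_report(SAMPLE_REPORT):
        print(f"{user:15} {code:22} {detail}")
```

In the constructed report, `alice` is clean, `bob` is a console user without MFA, `ci-deploy` has two stale keys of which one has never been used (a candidate for deletion rather than rotation), and the root account holds a key, which the best-practice list below says it never should.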
IAM Best Practices
IAM Guidelines & Best Practices
- Don't use the root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce the use of Multi Factor Authentication (MFA)
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic Access (CLI/SDK)
- Audit permissions of your account with the IAM Credentials Report and IAM Access Advisor
- Never share IAM users & Access Keys
IAM Summary
IAM Section - Summary
- Users: mapped to a physical user, has a password for AWS Console
- Groups: contains users only
- Policies: JSON document that outlines permissions for users or groups
- Roles: for EC2 instances or AWS services
- Security: MFA + Password Policy
- Access Keys: access AWS using the CLI or SDK
- Audit: IAM Credential Reports & IAM Access Advisor