AWS Cloud Developer Associate Certification

  1. IAM, VPC & AWS Free Tier Account

Index

  1. Introduction
  2. Best practice for root accounts
  3. IAM Groups
Introduction

An IAM user is an entity that represents a person or application that interacts with AWS

  1. Can be assigned:
    • An access key ID and secret access key for programmatic access to the AWS API, CLI, SDKs and other development tools
    • A password for access to the management console
  2. A new IAM user has no permissions until a policy is attached to it (or to a group it belongs to)
  3. The account root user signs in with the email address used to create the account and a password
  4. The root user has full administrative permissions and these cannot be restricted by IAM policies (the only thing that can limit the root user of a member account is a service control policy from AWS Organizations)

Best practice for root accounts

  1. Don't use the root user credentials for everyday work
  2. Don't share the root user credentials
  3. Create an IAM user and assign administrative permissions as required
  4. Enable Multi-Factor Authentication (MFA) on the root user

More on IAM users

  1. IAM users can be created to represent applications and these are known as "service accounts" (for workloads that run on AWS, prefer an IAM role, which receives temporary credentials instead of long-term access keys)
  2. The default quota is 5,000 IAM users per AWS account
  3. Each user has a friendly name and an Amazon Resource Name (ARN) which uniquely identifies the user across AWS
  4. Create an individual IAM user for each person (best practice is not to share accounts)
  5. A password policy can be defined to enforce password length, complexity, expiry etc. (it applies to all IAM users in the account; the root user's password is not governed by it)

IAM Groups

  1. Groups are collections of IAM users; a policy attached to a group applies to every user in it
  2. A group is not an identity and cannot be named as a principal in an IAM policy
  3. Use groups to assign permissions to users rather than attaching policies to users one at a time
  4. Apply the principle of least privilege when assigning permissions
  5. You cannot nest groups (groups within groups); a user can belong to more than one group


IAM Roles

  1. Roles are created and then "assumed" by trusted entities; a role has a trust policy (who may assume it) and permissions policies (what it may do once assumed)
  2. With IAM roles you can delegate permissions to users and services without handing out long-term credentials (such as a user's access keys)
  3. IAM users, AWS services (for example EC2 or Lambda) and federated identities can assume a role to obtain temporary security credentials for AWS API calls; the credentials expire automatically

IAM Policies

  1. Policies are documents that define permissions and can be attached to users, groups and roles
  2. Policy documents are written in JSON: a list of statements, each with an Effect (Allow or Deny), an Action, a Resource and an optional Condition
  3. All requests are implicitly denied by default; an explicit Allow in an applicable policy is needed to grant access
  4. An explicit Deny in any applicable policy overrides every Allow, so the outcome is always the most restrictive one
  5. The IAM policy simulator is a tool to help you understand, test and validate the effects of access control policies before you deploy them
  6. The Condition element adds further conditional logic, e.g. requiring aws:MultiFactorAuthPresent to be true or restricting requests to a source IP range
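The roles and policies sections above describe the evaluation rules (implicit deny by default, explicit Deny overriding Allow, Condition keys, and a trust policy that names who may assume a role). The following is an added example, not code from the original post or from AWS: a deliberately simplified IAM decision engine that applies those rules to a constructed identity policy and role trust policy. The account ID 123456789012, the bucket example-bucket, the role AdminRole and the user alice are made up; NotAction, NotResource and resource-based policies are not modelled.

```python
import fnmatch

# Constructed sample for illustration only; none of these ARNs refer to real resources.
ACCOUNT = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"

# Identity-based policy attached to an IAM user or group: full S3 on one bucket,
# an explicit Deny on writes, and AssumeRole only when the caller used MFA.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": ["s3:Put*", "s3:Delete*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN,
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

# Trust policy of the role: the Principal element says WHO may assume it.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, casefold=False):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    if casefold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition, context):
    """Supports StringEquals and Bool; every key must match, and a context key
    that is absent from the request makes the condition false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if str(actual) not in [str(v) for v in _as_list(expected)]:
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def evaluate(policies, action, resource, context=None):
    """'explicit deny' if any matching statement denies, else 'allow' if any
    matching statement allows, else the default 'implicit deny'."""
    context = context or {}
    decision = "implicit deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action, casefold=True):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"      # a matching Deny always wins
            decision = "allow"
    return decision

def can_assume(trust_policy, principal_arn, context=None):
    """Does the role's trust policy let this principal call sts:AssumeRole?
    For a cross-account assume, the caller's identity policy must allow it too."""
    context = context or {}
    for stmt in _as_list(trust_policy["Statement"]):
        trusted = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if stmt["Effect"] != "Allow" or principal_arn not in trusted:
            continue
        if (_matches(stmt.get("Action", []), "sts:AssumeRole", casefold=True)
                and _condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False

def demo():
    obj = "arn:aws:s3:::example-bucket/report.csv"
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "read": evaluate([IDENTITY_POLICY], "s3:GetObject", obj),
        "write": evaluate([IDENTITY_POLICY], "s3:PutObject", obj),          # Deny beats the s3:* Allow
        "other_bucket": evaluate([IDENTITY_POLICY], "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
        "assume_no_mfa": evaluate([IDENTITY_POLICY], "sts:AssumeRole", ROLE_ARN, no_mfa),
        "assume_mfa": evaluate([IDENTITY_POLICY], "sts:AssumeRole", ROLE_ARN, mfa),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>14}: {result}")
    alice = f"arn:aws:iam::{ACCOUNT}:user/alice"
    print("alice can assume with MFA:", can_assume(TRUST_POLICY, alice, {"aws:MultiFactorAuthPresent": "true"}))
```

Running it shows the four outcomes the notes describe: the read is allowed, the write hits the explicit Deny even though s3:* would allow it, the other bucket falls through to implicit deny, and sts:AssumeRole is granted only when the MFA context key is present and true. The real service applies the same ordering (explicit deny, then allow, then implicit deny); use the IAM policy simulator for the full rule set.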

Authentication Methods

IAM Access Keys

  1. An access key is a combination of an access key ID and a secret access key
  2. Used to make programmatic calls to AWS from program code (the SDKs), the AWS CLI or the AWS Tools for PowerShell
  3. You can create, modify, view or rotate access keys; a user can have at most two access keys, which allows rotation without downtime
  4. When a key is created IAM returns the access key ID and the secret access key
  5. The secret access key is shown only at creation time; if it is lost, delete that key and create a new one
  6. Store access keys securely (never in source code, images or shared files) and rotate them regularly
  7. Users can be granted permission to manage their own keys through an IAM policy (this is a policy permission, not a console setting)
  8. You can deactivate a user's access key, which prevents it from being used for API calls, before deleting it
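Two practical checks follow from the access-key points above: finding keys that have leaked into files, and finding active keys that are overdue for rotation. The block below is an added example, not code from the original post or an AWS tool. The AKIA/secret pair in the sample file is the placeholder pair used throughout AWS documentation, the ASIA key, the session token and the key metadata list are constructed, and the 90-day rotation limit is an assumed policy value.

```python
import re
from datetime import datetime, timedelta, timezone

# An access key ID is 20 characters: a 4-letter prefix plus 16 upper-case
# alphanumerics. AKIA = long-term key of an IAM user; ASIA = temporary key
# issued by STS, which only works with its session token and expires on its own.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 base64-like characters with no fixed prefix, so it is
# only flagged when it follows a secret-key label; that keeps false positives down.
SECRET_RE = re.compile(r"(?i)aws_?secret_?access_?key\W{0,5}([A-Za-z0-9/+=]{40})\b")

# Constructed sample file (the AKIA/secret pair is the AWS documentation
# placeholder; the ASIA key and session token are made up). Nothing here is live.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[assumed-role]
aws_access_key_id = ASIAQ4X7EXAMPLE12345
aws_session_token = FwoGZXIvYXdzEBYaDExampleSessionTokenThatIsNotReal
"""

def find_credentials(text):
    """Return (kind, value) pairs for everything that looks like an AWS credential."""
    hits = []
    for m in ACCESS_KEY_RE.finditer(text):
        key = m.group(1)
        kind = "temporary-key-id" if key.startswith("ASIA") else "long-term-key-id"
        hits.append((kind, key))
    for m in SECRET_RE.finditer(text):
        hits.append(("secret-access-key", m.group(1)))
    return hits

# Constructed sample shaped like the AccessKeyMetadata entries that
# `aws iam list-access-keys` returns (AccessKeyId, Status, CreateDate).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active", "CreateDate": NOW - timedelta(days=200)},
    {"AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"AccessKeyId": "AKIAINACTIVE0EXAMPLE", "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
]

def keys_due_for_rotation(keys, now=None, max_age_days=90):
    """Active keys older than max_age_days. Inactive keys are skipped: they cannot
    make API calls, and the safe rotation order is create new, switch the client,
    deactivate the old key, confirm nothing broke, then delete it."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys if k["Status"] == "Active" and k["CreateDate"] < cutoff]

if __name__ == "__main__":
    for kind, value in find_credentials(SAMPLE_CONFIG):
        print(f"{kind:>18}: {value[:4]}...{value[-4:]}")   # never print a whole secret
    print("due for rotation:", keys_due_for_rotation(SAMPLE_KEYS, NOW))
```

The prefix check matters when triaging a finding: an AKIA key in a repository is a long-term credential that stays valid until someone deactivates it, whereas an ASIA key is worthless without its session token and dies on its own when the STS session expires.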

Multi-Factor Authentication in AWS

  • Something you know: the user's password
  • Something you have: an MFA device, e.g. a virtual MFA app that generates a time-based one-time code, a hardware TOTP token or a FIDO security key

AWS Security Token Service (STS)

TODO: STS (user) vs role (service)

  1. The AWS Security Token Service (STS) is a web service that issues temporary, limited-privilege credentials (an access key ID, a secret access key and a session token) for IAM users or for users that you authenticate yourself (federated users); assuming a role is an STS operation (AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity)
  2. By default, AWS STS is available as a global service with a single endpoint at https://sts.amazonaws.com; regional endpoints (for example https://sts.us-east-1.amazonaws.com) also exist and are what AWS recommends, for lower latency and to keep requests inside the Region
  3. All Regions are enabled for STS by default but can be disabled in the account settings
  4. The Region whose STS endpoint you call must be enabled
  5. Temporary credentials work in all enabled Regions regardless of which endpoint issued them, with one caveat: tokens from the global endpoint are by default valid only in Regions that are enabled by default, and the account must be set to issue version 2 session tokens for them to work in opt-in Regions

AWS Global Infrastructure

Published by sevanand yadav

Software engineer working as a web developer, specializing in Spring MVC with MySQL and Hibernate