Saturday, June 24, 2017

AWS : IAM : Basics

  • IAM is global in nature, its not region specific
  • Default region for a new account is Oregon
  • Every user can have its own custom login URL , by default it’s a long number, can use an alias ( from a global namespace ) => 
  • After creating an alias can i signin using normal link ? Ans No… also One root user has one custom login URL… like
  • Best practice not too login via root + activate MFA on it.
  • 'Access key id' & 'secret access key' are used to programmatically access the AWS , it cant be used to access console.
  • IAM doesn't allow bio metric access
  • Default level of access for a newly created user is 'no access to any AWS service'
Best Practices for root account
  • delete your root access keys
  • activate MFA 
  • create individual IAM users
  • Use Group to assign permission
  • Use password policy
Group vs Role
A Role allows or denies a service to service access. for example can create one to allow EC2 to access S3 then you dont need a username and password.

Power User Access
Allows full access to all AWS services except for management of groups within IAM.
Its not full access to all  AWS services & resources.

Administrator Access
Root user has Administrator Access

Ques : How many active keys can 1 user have ?
Ans 2
Why : Keys have expiration time , so u generate two : while old one is still active replace it with the new one. Nothing breaks.

Keys best practices
●    Remove or don’t generate access keys for root user.
●    Use diff keys or IAM roles for diff applications.
●    Rotate keys
●    Remove unused keys
●    Use aws credentials file or env variables rather than hardcoding access keys in scrpt. (even if u get my script u dont get my keys)

  • Permission can be assigned to group and users both. Not a good practice to assign to user. You can override a ‘group permission’ for a user or ‘add extra permission’ to that user by  overriding or adding permission to that particular user.
  • One user can belong to two groups. Permissions are stacked up then.
  • No Way to nest groups inside other groups. Instead put one user in multiple groups.
  • For changed permission to take effect, user doesn’t have to logout and login.
  • Note AWS permissions are not related to any OS permissions like of EC2.
    almost everything in AWS is case sensitive.

No comments: