[Modify] Complete IAM Notes

Kanani Nirav
2024-10-09 20:47:50 +09:00
parent 2c80d9df87
commit d6318dab70


@@ -13,6 +13,17 @@
- [IAM Security Tools](#iam-security-tools)
- [IAM Guidelines \& Best Practices](#iam-guidelines--best-practices)
- [Shared Responsibility Model for IAM](#shared-responsibility-model-for-iam)
- [Multi-Factor Authentication (MFA)](#multi-factor-authentication-mfa)
- [Benefits of MFA](#benefits-of-mfa)
- [MFA Devices Options in AWS](#mfa-devices-options-in-aws)
- [How Can Users Access AWS?](#how-can-users-access-aws)
- [Whats the AWS CLI?](#whats-the-aws-cli)
- [Key Features of AWS CLI:](#key-features-of-aws-cli)
- [Example Commands:](#example-commands)
- [Whats the AWS SDK?](#whats-the-aws-sdk)
- [Key Features of AWS SDK:](#key-features-of-aws-sdk)
- [Example Usage (Python boto3 SDK):](#example-usage-python-boto3-sdk)
- [IAM Section Summary](#iam-section--summary)
## What Is IAM?
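Review bot: The new TOC entry `[IAM Section Summary](#iam-section--summary)` has a double hyphen in its anchor, but the heading added further down is `## IAM Section Summary`, which renders as `#iam-section-summary`, so the link will not resolve; change it to `#iam-section-summary`. The two "Whats" entries should read "What's" to match the corrected headings; the generated slugs (`#whats-the-aws-cli`, `#whats-the-aws-sdk`) are unchanged because the apostrophe is dropped when the anchor is built, so the links keep working.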
@@ -159,3 +170,105 @@
| Protect physical data centers and global infrastructure. | Manage and secure IAM user accounts and access keys. |
| Maintain the availability of IAM service. | Implement strong password policies and enable MFA. |
| Provide IAM managed policies for common scenarios. | Ensure IAM permissions are correctly configured and follow the principle of least privilege. |
## Multi-Factor Authentication (MFA)
- **MFA** adds an extra layer of protection on top of a username and password.
- With MFA enabled, when a user signs in, they must provide:
1. Their **password** (something they know).
2. An **authentication code** from their MFA device (something they have).
- Even if a users password is compromised, MFA can prevent unauthorized access.
### Benefits of MFA
- Enhances account security by requiring a second form of authentication.
- Reduces the risk of credential compromise and unauthorized access.
- AWS recommends enabling MFA for all IAM users, especially for root accounts and privileged users.
- Main benefit of MFA: if a password is stolen or hacked, the account is not compromised
## MFA Devices Options in AWS
AWS supports several types of MFA devices:
| **MFA Device Type** | **Description** |
|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
| **Virtual MFA Device** | Uses apps like Google Authenticator or Authy. Generates a time-based one-time password (TOTP) on a smartphone or tablet. |
| **Hardware MFA Device** | Physical devices like Gemalto tokens that generate time-based codes. |
| **U2F Security Key** | USB devices supporting the Universal 2nd Factor (U2F) standard. Typically used for browser-based sign-ins. |
| **AWS Multi-Factor Authentication (MFA)** | AWS offers its own MFA solutions integrated with IAM to easily configure and manage MFA devices for users. |
## How Can Users Access AWS?
AWS provides multiple ways for users to access resources:
| **Access Method** | **Description** |
|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **AWS Management Console** | A web-based user interface for interacting with and managing AWS resources visually. Best for beginners and infrequent tasks. |
| **AWS Command Line Interface (CLI)** | A unified tool to interact with AWS services using commands in your terminal. Suitable for automation and developers. |
| **AWS Software Development Kits (SDKs)** | Language-specific APIs for programmatically accessing AWS services using programming languages like Python, JavaScript, Java, Ruby, etc. |
| **AWS CloudFormation** | A service to define and provision AWS infrastructure using code (Infrastructure as Code IaC). Allows creating stacks and automating deployment configurations. |
| **AWS Mobile Console** | Provides mobile access to manage AWS services on-the-go. |
## Whats the AWS CLI?
- **AWS CLI (Command Line Interface)** is a unified tool to manage AWS services through your terminal or command prompt.
- It allows you to issue commands and automate tasks across multiple AWS services.
- Supports both Windows, macOS, and Linux.
- Direct access to the public APIs of AWS services
### Key Features of AWS CLI:
1. **Command automation**: Write scripts to automate frequent AWS tasks.
2. **Access to all services**: Interact with any AWS service and manage resources from the command line.
3. **Profile management**: Manage multiple AWS accounts using different named profiles.
4. **JSON and YAML output**: Format CLI responses for better readability or integration with other tools.
### Example Commands:
```bash
# List all S3 buckets in your account
aws s3 ls
# Describe EC2 instances in a specific region
aws ec2 describe-instances --region us-west-2
```
## Whats the AWS SDK?
- AWS SDK (Software Development Kit) allows developers to interact with AWS services using various programming languages.
- Supports languages like Python (boto3), JavaScript (aws-sdk), Java, .NET, Ruby, PHP, and more.
- SDKs provide simplified APIs, making it easier to work with AWS services programmatically without dealing with low-level API calls.
### Key Features of AWS SDK:
- API abstraction: Higher-level abstractions simplify complex operations like S3 object uploads or DynamoDB queries.
- Cross-service integration: SDKs help integrate multiple AWS services together within applications.
- Authentication: Easily manage credentials and authenticate requests using IAM roles or user access keys.
- Retry logic: Handles transient network issues with built-in retry logic.
### Example Usage (Python boto3 SDK):
```Python
import boto3
# Create an S3 client
s3 = boto3.client('s3')
# List all S3 buckets
response = s3.list_buckets()
print('S3 Buckets:', [bucket['Name'] for bucket in response['Buckets']])
```
## IAM Section Summary
- **Users**: Mapped to a physical user, has a username and password for AWS Management Console access.
- **Groups**: Contains users and allows applying common permissions to multiple users.
- **Policies**: JSON document that defines permissions for users, groups, or roles.
- **Roles**: Assign to AWS services (e.g., EC2, Lambda) for accessing other resources without credentials.
- **Permissions**: Allow or deny actions on AWS resources, defined using policies.
- **MFA**: Multi-Factor Authentication for an additional layer of security beyond username and password.
- **Password Policy**: Enforce password complexity, rotation, and reuse rules for IAM users.
- **AWS CLI**: Command-line tool to interact with AWS services and automate tasks.
- **AWS SDK**: Use programming languages (e.g., Python, JavaScript) to manage AWS services programmatically.
- **Access Keys**: Key pairs used to authenticate when accessing AWS using the CLI or SDK.
- **Audit Tools**: IAM Credential Report lists user credentials; Access Advisor shows service permissions usage.
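Review bot: The summary line `- **Roles**: Assign to AWS services (e.g., EC2, Lambda) for accessing other resources without credentials.` is misleading, because a role does hand the service temporary credentials; the point is that no long-term access keys have to be stored on the instance or function. Suggest "... for accessing other resources using short-lived temporary credentials instead of long-term access keys." In the MFA device table, the row `| **AWS Multi-Factor Authentication (MFA)** | AWS offers its own MFA solutions ...` is not a device type and duplicates the section intro; drop it or move the sentence above the table. Smaller items: the headings `## Whats the AWS CLI?` and `## Whats the AWS SDK?` need an apostrophe; "Supports both Windows, macOS, and Linux" should drop "both"; the SDK example fence is tagged `Python` while the CLI example uses lowercase `bash`, so use `python` for consistent highlighting; and the bullet "Main benefit of MFA: ... the account is not compromised" is missing its terminal period.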