AWS Certified Solutions Architect Exam Notes – IAM

Cloud Infrastructure

  • Regions
    • Geographical Area
    • Consists of 2 or more AZs
  • Availability Zones – AZ
    • A Facility – Data Center
    • Can be one or several Data Centers which are close to each other.
  • Edge Locations
    • Endpoints for AWS used for caching content.
    • There are more edge locations than regions.

IAM – Identity Access Management

  • What does IAM offer?
    • Centralized control for AWS account
    • Shared Access to AWS account
    • Granular Permissions
    • Identity Federation (FB, Google, etc)
    • Multi-Factor Authentication
    • Temp access for devices/users
    • Setup password rotation policy
    • IAM database authentication (e.g. an application on EC2 connecting to RDS with IAM credentials instead of a database password)
  • The root account is the account created on the first setup. Complete admin access.
  • IAM is global, not region-scoped; the console always shows the region as Global.
  • New Users have NO permissions
    • They get an Access Key ID / Secret Access Key. The secret is shown only once, at creation; if it is lost it cannot be retrieved and you must generate new keys.
  • When creating a user you choose:
    • Programmatic access (Access Key ID / Secret Access Keys)
    • Password 
    • Or both
  • It is possible to not add a user to a group, but assign policies directly.
  • Admin user > Power user (a Power User has broad access but cannot manage IAM users/groups)


Key terms

  • Users 
  • Groups (Collection of users)
  • Policies (JSON documents that grant permissions to users/groups)
    • Anything not explicitly allowed is implicitly denied.
    • An explicit Deny overrides everything else.
    • Only attached policies have an effect; merely creating a policy does nothing.
    • When multiple policies are attached, AWS evaluates them together (union of their statements).
  • Roles (a set of policies that a trusted entity assumes; e.g. they let one AWS service act on another AWS service. Roles are global, like all of IAM.)
    • Examples of who assumes a role:
      • An IAM user in another account.
      • Application code running on an EC2 instance that needs to perform actions on AWS resources.
      • An AWS service that needs to act on resources in your account to provide its features.
      • Users from a corporate directory who use identity federation with SAML.
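To make the policy-evaluation rules above concrete (implicit deny, explicit Deny wins, attached policies are combined), here is an added example that is not part of the original notes and not AWS code: a small Python evaluator run over two constructed identity policies. It simplifies real IAM evaluation (no Condition, NotAction, resource policies or SCPs) and the bucket name and ARNs are made up.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: two identity-based policies attached to the same user.
# Policy 1 allows all S3 actions on one bucket; policy 2 explicitly denies DeleteObject everywhere.
ATTACHED_POLICIES = [
    json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"}]}),
    json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}),
]

def _as_list(value):
    # IAM lets Statement, Action and Resource be a single string or a list.
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, resource):
    # Action/Resource entries may contain "*" and "?" wildcards, as in IAM.
    action_ok = any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok

def is_allowed(policy_docs, action, resource):
    """Evaluate attached identity policies the way the notes describe:
    implicit deny unless some statement allows, and any explicit Deny wins."""
    allowed = False
    for doc in policy_docs:  # all attached policies are evaluated together
        for stmt in _as_list(json.loads(doc)["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny beats every Allow, wherever it appears
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed  # False here is the implicit deny (no statement matched)

if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"),       # allowed by policy 1
        ("s3:DeleteObject", "arn:aws:s3:::app-bucket/report.csv"),    # allowed by 1, denied by 2
        ("ec2:StartInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),  # no match
    ]
    for action, resource in checks:
        print(action, "->", "ALLOW" if is_allowed(ATTACHED_POLICIES, action, resource) else "DENY")
```

Passing an empty list to `is_allowed` models a user with no attached policies (everything denied), and passing only the first policy shows that without the attached Deny the delete would succeed.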


AWS Directory Service 

  • Family of services that connect AWS resources with Microsoft on-prem directory services.

AWS Single Sign-on – SSO

  • Keyword: SAML

AWS STS – Security Token Service

  • Use to create and provide trusted users with temporary security credentials that can control access to your AWS resources.
  • Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.

AWS Secrets Manager

  • AWS service that makes it easier to manage secrets (DB credentials, passwords, third-party API keys).

AWS Organizations

  • Single-payer. Create/invite accounts.
  • Use Service Control Policies (SCPs) to enable/disable AWS services for an account or for an Organizational Unit (OU).
    • Example: Disable EC2 for the finance team.
  • Consolidated Billing
    • One bill per AWS account. Track charges. Volume pricing discount

AWS Resource Access Manager – RAM

  • Use it when you have multiple accounts or an AWS Organization.
  • Use it to create resources centrally and then share them with multiple accounts.
  • The consuming account cannot delete resources shared with it; only the owning account (the one that shared them) can.

How to centrally manage AWS resources?

  • AWS Organizations
  • AWS Resource Access Manager RAM

Security 

Web Application Firewall (WAF)

  • Monitors HTTP(S) requests. Allows/blocks requests based on conditions such as source IP.
  • Protects against injection/XSS attacks (Layer 7).
  • WAF vs NACL
    • Use WAF to protect against injection/XSS attacks (Layer 7).
    • Use NACLs to block IPs (Layer 4).

AWS Shield: protection against DDoS attacks


CloudHSM – Hardware Security Modules

  • Use it to manage encryption keys when regulation requires dedicated hardware. Keyword: FIPS 140-2

KMS – Key Management Service

  • AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
  • Pay per request. Ideal for encrypting S3 objects, DB passwords, API keys.
  • By default, KMS creates a symmetric Customer Master Key (CMK).


Client-side encryption

  • Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options:
    • Use an AWS KMS-managed customer master key.
    • Use a client-side master key. When you use a client-side master key for client-side data encryption, your client-side master keys and your unencrypted data are never sent to AWS.

AWS Parameter Store

  • Serverless. Stores configuration values, secrets, passwords, API keys.
  • Values can be stored encrypted (with KMS) or as plain text. Parameters can be organized in hierarchies.