You're reading from AWS Certified Cloud Practitioner Exam Guide

Product type: Book
Published in: Jan 2022
Publisher: Packt
ISBN-13: 9781801075930
Edition: 1st Edition
Author: Rajesh Daswani

Rajesh Daswani is a senior solutions architect, AWS course content creator, and corporate trainer with over 20 years' experience in core IT infrastructure services and cloud computing. He has delivered corporate training programs and online training for several clients across the UK, USA, and India and published courses for Packt Publishing. Rajesh now delivers courses for the IaaS Academy, an online training provider that delivers on-demand cloud computing training and practice exam simulators to help students and IT professionals ace IT certification exams. You will also find extensive blog articles and exam tips on the IaaS Academy website to help you with your study and revision.

Chapter 4: Identity and Access Management

So far, you have learned about the basics of cloud computing and its advantages. You have also been introduced to AWS and had a quick overview of its services. We have discussed the AWS Global Infrastructure and its support plans for customers looking to use the services offered. We have also emphasized the importance of AWS accounts and how they help you gain isolated and secure access to the wide range of AWS services within which you can build your cloud solutions. We also identified the architectural reasons behind having multiple AWS accounts and using AWS Organizations to centrally manage all your accounts.

You have also learned how to set up your first AWS Free Tier account, which will enable you to start configuring resources on the platform.

In this chapter, we will look at the AWS Identity and Access Management (IAM) service. This is a critical foundational service designed to secure access to your AWS account. AWS IAM is an...

Introduction to the AWS IAM service

At this point, you should have a single AWS Free Tier account that you can log in to using your chosen email address and password combination. This email address that you have used to create the account is also known as the root user. The root user is the person who created the account and holds the keys to the kingdom. This privileged user must be guarded well, and knowledge of its credentials (passwords and so on) should not be given to anyone who is not authorized to use it. The root user should also not be used for day-to-day operations. You can create additional user accounts (what we call IAM users) to perform daily tasks. We'll look at IAM users shortly in this chapter.

The AWS IAM console

To access any AWS service, including the IAM service, you can either use the web-based management console, the command-line interface (CLI), or AWS SDKs if you are writing code. We will start with the AWS Management Console. Log in to your AWS...

The root user account and implementing Multi-Factor Authentication (MFA)

One of the first things you want to do is configure MFA for your root user account. Normally, when you log in to an AWS account, you simply provide a username and password. You are probably aware that you must choose a highly complex password – one that has lowercase letters, uppercase letters, numbers, and symbols, and must be randomly generated rather than dictionary words that can be guessed easily.

However, a username and password combination alone is not sufficient in this age of malware attacks, hacking, and brute force attacks. MFA is a mechanism where you are prompted to verify your identity using more than one set of credentials. Instead of just having two passwords, however, MFA uses two separate secrets to verify your identity – something you know and something you have. So, for example, something you know would be your username and password, and something you have would be a one-time...

The importance of defining IAM password policies

Now that you have secured your root user account, you should start creating additional accounts for users in your organization. Remember that the root user is the most privileged account, and you should not use the root user account for daily operations. Each member of your organization that needs to access the AWS services in your AWS account must be provided with an IAM user account. Never share your root credentials with other team members, even with other administrators, as they should be using their own IAM accounts with the appropriate administrative permissions.

We discuss IAM users in the next section, but for now, it becomes obvious that an IAM user account will be configured with a password. And if you have a hundred different IAM user accounts, you want to enforce some sort of password policy so that those accounts do not have weak passwords that are easy to crack.

AWS password policies enable you to define rules to...

Key differences between IAM users and IAM groups

In this section, we look at the importance of setting up additional identities that need to access your AWS account. We also look at best practices in managing what those identities can or cannot do in your AWS account, using IAM groups.

IAM users

As discussed in the preceding section, in addition to the root user, you can create additional users known as IAM users. IAM users can be used to represent physical people in your organization, such as members of your development team or server administrators. These users can then use their IAM user accounts to log in to your AWS account and perform tasks based on permissions you grant them.

IAM user accounts can also be used by applications and other services that need to authenticate themselves against a given AWS service. For example, if an application needs to update a backend Amazon RDS database, you want to make sure that the application is authorized to do so. The application...

Defining permissions with IAM policies

IAM policies are objects attached to a given IAM identity, such as an IAM user, a group of IAM users, or an IAM role. These policies define what the identity can or cannot do within the AWS account and are written as JSON documents. In the following diagram, user Bob can access and read the content of an S3 bucket. The policy is attached to the group that Bob is a member of, so Bob inherits that permission from the group.

When a principal (IAM user or IAM role) tries to access an AWS service, AWS will evaluate the policy document attached to it and determine what action the principal can or cannot perform:

Figure 4.6 – Policy document attached to the developers group, granting Bob read access to the Marketing Documents bucket

IAM policies enable you to follow the principle of least privilege, which means that identities can be configured to only have access to services and configuration options necessary...
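The evaluation described above (policy documents attached to the group, inherited by the user, explicit Deny overriding Allow, and everything else implicitly denied) can be worked through in code. This is an added example, not code from the book: the policy document is modelled on Figure 4.6, and the bucket names, the account ID 123456789012, the finance-* deny statement and the users bob and alice are constructed. Conditions, NotAction/NotResource and resource-based policies are deliberately not modelled.

```python
import fnmatch
import json

# Constructed policy in the shape of Figure 4.6: the developers group may list and read
# the marketing-documents bucket and is explicitly denied anything on finance-* buckets.
DEVELOPERS_GROUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListMarketingBucket", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::marketing-documents"},
    {"Sid": "ReadMarketingObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": "arn:aws:s3:::marketing-documents/*"},
    {"Sid": "NeverTouchFinance", "Effect": "Deny",
     "Action": "s3:*", "Resource": "arn:aws:s3:::finance-*"}
  ]
}
""")

# Constructed admin-style policy (allow everything), as an IAM user like Alice might have.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

GROUPS = {"developers": [DEVELOPERS_GROUP_POLICY]}
USERS = {"bob": {"groups": ["developers"], "policies": []},
         "alice": {"groups": [], "policies": [ADMIN_POLICY]}}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    """IAM-style wildcard match: '*' any run, '?' one char. Actions are case-insensitive,
    resource ARNs are matched as written."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Simplified IAM evaluation over every statement of every attached policy:
    an explicit Deny that matches wins outright; otherwise any matching Allow grants
    access; otherwise the request is implicitly denied."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"


def policies_for(user_name):
    """A user's effective identity policies: its own plus those of every group it is in."""
    user = USERS[user_name]
    docs = list(user["policies"])
    for group in user["groups"]:
        docs.extend(GROUPS[group])
    return docs


def is_allowed(user_name, action, resource):
    return evaluate(policies_for(user_name), action, resource)


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::marketing-documents/q3-plan.pdf"),
                     ("s3:PutObject", "arn:aws:s3:::marketing-documents/q3-plan.pdf"),
                     ("s3:GetObject", "arn:aws:s3:::finance-reports/payroll.csv")]:
        print(f"bob {act} {res}: {is_allowed('bob', act, res)}")
```

The point for least privilege is visible in the results: Bob has exactly the read actions the group policy names, a write to the same bucket falls through to the implicit deny, and no Allow anywhere can override the explicit Deny on finance buckets.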

Reviewing credential reports

AWS enables you to download a comma-separated values (CSV) file, updated every 4 hours, that lets you audit the security state of your IAM users. The report lists every IAM user in your AWS account together with the status of their credentials (for example, whether they have been configured with passwords and access keys, and when those were last used or rotated). The report also highlights whether each user account has been configured with MFA.

Monitoring your credentials report will also help you pick up on identities that may not have accessed resources in your AWS accounts recently. You can then work out whether those users still need access and delete unwanted users from your AWS accounts.
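The two checks described above (users without MFA and identities that have not been used recently) are straightforward to automate over the downloaded CSV. The following is an added example, not code from the book: the sample report is constructed in the credential report's column layout (a subset of its columns; the real file has further access_key_2 and certificate columns), the users and timestamps are made up, the account ID 123456789012 is a placeholder, and the 90-day thresholds are this example's own choice.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential report's CSV layout (subset of columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-10T09:00:00+00:00,not_supported,2021-12-20T08:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-02-01T10:00:00+00:00,true,2022-01-04T07:30:00+00:00,2021-11-15T10:00:00+00:00,N/A,true,true,2021-12-01T10:00:00+00:00,2022-01-03T17:45:00+00:00
john,arn:aws:iam::123456789012:user/john,2021-03-05T11:00:00+00:00,true,2022-01-03T16:20:00+00:00,2021-03-05T11:00:00+00:00,N/A,false,true,2021-03-05T11:00:00+00:00,2021-12-30T09:10:00+00:00
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2020-06-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-06-01T12:00:00+00:00,2021-08-01T02:00:00+00:00
"""

# Fixed "as of" time so the findings are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2022, 1, 5, tzinfo=timezone.utc)


def _ts(value):
    """Parse a report timestamp; the report uses N/A, no_information and not_supported
    for 'no value', which we treat as None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW, key_max_age_days=90, inactive_days=90):
    """Return (user, finding) pairs: root protection, console users lacking MFA,
    access keys older than key_max_age_days, and users idle for inactive_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # The root user should carry MFA and should never have active access keys.
            if row["mfa_active"] != "true":
                findings.append((user, "root-without-mfa"))
            if row["access_key_1_active"] == "true":
                findings.append((user, "root-has-access-key"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console-user-without-mfa"))
        if row["access_key_1_active"] == "true":
            rotated = _ts(row["access_key_1_last_rotated"])
            if rotated and now - rotated > timedelta(days=key_max_age_days):
                findings.append((user, "stale-access-key"))
        # Most recent sign of life across console and programmatic access.
        last_used = [t for t in (_ts(row["password_last_used"]),
                                 _ts(row["access_key_1_last_used_date"])) if t]
        if not last_used or now - max(last_used) > timedelta(days=inactive_days):
            findings.append((user, "inactive-user"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Run against a real report (downloaded from the IAM console or with the CLI's credential report commands), the same function gives you the candidate list for MFA enrolment, key rotation and account removal that the text recommends reviewing.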

In this section, we looked at credential reports, which allow you to generate details of your IAM users and their current access status. In the next sections, we provide a number of exercises to help you build hands-on experience of using the IAM service to secure access...

Exercise 4.1 – creating an IAM group

In this exercise, you will create an IAM group for a development team that is going to require full access to Amazon S3:

  1. Log in to your AWS account.
  2. Click on the IAM link under the Security, Identity, & Compliance category on your AWS Services home page.
  3. From the left-hand menu, click Groups.
  4. Next, click on the Create New Group button.
  5. You will then be presented with a step-by-step wizard. Provide a group name for your new group. For this exercise, type in Developers.
  6. Click the Next Step button in the bottom right-hand corner of the screen.
  7. You now need to attach a policy. You can create your own customer-managed policies but for the purposes of this exercise, type S3 in the Policy Type filter search box. This will narrow down the available policies that relate to Amazon S3.
  8. Tick the checkbox next to the AmazonS3FullAccess policy.
  9. Click the Next Step button in the bottom right-hand corner of the...

Exercise 4.2 – creating an IAM user

Now that you have created a developers group, you can add your developers to this group. To illustrate this, we will create a new user, John. John is one of our senior developers at Packt and we would like to ensure that he is a member of the developers group, which will give him full access to Amazon S3:

  1. In the IAM dashboard, click on Users from the left-hand menu.
  2. Click the Add user button.
  3. In the User name textbox, type in john (all lowercase).
  4. Next, you need to select the type of access you want to grant John. John is a developer and will require both console access and programmatic access. This means that sometimes, John will use the web-based console to configure resources in Amazon S3, and at other times, he may use the CLI. For this exercise, tick both boxes – Programmatic Access and AWS Management Console access.
  5. To access the AWS account via the console, you need to create a password for the user....

Exercise 4.3 – logging in to your AWS account as an IAM user

In this exercise, we log out of the AWS account as the root user and log back in as the IAM user you just created. If you did not make a note of the special sign-in link, you will need to know what your AWS account ID is. You can easily discover this by clicking on your account name in the top right-hand corner of your web-based management console and noting the account ID:

Figure 4.10 – Drop-down box when clicking on the account name to discover the account ID, which is shown after My Account

Now that you have the account ID (or you can make a note of the sign-in URL previously discussed), we can proceed to log in as the IAM user you created earlier:

  1. Sign out of the AWS account (remember, you are currently signed in as the root user).
  2. You will be taken to the AWS console home page where you can click the Log back in button or the Sign in to the Console button.
  3. Clicking...

Accessing the AWS platform using the CLI

As previously discussed, you can access the vast array of AWS services using the web-based management console or the CLI. The AWS CLI is a unified tool to manage your AWS services programmatically. The AWS CLI gives you access to the application programming interface (API) of each AWS service. This enables you to remotely access your AWS account and run commands from your Terminal application on Linux and Mac computers or use Command Prompt on Windows computers.

The AWS CLI is therefore ideal for running simple commands to complete repetitive tasks and because a single command string can contain necessary attributes of your request, you will find it a lot faster than using mouse clicks within the web console. The CLI is something you will need to get accustomed to—for one, you will need to know how to construct commands, but AWS offers complete reference documentation for this.

You can run your CLI commands line by line individually...

Exercise 4.4 – accessing the AWS platform using the AWS CLI on a Windows computer

Once you have installed the AWS CLI tools on your Windows machine, the next step is to configure it to access your AWS account as the IAM user you created earlier:

  1. Open the credentials file, which you downloaded earlier when you created the IAM user john. This file has the access keys for your user, which comprise the access key ID and the secret access key.
  2. On your Windows desktop, click on the Start button and search for Command Prompt by typing in CMD:

    Figure 4.14 – Command Prompt on a Windows computer

  3. At the prompt, type in aws configure to start the configuration process.
  4. You will then be prompted to enter the AWS access key ID, followed by the AWS secret access key. These keys are in your credentials document that you downloaded earlier.
  5. For Default region name, type in us-east-1.
  6. For Default output format, leave this blank and press Enter:

    Figure 4.15 &...

Exercise 4.5 – creating an IAM user with administrative privileges

In this exercise, you will create another IAM user account that you will use to log in to your AWS account. This IAM user will be provided with full administrative access to help you work through the upcoming exercises easily, although in the real world, you would want to restrict permissions to only the job function of the users in question. By getting used to logging in as an IAM user, you will build a habit of avoiding the use of the root user credentials for your day-to-day tasks:

  1. Ensure that you are logged in to your AWS account as the root user (the email address and password combination you used to create your AWS account).
  2. Navigate to the IAM dashboard.
  3. From the left-hand menu, click on Users. Next, from the right-hand pane, click Add user.

    You will be redirected to the Add user wizard page.

  4. For the username, type in Alice. Throughout the rest of this guide, you will be logging in as...

Summary

In this chapter, we discussed the AWS IAM service and how it acts as the gatekeeper to your AWS account. We discussed the root user of your account, which is the most senior administrative account for your AWS account. The root user has complete access, and protecting this account with MFA is a recommended best practice.

With AWS IAM, you can create and manage identities that are granted or denied access to the various AWS services in your account. These identities can include IAM users, groups of IAM users, or IAM roles. You can also further enhance the security of your IAM users by configuring them with MFA.

We discussed best practices when configuring your IAM users and IAM groups. We emphasized that, as best practice, you should create IAM groups and subsequently place any necessary IAM users within groups that share a common task. For example, if you have a developers group, you can place all your developers in that group. In addition, you can create IAM policies...

Questions

Here are a few questions to test your knowledge:

  1. You wish to deploy a dev and test environment on AWS. You want to ensure that your developers can access your AWS account using a highly secure authentication process and follow best practices. Which of the following two configuration options will help ensure enhanced security? (Choose two answers)
    1. Configure your IAM accounts with MFA.
    2. Configure your IAM password policy with complexity rules.
    3. Ensure you encrypt your EBS volumes.
    4. Create RDS databases with Multi-AZ.
    5. Provide the root account credential details to your developers.
  2. Your developer is working from home this weekend and needs to access your AWS account using the CLI to configure your RDS database from their local computer. Which type of IAM credentials would they need to configure the AWS CLI tool on their machine?
    1. IAM username and password
    2. Access key IDs and secret access keys
    3. Access keys and secret ID
    4. HTTPS
  3. Which AWS service enables you to troubleshoot your...