AWS IAM (Identity and Access Management) Deep Dive
About the Course
About the Author
Introduction to IAM Secure Corporation
Manage Your Root User
Creating an Admin Group and User
Create Admin Users and Groups from the CLI
Tasks That Require Root User
QUIZ: IAM Account Setup with Root Account
Creation of Employee Accounts
Access Key Management for All Users
Creating IAM Groups for Your Teams
Add Users to Groups
Configuring MFA For Users
QUIZ: IAM Setup of Company Accounts
Cloud Assessments Learning Activity: Identity and Access Management (IAM)
Policy Overview For IAM Secure Corporation
Implementing IAM Policies For All Users
Implementing IAM Policies For Specific Users/Groups
Enable Users to Configure Their Own Credentials and MFA
Using Managed Access Policies to Create a Limited Administrator
Granting Limited Permissions With Inline Policies
QUIZ: IAM Identity Based Policies
Overview of Using Policies to Control S3 Bucket Access
Configuration of IAMSecure Corp S3 Bucket Folder Structure
Attaching Policies to Groups For S3 Bucket Access
Using Policies to Grant Users Specific S3 Bucket Permissions
Accessing S3 Buckets From Outside the Account
Creating Policies With The Visual Editor
QUIZ: IAM Using Policies to Control S3 Bucket Access
QUIZ: IAM Resource Policies and the Visual Editor
Strategies for IAM Roles
Resource Level Permission for EC2 Instances via Roles
Web Identity Federation
Providing Access to AWS Accounts Owned by Third Parties
QUIZ: IAM Roles
The Confused Deputy Problem
Sharing CloudTrail Log Files Between AWS Accounts
EC2 Instance Profiles
Delegate Access to the Billing Console
Calling AssumeRole From Python
Creating IAM Users and Groups with CloudFormation
QUIZ: IAM Advanced Concepts
General Troubleshooting of IAM
Troubleshooting Policies 2 (with Intro to AWS Auto Scaling)
Troubleshooting IAM Roles and EC2
QUIZ: IAM Troubleshooting and Best Practices
This course will give the student in-depth experience with Identity and Access Management. The course starts by covering basic concepts, such as root account management, and continues to build on this initial foundation. The student can use their own AWS account to follow along with the lessons in configuring a small (fictitious) company with Identity and Access Management. At the end of the course, the student will have gained extensive experience in configuring a company of any size in Identity and Access Management.
Before beginning any of the lessons for this course, make sure to download the appropriate policy for the given lesson in the Downloads section of the course.
This is a custom policy that denies requests based on an IP address range. Alter the policy so that it contains the range of addresses from which you want to allow requests (the IP range should include the IP address of your testing device). Requests originating outside this IP address range will be denied. You can test this policy using two devices, one inside the range and one outside it.
This policy denies all permissions except those required for IAM users to manage their own credentials and MFA devices. By implementing this policy, you give users the ability to manage their own credentials.
This policy can be used in the lesson to grant limited administrator access. Please note that on line 37 of this policy you must replace ############ with your AWS Account number.
This policy is used in the lesson to give the Limited Administrator S3 Bucket access.
This is an inline policy used in the lesson, attached to a specific user (Cenzo), to grant access to the IAM Policy Simulator. The policy is tested in the lesson by navigating to the Policy Simulator at: https://policysim.aws.amazon.com/home/index.jsp?#
This is a Customer Managed Policy used in the lesson to enable access to list buckets and root level folders.
This policy is used in the lesson to enable access to the QA folder. Note that this policy can be reused to grant access to any of the folders in the iamsecurecorp bucket by simply changing the folder name in the ARN on line 29 of this policy.
This Bucket Policy is used in the lesson to grant access to the iamsecurecorp bucket from outside the account. On line 8 of this policy, enter the AWS account number of the account to which you want to grant S3 Bucket access.
This policy will be used to enable cross-account access. In line 6 of this policy you need to replace ############ with the 2nd account you are using if you are following along with this lesson.
When working along with this lesson, you create the role called 3rdParty. During the creation of the role, you would paste in the code from this policy when you are editing the trust relationship. In line 7 of this policy, you need to replace ############ with the account ID of the account you are using for the 3rd Party account. In line 20 of this policy, you need to replace ############ with the account ID of your primary AWS account.
This is a Bucket Policy for the bucket iamsecurelogs. It enables sharing log files between accounts. Replace the ############ in line 21 with your primary AWS account number. Replace the ############ in line 22 with your secondary AWS account number.
This is the policy used to grant full access to the Billing Console.
This policy grants read only access to the Billing Console.
This Python script is used in the lesson to access an S3 Bucket from an EC2 instance that has been launched with a role.
This CloudFormation template is used in the lesson to create users and a group.
This policy is used in the lesson to demonstrate creating a policy that denies permissions.
This document contains all of the AWS Command Line Interface (CLI) commands used throughout the course. The commands are grouped by lesson (not all lessons use the CLI so this is not a complete list of lessons).