01. Fundamentals and AWS Accounts

These are my notes from Adrian Cantrill's Solutions Architect course: https://learn.cantrill.io/courses/enrolled/730712

AWS Accounts

  • An AWS Account is a container for Identities (users) and Resources.

  • The email address you provide when creating a new account is used to create a special type of identity within the AWS Account, known as the account root user.

  • An Account ROOT USER has full control over the AWS Account and any resources created within it, and its access can't be restricted.

  • Use separate accounts for separate things (DEV, TEST, PROD), or for separate teams, products or clients.

AWS Accounts

Difference between Root user and Administrator?

  • The Root user is automatically created as part of the account creation process and has full unrestricted access.

  • An Administrator is just a normal user that has been assigned administrative permissions.

Set up MFA

Set up Billing

Step 1:

Step 2: Create a CloudWatch Alarm.

CloudWatch Alarm - Alarms let you monitor a metric and change state (for example from OK to ALARM) when the metric meets criteria you define, such as a billing charge crossing a threshold.

IAM Basics

Why IAM is required?

  • Identity and Access Management (IAM) is a core AWS service and is globally resilient, so its data is replicated across AWS regions and stays safe even if a region fails.

  • IAM is what allows additional identities (users) to be created within an AWS account - identities which can be given restricted levels of access.

  • IAM identities start with no permissions on an AWS Account, but can be granted permissions (almost) up to those held by the Account Root User.

  • IAM has almost all the privileges of the root user (everything except billing control and account closure). Operationally, IAM is fully trusted by your account, so IAM as a service can do as much as the account root user.

  • So, since an AWS Account fully trusts IAM, if IAM allows one of the identities it manages to do something, the account automatically trusts that identity in the same way it trusts IAM.

What IAM lets you create?

  • Users and Groups are fairly easy to understand. You use a User when you need to give long-term access to a human or an application. Groups are collections of Users (humans and applications).

    • You pick a User when you can identify an individual thing that needs access.

  • Roles are usually used by AWS services. For example, giving an EC2 instance access to an S3 bucket.

    • Roles are used when the number of things needing access is uncertain.

IAM Policy

IAM lets you create policies, which are JSON documents that allow or deny access to AWS services, and which only take effect when they are attached to IAM Users, Groups or Roles. They simply define allow or deny rights to certain services.
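To make the allow/deny idea concrete, here is an added example (my own, not from the course or from AWS) of a tiny simulator that applies the documented IAM evaluation rules to a request: a request is denied by default, an explicit Allow in any attached policy permits it, and an explicit Deny in any attached policy overrides every Allow. The policy documents, bucket names and ARNs are constructed for the example; the simulator ignores conditions, resource-based policies and permission boundaries, which real IAM also evaluates.

```python
# Added example: minimal simulator of identity-based IAM policy evaluation.
# Rules implemented: implicit deny, explicit Allow grants, explicit Deny wins.
# All policies, bucket names and ARNs below are constructed sample data.
import fnmatch
import json


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request.
    IAM supports '*' and '?' wildcards in both fields; action names are
    matched case-insensitively, resource ARNs case-sensitively."""
    actions = [a.lower() for a in _as_list(statement["Action"])]
    resources = _as_list(statement["Resource"])
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
    resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in resources)
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    decision = "Deny"  # implicit deny: nothing is permitted until a policy says so
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides any Allow, in any policy
            decision = "Allow"
    return decision


# Constructed sample policy: read-only access to S3, written as the JSON
# document you would paste into the console.
READ_ONLY_S3 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "*"}
  ]
}""")

# Constructed guard-rail: nobody holding this policy may delete from the
# (hypothetical) production bucket, whatever else they are allowed to do.
DENY_PROD_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": "s3:Delete*",
         "Resource": "arn:aws:s3:::prod-data-bucket/*"}
    ],
}

# Constructed broad Allow that the guard-rail above must still override.
POWER_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


if __name__ == "__main__":
    attached = [POWER_USER, DENY_PROD_DELETE]
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        res = "arn:aws:s3:::prod-data-bucket/report.csv"
        print(f"{act:16} on prod bucket -> {evaluate(attached, act, res)}")
```

Run it and the third line shows the point of the Deny statement: even with `s3:*` allowed, the delete on the production bucket is refused, while the same delete on any other bucket would be allowed.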

IAM Policies

Remember these points:

Points to remember for IAM

IAM Access Keys

IAM Access Keys are meant for long-term use.

  • An IAM User has 1 username and 1 password.

  • Only IAM users have or use access keys; IAM groups have no access keys.

  • An IAM user can't have more than two sets of access keys at any given time.

  • Access keys can be created, deleted, made inactive or made active.

  • The Secret Access Key can be obtained only once, at the time the key pair is created.

  • IAM Roles don't use access keys.

Set up Access Keys

Install the command line software for your OS:

The configuration process is the same on every OS. Test that the installation worked: aws --version

  • AWS default configuration: aws configure

  • The AWS CLI supports using any of multiple named profiles that are stored in the config and credentials files. You can configure additional profiles by using aws configure with the --profile option.

    • Command: aws configure --profile profile-name

    • For example: aws configure --profile iamadmin-general

    • For example: aws configure --profile iamadmin-production
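As an added example (mine, not part of the course), the block below shows what `aws configure --profile` leaves on disk and how the CLI resolves a profile name from those two files. The detail worth knowing: `~/.aws/credentials` uses a bare `[name]` section, while `~/.aws/config` uses `[profile name]` for every profile except `[default]`. The profile names match the ones above; the key values, regions and the `write_sample_files`/`resolve_profile` helpers are constructed placeholders for the example, not real keys or CLI code.

```python
# Added example: layout of the named-profile files created by
# `aws configure --profile`, plus a small resolver mirroring the CLI lookup.
# Key values below are constructed placeholders, not real credentials.
import configparser
import os
import tempfile

# Constructed ~/.aws/credentials: bare [name] sections, secrets live here.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT00
aws_secret_access_key = EXAMPLE/SECRET/KEY/DEFAULT/placeholder

[iamadmin-general]
aws_access_key_id = AKIAEXAMPLEGENERAL00
aws_secret_access_key = EXAMPLE/SECRET/KEY/GENERAL/placeholder

[iamadmin-production]
aws_access_key_id = AKIAEXAMPLEPRODUCT00
aws_secret_access_key = EXAMPLE/SECRET/KEY/PRODUCTION/placeholder
"""

# Constructed ~/.aws/config: [profile name] sections, except [default].
SAMPLE_CONFIG = """\
[default]
region = us-east-1
output = json

[profile iamadmin-general]
region = us-east-1
output = json

[profile iamadmin-production]
region = eu-west-2
output = table
"""


def write_sample_files(directory):
    """Write the two files the way the CLI lays them out under ~/.aws/."""
    cred_path = os.path.join(directory, "credentials")
    conf_path = os.path.join(directory, "config")
    with open(cred_path, "w") as f:
        f.write(SAMPLE_CREDENTIALS)
    with open(conf_path, "w") as f:
        f.write(SAMPLE_CONFIG)
    # Keep the secrets owner-readable only, as the CLI itself does.
    os.chmod(cred_path, 0o600)
    return conf_path, cred_path


def resolve_profile(name, config_path, credentials_path):
    """Return the settings the CLI would use for --profile <name>.
    Raises KeyError when the profile has no credentials section."""
    creds = configparser.ConfigParser()
    creds.read(credentials_path)
    conf = configparser.ConfigParser()
    conf.read(config_path)
    if name not in creds:
        raise KeyError(f"profile '{name}' has no credentials")
    # Section naming differs between the two files.
    conf_section = "default" if name == "default" else f"profile {name}"
    result = {"access_key_id": creds[name]["aws_access_key_id"]}
    if conf_section in conf:
        result["region"] = conf[conf_section].get("region")
        result["output"] = conf[conf_section].get("output")
    return result


def demo():
    """Write the sample files to a temp dir and resolve every profile."""
    with tempfile.TemporaryDirectory() as d:
        conf, cred = write_sample_files(d)
        return {p: resolve_profile(p, conf, cred)
                for p in ("default", "iamadmin-general", "iamadmin-production")}


if __name__ == "__main__":
    for profile, settings in demo().items():
        print(profile, settings)
```

Every `aws` command run with `--profile iamadmin-production` (or with `AWS_PROFILE=iamadmin-production` exported) picks up the production keys and the eu-west-2 region from these sections, which is why keeping one profile per account makes it obvious which account a command will touch.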

Demonstration