What is IAM and what are its features?
As mentioned in the Exam Objective, IAM, or Identity and Access Management, lets you define which users have access to which resources in AWS.
Some of the key features of IAM are given below
- Ability to define users who have their own access to resources – You can define users and groups and give them selective access to resources. For example, you could allow users only to view EC2 instances but not create new ones, or allow users to access only the S3 service. So there are many ways in which IAM can be used to control access to resources in AWS.
- Ability to create policies – Access to specific resources can be expressed as policies, which can then be applied to a set of users or resources. For example, you can control which resources your EC2 instances can access by creating a separate policy for EC2 instances.
- Identity federation – Users whose passwords are stored elsewhere can log in to AWS. For example, users defined in your on-premises directory can be given access to resources in AWS.
- IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
- There is no additional charge with using IAM.
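The allow/deny behaviour behind the "view EC2 but never create" and S3 examples above is easier to reason about when it is written down. The Python below is an added example, not code from this post or from AWS: it models IAM's evaluation order for identity-based policies (a matching explicit Deny wins, otherwise a matching Allow grants access, otherwise the request is implicitly denied) against a constructed policy. Conditions, NotAction/NotResource, resource policies, permission boundaries and SCPs are deliberately not modelled; the ARNs and bucket names are placeholders.

```python
"""Simplified model of IAM identity-based policy evaluation.

Added example; not code from the original post or from AWS. It models only the
ordering every IAM user must know: a matching explicit Deny wins, otherwise a
matching Allow grants access, otherwise the request is implicitly denied.
"""
import fnmatch

# Constructed policy for the post's "can see EC2 instances but not create any"
# user, with full S3 access except one bucket fenced off by an explicit Deny.
READ_ONLY_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::payroll-archive",
                      "arn:aws:s3:::payroll-archive/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    """True if any IAM-style pattern ('*' and '?' wildcards) matches candidate.
    IAM compares action names case-insensitively but ARNs case-sensitively."""
    cand = candidate.lower() if fold_case else candidate
    for pattern in _as_list(patterns):
        pat = pattern.lower() if fold_case else pattern
        if fnmatch.fnmatchcase(cand, pat):
            return True
    return False


def evaluate(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"          # nothing matched yet: denied by default
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt.get("Effect") == "Deny":
            return "ExplicitDeny"      # an explicit Deny cannot be overridden
        decision = "Allow"             # keep scanning: a later Deny still wins
    return decision


if __name__ == "__main__":
    demo = [
        ("ec2:DescribeInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
        ("ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/*"),
        ("s3:GetObject", "arn:aws:s3:::public-assets/logo.png"),
        ("s3:GetObject", "arn:aws:s3:::payroll-archive/2021.csv"),
    ]
    for action, resource in demo:
        print(f"{action:24} {resource:52} {evaluate(READ_ONLY_EC2_POLICY, action, resource)}")
```

Running it shows ec2:DescribeInstances allowed, ec2:RunInstances implicitly denied because no statement allows it, and s3:GetObject on the payroll bucket explicitly denied even though s3:* is allowed. The IAM policy simulator in the console reports the same three-way outcome for real policies.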
The diagram below shows a simple scenario in which an admin user accesses the resources in an AWS account through IAM.
You can work with IAM in any one of the following ways:
- The AWS management console – When you go to the console, you can open the Security Dashboard and see the various options under Security Credentials. Here you can create groups, users, policies and roles and work with other security settings.
- AWS Command line tools – You can download and install the command line interface tools for AWS. More information on the CLI tools can be found in this link. Once you have downloaded and installed the CLI, you can use the command prompt to configure it as shown below. Once configured, you can issue various commands through the CLI.
Once you configure the AWS CLI, you can issue various commands. One example is given below, which describes all the EC2 instances via the ec2 describe-instances command. The output is returned as JSON.
- AWS SDK – You can use the development kits that AWS provides for various programming languages, such as .NET and Java, to work with IAM. For more information on the available SDKs, please visit the site here.
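The JSON that `aws ec2 describe-instances` returns nests instances inside reservations, which trips up most first attempts to read it. The Python below is an added example, not part of the original post: it flattens a constructed, trimmed response in the real Reservations/Instances shape into one row per instance and lists the instances that have no IAM instance profile attached. The instance IDs, account number and profile name are placeholders; in practice the input would come from `aws ec2 describe-instances --output json`.

```python
"""Reading `aws ec2 describe-instances` output.

Added example, not from the original post. The sample response is constructed
in the real shape (Reservations -> Instances) so the parser runs offline.
"""
import json

SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{
  "Reservations": [
    {
      "ReservationId": "r-0constructed000001",
      "Instances": [
        {
          "InstanceId": "i-0constructed000001",
          "InstanceType": "t3.micro",
          "State": {"Code": 16, "Name": "running"},
          "IamInstanceProfile": {
            "Arn": "arn:aws:iam::123456789012:instance-profile/S3PublisherRole",
            "Id": "AIPACONSTRUCTEDEXAMPLE"
          },
          "Tags": [{"Key": "Name", "Value": "web-1"}]
        },
        {
          "InstanceId": "i-0constructed000002",
          "InstanceType": "t3.small",
          "State": {"Code": 80, "Name": "stopped"},
          "Tags": [{"Key": "Name", "Value": "batch-1"}]
        }
      ]
    }
  ]
}
""")


def summarize_instances(response):
    """Flatten the Reservations/Instances nesting into one row per instance."""
    rows = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            rows.append({
                "InstanceId": inst["InstanceId"],
                "Name": tags.get("Name", ""),
                "State": inst["State"]["Name"],
                # Absent when no role is attached to the instance.
                "InstanceProfile": inst.get("IamInstanceProfile", {}).get("Arn"),
            })
    return rows


def instances_without_role(response):
    """IDs of instances with no instance profile. Code running on them can only
    reach AWS with access keys someone copied onto the box, which is the
    situation an EC2 role is meant to avoid."""
    return [r["InstanceId"] for r in summarize_instances(response)
            if r["InstanceProfile"] is None]


if __name__ == "__main__":
    for row in summarize_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{row['InstanceId']:22} {row['Name']:10} {row['State']:8} {row['InstanceProfile']}")
    print("no role attached:", instances_without_role(SAMPLE_DESCRIBE_INSTANCES))
```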
Operations in IAM
Now let’s look at some of the operations we can perform in IAM
- Making sure your security status is green overall – The first key point in IAM is to ensure that the overall status of your IAM configuration is green. When you log into IAM, the dashboard shows you 5 points that must be addressed, as shown below. Ensure that each point is addressed separately.
- Creating users – This can be done by going to the Users section and clicking the “Add user” button.
You will then be taken through a wizard to enter the user details and set the user's permissions on the screens given below.
Screen 1 – User definition
Screen 2 – Permissions Screen
Here you need to assign the relevant permissions to the user.
Screen 3 – Review Screen
The next screen is the review screen. Once you are ok with settings, you can use this screen to confirm the creation of the user.
Once the user has been created, you will get a success message and a URL that is used to log in to the console.
At that URL, the user will be presented with a different login screen to sign in, as shown below.
Once the user has logged in, they will have access only to those resources they are authorized to use.
- Defining Roles – Roles are used to give a set of permissions to users or resources. Let’s take an example where we need to create a role for an EC2 instance which can be used to publish updates to S3. We can do this in the following way –
  - Click on Create New Role in the Roles screen
  - Give a name to the role
  - Since we need to give the role to an EC2 instance, choose Select for Amazon EC2
  - Attach a policy. Since we need to provide S3 full access, let’s choose the “AmazonS3FullAccess” policy.
  - Review the role on the final screen and confirm it. This role can now be attached to any EC2 instances that need to access the S3 resource.
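The console wizard hides the two documents that actually define a role: a trust policy saying who may assume it, and a permissions policy saying what it may do. The Python below is an added example, not the post's or AWS's code: it builds both for the EC2-to-S3 role described above, using a bucket-scoped permissions policy in place of the AmazonS3FullAccess managed policy, and runs the check a reviewer applies to a trust policy before approving it. The role name, bucket name and the keys of the returned dictionary are this example's own placeholders, not API parameter names.

```python
"""The two policy documents that make up an IAM role.

Added example; not code from the original post or from AWS. ROLE_NAME and
BUCKET are placeholders. The trust policy has the same shape the console
generates for "Amazon EC2"; the permissions policy is scoped to one bucket
instead of the AmazonS3FullAccess managed policy used in the post.
"""
import json

ROLE_NAME = "S3PublisherRole"      # placeholder
BUCKET = "example-updates-bucket"  # placeholder


def ec2_trust_policy():
    """Who may assume the role: only the EC2 service, via sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_publish_policy(bucket):
    """What the role may do: list one bucket and read/write objects in it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def role_definition(name, bucket):
    """Everything needed to create the role. The dictionary keys are this
    example's own; the documents are serialized because the IAM API takes
    policy documents as JSON strings, not objects."""
    return {
        "RoleName": name,
        "AssumeRolePolicyDocument": json.dumps(ec2_trust_policy()),
        "InlinePolicyName": f"{name}-s3-publish",
        "InlinePolicyDocument": json.dumps(s3_publish_policy(bucket)),
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy):
    """Problems a reviewer raises before approving a trust policy."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("Principal '*': any AWS principal may assume the role")
        elif isinstance(principal, dict):
            for kind, ids in principal.items():
                for ident in _as_list(ids):
                    if ident == "*":
                        findings.append(f"{kind} principal '*': any {kind} identity may assume the role")
                    elif kind == "AWS" and ident.endswith(":root"):
                        findings.append(f"trusts the whole account {ident}, not a specific role or user")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.lower() == "sts:*":
                findings.append(f"Action {action!r} is broader than sts:AssumeRole")
    return findings


if __name__ == "__main__":
    print(json.dumps(role_definition(ROLE_NAME, BUCKET), indent=2))
    print("trust policy findings:", trust_policy_findings(ec2_trust_policy()) or "none")
```

On EC2 the role reaches the instance through an instance profile. The console creates one with the same name automatically when you pick Amazon EC2; with the CLI or an SDK you create the instance profile and add the role to it yourself before attaching it to an instance.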
- Getting the secret access keys – In order to use the AWS CLI or the SDK, you need access keys. The user's password is only used to log in to the console; the CLI and SDK authenticate with access keys instead. To create them, go to the defined user, open the Security credentials tab and click Create access key.
You will then be prompted to download the Access Key ID and the Secret Access Key. Download these and keep them in a safe place. Both keys are required to use either the AWS CLI or the SDK.
Good luck for your exam preparation!!
About Pavan Gumaste
Pavan Rao is a programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform.
He helps the organisation figure out what to build, ensure successful delivery, and incorporate user learning to improve the strategy and product further.