Rory West

1619105700

An Overview of Users Vs Roles in AWS IAM

Today we’ll finally clarify IAM, specifically when to use Users and when to use Roles. This is a confusing topic for many people, but with the visuals and examples I’ll share, you’ll realize it’s surprisingly simple.

Hi, I’m Dylan, a Cloud Engineer living in Oregon. So you’re using AWS for the first time, or the 50th, and you want your friend to help you write and deploy a Lambda function.

  • How do you give them temporary access to your AWS resources?
  • How do you make sure no one else accesses your resources and runs up a huge bill?
  • Do you make them a user?
  • Do they just need a role?
  • Maybe both?
  • What’s the difference?

#aws #aws-iam #aws-lambda #aws-resources


soma das

1599906908

Custom IAM role & Policy | AWS IAM Tutorial | AWS identity and access management (iam)

So in this video tutorial, I will show you guys IAM roles and policies: step by step, how to create a custom IAM role and policy, and how to manage AWS IAM services. https://www.youtube.com/watch?v=KX_CPCZGmec

#aws training, #aws tutorial, #multi factor authentication, #components of iam, #aws iam, #aws certification

Rory West

1622649540

AWS Access Keys v/s IAM Roles

AWS access keys let you access various AWS services from the command line on your dev machine. But they come with a lot of risks. Let’s look at what harm they can cause and what the alternatives, like IAM Roles, are.

How I got hacked

I was a power user of AWS access keys. I used to love the command-line interface of the AWS client. All the EC2 instances I was running had the keys. Keys were in the code of a few of the services we were running.

I had to travel, and I used various public WiFi access points. I’m not sure how the hackers got my keys from my machine, but they got them. While I was away from work, they created large EC2 instances in our account and started running their code. They were smart: they ran the instances in the regions we were not using.

When we came to know of it, we decided to move away from access keys and start using IAM Roles. It took us quite some time to create IAM roles, provision our code, and change the deployment scripts. We kept tweaking these roles for the following 2–3 weeks.

#aws-iam-role #cloud #aws-lambda #aws-access-keys #aws

Ruby Schmitt

1597931329

Managing AWS Users and Roles in a Multi-Account Organization

My last post compared different infrastructure tools for creating users and letting them assume roles for cross-account access. I received a few questions about the underlying problem that those scripts were trying to solve, so this post delves a bit deeper into the realm of user management.

The underlying problem: how do you manage multiple AWS deployments? The typical example is development/qa/production, but developer sandboxes — in which developers have the freedom to experiment with services without fear of impacting anyone else — are perhaps even more relevant. The standard answer to this problem is to create multiple AWS accounts, and with the release of AWS Organizations in 2017 it became much easier to implement: in addition to simplifying billing, Organizations gives the master account more control over the children via Service Control Policies.

But if you use multiple accounts, how do you manage users in those accounts? One not-very-good answer is to create separate users in each account. This quickly becomes a management nightmare, both for the organization and your users. For the organization, you need to add users to the appropriate accounts, manage their permissions, and remove them if they leave the company; this can be solved with automation. But for users, it’s harder to solve: I’ve watched coworkers cycle through a list of accounts/passwords until they found the right one for the task they were about to do. And inevitably, if you’re working with multiple accounts you end up with an “oops!” where you did something in the wrong account.

A better solution is Amazon’s Single Sign-On service, also introduced in 2017. With this service, you can manage a single set of users and grant them varying permissions in different AWS accounts. The users sign in via the SSO portal and select their destination account; they can either get temporary credentials for CLI/SDK access, or be redirected to the AWS Console for that account. In addition, you can use SSO as a portal for web applications such as Office365 or your own SAML-based applications. And you can use a corporate Active Directory server as the user database, which is something that larger organizations will like (disclosure: I haven’t configured AD integration, so can’t say how easy or difficult it is).

When I first wrote this post, I pointed out that SSO did not support TOTP for multi-factor authentication. This changed in October 2019, and you can now use any MFA token provider with SSO that you could use with IAM. However, my second concern remains: SSO is not scriptable (at least as of this writing) via either CloudFormation or Terraform. So you have to enter your users and configure their permissions manually. And SSO “permission sets” translate directly to IAM roles, so you’ll end up with a mix of scripted and unscripted roles, losing the benefit of source control for your infrastructure.

With all that said, I still think that SSO is a good choice for many organizations. But I prefer the following architecture, in which all users are defined in the organization’s master account, and have the ability to assume roles in the child accounts (note: each account has a made-up account ID that’s used in subsequent examples):

#aws-role #amazon-web-services #aws #aws-deployment #aws-organizations

Rory West

1621775460

An overview of AWS IAM

In this article, I am going to introduce the concept of AWS IAM, also known as Identity and Access Management in AWS. In any cloud service, controlling who has access to the services, and how each service accesses the other services, is an important task. If we do not control or restrict access, there might be security breaches within the services, and we might not be able to track those either. So, as a best practice for restricting or controlling access within AWS, there is a special service called IAM that can be used to manage and control almost everything in AWS. It is the permission control system that governs access to the various AWS resources and services.

In order to follow along with this article, it is best if you have an AWS subscription, which you can use to verify and understand the topics that we will cover in this article.

#aws #aws iam #iam