
Account Security with IAM | Amazon Web Services BASICS

  • 00:00:01 Hi everyone, I'm Max and this is a video
  • 00:00:04 from my AWS series. Now, after creating
  • 00:00:07 an account and hosting our first web
  • 00:00:09 application, in this video I'll have a
  • 00:00:11 look at how we can secure our account,
  • 00:00:13 because we want to make sure that no one
  • 00:00:15 else is using our account with our
  • 00:00:17 services and therefore makes us pay. Let's
  • 00:00:20 have a look at how this works and how
  • 00:00:21 AWS handles account level security in
  • 00:00:24 this video.
  • 00:00:28 I'm in my brand-new account and to
  • 00:00:31 control the security of that account we
  • 00:00:34 can visit IAM. That's a service which
  • 00:00:37 you can enter into this service search
  • 00:00:39 bar and it stands for Identity and
  • 00:00:41 Access Management, so we have a whole
  • 00:00:43 service dedicated to keeping our account
  • 00:00:45 secure. Now that is of course important
  • 00:00:48 because your account is very valuable:
  • 00:00:50 you add your credit card and there are a
  • 00:00:53 lot of services which can get expensive
  • 00:00:55 if you use them wrong, or even worse if
  • 00:00:58 the wrong person uses them. So how does
  • 00:01:01 AWS handle security? And, important with
  • 00:01:05 that, I'm not talking about application
  • 00:01:07 security. You as a system administrator
  • 00:01:10 or developer are responsible for making
  • 00:01:14 your apps and your systems secure. AWS
  • 00:01:17 helps you with that, for example it
  • 00:01:19 automatically protects you against basic
  • 00:01:22 DDoS attacks, but beyond that that's your
  • 00:01:25 task. Here we're talking about giving the
  • 00:01:27 right permissions to the right people or
  • 00:01:31 services, and these are two important
  • 00:01:34 things. One, yes, people: more than one
  • 00:01:37 person can use the account. You are the
  • 00:01:39 account holder, but of course if you're
  • 00:01:41 an organization you might have multiple
  • 00:01:43 developers and other people who should
  • 00:01:45 use this account. Since we have analytics
  • 00:01:48 services, services for spinning up
  • 00:01:50 virtual machines, services for file
  • 00:01:52 storage, there might be different teams
  • 00:01:54 in your company which use these services,
  • 00:01:57 so you can give the access to different
  • 00:01:59 users. If you visit this page here on
  • 00:02:02 Identity and Access Management it
  • 00:02:03 probably looks like this if it's a
  • 00:02:05 new account: your security status doesn't
  • 00:02:08 look that good because there are a
  • 00:02:09 couple of things you can improve. Before
  • 00:02:12 we turn towards that let's understand
  • 00:02:14 how this access and permission thing
  • 00:02:17 generally works. We get groups, we get
  • 00:02:20 users, roles and policies, you can see
  • 00:02:22 that on the left here. Now I said you can
  • 00:02:24 add multiple users and you can put these
  • 00:02:27 users into groups. You can for example create
  • 00:02:30 an admin group with full admin rights
  • 00:02:32 and then you could create one which is
  • 00:02:34 only allowed to access S3 and store
  • 00:02:36 files there. You can even be more
  • 00:02:38 granular than that and only allow a
  • 00:02:41 certain group
  • 00:02:42 to access a certain bucket, like a folder
  • 00:02:44 you could say, in S3 to add and
  • 00:02:47 change stuff there, or only give it
  • 00:02:49 read-only access. You can be very
  • 00:02:51 granular. Let's create a new group here,
  • 00:02:53 so let's click on groups, click create
  • 00:02:56 new group and then let's give it a name,
  • 00:02:58 and now I'm going to create an admin
  • 00:03:00 group, so a group with full admin rights,
  • 00:03:02 let's do that.
  • 00:03:03 And let's search for, or actually it's
  • 00:03:06 the first one,
  • 00:03:06 let's pick admin access here. So with
  • 00:03:10 that let's now click create group and we
  • 00:03:13 have a new group. Now you might ask why
  • 00:03:15 would I create a group with admin rights
  • 00:03:17 if I am already the admin? Well, for one
  • 00:03:20 if you want to give more people admin
  • 00:03:22 rights, and secondly the people here
  • 00:03:24 won't have exactly the same rights as
  • 00:03:26 the root user. There are some things, for
  • 00:03:29 example related to billing, which you
  • 00:03:31 still can't access with these admin
  • 00:03:33 rights here. Now that's nice, and a good
  • 00:03:36 practice, which we also are informed
  • 00:03:38 about on the dashboard, is that we create
  • 00:03:41 users and don't, and that's important,
  • 00:03:44 don't use our root account except for
  • 00:03:47 maybe accessing our billing information
  • 00:03:48 or stuff like that. But we shouldn't
  • 00:03:50 really use it for our day-to-day
  • 00:03:52 business, instead we should create a user
  • 00:03:54 for ourselves and we can do this here
  • 00:03:56 under users and then click add user,
  • 00:03:59 obviously. Now here give it a name and
  • 00:04:01 this can be any name you like, I'll
  • 00:04:03 choose Maximilian dot Schwarzmüller, that's
  • 00:04:05 just my name, but you can use any
  • 00:04:07 username you like. You can also add more
  • 00:04:10 users in one step.
  • 00:04:11 Now here the access type is important. We
  • 00:04:15 can choose between programmatic access
  • 00:04:17 and AWS management console access. What's
  • 00:04:20 the difference? Well, we are in the
  • 00:04:23 console and we really just want to
  • 00:04:24 decide here: if there's a user who is
  • 00:04:27 mainly or only interacting with AWS
  • 00:04:30 through that console then this checkbox
  • 00:04:33 here is all we need. But maybe you also
  • 00:04:35 want to interact with the AWS services
  • 00:04:37 from the command line interface, for
  • 00:04:40 example, a tool you can download. That's
  • 00:04:42 especially important for developers; you
  • 00:04:45 can then write some commands to for
  • 00:04:46 example push new code on to AWS or
  • 00:04:49 anything like that. Then you want to
  • 00:04:51 check this too and this will then give
  • 00:04:53 you a key value pair you can
  • 00:04:54 use for these operations. That's advanced,
  • 00:04:57 I won't cover it in this video, but with
  • 00:04:59 these keys you'll be able to do, or to
  • 00:05:02 programmatically access, your services.
  • 00:05:04 Next you can choose a password or let
  • 00:05:07 AWS generate one, you can require a
  • 00:05:10 password reset by that user, and then
  • 00:05:12 let's click Next.
  • 00:05:13 Now here we have to define which
  • 00:05:16 permissions we want to give to the user.
  • 00:05:17 The best practice is to simply add the
  • 00:05:20 user to a group because we already
  • 00:05:22 define permissions on group level, but we
  • 00:05:25 could also attach policies directly to
  • 00:05:28 the user, so we could make this user an
  • 00:05:30 admin or whatever. I'll just choose the
  • 00:05:34 group here though and then simply click
  • 00:05:37 Next. So this is all looking good to me
  • 00:05:40 and now I can click create user. And now,
  • 00:05:44 with that, this is the overview page and
  • 00:05:46 here you can view your password, the
  • 00:05:49 password which was generated for you, and
  • 00:05:51 you can even send an email to yourself
  • 00:05:53 with your login instructions. That might
  • 00:05:56 be interesting: it's this link you
  • 00:05:58 now have to use in the future to
  • 00:06:00 log in to your account and then you
  • 00:06:03 will need that username you just created
  • 00:06:05 and that password. So with that I will
  • 00:06:08 close that and not log in with the user
  • 00:06:11 for now, and let's go back to the
  • 00:06:15 dashboard before we have a look at roles
  • 00:06:17 and policies. So we see our security
  • 00:06:20 status improved. Now what we can do is we
  • 00:06:24 can activate multi-factor authentication,
  • 00:06:26 and I strongly recommend doing that if
  • 00:06:29 you plan on using that account. Nothing
  • 00:06:32 is stronger than having a second step
  • 00:06:34 here during authentication, so that even
  • 00:06:36 if your password gets owned you have
  • 00:06:39 that fallback that the person who stole
  • 00:06:41 the password still can't access the account.
  • 00:06:43 Now this is something you can also
  • 00:06:46 activate, and you should activate, for the
  • 00:06:48 individual users. So as soon as you do
  • 00:06:50 log in with the newly created user, go to
  • 00:06:52 the page and enable MFA for that user too,
  • 00:06:55 and you should apply an IAM password
  • 00:06:58 policy so that users who are now
  • 00:07:01 resetting their password are required
  • 00:07:02 to use, for example, an uppercase character,
  • 00:07:05 lowercase, number,
  • 00:07:06 complex passwords, potentially let it
  • 00:07:09 expire and so on. With this set, the only
  • 00:07:13 thing missing is MFA. I'm going to do
  • 00:07:15 this after recording, and we made our
  • 00:07:17 account much more secure, especially once
  • 00:07:20 we start using that user we just created.
  • 00:07:22 Now what about roles and policies then?
  • 00:07:25 Well, we had a look at policies: we
  • 00:07:28 assigned a policy to the group, the
  • 00:07:30 administrator access policy. Here we can
  • 00:07:35 have a look at policies to see all the
  • 00:07:37 already existing ones and we can also
  • 00:07:39 create our own policy. Policies simply
  • 00:07:42 define sets of rules, and if we have a
  • 00:07:45 look at a policy we can even load it,
  • 00:07:47 it's written here in JSON. This is how a
  • 00:07:50 policy looks like: you basically define
  • 00:07:52 the version of the policy language here
  • 00:07:55 and then you have statements, in this
  • 00:07:57 case only one, where you have an effect,
  • 00:07:59 that you want to allow something, then what
  • 00:08:01 (here everything) on what (on everything). A
  • 00:08:05 more detailed or more specific policy
  • 00:08:08 would for example be one where we search
  • 00:08:11 for Elastic Beanstalk here. If you have a
  • 00:08:16 look at the Elastic Beanstalk full access
  • 00:08:19 policy we see now we have a
  • 00:08:22 couple of actions which are allowed, for
  • 00:08:24 example here on EC2, to do anything on
  • 00:08:26 EC2, and then on all resources, so that we
  • 00:08:31 can start all possible EC2
  • 00:08:34 instances in this case, for example. So
  • 00:08:36 this is how such policies look. You can
  • 00:08:38 create them on your own and use them to
  • 00:08:40 manage access. Now what are roles then?
  • 00:08:44 Because we have users and we have groups
  • 00:08:46 and we have policies which you can
  • 00:08:48 assign to groups or users, or implicitly
  • 00:08:51 to users through groups, but what are
  • 00:08:53 roles? By default in your AWS account no
  • 00:08:58 service has any permissions to access
  • 00:09:01 other services. You might wonder why
  • 00:09:03 would a service access other services?
  • 00:09:06 What about Beanstalk? We used Beanstalk,
  • 00:09:10 but in the end Beanstalk is just a
  • 00:09:12 simplification. Behind the scenes it
  • 00:09:14 started an EC2 instance, so a virtual
  • 00:09:17 machine, and it did so because
  • 00:09:20 it has the permissions to do so. We gave
  • 00:09:24 it that permission implicitly when we
  • 00:09:26 started using it through the console. By
  • 00:09:28 default though no service has any
  • 00:09:30 permissions to access our services, and
  • 00:09:32 if you have for example code on your EC2
  • 00:09:36 instance which wants to reach out to
  • 00:09:40 S3 to store files there, you need to
  • 00:09:43 give EC2 the role to do so. And that
  • 00:09:48 is the last step: roles can be attached
  • 00:09:51 to services so that your services can
  • 00:09:54 have certain roles which allow them to
  • 00:09:55 interact with other services. Some of
  • 00:09:58 them, as with Elastic Beanstalk, are
  • 00:10:00 assigned dynamically when you do use
  • 00:10:03 them, automatically, but others have to be
  • 00:10:06 assigned, and especially they have to be
  • 00:10:08 assigned if all of that happens
  • 00:10:09 programmatically. If you write code which
  • 00:10:12 accesses another service from within
  • 00:10:14 another one then roles come into play,
  • 00:10:17 and that is how IAM works, how
  • 00:10:20 security on account level works. You give
  • 00:10:23 permissions and you define who is able
  • 00:10:25 to do what, and the best practice is to
  • 00:10:29 be as granular and strict as possible:
  • 00:10:32 don't give more permissions than a user
  • 00:10:35 or a role needs. That is a good practice.
  • 00:10:39 Now some of the things like roles here
  • 00:10:41 are a bit advanced, you don't really need
  • 00:10:44 them when you're just starting off, but it
  • 00:10:46 never hurts to know right away how
  • 00:10:48 that works and how you do use it if you
  • 00:10:50 get more serious and if your application
  • 00:10:53 grows. Now we probably will see one or
  • 00:10:56 two of those throughout this series when we
  • 00:10:58 start working with AWS, but even if we
  • 00:11:01 don't, keep it in mind. And one thing you
  • 00:11:04 should definitely do is secure your
  • 00:11:06 account, make it secure: add multi-factor
  • 00:11:08 authentication, use users, don't risk
  • 00:11:12 losing it or inviting other people to
  • 00:11:14 access it, that could be costly. So see
  • 00:11:18 you in the next videos, bye.