🤷‍♂️ What is IAM
👉AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use those resources.
🤷‍♂️Amazon Resource Name
👉Amazon Resource Names uniquely identify AWS resources.
👉Every resource in AWS is provided with an ARN.
👉ARN Format:
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
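The three ARN layouts above differ only in the last field, and some services leave region or account-id empty (IAM is global, S3 bucket ARNs carry neither). The parser below, an added example that is not part of the original notes, splits an ARN into its components and handles all three resource layouts; the sample ARNs and the account id 123456789012 are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str                   # empty for global services such as IAM
    account_id: str               # empty for S3 bucket ARNs
    resource_type: Optional[str]  # None for the plain "resource" layout
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its components, handling the three layouts:
    resource, resourcetype/resource and resourcetype:resource."""
    parts = arn.split(":", 5)  # at most 6 fields; the resource part keeps its own colons
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, rest = parts
    if not partition or not service or not rest:
        raise ValueError(f"ARN is missing a required component: {arn!r}")
    # Look for "/" before ":" because an S3 object key or an IAM path may itself
    # contain colons, while the type separator is always the first delimiter.
    # (For S3 object ARNs the bucket name lands in the resourcetype slot.)
    if "/" in rest:
        resource_type, resource = rest.split("/", 1)
    elif ":" in rest:
        resource_type, resource = rest.split(":", 1)
    else:
        resource_type, resource = None, rest
    return Arn(partition, service, region, account_id, resource_type, resource)


def is_valid_arn(arn: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample ARNs covering each layout.
    for sample in (
        "arn:aws:iam::123456789012:user/Dev1",
        "arn:aws:s3:::my-bucket",
        "arn:aws:lambda:us-east-1:123456789012:function:my-fn",
        "arn:aws:iam::123456789012:user/engineering/Dev2",
    ):
        print(parse_arn(sample))
```

Note that the parser only checks shape; whether a given resource type is valid for a service is something only the service itself knows, so treat the parsed fields as untrusted input when they come from a policy or a log.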
👉IAM Hierarchy
👉IAM Features
👉IAM User: represents an entity created in AWS; it can be a person or a service.
👉No permissions by default. Nothing is allowed until a policy grants it.
👉Access requirement
👉Programmatic Access: the user needs to make API calls from programs or use the CLI to access AWS resources.
👉Management Console Access: the user needs to access AWS resources from the AWS Management Console.
🤷‍♂️IAM Policies
👉Policies are JSON documents that state what a user or group can do on AWS resources.
👉Policies define the authorization model for AWS resources.
👉Contains 3 components at the least (EAR: Effect, Action, Resource):
👉Policies can be attached to Users or Groups.
👉Resource-based policies: policies attached to a resource rather than to a user or group.
👉AWS Managed Policies.
👉Customer Managed Policies.
👉Inline Policies
🤷‍♂️IAM Permissions
👉Permissions are given by attaching policies to users or groups.
👉IAM users have no permissions by default.
👉AWS account “root” credential.
👉Use the policies defined earlier to provide access to users and groups.
🤷‍♂️IAM Roles
👉A role is similar to a user or group in that it has permissions/policies attached to it.
👉Roles grant temporary access to whoever needs to perform the specific task the role is meant for.
👉While a role is being used, the permissions attached to the user's own identity are set aside; only the role's permissions apply.
🤷‍♂️Tasks To Be Performed:
1. Create 4 IAM users named “Dev1”, “Dev2”, “Test1”, and “Test2”.
2. Create 2 groups named “Dev Team” and “Ops Team”.
3. Add Dev1 and Dev2 to the Dev Team.
4. Add Dev1, Test1 and Test2 to the Ops Team.
Solution:
1. Create 4 IAM users named “Dev1”, “Dev2”, “Test1”, and “Test2”.
Go to the IAM Dashboard, click Users and then Create user.
⚡Download the password. Create the users Dev2, Test1 and Test2 the same way and download the password for login. As shown below, I have created all the users the same way.
2. Create 2 groups named “Dev Team” and “Ops Team”.
⚡In the IAM dashboard, go to User groups, click Create group, provide the group name and create the user group.
⚡Create Ops-Team the same way, following the same process.
3. Add Dev1 and Dev2 to the Dev Team.
⚡Go to User groups, click Dev-Team, then Add users, select Dev1 and Dev2, and click Add users.
4. Add Dev1, Test1 and Test2 to the Ops Team.
⚡Add the users to Ops-Team the same way, following the same process.
🤷‍♂️2 Tasks To Be Performed:
1. Create policy number 1 which lets the users:
a. Access S3 completely
b. Only create EC2 instances
c. Full access to RDS
2. Create a policy number 2 which allows the users to:
a. Access CloudWatch and billing completely
b. Can only list EC2 and S3 resources
3. Attach policy number 1 to the Dev Team from task 1
4. Attach policy number 2 to Ops Team from task 1
Solution:
1. Create policy number 1 which lets the users:
a. Access S3 completely
b. Only create EC2 instances
c. Full access to RDS
⚡Go to Policies, click Create policy, select the service, click Next, select the permissions you want to grant and create the policy. First create policy number 1.
2. Create policy number 2 which allows the users to:
a. Access CloudWatch and billing completely
b. Can only list EC2 and S3 resources
⚡Create it the same way, following the same process as for policy-number1. Here I have created policy-number2.
3. Attach policy number 1 to the Dev Team from task 1.
⚡In Policies, go to your custom policy, select it, click Actions, click Attach, select the group name Dev-Team and attach the policy.
4. Attach policy number 2 to Ops Team from task 1.
⚡Attach policy number 2 to Ops-Team the same way, following the process above.
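The console walkthrough above builds the two policies with the visual editor; the JSON it produces is what actually matters, and it is worth checking that each statement carries the three EAR components from the IAM Policies section and that policy number 2 really is list-only. The block below is an added example, not part of the original notes: it writes both policies as JSON documents and runs a small least-privilege check over them. Mapping "only create EC2 instances" to ec2:RunInstances and "billing" to the legacy aws-portal action namespace are assumptions about the task wording; the check ignores Deny statements, Resource scoping and Condition blocks, so it is a lint, not a policy simulator.

```python
import fnmatch
import json

# Policy number 1 (Dev Team): full S3, EC2 instance creation only, full RDS.
# Mapping "only create EC2 instances" to ec2:RunInstances is an assumption
# about the task wording, not something the notes state.
POLICY_1 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Full", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Ec2CreateOnly", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Sid": "RdsFull", "Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    ],
}

# Policy number 2 (Ops Team): full CloudWatch and billing, list-only EC2 and S3.
# "aws-portal:*" is the legacy billing namespace (assumption); newer accounts
# use fine-grained billing actions instead.
POLICY_2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudWatchFull", "Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
        {"Sid": "BillingFull", "Effect": "Allow", "Action": "aws-portal:*", "Resource": "*"},
        {"Sid": "ListOnly", "Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "s3:ListBucket"],
         "Resource": "*"},
    ],
}

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def actions_of(statement):
    """Normalise the Action field, which may be a string or a list, to a list."""
    act = statement.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def check_ear(policy):
    """Return the Sids of statements missing any of Effect, Action, Resource (EAR)."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if not all(k in s for k in ("Effect", "Action", "Resource"))]


def allows(policy, action):
    """True if some Allow statement's Action pattern matches `action`.
    Deny statements, Resource and Condition are out of scope for this lint."""
    return any(fnmatch.fnmatchcase(action, pat)
               for s in policy["Statement"] if s.get("Effect") == "Allow"
               for pat in actions_of(s))


def mutating_actions(policy, service):
    """Actions granted for `service` that are not read-only (Describe*/List*/Get*),
    including wildcards that would cover a write. Empty means list-only."""
    found = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        for a in actions_of(s):
            if a == "*":                  # bare wildcard covers every service
                found.append(a)
                continue
            svc, _, name = a.partition(":")
            if svc != service:
                continue
            if name == "*" or not name.startswith(READ_ONLY_PREFIXES):
                found.append(a)
    return found


def as_document(policy):
    """Render the policy as the JSON text pasted into the console's JSON editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, pol in (("policy-number1", POLICY_1), ("policy-number2", POLICY_2)):
        print(name, "statements missing EAR:", check_ear(pol))
        print(name, "non-read-only EC2 actions:", mutating_actions(pol, "ec2"))
        print(name, "non-read-only S3 actions:", mutating_actions(pol, "s3"))
    print(as_document(POLICY_2))
```

Running the lint before attaching a policy to a group catches the common slip of selecting "All EC2 actions" in the visual editor when the requirement was RunInstances only; for the Ops Team policy, an empty result from mutating_actions for both ec2 and s3 is what "can only list" should look like.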
🤷‍♂️3 Tasks To Be Performed:
1. Create a role which only lets user1 and user2 from task 1 to have complete access to VPCs and DynamoDB.
2. Login into user1 and shift to the role to test out the feature.
1. Create a role which only lets user1 and user2 from task 1 have complete access to VPCs and DynamoDB.
⚡Go to the IAM dashboard, click Roles, click Create role, choose Custom trust policy and provide the ARNs of Dev1 and Dev2 (user1 and user2 here).
⚡Click Next, add the permissions, provide the role name and click Create role.
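The custom trust policy is where "only user1 and user2" is enforced: the permissions added in the last step say what the role can do, the trust policy says who may assume it. The block below is an added example, not part of the original notes. It writes the trust policy with the two user ARNs, lists the AWS managed policies that would give the role full VPC and DynamoDB access, and checks which principals the policy admits; the account id, the role name VpcDynamoRole and the exact-match evaluation (no wildcards or Condition blocks) are assumptions.

```python
import json

ACCOUNT = "123456789012"      # constructed placeholder account id
ROLE_NAME = "VpcDynamoRole"   # hypothetical role name

# user1 and user2 from task 1 are Dev1 and Dev2, as the walkthrough says.
ALLOWED_PRINCIPALS = [
    f"arn:aws:iam::{ACCOUNT}:user/Dev1",
    f"arn:aws:iam::{ACCOUNT}:user/Dev2",
]

# Custom trust policy: who may call sts:AssumeRole on this role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ALLOWED_PRINCIPALS},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policies attached to the role itself (existing AWS managed policies).
ROLE_MANAGED_POLICIES = [
    "arn:aws:iam::aws:policy/AmazonVPCFullAccess",
    "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
]


def _as_list(value):
    """Trust policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trusted_principals(trust_policy):
    """All AWS principals named in Allow statements for sts:AssumeRole."""
    out = []
    for s in trust_policy["Statement"]:
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        principal = s.get("Principal", {})
        if principal == "*":
            out.append("*")
        else:
            out.extend(_as_list(principal.get("AWS")))
    return out


def can_assume(trust_policy, principal_arn):
    """Exact-match trust check: the caller's ARN must be listed.
    Wildcards and Condition blocks are out of scope for this toy evaluator."""
    return principal_arn in trusted_principals(trust_policy)


def overly_broad(trust_policy):
    """Principals that trust everyone ("*") or a whole account (":root"),
    either of which would defeat the 'only user1 and user2' requirement."""
    return [p for p in trusted_principals(trust_policy)
            if p == "*" or p.endswith(":root")]


def as_document(trust_policy=TRUST_POLICY):
    """JSON text to paste into the Custom trust policy editor."""
    return json.dumps(trust_policy, indent=2)


if __name__ == "__main__":
    for user in ("Dev1", "Dev2", "Test1"):
        arn = f"arn:aws:iam::{ACCOUNT}:user/{user}"
        print(user, "can assume", ROLE_NAME, "->", can_assume(TRUST_POLICY, arn))
    print("overly broad principals:", overly_broad(TRUST_POLICY))
    print(as_document())
```

Once Dev1 switches to the role, the session carries only the role's two managed policies, not the Dev Team policy attached to the user, which is the behaviour the IAM Roles section describes. Listing the account's :root principal instead of the two user ARNs would let every identity in the account with sts:AssumeRole permission use the role, which is why overly_broad flags it.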