
Explore core AWS identity management concepts, including IAM, single sign-on, federation, and diverse identity sources. Apply practical exercises across accounts using free tier to gain competence.
Practice hands-on with AWS free tier or sandbox labs, manage billing with alarms, and explore challenge labs and exam-style scenarios to validate skills without extra risk.
Set up your first AWS account and practice hands-on exercises with security, a billing alarm, and essential tools like the AWS CLI and Visual Studio Code to review policies.
Understand what an AWS account is, how to create one with a unique email and credit card, and how IAM enables users, groups, roles, and policies.
Create an AWS free tier management account, verify identity via SMS, and set up a billing alarm, while preparing to use AWS Organizations for multi-account governance with users and roles.
Configure AWS account settings by creating an account alias, enabling billing access for Identity and Access Management (IAM) users, and setting up a $5 budget with email alerts and CloudWatch notifications.
Install the AWS CLI and Visual Studio Code, choose your operating system, and follow installation steps to begin configuring AWS authentication and command usage later in the course.
Discover the AWS Identity and Access Management (IAM) service for authentication, authorization, and access control. Practice with users, groups, roles, and policies, plus the command-line interface and multi-factor authentication.
Explore how IAM authenticates and authorizes access to AWS resources via the console, CLI, and API, detailing principals, request context, and identity-based and resource-based policies.
Explore how AWS IAM uses users, groups, roles, and policies to grant permissions. Understand identity-based versus resource-based policies, ARNs, root accounts, and short-term credentials via STS AssumeRole.
Explore Identity and Access Management authentication methods, from user login with username, password and optional multi-factor authentication to programmatic access via access keys, signing certificates, and SSH or CodeCommit credentials.
Create an individual AWS user, set up an admin group with full permissions, and configure the AWS CLI with programmatic and console access, including handling access keys securely.
Learn how the AWS Security Token Service provides short-lived credentials to EC2 via an instance profile and IAM role for accessing S3, using trust and permissions policies.
Learn how multi-factor authentication adds security to AWS by combining something you know (password) with something you have (a token device), and why enabling multi-factor authentication is best practice.
Practice securing an AWS account by enabling multi-factor authentication with a virtual MFA device, managing access keys, and configuring password policies, including root account MFA best practices.
Master IAM access control by comparing identity-based and resource-based policies, exploring theory before hands-on practice, and implementing role-based and attribute-based access control, plus permissions boundaries and policy structure.
Explore identity-based and resource-based policies in AWS IAM, including inline and managed policies, and how to attach them to users, groups, roles, or resources such as S3 buckets.
Explore how role-based access control and attribute-based access control use groups, permissions policies, and tags to enforce least privilege and flexible access in AWS IAM.
Learn how permissions boundaries cap the maximum IAM permissions and prevent privilege escalation, showing how actions like s3:*, cloudwatch:*, and ec2:* are controlled even when policies grant access.
Explore AWS IAM policy evaluation, where the decision starts from a default deny, explicit denies override allows, and identity-based policies, resource-based policies, SCPs, permissions boundaries, and session policies shape final access.
Understand the structure of IAM policies, including statements with effect, action, resource, and optional condition, illustrated by examples of admin access, IP-based denial, and secure transport.
Explore role-based access control (RBAC) in AWS IAM by creating a billing admins group, attaching a billing policy, and granting Joanne console access while restricting EC2 permissions.
Apply attribute-based access control (ABAC) with IAM policies and tags to govern RDS actions, using environment and department tags to allow or deny access.
Apply a permissions boundary to prevent privilege escalation and ensure IAM principals attach the boundary to created users, illustrated by Lindsay and X-User scenarios.
Use the AWS Policy Generator to build identity-based and bucket policies for S3, attach inline policies to users, and observe how deny overrides allow in practice.
Explore the IAM policy simulator to test policy effects across services by selecting users, including a permission boundary, and running actions to see allowed or denied results.
Master AWS Organizations to manage multiple accounts, enable centralized billing, and enforce restrictions with service control policies across member accounts.
Manage multiple AWS accounts centrally with AWS Organizations, apply service control policies to govern tagging and API actions, enable consolidated billing, and audit actions across the organization with CloudTrail.
Create an AWS Organizations setup with a management account, add a production account under a production OU, and review the default Organization Account Access Role and sts:AssumeRole.
Create an AWS organization, add a production account, enable service control policies, and use the Organization Account Access Role to switch into and manage the new account.
Explore how service control policies cap permissions in AWS Organizations, with dev limited to t2.micro EC2 and test allowed by a lower-level policy, since SCPs do not grant rights.
Learn to enforce EC2 instance type restrictions in AWS Organizations by creating and applying a service control policy that allows only t2.micro on the production account.
Apply service control policies to prevent s3:DeleteBucket for a specific bucket ARN, create and attach the policy in AWS Organizations, and verify the restriction.
Explore IAM roles and cross-account access using two AWS accounts, with practical use cases for delegating access to AWS services in real-world scenarios.
Explore practical IAM role use cases across cross-account access, third-party access with external ID, and EC2 instance profile integration, demonstrating specific permissions to S3 and other services.
Configure cross-account access from account A to account B for S3 by creating Jack, attaching policies, and assuming a role with an external ID; validate with CLI and S3 operations.
Explore using an IAM role with EC2 by creating an instance profile, attaching an S3 read-only role, and enabling pass role for EC2 to access S3 with temporary credentials.
Explore AWS directory services, federation, and single sign-on with hands-on labs using AWS Managed Microsoft AD, Amazon WorkSpaces, AWS IAM, SAML and OIDC, and Amazon Cognito.
Explore AWS directory services with AWS Managed Microsoft AD and AD Connector. Implement high-availability domain controllers and trust with on-premises directories for federated access to AWS resources.
Deploy AWS Managed Microsoft AD with two domain controllers across subnets, join Windows EC2 instances, create users, and enable console access via delegation to AWS services and WorkSpaces.
Set up a managed Active Directory with AWS Managed Microsoft AD, join a Windows server to the domain, create a user, and connect a Windows 10 WorkSpace to access the management console.
Explore identity federation across multiple identity sources—Active Directory, social IdPs, and AWS SSO—and see how IAM federation with SAML 2.0 or OIDC and Cognito enable secure access to resources.
Configure identity federation with IAM using SAML and OIDC to authenticate users and grant temporary credentials for accessing S3 via STS.
Explore AWS identity management with Identity Center, the centralized single sign-on that streamlines multi-account access to AWS and external apps like Salesforce and Office 365.
Configure AWS SSO with AWS Managed Microsoft AD to federate Jennifer's login and grant access to the DCT-Production management console via a permission set and a data scientist policy.
Delete the AWS Managed Microsoft AD, deregister Amazon WorkSpaces, disable AWS Management Console access, remove delegated users, delete AWS SSO, and terminate the EC2 instance to avoid bills.
Amazon Cognito enables web and mobile sign in and sign up using user pools and identity pools, issuing JWTs and temporary credentials via STS.
This AWS Identity Management with AWS IAM, SSO & Federation course provides a comprehensive overview of identity management in the AWS Cloud, covering the fundamentals from beginner to advanced level. With expert instruction and engaging content, you'll gain in-depth knowledge of IAM Users, Groups, Roles and Policies as well as Federation Services.
Our course takes a highly visual and effective approach to teaching cloud computing and AWS concepts, utilizing diagrams and animations rather than bullet-point slides to simplify complex ideas. In addition, we place a strong emphasis on hands-on learning, with hands-on exercises that use multiple AWS free tier accounts to provide practical experience with complex scenarios.
Identity security can be a complex topic, and if you find it challenging, you're not alone. Our course is designed to help you master these concepts, providing expert instruction and hands-on learning to develop a strong, practical understanding that you can apply to your work in the cloud.
This course is also extremely useful if you are studying for AWS certifications such as the AWS Certified Solutions Architect Associate and AWS Certified Solutions Architect Professional.
Watch the intro video to learn how this course will help you gain in-depth knowledge of AWS Identity Management.
SNAPSHOT OF THE SKILLS YOU'LL LEARN
AWS IAM Users, Groups, Roles and Policies
AWS Security Token Service (STS)
Multi-Factor Authentication (MFA)
Identity-Based Policies and Resource-Based Policies
AWS Organizations and Service Control Policies (SCPs)
Use Cases for IAM Roles
AWS Directory Services, Identity Federation, AWS Single Sign-On, Amazon Cognito
CORE TOPICS WE WILL COVER IN THIS AWS IAM TRAINING
Getting Started - AWS Accounts
Learn about AWS Accounts and how to set up your AWS account
AWS Identity and Access Management (IAM) Fundamentals
Learn how AWS IAM works and the various components of IAM:
How IAM Works
Overview of Users, Groups, Roles and Policies
IAM Authentication Methods
AWS Security Token Service (STS)
Multi-Factor Authentication (MFA)
IAM Access Control
Learn how to implement access control using AWS IAM:
Identity-Based Policies and Resource-Based Policies
Access Control Methods - RBAC & ABAC
Permissions Boundaries
IAM Policy Evaluation Logic
IAM Policy Structure
AWS Organizations
Learn how to use AWS Organizations for centralized management of AWS accounts and applying access controls:
Overview of AWS Organizations
How to set up AWS Organizations
Service Control Policies (SCPs)
Working with IAM Roles
Learn about the common use cases for using AWS IAM Roles and put your skills into practice:
Use Cases for IAM Roles
Using IAM Roles for Cross-Account Access to S3
Using IAM Roles for delegating access to AWS services
Directory Services and Federation
Learn how to configure Identity Federation using AWS Directory Services, AWS IAM, AWS SSO and Amazon Cognito:
AWS Directory Services
Identity Federation
IAM Identity Federation
AWS Single Sign-On (SSO)
Amazon Cognito
WHAT DO OTHER STUDENTS SAY?
If you're keen to master Identity Management and Federation in the AWS Cloud, this course is for you! But don't just take our word for it – check out the excellent course reviews from thousands of happy students:
"Outstanding training course on IAM. Neal Davis has made me understand in depth how IAM works in AWS."
"Great course. I highly recommend, especially HOL and the use cases are very helpful to understand all the IAM topics. Thank you Neal!"
"This course is great for understanding IAM and other identity services. Hats off to Neal for explaining it clearly with hands-on lessons."
MEET YOUR INSTRUCTOR
Hi, I'm Neal Davis, and I'm delighted to be your instructor for this course. As the founder of Digital Cloud Training, I'm deeply committed to providing top-quality AWS certification training resources. I created this course to help you understand AWS IAM and Federation. With over 20 years of hands-on experience in the Cloud space, I'm excited to share my expertise with you on Udemy.
OUR SUCCESS IN NUMBERS
Over 750,000 students enrolled in our AWS courses on Udemy
4.7-star instructor rating from over 150,000 reviews
Our students pass the AWS exam with an average score of over 85%
MONEY-BACK GUARANTEE
We are totally confident in the value of this course which comes with a 30-day unconditional money-back guarantee. Get lifetime access now - risk-free!