
The Identity and Access Management is a foundational service in AWS that controls who can do what and it is integrated into practically all other services in AWS. Therefore, a solid understanding of IAM is critical when you are building a solution in AWS. The goal of this course is to help you learn and build skills in IAM so that you can apply your knowledge to solve real world problems. Lectures contain quizzes, exercises, reference materials to help you extend your learning beyond this course.
The demos and exercises in this course use both AWS web console and command line interface program also known as CLI. If order to follow along, you will need an AWS account which you can sign up for free. The AWS CLI program is also free is encouraged but not required.
Amazon Web Service’s Identity and Access Management (IAM) is a service you can use to control who can do what in your AWS account.
Primary purpose of IAM in AWS
AWS global infrastructure
IAM scope within AWS account
Global vs. Regional Service.
At a basic level, IAM is about authentication and authorization. Your actions comes into AWS in a bundle of information known as request context. AWS uses this to decide if your request is authorized or not. In order to do this, AWS looks at all the permissions you configure that instructs AWS who can do what. These permissions are written in a JSON document called a policy.
This lesson covers the fundamentals of IAM User with following topics
Root User
Create new IAM User
Account alias
Login to AWS Management Console
This lecture covers common type of users in the real world to set the context for rest of the course.
Principal
Credential
Root User
IAM User
Federated Users
External Users
Workload User
This lecture covers access & secret access key and how they can be used to access S3 resources using Access Key with AWS Command Line Interface (CLI) and Access Key with AWS Software Development Kit (SDK)
Create Access Key
Access Key management
S3 bucket and object setup
AWS Command Line Interface (CLI) to access S3
Long-term key risks
AWS CLoudShell
This lesson covers IAM Group and how to add users to a group.
Create IAM Groups
Adding IAM Users to IAM Group
IAM Group permission
IAM Group use cases
This lesson explains the basic concept of an AWS Policy.
Policy in the real world
AWS Policy
Permission
AWS policy types - Customer managed vs. AWS managed
This lesson covers the basic structure of an IAM policy and elements that will be covered in this course.
Create policy
Version
Statement
Statement elements - SEPARC
Sid
Effect
Principal
Action
Resource
Condition
This lesson covers Statement ID - Sid and its purpose in the IAM Policy
Sid purpose
Unique Sid value rule
Case sensitive Sid value
This lesson covers statement element Effect and how it works in the IAM Policy
Allow vs. Deny
Implicit default
Access S3 resource using AWS CLI with policy
Multiple statement with Allow and Deny
This lecture covers statement element Action and how it works in the IAM Policy.
Action purpose
Available actions for AWS Service
S3 action examples
Wildcard character
This lecture covers statement element Resource and how it works in the IAM Policy
Resource in AWS
Amazon Resource Name (ARN) convention
Case Sensitive rule for resource name
Wildcard characters
Single character "?"
Action - Resource Mapping
This lecture covers statement element Condition and how it works in the IAM policy.
Condition element structure
Condition operator
Global and Service Condition keys
Condition to Action mapping
Tag based policy use case
This lecture covers variables and how it works in the IAM policy
Variable use cases
S3 personal folder demo
Resource variable rules
Condition variable rules
Tag-based authorization demo
Default value
This lecture covers statement element Principal and how it works in the IAM policy
Using IAM User ARN as principal
User-based policy vs. Resource-based policy
S3 bucket policy demo
Principal element rules
This lecture summarizes the main topics covered in IAM Policy and tips.
Mutually exclusive elements
Wildcard character warning
IAM Access Analyzer
IAM Policy Editor
This lecture introduces the main concept of IAM Role
How IAM Roles work
Create IAM Role
Trust policy
Assume role demo
Short-term credential
This lecture deep dive into cross account use case using IAM Role.
Cross account trust policy
IAM user policy to assume role
Assume role demo
This lecture compares difference between accessing resources across AWS accounts using resource-based policy versus IAM Role.
Scope
Permission required
Identity-based permission
Cross partition
This lecture demonstrates using IAM Role in the EC2 Instance Profile. This is common pattern in AWS where a service assumes a role and access resources.
EC2 Instance Profile feature
Create Role for EC2
Launch EC2 and test role permission
EC2 temporary credential
Service-linked roles
This lecture covers the core concept of IAM Permission Boundaries.
What is permission boundaries?
Effect of permission boundaries on IAM policy
Delegate use case
This lecture covers the core concepts of IAM Session Policy.
What is session policy
Effect of session policy on IAM policy
Session policy demo
Identity broker use case
This lecture covers the difference between control plane and data plane.
Control plane operation & region
Data plane operation
Auth Runtime Service (ARS)
This lecture covers the AWS Organizations service.
Organization Unit
Management account
Consolidated billing
Provisioning accounts
Organization policies
Service Control Policy (SCP) demo
Organization structure
This lecture covers AWS IAM Identity Center service
Human users at scale
Single-sign on
Identity center directory
Permission sets
This lesson covers identity federation use case using Azure Entra ID as identity provider and IAM Identity Center.
Identity federation use case
SAML
SCIM
Attribute-based Access Control (ABAC)
This lesson covers several solutions to help you log and audit activities in IAM to stay secure and compliant.
Built-in features in IAM
AWS CloudTrail
Amazon CloudWatch
AWS Config
This lesson covers how various policies work together and AWS evaluates them to determine either allow or deny requests.
Request Context
3 main rules
Evaluation logics
Helper tools
This lesson covers best practices for IAM as you continue your cloud journey
Growing pains
Security best practices
Root user
Least-privilege permission
Policy types solution
Long-term keys
Quotas
Well-Architected Framework
Welcome to updated version of the Amazon Web Service’s Identity and Access Management course with focus on practical application to solve real word problems. The goal of this course is to give you hands on knowledge to use on your AWS project. By the end of this course, you will have skills to know how to build solutions using IAM and more importantly why you should apply certain design patterns to solve your problems.
The course is designed to start with the basic IAM building blocks that build upon one another towards more advanced concepts. There are a lot of demonstrations with quizzes and exercises to help you learn by doing. The major topics include IAM User, Group, Policy, Roles, AWS Organization Service, IAM Identity Center and more. This course includes a lot of demonstrations on how to apply these features in the real world use cases such as tag based policy, cross account roles, federated access and much more.
This course is intended for a technical audience with some familiarity with AWS. Ideal learners are software engineers, solution architects and anyone who is building solutions in AWS. There is no prerequisite other than your curiosity and willingness to learn.