AWS Account, User Types
- AWS Account Creation Refer Here
Root User and Administrator
- Root User:
  - Owner of the account (the identity created with the account's email address)
  - Has permission on everything in the account, including billing
  - Can create resources
  - Can create users and set permissions
  - Manages billing and account-level settings (for example changing the root email or closing the account, which only the root user can do)
  - Should not be used for day-to-day work: protect it with MFA and use it only for tasks that require it
- Administrator:
  - An IAM user (or role) with the AdministratorAccess policy attached
  - Can create users and set permissions
  - Can create resources
  - Has permission on everything apart from billing and the handful of root-only tasks (billing access can be given to IAM users only after the root user turns on IAM access to billing in the account settings)
Authentication and Authorization
- Authentication: proving who you are. Creating a user (with a console password and/or access keys) lets that person or application sign in to the AWS account.
- Authorization: what the authenticated identity may do. That is decided by the policies attached to it, not by the act of signing in.
User Types
- User:
  - An IAM user represents a person (or an application running outside AWS) who needs long-term credentials: a console password and/or access keys.
- Role:
  - An IAM role is an identity that is assumed rather than owned. It is used by AWS services (for example an EC2 instance that needs to write to S3), by applications, and by users from another account or an external identity provider.
  - A role has no password or long-term access keys; whoever assumes it receives short-lived temporary credentials, so nothing has to be hard-coded on the machine.
Examples:
# Activity: Create folders in an S3 bucket
* Create a user and give that user permission to create folders in the S3 bucket (an S3 "folder" is just an object key ending in "/", so the permission needed is s3:PutObject on that bucket)
OR
* Give the permission to an EC2 instance (virtual machine) by attaching a role to it that carries the same policy, so no access keys have to be stored on the machine
Policy
- A policy is a JSON document that defines authorization for users and roles.
- The user or role is the identity that gets authenticated, whereas the policy attached to that user or role defines what it is authorized to do.
Action
- An action is one operation an identity can perform in AWS (for example ec2:RunInstances, s3:PutObject, iam:CreateUser).
- Actions are named per service, so they are categorized by the resource type they operate on.
- If a policy does not mention an action at all, that action is denied (this is called an implicit deny).
IAM (Identity and Access Management)
- In AWS, both authentication and authorization are handled by IAM.
Scenarios:

Scenario 1:
- User amar is created
- amar is attached a policy with the following actions
  - create other users => ALLOW
  - delete other users => DENY
  - view all users => ALLOW
- Possibilities
  1. Can amar create a user? => yes
  2. Can amar create an EC2 machine? => EC2 actions are not mentioned in the policy; unmentioned actions are implicitly denied => no

Scenario 2:
- User akbar is created
- akbar is attached a policy with the following actions
  - create other users => ALLOW
  - delete other users => DENY
  - view all users => ALLOW
  - create other users => DENY
- Possibilities:
  - Will akbar be allowed to create a user? => The policy both allows and denies the same action. In AWS an explicit DENY always wins over an ALLOW, whatever order the statements appear in => no

Scenario 3:
- user anthony is created
- anthony is attached a policy with the following actions
  - create ec2 instance => ALLOW
  - with the condition that the request must target the Mumbai region (ap-south-1)
- Possibilities:
  - Can anthony create an ec2 instance in Mumbai? => yes
  - Can anthony create an ec2 instance in Singapore? => the condition on the only ALLOW statement is not met, so nothing allows the action and it falls back to implicit deny => no
- Permissions can be scoped at
  - Resource level (a particular ec2 machine or s3 bucket, named by its ARN in the Resource element)
  - Service level (all ec2 machines, using "*" as the Resource)
  - Region level (only ec2 machines in some region, using a Condition on the aws:RequestedRegion key)
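The three scenarios and the S3 folder activity above are all decided by the same evaluation rules: implicit deny when nothing matches, explicit deny beating allow, and statements that only match when their Action, Resource and Condition all fit the request. The following is an added example (not AWS code, and not part of the original notes) that models those rules in Python and runs the notes' questions through them. The policy documents use the real IAM JSON shape and real action names; the bucket name example-bucket, the user names, and the choice of ap-south-1/ap-southeast-1 for Mumbai/Singapore are assumptions for illustration. Only a subset of the policy grammar is modelled (no NotAction, NotResource, Principal or policy variables, and only the StringEquals/StringNotEquals condition operators).

```python
"""Simplified IAM policy evaluation (added example, not AWS code)."""
import re
from typing import Dict, List, Optional

# Real AWS region codes; which scenario uses which is an assumption of this example
MUMBAI = "ap-south-1"
SINGAPORE = "ap-southeast-1"


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, case_sensitive: bool) -> bool:
    # IAM wildcards: "*" matches any run of characters, "?" exactly one character
    regex = "^" + ".*".join(re.escape(p).replace(r"\?", ".") for p in pattern.split("*")) + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _condition_holds(condition: Dict, context: Dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # negated operators pass when the key is absent from the request
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"condition operator not modelled: {operator}")
    return True


def evaluate(policies: List[Dict], action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Decide one request ("Allow" or "Deny") against every policy attached to an identity."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_wildcard_match(a, action, False) for a in _as_list(stmt["Action"])):
                continue  # action names are case-insensitive
            if not any(_wildcard_match(r, resource, True) for r in _as_list(stmt.get("Resource", "*"))):
                continue  # ARNs are case-sensitive
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins no matter what else allows
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


# Scenario 1: amar may create and list users, may not delete them
AMAR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:ListUsers"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"},
]}

# Scenario 2: akbar has the same statements plus an extra Deny on creating users
AKBAR = {"Version": "2012-10-17", "Statement": AMAR["Statement"] + [
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
]}

# Scenario 3: anthony may launch EC2 instances, but only in Mumbai (region-level scope)
ANTHONY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": MUMBAI}}},
]}

# S3 folder activity: an S3 "folder" is just a key ending in "/", so s3:PutObject on one bucket
# (resource-level scope) is enough. The bucket name is an assumption; the same document can be
# attached to a user or to the role an EC2 instance assumes.
S3_FOLDERS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}


def run_scenarios() -> Dict[str, str]:
    """Answer each question the notes pose; keys name the question, values the decision."""
    region = lambda r: {"aws:RequestedRegion": r}
    return {
        "amar creates user": evaluate([AMAR], "iam:CreateUser", "*"),
        "amar runs ec2 instance": evaluate([AMAR], "ec2:RunInstances", "*"),
        "akbar creates user": evaluate([AKBAR], "iam:CreateUser", "*"),
        "anthony ec2 in mumbai": evaluate([ANTHONY], "ec2:RunInstances", "*", region(MUMBAI)),
        "anthony ec2 in singapore": evaluate([ANTHONY], "ec2:RunInstances", "*", region(SINGAPORE)),
        "folder in example-bucket": evaluate([S3_FOLDERS], "s3:PutObject",
                                             "arn:aws:s3:::example-bucket/reports/"),
        "folder in other bucket": evaluate([S3_FOLDERS], "s3:PutObject",
                                           "arn:aws:s3:::other-bucket/reports/"),
        "create bucket": evaluate([S3_FOLDERS], "s3:CreateBucket", "arn:aws:s3:::new-bucket"),
    }


if __name__ == "__main__":
    for question, decision in run_scenarios().items():
        print(f"{question:26} -> {decision}")
```

Running the file prints one line per question with the same answers the scenarios give (yes = Allow, no = Deny). The point worth noticing is the order of checks in evaluate: a Deny is returned the moment it matches, while an Allow only sets a flag that can still be overridden later, which is exactly why akbar's duplicate statement loses and why anthony's Singapore request, where no statement matches at all, ends up denied without any Deny statement being written.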