AWS Classroom Series – 05/Mar/2020

AWS Account, User Types


Root Users and Types

  • Root User:
    • Owner of the account
    • Has permission on everything
    • Can create resources
    • Can Create Users and set permissions
    • Manage Bills
  • Administrator:
    • Can Create Users and set permissions
    • Can create resources
    • Has permission on everything apart from billing.

Authentication and Authorization

  • Creating a user authenticates that person to the AWS account.
  • What he/she can then do depends on authorization.

User Types

  • User:
    • Generally a human, an identity that lives outside AWS
  • Role:
    • An identity assumed by an AWS service
  • Examples:

Activity: Create folders in an S3 bucket
  • Create a user and give that user permission to create S3 bucket folders
  OR
  • Give the permission to an EC2 instance (virtual machine), via a role, to create S3 bucket folders


Policy

  • A policy defines authorization for users and roles.
  • Users and roles provide authentication, whereas the policy attached to a user or role defines authorization.

Action

  • Actions are all the operations that can be performed in AWS
  • Actions are categorized by the resources (services) they apply to.
  • If an action is not mentioned in a policy, it is denied (implicit deny).

IAM (Identity and Access Management)

  • In AWS, authentication and authorization are handled by AWS IAM.

Scenarios:

  1. Scenario 1:

    • User amar is created
    • amar is attached a policy which has the following actions
      • create other user => ALLOW
      • delete other user => DENY
      • view all users => ALLOW
    • Possibilities:
      1. Can amar create one user? => yes
      2. Can amar create an EC2 machine? => EC2 actions are not mentioned; actions that are not mentioned are denied => no

  2. Scenario 2:

    • User akbar is created
    • akbar is attached a policy which has the following actions
      • create other user => ALLOW
      • delete other user => DENY
      • view all users => ALLOW
      • create other user => DENY
    • Possibilities:
      • Will akbar be allowed to create a user? => Deny vs Allow: an explicit Deny always wins in AWS => no

  3. Scenario 3:

    • User anthony is created
    • anthony is attached to a policy which has the following actions
      • create EC2 instance
        • resource should be only from Mumbai
    • Possibilities:
      • Can anthony create an EC2 instance in Mumbai? => yes
      • Can anthony create an EC2 instance in Singapore? => no

  • Permissions can be set at
    • Resource Level (Particular ec2 machine/s3 bucket)
    • Service Level (all ec2 machines)
    • Region Level (only ec2 machines in some region)
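The three scenarios above encode the IAM evaluation rules: an action not mentioned is implicitly denied, an explicit Deny beats any Allow, and a Condition can restrict a statement to one region. The following is an added example (not from the classroom notes) that models that evaluation order in Python over constructed policy documents; it is a simplified evaluator (only Effect, Action, Resource and a StringEquals condition, no NotAction or resource policies), and the action names and the region codes ap-south-1 (Mumbai) and ap-southeast-1 (Singapore) are real AWS identifiers.

```python
import fnmatch

# Constructed policies for the three scenarios (hypothetical users amar, akbar, anthony).
AMAR = [{"Effect": "Allow", "Action": ["iam:CreateUser", "iam:ListUsers"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}]
AKBAR = AMAR + [{"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]
ANTHONY = [{"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-south-1"}}}]


def _matches(pattern, value):
    """Case-insensitive IAM-style wildcard match ('*' and '?'); pattern may be a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_ok(condition, context):
    """Only StringEquals is modelled; a missing context key fails the condition."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def evaluate(policy, action, resource="*", context=None):
    """Return 'Allow' or 'Deny' following the IAM evaluation order:
    an explicit Deny beats any Allow; no matching statement is an implicit Deny."""
    context = context or {}
    allowed = False
    for stmt in policy:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins, stop immediately
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matched


if __name__ == "__main__":
    mumbai = {"aws:RequestedRegion": "ap-south-1"}
    singapore = {"aws:RequestedRegion": "ap-southeast-1"}
    print("amar create user:", evaluate(AMAR, "iam:CreateUser"))            # Allow
    print("amar run ec2:", evaluate(AMAR, "ec2:RunInstances"))             # Deny (not mentioned)
    print("akbar create user:", evaluate(AKBAR, "iam:CreateUser"))         # Deny (deny wins)
    print("anthony mumbai:", evaluate(ANTHONY, "ec2:RunInstances", context=mumbai))        # Allow
    print("anthony singapore:", evaluate(ANTHONY, "ec2:RunInstances", context=singapore))  # Deny
```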
