AWS Classroom Series – 05/Mar/2020

AWS Account, User Types

Root Users and Types

  • Root User:
    • Owner of the account
    • Has permission on everything
    • Can create resources
    • Can Create Users and set permissions
    • Manage Bills
  • Administrator:
    • Can Create Users and set permissions
    • Can create resources
    • Has permission on everything apart from billing.

Authentication and Authorization

  • Creating a user makes him/her authenticated (identified) to the AWS account
  • What he/she can do after that depends on authorization.

User Types

  • User:
    • Generally a human who is outside AWS and needs access to the account
  • Role:
    • Used by an AWS service (for example an EC2 instance) rather than by a human
  • Examples:

# Activity: Create folders in s3 bucket
* Create a user and give the user permission to create S3 bucket folders
OR
* Give an EC2 instance (virtual machine) permission, via a role, to create S3 bucket folders

Policy

  • A policy defines authorization for users and roles.
  • A user/role provides authentication, whereas the policy attached to the user/role defines authorization.

Action

  • Actions are all the operations possible in AWS (creating a user, launching an EC2 instance, and so on)
  • Actions are categorized by the service/resource they apply to.
  • If an action is not mentioned in a policy, it is denied (implicit deny).

IAM (Identity and Access Management)

  • In AWS, authentication and authorization are done by AWS IAM

Scenarios:

  1. Scenario 1:

    • User amar is created
    • amar is attached a policy which has the following actions
      • create other user => ALLOW
      • delete other user => DENY
      • view all users => ALLOW
    • Possibilities:
    1. Can amar create one user => yes
    2. Can amar create an EC2 machine => EC2 actions are not mentioned, and actions that are not mentioned are denied => no

  2. Scenario 2:

    • User akbar is created
    • akbar is attached a policy which has the following actions
      • create other user => ALLOW
      • delete other user => DENY
      • view all users => ALLOW
      • create other user => DENY
    • Possibilities:
    1. Will akbar be allowed to create a user => DENY vs ALLOW: an explicit DENY always wins in AWS => no

  3. Scenario 3:

    • User anthony is created
    • anthony is attached a policy which has the following actions
      • create ec2 instance
        • resource should be only from the Mumbai region
    • Possibilities:
    1. Can anthony create an EC2 instance in Mumbai => yes
    2. Can anthony create an EC2 instance in Singapore => no

  • Permissions can be set at
    • Resource Level (Particular ec2 machine/s3 bucket)
    • Service Level (all ec2 machines)
    • Region Level (only ec2 machines in some region)
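The three scenarios above, worked through in code. This is an added example, not from the original notes or from AWS: it is a deliberately simplified model of IAM policy evaluation (only the StringEquals condition operator, no resource-based policies or SCPs), with the policies written in the real IAM JSON shape; ap-south-1 and ap-southeast-1 are the Mumbai and Singapore region codes.

```python
import fnmatch

# Simplified IAM evaluation model (added example, not AWS's engine):
# an explicit Deny wins over any Allow, and an action that no statement
# mentions is implicitly denied.

def _matches(pattern, value):
    # Action/Resource may be a single string or a list; '*' wildcards allowed.
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_ok(cond, context):
    # Only StringEquals is modelled; that is all the scenarios need.
    for key, expected in cond.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True

def evaluate(policy, action, resource="*", context=None):
    """Return 'ALLOW' or 'DENY' for one request against one policy document."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"          # explicit deny: final, nothing overrides it
        allowed = True
    return "ALLOW" if allowed else "DENY"   # no matching Allow => implicit deny

# Scenario 1: create/list users allowed, delete users denied, EC2 not mentioned.
AMAR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:ListUsers"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}]}

# Scenario 2: same as amar plus an explicit Deny on creating users.
AKBAR = {"Version": "2012-10-17", "Statement": AMAR["Statement"] + [
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]}

# Scenario 3: EC2 launch allowed only when the requested region is Mumbai.
ANTHONY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-south-1"}}}]}
```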
