Amazon IAM

Authenticating DynamoDB Using Web Identity Providers

Using the AssumeRoleWithWebIdentity API you can authenticate users through web identity providers such as Amazon, Google, Facebook or any other OpenID-compatible identity provider.


The following steps need to be completed first:

  1. Go to IAM

  2. Click on Create New Role

  3. Select Role for identity provider access

  4. Select grant access to identity providers

IAM Core Concepts - Users, groups, roles and policies

Authentication is done in IAM through users, groups or roles whereas authorization is done through policies.


Users and Groups

Users and groups control an individual's access to AWS services.

IAM users can be grouped into groups.


AWS Policy Document and Policy Generator

A policy is a document (written in the Access Policy Language) that acts as a container for one or more permission statements. A statement is the formal description of a single permission. Within a statement you can specify elements such as Effect (Allow / Deny), Principal, AWS service, Actions (e.g. Create Bucket), Amazon Resource Name (ARN) and, optionally, conditions (e.g. ArnEquals, NotIpAddress).


IAM Policy Evaluation Overview

When an AWS service receives a request, the request is first authenticated, and then it is determined whether the requester is authorized to perform the action the request represents. A few services, like Amazon S3, also allow requests from anonymous users.

[Lab] Setting Up the AWS Environment for Working with DynamoDB

DynamoDB is an AWS service, so you need to have an AWS account set up first. For setting up an AWS account and the basic configuration within AWS, please refer to getting-started-with-aws-part-1-iam-and-storage-services. It is better to use a dedicated user account for this section, or to clean up everything before and after it. Next you will need to do some configuration on your own system, and some of these steps may be specific to your OS (OSX, Windows, Linux, etc.).

[Lab] Using IAM Roles Instead of Configuring Credentials from AWS Command Line in EC2

The Amazon Linux AMI comes with the aws command line pre-installed, and we will use it for our lab. You may have to install it manually on other AMIs. You can also install the AWS command line on your personal devices (Windows, Mac, etc.).


Steps

  1. Log in to the AWS console and go to IAM:

    1. Go to Roles (side menu)

[Lab] Configuring Access Key Id and Secret Access Key from AWS Command Line Inside EC2

The Amazon Linux AMI comes with the aws command line pre-installed, and we will use it for our lab. You may have to install it manually on other AMIs. You can also install the AWS command line on your personal devices (Windows, Mac, etc.).


[Lab] Setting Up Basic First Time Security Tasks in IAM Dashboard

After going to the IAM page as shown in the previous note, you need to complete all items listed under Security Status.


Initial Security Status

Note that Task 1 should already have been completed.


[Lab] Experimenting More with IAM Users, Roles, Groups and Policies

This is the second lab on AWS IAM, and we will do more experiments with IAM users, roles, groups and policies.


Prerequisite:

Important terms to understand before the lab: Users, Groups, Roles, and Policies.


Summary of steps:

  1. Go to the AWS console and open the IAM dashboard.

  2. Compare the policy documents (JSON documents) of the two policies Administrator Access and System Administrator and find the differences.

AWS IAM Important Notes (Exam Tips)

This is a summary of the highlights of the IAM FAQ and other important notes.


Important Notes

  1. You can give your federated users single sign-on (SSO) access to the AWS Management Console using SAML 2.0.


How To Links

  1. How can individual IAM users set up MFA?
