[[TOC]]
Prerequisites
GitHub Repos
https://github.com/acantril/aws-sa-associate-saac02 - the best way is to install Git and then clone the repo into your Documents folder.
Git
VS Code
AWS Accounts - The basics
- Account is a container for your identities and resources.
- unique email address is needed.
- Credit Card is also needed for payment of resources. You can use the same card for multiple accounts, but email addresses need to be unique.
- each account has a root user. That user is the email address of the creator of the account. A root user can only access the one account in which it was created.
- AWS is a Pay-As-You-Go type of service. You use 2 minutes, you pay for 2 minutes - this gets charged to the credit card on file.
- Root user has full control over account. Cannot be restricted.
- The IAM service can create Users, Groups and Roles, which can be given full or limited permissions.
- Users start out with NO permissions
- Groups - contain multiple identities
- Roles - can be assumed by other identities
- AWS Account (container) is really good at keeping bad actors out.
- External users can be invited into the account.
DEMO Creating an AWS Account
#1 on Demos page
Multifactor Authentication
- Using multiple factors to log in
- what you know - password, pin, username
- what you have - card, mfa device,
- what you are - fingerprint, voice, iris
- where you are - your location whether it be physical or network location (must be on VPN to access, right?)
Where does MFA come into play? Usernames and passwords are both things you know, so if you can know them, someone else can know them too. We need to add another factor of authentication to cover the case where someone else knows your username and password.
- example: someone logs in with your username and password and then you get a text message to confirm or a code that you need to enter in.
Securing an AWS Account
Demo
Creating Billing Alerts
Demo
Creating Production Account
Demo: Create a new account like above and name it Production.
- new email (gmail trick)
- unique account name
- add MFA to the root user and to the IAMAdmin user
- Set Billing alert and enable access to billing
Identity and Access Management (IAM) Basics
- grant other users access and give them the least amount of access they need (Least Privilege)
- IAM is included in the Account and is trusted by the account - free
- groups - collection of related users
- users - identities that represent human users or applications
- roles - can be used by AWS Services or to grant external access to your accounts
- permissions need to be attached to users or groups
- No additional cost to you
- Global Service (don't need to select a region)
- Allow or Deny identities on the account
- No control over external identities in their external accounts.
Three purposes of IAM
- Identity Provider (IdP) - identity federation and MFA (AD, Facebook, Google)
- Authentication
- Authorization
Adding an IAM user
Demo
IAM Access Keys
- a user can have at most 2 access keys at a time. This allows for rotation of the keys
- access keys can be created, deleted, made inactive or made active.
- made up of two parts, Access Key ID and Secret Access Key.
Rotating access keys involves creating a new key, updating all of the places the old key is used and then deleting the old key.
Roles do not use access keys.
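The rotation procedure above interacts with the two-key limit: once a user already holds two keys, `create-access-key` fails until one is removed. The following Python script is an added example (not from the course notes) that reads the JSON printed by `aws iam list-access-keys`, flags active keys older than a chosen age and emits the CLI steps of a safe rotation in order, deactivating the old key before deleting it so it can be re-enabled if something still depends on it. The user name, key IDs and dates are constructed sample data, and the 90-day maximum age is an assumed policy, not a value from the notes.

```python
"""Plan an IAM access-key rotation that respects the two-key limit (added example)."""
import json
from datetime import datetime, timezone

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user

# Constructed sample output of `aws iam list-access-keys --user-name iamadmin`.
SAMPLE_ONE_KEY = json.dumps({"AccessKeyMetadata": [
    {"UserName": "iamadmin", "AccessKeyId": "AKIAEXAMPLEOLDKEY001",
     "Status": "Active", "CreateDate": "2023-01-15T10:00:00+00:00"},
]})

# Constructed: an active old key plus an inactive leftover from a previous rotation.
SAMPLE_TWO_KEYS = json.dumps({"AccessKeyMetadata": [
    {"UserName": "iamadmin", "AccessKeyId": "AKIAEXAMPLEOLDKEY001",
     "Status": "Active", "CreateDate": "2023-01-15T10:00:00+00:00"},
    {"UserName": "iamadmin", "AccessKeyId": "AKIAEXAMPLEOLDKEY000",
     "Status": "Inactive", "CreateDate": "2022-10-01T08:00:00+00:00"},
]})

# Constructed: two active keys, so nothing can be created until one is removed.
SAMPLE_TWO_ACTIVE = json.dumps({"AccessKeyMetadata": [
    {"UserName": "iamadmin", "AccessKeyId": "AKIAEXAMPLEOLDKEY001",
     "Status": "Active", "CreateDate": "2023-01-15T10:00:00+00:00"},
    {"UserName": "iamadmin", "AccessKeyId": "AKIAEXAMPLEOLDKEY002",
     "Status": "Active", "CreateDate": "2023-02-01T08:00:00+00:00"},
]})

# Fixed "current time" so the example is reproducible (constructed).
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_keys(list_keys_json):
    """Return the key metadata entries with CreateDate parsed into a datetime."""
    keys = []
    for k in json.loads(list_keys_json)["AccessKeyMetadata"]:
        created = datetime.fromisoformat(k["CreateDate"].replace("Z", "+00:00"))
        keys.append({**k, "CreateDate": created})
    return keys


def key_age_days(key, now):
    return (now - key["CreateDate"]).days


def rotation_plan(list_keys_json, max_age_days, now):
    """Return the ordered steps to rotate the oldest active key older than max_age_days.

    Steps are plain strings so an operator can review them before running anything.
    Raises RuntimeError when two active keys block the rotation.
    """
    keys = parse_keys(list_keys_json)
    stale = [k for k in keys
             if k["Status"] == "Active" and key_age_days(k, now) > max_age_days]
    if not stale:
        return []
    old = min(stale, key=lambda k: k["CreateDate"])  # rotate the oldest first
    user = old["UserName"]
    steps = []
    if len(keys) >= MAX_KEYS_PER_USER:
        # The limit blocks create-access-key. An inactive leftover can be removed
        # first; two active keys need a human to confirm which one is unused.
        leftovers = [k for k in keys if k["Status"] == "Inactive"]
        if not leftovers:
            raise RuntimeError(
                f"{user} already has {MAX_KEYS_PER_USER} active keys; "
                "confirm which one is unused before rotating")
        steps.append(f"aws iam delete-access-key --user-name {user} "
                     f"--access-key-id {leftovers[0]['AccessKeyId']}")
    steps += [
        f"aws iam create-access-key --user-name {user}",
        "update every place that uses the old key (~/.aws/credentials profiles, "
        "CI secrets, application config)",
        f"aws iam update-access-key --user-name {user} "
        f"--access-key-id {old['AccessKeyId']} --status Inactive",
        "verify nothing breaks while the old key is inactive "
        "(re-enable with --status Active if it does)",
        f"aws iam delete-access-key --user-name {user} "
        f"--access-key-id {old['AccessKeyId']}",
    ]
    return steps


if __name__ == "__main__":
    for step in rotation_plan(SAMPLE_TWO_KEYS, 90, NOW):
        print(step)
```

Run it against real output by piping `aws iam list-access-keys --user-name <user> --profile <profile>` into `rotation_plan`; the planner never calls the CLI itself, it only tells you the order in which to run the commands.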
Creating Access Keys and setting up AWS CLI v2 Tools
Install on Windows
https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-windows.html#cliv2-windows-install
CLI V2 Command Reference
https://awscli.amazonaws.com/v2/documentation/api/latest/index.html#
Logging into the CLI
- Run the following command to configure the default profile
aws configure
- Enter the Access Key ID and Secret Access Key when prompted
Manage accounts by creating profiles
Documentation
Since we have multiple accounts, we need to set up multiple profiles to log into the individual accounts.
- Run this command to create a profile called Management
aws configure --profile Management
- Enter the Access Key ID and Secret Access Key for that account
- Done
Location of configuration file
~/.aws/credentials (Linux & Mac) or %USERPROFILE%\.aws\credentials (Windows)
MFA
Documentation
MFA tokens generate credentials that expire after 12 hours.
# generate token
aws sts get-session-token --profile Management --serial-number arn:aws:iam::123acctnumber4567:mfa/User-Name --token-code 123456
# use authenticated session to do something
aws s3api list-buckets --profile Management
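`get-session-token` only prints the temporary credentials as JSON; the CLI does not use them until they are stored in a profile (or exported as environment variables). The Python script below is an added example, not part of the course notes, that parses that JSON, writes the temporary credentials into a separate profile in the credentials file and checks the Expiration before they are used. The profile name Management-mfa, the key values and the file contents are constructed sample data.

```python
"""Store `aws sts get-session-token` output as an MFA profile (added example)."""
import configparser
import io
import json
from datetime import datetime, timezone

# Constructed sample of the JSON that `aws sts get-session-token` prints.
SAMPLE_STS_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLETEMPKEY01",
    "SecretAccessKey": "exampleTemporarySecret/NotReal",
    "SessionToken": "exampleSessionTokenNotReal==",
    "Expiration": "2023-06-01T22:00:00+00:00",
}})

# Constructed credentials file holding the long-term Management profile.
SAMPLE_CREDENTIALS_FILE = """[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT01
aws_secret_access_key = exampleDefaultSecret

[Management]
aws_access_key_id = AKIAEXAMPLEMGMT00001
aws_secret_access_key = exampleManagementSecret
"""

# Fixed "current time" so the expiry check is reproducible (constructed).
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_session_token_output(sts_json):
    """Map the STS JSON onto the keys the credentials file expects."""
    creds = json.loads(sts_json)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": datetime.fromisoformat(
            creds["Expiration"].replace("Z", "+00:00")),
    }


def session_is_valid(creds, now):
    """True while the temporary credentials have not expired."""
    return now < creds["expiration"]


def write_mfa_profile(credentials_text, profile_name, creds):
    """Return the credentials file text with profile_name set to the temporary credentials.

    Other profiles are left untouched; the long-term key stays in its own profile.
    """
    cp = configparser.ConfigParser()
    cp.read_string(credentials_text)
    if not cp.has_section(profile_name):
        cp.add_section(profile_name)
    for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"):
        cp.set(profile_name, key, creds[key])
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def read_profile(credentials_text, profile_name):
    """Return one profile of the credentials file as a plain dict."""
    cp = configparser.ConfigParser()
    cp.read_string(credentials_text)
    return dict(cp[profile_name])


if __name__ == "__main__":
    creds = parse_session_token_output(SAMPLE_STS_OUTPUT)
    if session_is_valid(creds, NOW):
        print(write_mfa_profile(SAMPLE_CREDENTIALS_FILE, "Management-mfa", creds))
```

With the real file at ~/.aws/credentials updated this way, the MFA-backed session is selected with `--profile Management-mfa` (for example `aws s3api list-buckets --profile Management-mfa`), while `--profile Management` keeps using the long-term key. Once the Expiration passes, re-run `get-session-token` and rewrite the profile.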