Welcome back to Backspace Academy. In this lab on IAM we're going to run through some of the main features of IAM. We'll create a user, we'll create a group and we'll add that user to that group, we'll create a password policy, we'll set up an IAM role for EC2 instances, we'll create an account alias, which will make life easier for us to log into our account, and finally we'll create a credentials report, which will list all of the credentials that we've got for this account and the activity of those.

Okay, so we start off at Services and IAM and we go to Users. Now we want to add a user. We give that user a name, and we're going to give this user both programmatic access and console access. Programmatic access means that they can use the command-line interface or the software development kits with an access key and a secret access key, and we're also going to give this person console access as well so they can log into the management console. We'll use an auto-generated password and we'll require that they have a password reset when they first log in. Click on Next: Permissions. Now, because we're going to be creating a group which will have those permissions, and when this user is added to that group they will inherit the permissions of the group, we don't need to define the permissions at the user level, so we're just going to click on Next: Review. We can see there that we've got the username as testuser, and they've got both programmatic and console access, an auto-generated password, and they require a password reset. They've also got permission to change their own user password, because by default they don't have that, but because we selected the option that they have to change their password, that automatically attaches that policy for us. So we click on Create user.

Okay, so the user has now been created, so what we've got now are the credentials for the user. The user's name is testuser. Now for programmatic access and for command-line interface access we need the access key ID and the secret access key, which is what we've got there, and then we've got the password, which is what we use combined with the username to log into the console. So we can send an email to someone with that, or we can download those credentials here as well, and so we could download this CSV, but we need to do one or the other, because once we click on Close we can't get this information again, so we need to get this information now: either download this CSV or send an email. I'd probably recommend you download the CSV, and that will have all of the important information on there, and it'll also have this sign-in URL as well. So we just click on that, I'm going to download that now, and now that I've downloaded that I'll close it. Okay, so there's our user that has been set up for us.

Okay, so now that we've created a user, I'm going to create a group now, and we're going to associate a policy to that group, and that will have permissions for anyone that enters that group, and then we're going to get our user and we're going to put that user inside of that group, and then that user will inherit the permissions of that group. So let's click on Groups, Create New Group. I'm going to call this administrators, and we'll click on Next Step. So now we need to attach a policy. We can create our own policy or we can get one ready-made, which is what we would normally do, so there's one just here, AdministratorAccess, that will be fine for us for administrators. We'll click on Next Step, so we can see there that we've got our group called administrators and we've got the policy that is going to be attached to it for administrator access. We'll click Create Group. Okay, so that group has been created. So what we can do now is we can select that group, we go to Group Actions and we can add users to that group, so we select our test user and we add that user to our group. So now when we click on that group, we'll just go back to Groups again so we can click on this group, and we can see here the users for that group, our test user, and the permissions is AdministratorAccess. So our test user previously had no access and now they've got administrator access.

Okay, so now that we've got our user in a group, what we'll do is we'll look at the password policy that was set up for that user. So again we'll go to Users and we select our test user, just click on the name there, and we're going to go to Security credentials, and there we can see that we've got the console password and we can manage our password here. So console access is enabled, and we can keep the existing password or use an auto-generated password. We'll use an auto-generated password, require a password reset, and we'll put that in there as well. And so at that time we can actually change the individual password policy for a user as such, and so when they first log in they're going to have an auto-generated password and they're going to have to do a password reset. So I'm going to click on Apply. So now we can download the CSV file for that, and that will have the login details for that, so we'll just download that, and that will have the new password that has been auto-generated for this user.

So we can also manage passwords at the account level as well. What we can do is we can go to Account settings over here and we can manage our account password policy from here, and so here we can see we've got a number of options: we can require at least one uppercase letter, one lowercase letter, at least one number, allow users to change their own password, and we can put in a password expiration time, so if we wanted the password to expire in, say, 90 days we can put that in there. So there's a lot of things that we can set up for a password policy, and that will be applied to all users of the account, and so we just click on Apply password policy for that, and so that's been done there for us.

Okay, so now that we've created users and groups and we've looked after passwords and password policies and all that, what we'll look at now is having roles for EC2 instances. So if we've got an application running on EC2 and we want that application to access resources within our AWS account, we need to allow that to happen. So if we want our EC2 server to, for example, access a bucket, then we can create an IAM role that can allow that to happen; if we want our EC2 server to read CloudWatch logs, for example, then we can set that up as well. So what we'll do is we'll create an EC2 role now. We go to Roles, and you can see this tells you what a role is all about, and it's not only for EC2: we can use it for IAM users in another AWS account to access our account, we can use it for federated identity through, for example, logging in with Google or Facebook or with an enterprise SAML application, all this sort of stuff. But for now we'll just use it for an EC2 instance, so we click on Create role. We're going to choose to use an AWS service, and we're going to choose the EC2 service, and that will allow our EC2 instances to call AWS services on our behalf. So we'll just select that and then we go to Permissions. So again we need to attach a policy for this role, just the same as we attached a policy for our group before; we need to do this for this one here, so I'm just going to search for EC2. Okay, so this one down the bottom here, which is CloudWatchActionsEC2Access, we'll select that one, and that will provide read-only access to CloudWatch alarms and metrics. Okay, so we click on Next: Review, we'll give that a name, we won't worry about giving it a description, there's one there that's quite okay, and we can see there that we've got that password, or sorry, that policy attached to that, which is CloudWatch actions for EC2, and we'll click on Create role. Okay, so I've already got a role here from before, just ignore that one, but here is the role that we just created, so we can click on that and have a look at it. There we can see we've got our policy on there, and we've also got an ARN for this role, but we won't worry too much about that. So that's all been done and looking pretty good.

So what we can do now is we can look at creating an account alias. If we go to the dashboard we can see here we've got the sign-in link, and you can see it's quite difficult to remember. The signin.aws.amazon.com/console is reasonably easy to remember, but remembering the big long account number is not so good, so what we can do is we can click on Customize and we can give that account an alias. Okay, so I'm just going to call mine backspace-labs, but please don't call yours backspace, call it something else that's unique for you. I just click on Yes, Create, and there you can see now the sign-in link is backspace-labs.signin.aws, and so that's a lot easier for you to remember.

Okay, so the last thing I want to do is show you how to get a credentials report. Now that's quite a handy thing, to know all of the credentials that you've got out there and whether they're being used or not. If you've got a large organization you want to be able to know that those credentials are being used, and if they're not then get rid of them. So you can go to Credential report and then click on Download Report, and that credentials report will download. So when you open that up, you'll see here that we've got the user, so we've got our root account access and we've got our test user that we created. They've got an ARN, or Amazon Resource Name, and the user was created on this date, and we've got password enabled, and we can see here we've got multi-factor authentication active, which we don't, but in the next lab we're going to have a look at creating, or implementing, multi-factor authentication. And so it gives you a lot of information there around what is going on with your credentials, so that's a handy thing to have.

So that finishes up for this IAM lab. Coming up next we'll have a look at implementing multi-factor authentication on our root account, and I'll see you in that one.
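One way to act on the credentials report the lab ends with, as an added example that is not part of the original video or of Backspace Academy's material: it parses a constructed report in the layout of the IAM credential report CSV (a subset of its real columns; the account id, names and dates are made up) and flags console sign-ins without MFA and active passwords or access keys that have not been used in 90 days, measuring never-used credentials from the user's creation date. The review date is fixed so the sample gives stable results; on a real report you would use the current time.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (a subset of
# its real columns); account id, names and dates are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2023-01-05T10:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,false,false,N/A,false,N/A
testuser,arn:aws:iam::111122223333:user/testuser,2024-04-20T09:30:00+00:00,true,no_information,false,true,N/A,false,N/A
deploy,arn:aws:iam::111122223333:user/deploy,2023-02-01T12:00:00+00:00,false,N/A,false,true,2023-09-10T14:00:00+00:00,false,N/A
"""

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) on a real report.
REVIEW_AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, now, max_idle_days=90):
    """Return (user, finding) pairs for credentials worth reviewing."""
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        created = parse_ts(row["user_creation_time"])
        # Root reports password_enabled as not_supported but still signs in to the console.
        has_console = row["password_enabled"] in ("true", "not_supported")
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console sign-in without MFA"))
        # A credential that was never used is measured from the user's creation date.
        if row["password_enabled"] == "true":
            last = parse_ts(row["password_last_used"]) or created
            if last is None or last < cutoff:
                findings.append((user, f"password unused for over {max_idle_days} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last = parse_ts(row[f"access_key_{n}_last_used_date"]) or created
                if last is None or last < cutoff:
                    findings.append((user, f"access key {n} unused for over {max_idle_days} days"))
    return findings


def sample_findings():
    """Run the review over the constructed sample report."""
    return review_credential_report(SAMPLE_REPORT, REVIEW_AS_OF)
```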