[00:00:10] Welcome back to Backspace Academy. In this lecture we'll have a look at the security, identity and compliance services of AWS. Now this is a very important category of AWS and as such there is a very broad selection of products that are available. Once we've done that we'll finish up with a hands-on lab using the Identity and Access Management service.

[00:00:36] AWS Artifact is an online portal that provides access to AWS security and compliance documentation, and that documentation can be readily available when needed for auditing and compliance purposes.

[00:00:48] AWS Certificate Manager issues SSL certificates for HTTPS communication with your website. It integrates with AWS services such as Route 53 and CloudFront, and the certificates that are provisioned through AWS Certificate Manager are completely free.

[00:01:12] Amazon Cloud Directory is a cloud-based directory service that can have hierarchies of data in multiple dimensions, unlike conventional LDAP-based directory services that can only have a single hierarchy.

[00:01:29] AWS Directory Service is a fully managed Microsoft Active Directory service in the AWS cloud.

[00:01:38] AWS CloudHSM is a dedicated hardware security module in the AWS cloud. This allows you to achieve corporate and regulatory compliance while at the same time greatly reducing your costs over using your own HSM in your own infrastructure.

[00:01:56] Amazon Cognito provides sign-in and sign-up capability for your web and mobile applications. You can also integrate that sign-up process with external OAuth providers such as Google and Facebook, and also SAML 2 providers as well.

[00:02:15] AWS Identity and Access Management, or IAM for short, allows you to manage user access to your AWS services and resources in your account. Users and groups of users have individual permissions that allow or deny access to your resources.

[00:02:35] AWS Organizations provides policy-based management for multiple AWS accounts. This is great for large organizations that have multiple accounts and they want to manage those, and the users that use those accounts, centrally.

[00:02:52] Amazon Inspector is an automated security assessment service. It can help to identify vulnerabilities or areas of improvement within your AWS account.

[00:03:06] AWS Key Management Service, or KMS for short, makes it easy to create and control encryption keys for your encrypted data, and it also uses hardware security modules to secure your keys. It's integrated well with AWS services such as Amazon S3, Redshift and EBS.

[00:03:32] AWS Shield provides protection against distributed denial of service, or DDoS for short, attacks. The standard version of AWS Shield is implemented automatically on all AWS accounts.

[00:03:43] Web Application Firewall, or WAF for short, is a web application firewall that sits in front of your website to provide additional protection against common attacks such as SQL injection and cross-site scripting. It has different sets of rules that can be used for different applications.

[00:04:08] Now let's have a look at using one of the core AWS security services, Identity and Access Management, or IAM. Now, up until now we've been logging into our account using the email address and password that we used to create that account, and that is logging in as a root user, and it is not desirable to do that. The reason I say that is that the root user will have access to everything: access to finances, credit card, access to locking people out of that account. And so that is something that cannot be compromised, otherwise you're in a lot of trouble. So what we do is that we lock that down: we put a very long and complicated password on that account, and we can also have multi-factor authentication if we want to go to that next step of locking that down.

[00:05:05] Once we've locked down our root access we can create an IAM user, and we can log in as that IAM user, and that IAM user will have permissions specific for what we need to do. And so if we for whatever reason need root access we can still get that if we need to, but we log in for the most part as an IAM user, and that protects our account.

[00:05:38] So again we go to Services and we look for the IAM service. Now once we're in there we can go to Users on the left here, and we can create a user by clicking on Add user. We'll give that user a name; I'm just going to call it test, that'll be fine. Now that user can have management console access, yes we would like that, but they can also have programmatic access if they're going to be connecting into a software development kit or connecting in through the command line interface remotely. So we're going to give both of those, and because it's going to be ourselves that'll be assuming this user we can put in a custom password there. So I've just put in a password that I'll remember, and we won't worry about changing that password because it's for us, not for someone else.

[00:06:29] So once we've done that then we can attach permissions to that user, so we click on Next: Permissions. Up the top here we've got Attach existing policies directly, so AWS have already done the work of writing policies specifically for job functions. So if we click on that, what we can do is we can select AdministratorAccess, and that provides full access to AWS services and resources, but that does not include financial and that sort of secure account management stuff. So we can attach that policy to this user that we've created. So we click on Review, and we can see there we've got a user named test, and they've got both programmatic access and management console access, and their permissions are defined in their AdministratorAccess, so basically it gives you full access to use all of the resources or all of the services.

[00:07:29] We click on Create user, so that user has now been created, and we can see here we've got an access key and a secret access key, and we can download all of this information. So if we download that now we can save that somewhere, and that's our credentials. So when we open up that file it will have information about how we log in to the management console. So before we would have been logging in from aws.amazon.com, but now we've got our own sign-in link, and yours will be different, and if we click on that now we will be able to sign in as an IAM user. So you will have your account ID, or if you've created an alias it will be an alias. Now I've created an alias for my account called backspace-labs, but you will no doubt just have your account ID there. Put in the name of that user that we created, and then we put in the password that we created for that user as well, and if we sign in now we should be able to get in. And so there you go, we've signed in back to where we were in the AWS Management Console.

[00:08:50] So now we don't need to use those root user credentials. So what we can do now is we can change those root user credentials. So to do that we need to log in as the root user, so we go to our account up here. So I'm logged in as test, so I want to sign out and then log in with root access. So I click on Sign out, and that'll take me back to the AWS home page. So if I go back into my account, AWS Management Console, I get this screen that we had before. Down the bottom here is a link, "Sign in using root account credentials", so I'm going to click on that, and that's going to get me into my root user. So I just log in, and there we go, we're signed in now as the root user of the account. So what we can do now is do the same thing again: we go into our account details here, but we go down to My Security Credentials, and what we can do now is that it's going to give us a warning that we're going to be changing the security credentials of the entire account. So that is what we want to do, so we're going to continue to Security Credentials, and here we can see up the top here is Password, and "click here to change the password, name or email address of your root access account". So we click on that and here we go, so we can update that password. So we click on Edit and we can put our current password in and then our new password, which I'm not going to change because I don't want to change it,

[00:10:31] but I'd advise you to do that and put in a really, really long and complicated password. Use a password generator to do that, and that will help to secure down your AWS account. You can also enable multi-factor authentication. It's a little bit of a long-winded process, but that will give you a little bit more security as well if you want to go down that process. So for now I don't want to stay in the root user, so I'm going to log out, and next time I log in I'll use my IAM user.

[00:11:06] So that's all I need to show you now on creating an IAM user. Going through the course we're going to learn a lot more about IAM, and if you're going on to do an associate level certification you'll be an absolute wizard at this by the end of it; you'll be creating policies, you'll be doing a lot more with this. So I look forward to seeing you in the next lecture.
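The lecture attaches the AWS-managed AdministratorAccess policy to the new IAM user and mentions that user permissions "allow or deny access". The following Python is an added worked example, not part of the lecture or of any AWS SDK: it is a deliberately simplified model of how IAM evaluates identity-based policies (implicit deny, explicit Allow, explicit Deny overriding everything) and a small check that flags a policy granting full administrator rights. Both policy documents are constructed for the demo; the account ID, bucket name and user name are placeholders, and `NotAction`, `NotResource` and `Condition` are intentionally not modelled.

```python
import fnmatch
import json

# Constructed sample policies (not from the lecture). ADMIN_POLICY has the
# shape of the AWS-managed AdministratorAccess policy the lecture attaches;
# TEST_USER_POLICY is an assumed, narrower policy for a user called "test".
ADMIN_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ {"Effect": "Allow", "Action": "*", "Resource": "*"} ] }
""")

TEST_USER_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/private/*"} ] }
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def statement_matches(stmt, action, resource):
    """True when a statement's Action and Resource both cover the request.
    Action names compare case-insensitively; ARNs are case-sensitive.
    NotAction / NotResource / Condition are deliberately not modelled."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return (_matches(actions, action.lower())
            and _matches(stmt.get("Resource", []), resource))


def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation: start from an implicit Deny,
    an explicit Allow grants, and an explicit Deny anywhere overrides Allows."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny wins immediately
            decision = "Allow"
    return decision


def grants_full_admin(policy):
    """Flag a policy containing an Allow with Action '*' on Resource '*',
    which is what the AdministratorAccess attachment gives the user."""
    return any(stmt["Effect"] == "Allow"
               and "*" in _as_list(stmt.get("Action", []))
               and "*" in _as_list(stmt.get("Resource", []))
               for stmt in policy["Statement"])


if __name__ == "__main__":
    user = "arn:aws:iam::123456789012:user/test"   # constructed account ID
    private = "arn:aws:s3:::example-bucket/private/secret.txt"
    print(evaluate([ADMIN_POLICY], "iam:CreateUser", user))                    # Allow
    print(evaluate([TEST_USER_POLICY], "ec2:DescribeInstances", "*"))          # Allow
    print(evaluate([TEST_USER_POLICY], "ec2:TerminateInstances", "*"))         # Deny
    print(evaluate([ADMIN_POLICY, TEST_USER_POLICY], "s3:GetObject", private)) # Deny
    print(grants_full_admin(ADMIN_POLICY), grants_full_admin(TEST_USER_POLICY))  # True False
```

The last two calls are the points worth taking from the lab: a user with AdministratorAccess is still blocked by any explicit Deny that also applies to them, and a policy review can mechanically spot the `Allow */*` statement so that a day-to-day user like `test` can be given something narrower than the full administrator policy once the lab is over.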