IAM
Policies: See AWS IAM Policies & My blog note
- key entities
- users
- groups
- roles
- policies
- identity policies
- resource policies
- universal: not specific to region
- new users have NO permissions by default when created
- Access Key ID and secret access key are assigned to new users
- not the same as passwords; can only be used via the SDK and CLI
- can only be viewed once so save them after creating
- (for EC2) better to create IAM roles instead of keeping credentials
- you can give federated users single sign-on (SSO) access to the AWS Management Console with SAML (Security Assertion Markup Language)
- Amazon Resource Name (ARN) is a string that uniquely identifies an AWS resource
- begins with `arn:partition:service:region:account-id`, ends with `resource` or `resource-type`
- e.g. `arn:aws:ec2:us-east-1:123456789012:instance/i-12345678`
- an IAM policy only takes effect after it is attached to a user, group or role
- IAM policies rules
- not explicitly allowed means implicitly denied
- explicit deny > everything else
- AWS joins all applicable policies
- AWS-managed vs. customer-managed policies
- can control access based on tags
- inline policy: only effective for specific roles
- permission boundaries
- used to delegate (authorize, entrust) admin tasks to other users
- prevent privilege escalation (an identity ending up with more permissions than intended) or unnecessarily broad permissions
- control the maximum permissions an IAM policy can grant; the boundary itself grants nothing
- “owner” (in permission policy) refers to the identity and email address used to create the AWS account
Organization
- paying account should be used for billing purposes only; do not deploy resources in paying account
- enable/disable AWS services using Service Control Policies (SCPs), attached either to an OU (Organizational Unit) or to individual accounts
- SCPs affect only IAM users and roles managed by accounts that are part of the organization (including the root user). SCPs don't affect resource-based policies directly, and they don't affect users or roles from accounts outside the organization.
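The evaluation rules above (implicit deny, explicit deny wins, all attached policies joined, permission boundary and SCP acting as ceilings) as a small added simulation; this is example code written for these notes, not an AWS library, and the policy documents are constructed samples. It ignores resource ARNs and conditions and only matches on the action.

```python
import fnmatch

# Constructed sample policy documents (not from any real account).
IDENTITY_POLICY = {                      # attached to the user/group/role
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
PERMISSION_BOUNDARY = {                  # caps what IDENTITY_POLICY may grant
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}],
}
SCP = {                                  # applied by the organization on the OU
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:PutBucketPolicy", "Resource": "*"},
    ],
}

def _matches(statement, action):
    """Case-insensitive wildcard match of an action against a statement's Action list."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions)

def evaluate_policy(policy, action):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action):
            if stmt["Effect"] == "Deny":
                return "Deny"            # explicit deny beats everything else
            result = "Allow"
    return result

def is_allowed(action, identity_policies, boundary=None, scp=None):
    """Simplified evaluation of one action within one account (resource ARNs and conditions ignored)."""
    verdicts = [evaluate_policy(p, action) for p in identity_policies]  # all attached policies are joined
    if "Deny" in verdicts:
        return False
    # SCP and permission boundary are ceilings: each must allow, but neither grants anything by itself.
    for ceiling in (scp, boundary):
        if ceiling is not None and evaluate_policy(ceiling, action) != "Allow":
            return False
    return "Allow" in verdicts           # nothing allowed it -> implicit deny
```

With these documents, `iam:CreateUser` is allowed by the identity policy alone but refused once the boundary is attached, which is exactly the privilege-escalation case the boundary is meant to stop.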
- RAM: Resource Access Manager
- can share AWS resources between accounts
- e.g. EC2, Aurora, Route 53, resource groups
- sharing must be enabled with the master account
- only resources owned by the account can be shared; cannot re-share resources owned by other accounts
- resource sharing can also be done at the individual-account level if RAM sharing with the organization is not enabled
- SSO helps centrally manage access to AWS accounts
- exam tip: SAML in question -> SSO in answer
AWS Directory Service
- a family of managed services heavily integrated with Microsoft Active Directory (AD)
- connect AWS resources with on-premises AD //TODO
- standalone directory in the cloud
- use existing corporate credentials
- enable SSO to any domain-joined EC2 instance
- provides AD domain controllers (DCs) running in the cloud, reachable by applications in the VPC
- extend existing AD to on-premises using AD Trust
- Simple AD: standalone managed directory
- support Windows workloads that need basic AD features
- easier to manage EC2
- does not support trusts
- AD Connector
- directory gateway for on-premises AD
- avoid caching information in the cloud
- if used with SSO, does not cache user information; only forwards requests to the on-premises AD
- allows on-premises users to log in to AWS using AD credentials
- join EC2 instances to the existing AD domain
- useful for on-premises applications
- scale across multiple AD Connector instances
- Cloud Directory
- directory-based store for developers
- use cases: org charts
- fully managed service