I’m taking AWS training from Linux Academy along with some peers. These are continuations of my notes.
AWS Certified Solutions Architect - IAM
Linux Academy’s IAM section notes.
- IAM can federate with SAML providers. That’s new to me.
- Simple token? That got briefly mentioned as a temp login
- Example given that AD users federated via SAML can assume a Role, so AD-authenticated users can work in AWS without an IAM user being created for each of them
- A couple of test-question-worthy-looking facts on combining group and user permissions:
- By default explicit DENY overrides ALLOW
- By default a user has non-explicit DENY on all services
- Multiple mentions of using Roles for services rather than API keys, e.g. for EC2 instances that need to access AWS services
- Another mention that a user can assume a Role for temporary access…I want to see more on that
- Users can have cross-account access between AWS root accounts
IAM Best Practices for New Accounts
- Shows another walkthrough of root account security status tasks
- Describes the Security Token Service (STS) as temp credentials for service access. Sounds very much like OAuth
- IAM user access to billing has to be explicitly enabled, beyond IAM policies, before non-root-account users can access billing
API Keys And Roles
- In demonstrating role creation I see there are different role types
- AWS Service
- Cross-account access
- Identity provider access
- Looks like it includes still-unnamed OAuth and SAML access to IAM accounts. Cool.
- Repeated twice, so important: an IAM Role can only be associated with an EC2 instance when the EC2 instance is created
- Cannot change or add a role to an existing EC2 instance
- However, later demonstrates that can alter policies on the Role
- Another repetition that explicit DENY overrides ALLOW
- Policy simulator - cute, basically an allow/deny indicator on any available actions for a policy
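The evaluation order from the earlier section (implicit deny by default, explicit DENY beats ALLOW, user and group policies combined) and the policy simulator's allow/deny readout are both easy to get wrong in a test question, so here is a toy evaluator that exercises them. This is an added example, not Linux Academy's or AWS's code; it assumes policies use only Action/Resource (no NotAction, NotResource or Condition blocks) and ignores resource-based policies, SCPs and permissions boundaries. The user and group policies are constructed for the example.

```python
"""Toy evaluator for IAM identity-based policies (added example, not Linux
Academy's or AWS's code).  It models the evaluation order the notes record:
a request starts at implicit deny, an explicit Allow in any policy attached
to the user or to one of the user's groups grants it, and an explicit Deny
anywhere wins over every Allow.  Assumptions: only Action/Resource (not
NotAction/NotResource), no Condition blocks; resource-based policies, SCPs
and permissions boundaries are out of scope."""
import re


def _wild(pattern, value, ignore_case=False):
    """Match an IAM-style pattern where '*' and '?' are the only wildcards."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request.
    Action names compare case-insensitively and ARNs case-sensitively, as IAM does."""
    actions = _as_list(stmt.get("Action", []))
    if not any(_wild(a, action, ignore_case=True) for a in actions):
        return False
    return any(_wild(r, resource) for r in _as_list(stmt.get("Resource", [])))


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request,
    given every policy document attached to the principal (user + groups)."""
    decision = "ImplicitDeny"  # nothing is allowed until a statement says so
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny cannot be overridden
            decision = "Allow"
    return decision


def simulate(policies, requests):
    """Policy-simulator style view: one decision per (action, resource)."""
    return {f"{a} on {r}": evaluate(policies, a, r) for a, r in requests}


# Constructed sample: the user's own policy plus the policy of a group the
# user belongs to.  The group's Deny on s3:DeleteBucket must beat the user's
# broad s3:* Allow.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
EFFECTIVE = [USER_POLICY, GROUP_POLICY]

REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
    ("s3:DeleteBucket", "arn:aws:s3:::example-bucket"),
    ("ec2:DescribeInstances", "*"),
    ("ec2:TerminateInstances", "*"),
]

if __name__ == "__main__":
    for request, decision in simulate(EFFECTIVE, REQUESTS).items():
        print(f"{decision:12} {request}")
```

Order of the policy documents does not matter: the Deny is returned as soon as it is seen, and an Allow found earlier is discarded, which is exactly why "explicit DENY overrides ALLOW" holds regardless of whether the deny sits on the user or on the group.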
Log IAM Events With CloudTrail
- Interesting to me: CloudTrail is activated per-region. The video uses an alternate region so he can show the initial activation.
- He created an SNS notification for when CloudTrail writes logs
- Can use with CloudWatch to alert on specific actions
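To make "alert on specific actions" concrete, here is a small set of detection rules run over CloudTrail records, of the kind you would otherwise express as CloudWatch Logs metric filters. This is an added example, not Linux Academy's or AWS's code. The record fields it reads (userIdentity, eventSource, eventName, awsRegion, additionalEventData, responseElements) are standard CloudTrail record fields; the log file itself is constructed for the example, and the rule names and the `scan` function are my own.

```python
"""Detection rules over CloudTrail records (added example, not Linux
Academy's or AWS's code).  CloudTrail delivers JSON files whose "Records"
array holds one object per API call.  The rules cover root account use,
console login without MFA, IAM policy changes, and changes to CloudTrail
itself.  SAMPLE_LOG is constructed for this example."""
import json

# Equivalent CloudWatch Logs metric-filter pattern for the root-usage rule
# (the CIS AWS Foundations Benchmark "root account usage" filter).
ROOT_USAGE_METRIC_FILTER = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

IAM_POLICY_EVENTS = {
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy", "DeletePolicyVersion",
    "SetDefaultPolicyVersion", "AttachRolePolicy", "DetachRolePolicy",
    "AttachUserPolicy", "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
    "PutRolePolicy", "DeleteRolePolicy", "PutUserPolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "DeleteGroupPolicy",
}
CLOUDTRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def root_usage(rec):
    # Root calls made by a service on the account's behalf carry invokedBy; skip those.
    ui = rec.get("userIdentity", {})
    return (ui.get("type") == "Root" and "invokedBy" not in ui
            and rec.get("eventType") != "AwsServiceEvent")


def console_login_without_mfa(rec):
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("additionalEventData", {}).get("MFAUsed") == "No"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success")


def iam_policy_change(rec):
    return rec.get("eventSource") == "iam.amazonaws.com" and rec.get("eventName") in IAM_POLICY_EVENTS


def cloudtrail_change(rec):
    return rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in CLOUDTRAIL_EVENTS


RULES = [
    ("RootAccountUsage", root_usage),
    ("ConsoleLoginWithoutMFA", console_login_without_mfa),
    ("IAMPolicyChange", iam_policy_change),
    ("CloudTrailConfigChange", cloudtrail_change),
]


def actor(rec):
    ui = rec.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or ui.get("type", "unknown")


def scan(log_text):
    """Return (rule, eventTime, awsRegion, eventName, actor) for each record that trips a rule."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        for name, matches in RULES:
            if matches(rec):
                alerts.append((name, rec["eventTime"], rec["awsRegion"], rec["eventName"], actor(rec)))
    return alerts


ACCT = "123456789012"  # constructed account id
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2019-03-01T12:00:00Z", "awsRegion": "us-east-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root", "accountId": ACCT},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2019-03-01T12:05:00Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "requestParameters": {"roleName": "app-role", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventVersion": "1.05", "eventTime": "2019-03-01T12:06:00Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/app-role/i-0abc123"}},
    {"eventVersion": "1.05", "eventTime": "2019-03-01T12:07:00Z", "awsRegion": "us-west-2",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventVersion": "1.05", "eventTime": "2019-03-01T12:08:00Z", "awsRegion": "us-east-1",
     "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root", "invokedBy": "AWS Internal"}},
]})

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(" | ".join(alert))
```

The third record, an EC2 instance calling DescribeInstances through its instance Role, deliberately trips nothing: that is the "Roles instead of API keys" pattern showing up in the trail as an AssumedRole identity. The fourth record is the one the per-region point matters for: a StopLogging issued in us-west-2 only lands in a trail that covers that region.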
No Quiz?
No quiz. The rest of the sections seem to have quizzes and/or labs