I’m taking AWS training from Linux Academy along with some peers. These are continuations of my notes.

AWS Certified Solutions Architect - IAM

Linux Academy’s IAM section notes.

IAM Essentials

  • IAM can federate with SAML providers. That’s new to me.
  • Simple token? That got briefly mentioned as a temp login
  • Example given that AD via SAML can assume a Role, so AD-authenticated users can work in AWS without creating an IAM user for each of them
  • A couple of test-question-worthy-looking facts on combining group and user permissions:
    • By default explicit DENY overrides ALLOW
    • By default a user has non-explicit DENY on all services
  • Multiple mentions of using Roles for services and not using API keys for e.g. EC2 instances to access AWS services
  • Another mention that a user can assume a Role for temporary access…I want to see more on that
  • Users can have cross-account access between AWS root accounts

IAM Best Practices for New Accounts

  • Shows another walkthrough of root account security status tasks
  • Describes Security Token service as temp credentials for service access. Sounds very much like OAuth
  • IAM user access to billing has to be explicitly enabled beyond IAM policies to give non-root-account users the ability to access billing

API Keys And Roles

  • In demonstrating role creation I see there are different role types
    • AWS Service
    • Cross-account access
    • Identity provider access
      • Looks like it includes still-unnamed OAuth and SAML access to IAM accounts. Cool.
  • Repeated twice, so important: an IAM Role can only be associated with an EC2 instance when the EC2 instance is created
    • Cannot change or add a role to an existing EC2 instance
    • However, later demonstrates that can alter policies on the Role

IAM Policies

  • Another repetition that explicit DENY overrides ALLOW
  • Policy simulator - cute, basically an allow/deny indicator on any available actions for a policy
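To make the two evaluation rules from these notes concrete (a user starts with an implicit deny on everything, and an explicit DENY beats any ALLOW), here is an added Python example, not from the course or from AWS, that applies IAM-style statements to a request. The group and user policies are constructed sample data; the evaluator ignores Conditions, NotAction and resource-based policies, which the real policy simulator does handle.

```python
import fnmatch

# Constructed sample policies (not from the course): a group policy granting
# broad S3 access and a user policy that explicitly denies object deletion.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    # '*' and '?' act as wildcards; action names compare case-insensitively,
    # resource ARNs compare case-sensitively.
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one action on one resource, combining
    every identity policy that applies (user, group, role)."""
    decision = "Deny"  # implicit deny: nothing is allowed until a statement says so
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, True)
                    and _matches(stmt["Resource"], resource, False)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins no matter what else allows
            decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate([GROUP_POLICY, USER_POLICY], "s3:GetObject", obj))     # Allow
    print(evaluate([GROUP_POLICY, USER_POLICY], "s3:DeleteObject", obj))  # Deny
```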

Log IAM Events With CloudTrail

  • Interesting to me: CloudTrail is activated per-region. Video is using an alternate region so he can show initial activation.
  • He created an SNS notification for when CloudTrail writes logs
  • Can use with CloudWatch to alert on specific actions

No Quiz?

No quiz. The rest of the sections seem to have quizzes and/or labs