IAM and Cloud Shell Notes

Cloud Shell

  • Cloud Shell is a browser-based terminal accessible via an icon in the AWS console.
  • It allows users to issue commands against AWS without needing a local terminal.
  • It may not be available in all AWS regions; ensure you're using a supported region.
  • It comes pre-configured with AWS CLI.
  • Commands issued from Cloud Shell use the credentials of the AWS account you're logged into.
  • The default region for CLI/API calls in Cloud Shell is the region currently selected in the console you're logged into.
  • Files created in the Cloud Shell environment persist across restarts.
  • Cloud Shell is customizable, allowing you to adjust font size, theme (light or dark), etc.
  • Supports file upload and download.
  • Allows creation of multiple tabs and split-screen views for simultaneous terminal access.
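Added example (not part of these notes): a preflight check to run in Cloud Shell before any state-changing command, confirming which identity and region the CLI will act as (the points above about inherited credentials and default region). It parses the JSON from aws sts get-caller-identity, classifies the ARN, and returns non-zero when the session is the root user. The account id, user name and sample JSON are constructed, and the fallback to that sample when the CLI is unavailable is an assumption so the script also runs offline.

```shell
#!/bin/sh
# Added example (not part of the notes): before running a state-changing
# command in Cloud Shell, confirm which identity and region the CLI will use.
# Account id, user names and the sample JSON below are constructed.

# Extract the "Arn" field from `aws sts get-caller-identity` JSON read on stdin.
caller_arn() {
  sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Classify the caller ARN: root user, IAM user, assumed role, or other.
caller_kind() {
  case "$1" in
    arn:aws:iam::*:root)            echo root ;;
    arn:aws:iam::*:user/*)          echo user ;;
    arn:aws:sts::*:assumed-role/*)  echo assumed-role ;;
    *)                              echo other ;;
  esac
}

# Region the CLI defaults to: Cloud Shell exports AWS_REGION for the console
# region; outside Cloud Shell fall back to the CLI config, else "unset".
effective_region() {
  if [ -n "${AWS_REGION:-}" ]; then
    echo "$AWS_REGION"
  elif command -v aws >/dev/null 2>&1; then
    r=$(aws configure get region 2>/dev/null) || r=""
    echo "${r:-unset}"
  else
    echo unset
  fi
}

# Print identity and region; return non-zero if the session is the root user,
# so a calling script can stop (root is for initial account setup only).
preflight() {
  arn=$(caller_arn)
  kind=$(caller_kind "$arn")
  printf 'identity: %s (%s)\nregion:   %s\n' "$arn" "$kind" "$(effective_region)"
  [ "$kind" != root ]
}

# Use the live CLI when it works; otherwise fall back to a constructed sample.
identity=$(aws sts get-caller-identity --output json 2>/dev/null) ||
  identity='{"UserId": "AIDAEXAMPLE", "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/alice"}'

printf '%s\n' "$identity" | preflight || echo 'refusing to continue: session is the root user'
```

Usage: source the file and call preflight at the top of any script you paste into Cloud Shell; because the check reads the real caller identity rather than what you believe you logged in as, it catches the case where a console session or a copied credential is not the one you intended.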

IAM Roles

  • IAM roles grant permissions to AWS services to perform actions on your behalf.
  • They are used by AWS services, not physical users.
  • An IAM role is assigned to an AWS service, such as an EC2 instance, to define what actions it can perform.
  • Common use cases include EC2 instance roles, Lambda function roles, and CloudFormation roles.

Creating IAM Roles

  • Roles are created for AWS services that need to perform actions on AWS on your behalf.
  • Select the AWS service for which the role will apply (e.g., EC2).
  • Attach policies to the role to define permissions (e.g., IAMReadOnlyAccess).
  • Specify a role name (e.g., demo role for EC2).
  • The trusted entity indicates which service can assume the role (e.g., EC2).
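Added example (not part of these notes): the role creation steps above as an AWS CLI script, keeping the two documents the steps refer to apart: the trust policy (the trusted entity, here the EC2 service principal) and the permissions policy (IAMReadOnlyAccess, as in the notes). The role and instance profile name demo-role-ec2 is an assumption; the live IAM calls only run when the script is invoked with --apply, so by default it prints and checks the trust policy without touching the account.

```shell
#!/bin/sh
# Added example (not from the notes): create an EC2 instance role, keeping the
# trust policy (who may assume the role) separate from the permissions policy
# (what the role may do). Role/profile name is an assumption.

ROLE_NAME="${ROLE_NAME:-demo-role-ec2}"
PERMISSIONS_POLICY_ARN="arn:aws:iam::aws:policy/IAMReadOnlyAccess"   # managed policy named in the notes

# Trust policy: only the EC2 service principal may call sts:AssumeRole on this
# role. This is the "trusted entity" chosen when creating the role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# List the service principal(s) a trust policy (stdin) trusts; a quick check
# that the document trusts exactly what you intended before sending it to IAM.
trust_principals() {
  sed -n 's/.*"Service"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Create the role, attach the managed permissions policy, and wrap the role in
# an instance profile (the object an EC2 instance is actually launched with).
# Needs the CLI, credentials and IAM permissions; only runs with --apply.
create_ec2_role() {
  tmp=$(mktemp)
  ec2_trust_policy > "$tmp"
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "file://$tmp"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$PERMISSIONS_POLICY_ARN"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  rm -f "$tmp"
}

# Dry run by default: show the trust policy and the principal it trusts.
ec2_trust_policy
printf 'Trusted service principal: %s\n' "$(ec2_trust_policy | trust_principals)"
if [ "${1:-}" = "--apply" ]; then
  create_ec2_role
fi
```

Design note: a role with IAMReadOnlyAccess attached but a trust policy that names the wrong principal is either unusable or usable by the wrong party, which is why the script prints the trusted principal before anything is created.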

IAM Security Tools

  • IAM Credentials Report: Account-level report detailing all users and their credential statuses.
  • IAM Access Advisor: User-level tool showing service permissions granted to a user and when those services were last accessed.
  • Access Advisor helps implement the principle of least privilege by identifying permissions that are never used.

IAM Best Practices

  • Do not use the root account except for initial AWS account setup.
  • Map one AWS user to one physical user.
  • Assign users to groups and manage permissions at the group level.
  • Create a strong password policy.
  • Enforce multi-factor authentication (MFA).
  • Create and use roles for AWS services.
  • Generate and safeguard access keys for programmatic access.
  • Audit permissions using IAM Credentials Report and Access Advisor.
  • Never share IAM users or access keys.
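Added example (not part of these notes), serving both the IAM Security Tools section and the best practices above: an audit of the IAM Credentials Report that flags the conditions the practices call out, namely root with access keys, root without MFA, console users without MFA, and active access keys past a rotation age. The CSV column names follow the real report's header and are looked up by name rather than position; the four rows and the account id are constructed. The 90-day threshold, the --live switch and the fetch helper are assumptions. Key age is computed with a Julian day formula in awk so the script does not depend on GNU versus BSD date(1).

```shell
#!/bin/sh
# Added example (not in the notes): audit an IAM credential report for root
# access keys, missing MFA, and stale access keys. Real report header; the
# rows in sample_report are constructed.

MAX_KEY_AGE_DAYS="${MAX_KEY_AGE_DAYS:-90}"

# Fetch a fresh report as decoded CSV. Generation is asynchronous, so poll
# until the state is COMPLETE. Needs iam:GenerateCredentialReport and
# iam:GetCredentialReport.
fetch_credential_report() {
  until aws iam generate-credential-report --query State --output text | grep -q COMPLETE; do sleep 2; done
  aws iam get-credential-report --query Content --output text | base64 -d
}

# Audit a report read on stdin as of the given date (YYYY-MM-DD). Prints one
# finding per line: "<FINDING> <user>".
audit_credential_report() {
  awk -F, -v asof="$1" -v maxage="$MAX_KEY_AGE_DAYS" '
  # Julian day number of an ISO date/time string (only YYYY-MM-DD is read).
  function jdn(s,   y, m, d, a, yy, mm) {
    y = substr(s, 1, 4) + 0; m = substr(s, 6, 2) + 0; d = substr(s, 9, 2) + 0
    a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
    return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
  }
  BEGIN { today = jdn(asof) }
  NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header names -> column numbers
  {
    user = $(col["user"])
    if (user == "<root_account>") {
      if ($(col["access_key_1_active"]) == "true" || $(col["access_key_2_active"]) == "true")
        print "ROOT_ACCESS_KEY", user
      if ($(col["mfa_active"]) != "true") print "ROOT_NO_MFA", user
      next
    }
    # Console (password) users must have MFA; pure API users have no password.
    if ($(col["password_enabled"]) == "true" && $(col["mfa_active"]) != "true")
      print "CONSOLE_NO_MFA", user
    # Either access key slot: active and not rotated within maxage days.
    for (k = 1; k <= 2; k++)
      if ($(col["access_key_" k "_active"]) == "true" &&
          today - jdn($(col["access_key_" k "_last_rotated"])) > maxage)
        print "STALE_KEY_" k, user
  }'
}

# Constructed sample: real header, fictitious account and users.
sample_report() {
  cat <<'EOF'
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T09:00:00+00:00,not_supported,2024-05-20T08:00:00+00:00,not_supported,not_supported,false,true,2023-01-10T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-01T09:00:00+00:00,true,2024-05-30T10:00:00+00:00,2024-03-01T09:00:00+00:00,N/A,true,true,2024-04-15T09:00:00+00:00,2024-05-30T10:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-03-01T09:00:00+00:00,true,2024-05-30T10:00:00+00:00,2024-03-01T09:00:00+00:00,N/A,false,true,2023-11-01T09:00:00+00:00,2024-05-30T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-03-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-01T09:00:00+00:00,2024-05-30T10:00:00+00:00,us-east-1,ec2,true,2023-02-01T09:00:00+00:00,2024-01-01T00:00:00+00:00,us-east-1,ec2,false,N/A,false,N/A
EOF
}

# --live audits the real account as of today; default audits the sample.
if [ "${1:-}" = "--live" ]; then
  fetch_credential_report | audit_credential_report "$(date +%Y-%m-%d)"
else
  sample_report | audit_credential_report 2024-06-01
fi
```

On the sample, as of 2024-06-01 with a 90-day threshold, the audit reports root for both an access key and missing MFA, bob for a console login without MFA and a key last rotated in November 2023, and deploy-bot for its second key; alice passes. The report reflects the whole account, so it is the place to start the audit before drilling into individual users with Access Advisor.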

Shared Responsibility Model

  • AWS manages infrastructure and global network security.
  • Customers (you) manage users, groups, roles, and policies.
  • Customers are responsible for MFA, key rotation, and applying appropriate permissions.
  • Customers analyze access patterns and review permissions.

IAM Summary

  • IAM Users: Represent physical users and have passwords.
  • IAM Groups: Collections of users.
  • IAM Policies: Define permissions for users or groups.
  • IAM Roles: Identities for AWS services.
  • MFA: Enable multi-factor authentication for security.
  • Password Policy: Set password complexity and rotation rules.
  • AWS CLI/SDK: Manage AWS services programmatically.
  • Access Keys: Enable CLI/SDK access.
  • IAM Credentials Report & Access Advisor: Audit IAM usage.