4) IAM Policies Hands On- AWS Certified Solutions Architect Associate Course SAA-C02- Okay so let’s play with IAM policies. So if we go into my user groups right now

NOTE– In the below pictures on the left hand side I logged into my Root User Account and opened IAM, on the right hand side I opened IAM User Account.

  • I can see that my group admin contains one user saicharan(click on admin)

  • So if I go on the right hand side and go to my Services

 

 

 

  • and I go to IAM, so I’ll go to the IAM service, see below picture

  • I will show you one thing.
  • So, this user is an IAM user.
  • And therefore, if you go to, for example, users

  • you can see all the users

  • Okay, great.
  • So now what I’m going to do is I’m going to Remove saicharan from the admin group which is in root user account on left side

  • I’m going to remove this user.
  • and the user will lose the group permissions, that’s true.

  • So the user has been removed from the group.
  • and how do we make sure that this is applied?
  • Well, if i go on the right-hand side(admin user management console)
  • and now refresh this page, as you can see,
  • I need permissions to access this page

  • and my user saicharan is not authorized
  • to perform IamlistUsers on this page.
  • user has been removed from the admin group and does not belong to group, user lost the group permission(policy that applied).
  • So that makes sense right?
  • Because we removed the user saicharan from the admin group.
  • So what i can do is i can fix this.
  • and to fix it, i can go into my users.

  • go to saicharan 

  • and now I can attach permissions directly to my saicharan user.
  • So two ways of doing so, number one is to add permissions
  • and use policies that already exists or that you created.
  • or add an inline policy to just add policies.

  • So, I’m going to add permissions

  • and I’m going to attach existing policies directly

  • and i will search for IAM
  • And I’m going to look for IAM read-only access
  • I review

  • I add these permissions.

 

  • and now my user saicharan has IAM read only access.

  • What dies that mean?
  • That means that, for example, if I refresh this right side page…
  • Then, as we can see, the user saicharan does exist.

  • But for example, if I go to User groups(right side window which is IAM user Account)

  • and I try to create a group and call it “developers

  • and create this group.

  • I’m going to get an exception.

  • because I’m not authorized to do create group,
  • I was only authorized to have read-only access to IAM.
  • So this really shows the power of IAM and so on.
  • So, now if I go to my user groups,(left hand side window, root user account), I Can do two things.
  • So number one, I can go into the admin group

  • and I’m going to add back

  • this saicharan user so that we have administrator access

  • The second thing I’m going to do is I’m going to

  • create a group named “developers” (on left hand side window, this is root user account)

  • And I’m also going to add saicharan into this group

  • and I’m going to attach a policy,
  • whatever the first policy I Found
  • it was AWSDirectConnectReadOnlyAccess

  • and then create this group.

  • It doesn’t matter which policy you’re attached to,
  • I just want to show you a behavior.
  • Okay so, now we have two groups,

  • we have admin and the developer group,
  • and the user saicharan is in both groups.

  • So what’s going to happen is
  • that if I click on the user saicharan
  • and look at the policies it has, it has three policies

  • One that was attached directly named IAM ReadOnlyAccess.
  • One that was in two that were in Attached from groups.
  • The first one is AWSdirectconnectreadonlyaccess from the group developers.
  • and second one is, it was AdministratorAccess from the group admin.
  • So, as we can see, the policies get inherited.
  • in different ways through the IAM permissions.

 

  • So finally, I want to show you how policies work.
  • So if you go to policies.
  • we have a list of all the policies available.
  • within AWS right here, their managed policy.
  • So this one is administrator access.
  • and we’ve been using it before.

  • Click on AdministratorAccess
  • And if you look at the policy, JSON forum, as we can see

  • we have a version and we have a statement
  • that statement contains one statements
  • and the Effect is Allow.
  • So to authorize action is “*”
  • that means any action resource is “*”,
  • that means any resource.
  • So we allow all the actions on all the resources.
  • therefor making this policy an administrator access policy.

 

  • we can go into policy summary as well.

  • and this is another view of the policy.
  • we have allow on 329 services of 329.
  • Now services get added all the time,
  • so if you dont have the same number,
  • dont worry, this course is up to date.

 

  • So we can have a look at another policy.

  • For example, the IAM read only policy

  • that we’ve dealt with from before.
  • So, this time allows one service out of 329

  • which is IAM.
  • And if we look at the JSON Documents,
  • we can see all the actions that are authorized by this IAM read only access.

  • So we get, for example, “iam:Get* ,
  • the star GenerateCredentionalsReport,
  • and so on, on the resource star
  • There is also a way for you to create your own policy.
  • So you can go back to your policies and create a policy

  • and you have two ways of doing it.
  • Either, you want to write plain and simple JSON

  • or you can use the visual editor, and this is quite handy.

  • For Example, we can choose the service IAM,

  • then we can choose an Action.

 

  • And we can, for example, do a ListUser,
  • so I Can filter for list users

  • for Effects and I can do GetUser.

  • So let’s say we want to add these two actions

  • and on the Resources we can specify specific resources.

  • or all resources.

 

  • we could also specify a request condition if we wanted to.

  • So, once we’ve done that
  • if we go to the JSON documents

  • as we can see the visual editor SID was Added,
  • which has the statement ID,
  • and we have two actions that were added.
  • So IAM list users and get users on resource start.
  • So it’s quite a handy way to generate JSON directly
  • from the visual editor.
  • Okay, So just to finish this lecture,
  • let’s do a few things.
  • In user groups, I’m going to delete the developers group
  • cause i dont need it.

  • and i need you to type the name of the group,
  • so i will type developers and click on delete.

 

  • And also on my Users as saicharan,
  • I’m going to remove the policy that was attached directly.
  • because we dont need this IAM read onlyAcess policy.

  • I will just remove it and we’re good to go.

  • So, now my user saicharan has a full administrator access
  • because it is inherited from the admin group.
  • And so obviously if I go back to my IAM also on the right side.
  • as we can see, everything is working just fine.
  • So I will just refresh and here we go.

  • thing are working.
  • So that’s it for this lecture.
  • I hope you liked it.
  • and i will see you in the next lecture.

 

By Sai Charan Paloju

Trained AWS Certified Solutions Architect Associate Course SAA-C02/Content Writer/Creator, Masters Degree- Software Engineering, Bachelors Degree- Computer Science & Engineering, Youtuber- Host/Interviewer/Content Creator/Video Editor, Podcaster- Host/Interviewer/Content Creator/Editor, Technical Writer, Social Media Manager/Influencer Ex-Professional Cricketer mailme@smartcherrysthoughts.com https://smartcherrysthoughts.com/

Leave a Reply

Your email address will not be published. Required fields are marked *