내맘대로 Study / Everything about AWS

[Certification] AWS Basics (IAM & AWS CLI)

jinkwon.kim 2021. 11. 25. 00:02

Overview

We look at what IAM is.

 

What is IAM?

Identity and Access Management; it is a global service (not tied to a region).

It is the service that manages who may access what in your AWS account.

 

IAM Components

1. Users

    - Users are people within your organization, and can be grouped

    - Users don't have to belong to a group, and a user can belong to multiple groups

2. Groups

    - Groups only contain users, not other groups

3. Roles

    - A role is not assigned to a user or group; it is assumed by an AWS resource such as an EC2 instance, which then acts with the role's permissions

4. Policies

    - A document that defines one or more permissions. The document is written in JSON.

5. Permissions

    - Decide which actions are allowed or denied on which resources.

 

IAM : Permissions

1. Users or Groups can be assigned JSON documents called policies

2. These policies define the permissions of the users

3. In AWS you apply the least privilege principle: don't give more permissions than a user needs

 

 

IAM : Policies inheritance

1. Group policy : applies to every user in the group; a user who is in several groups inherits the policies of all of them

2. Inline policy : embedded directly in one identity (here, a user) rather than inherited through a group

A user's effective permissions are the union of all inherited and inline policies, with any explicit Deny overriding every Allow.

 

IAM : Policies Structure 

Consists of

    - Version : policy language version, always include "2012-10-17"

    - Id : an identifier for the policy (optional)

    - Statement : one or more individual statements (required)

 Statement consists of

    - Sid : an identifier for the statement (optional)

    - Effect : whether the statement allows or denies access (Allow, Deny)

      * Decides whether the API calls listed in Action are permitted or not

    - Principal : the account/user/role to which this policy applies

      * Specifies which account the policy applies to. This element appears in resource-based policies (for example an S3 bucket policy) and in a role's trust policy; identity-based policies attached to users, groups and roles have no Principal, because the identity they are attached to is the principal

    - Action : list of actions this policy allows or denies

      * A list of API calls; Effect decides whether they are allowed or denied

    - Resource : list of resources to which the actions apply

      * Decides which resources the actions apply to

    - Condition : conditions for when this policy is in effect (optional)
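The policy elements above, together with the group-versus-inline inheritance described earlier, as an added example that is not code from the original post. It builds two constructed policy documents in the JSON shape IAM uses and evaluates requests against them with the core rule for identity-based policies: everything is implicitly denied, an explicit Deny in any applicable policy wins, and otherwise at least one matching Allow is required. The bucket name, the user, the group and the request values are assumptions made for illustration, and the evaluator implements only the Bool condition operator.

```python
"""Build IAM identity-based policy documents and evaluate requests offline.

Added example, not from the original post. Policies, users, groups and
requests are constructed for illustration; only the Bool condition
operator is implemented.
"""
import fnmatch
import json

# Constructed least-privilege policy attached to a group: list one bucket and
# read its objects, and only over TLS (aws:SecureTransport).
READ_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-read-only",       # optional
    "Statement": [
        {
            "Sid": "ListTheBucket",  # optional
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket"],
        },
        {
            "Sid": "ReadObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
    ],
}

# Constructed inline policy on one user: an explicit Deny for one prefix.
DENY_SECRETS_PREFIX = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NoSecrets",
            "Effect": "Deny",
            "Action": "s3:*",        # a single string is allowed as well as a list
            "Resource": "arn:aws:s3:::example-bucket/secrets/*",
        }
    ],
}

GROUPS = {"readers": [READ_ONLY_BUCKET_POLICY]}
ALICE = {"name": "alice", "groups": ["readers"], "inline": [DENY_SECRETS_PREFIX]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, case_sensitive):
    """IAM-style wildcard match: '*' spans any characters, including '/'."""
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only the Bool operator is implemented (enough for aws:SecureTransport)."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def effective_policies(user, groups):
    """Inheritance: every policy of every group the user is in, plus inline ones."""
    return [p for g in user["groups"] for p in groups[g]] + list(user["inline"])


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request across all applicable policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        assert policy["Version"] == "2012-10-17", "unexpected policy language version"
        for stmt in policy["Statement"]:
            if not _matches(action, _as_list(stmt["Action"]), case_sensitive=False):
                continue  # action names are case-insensitive
            if not _matches(resource, _as_list(stmt["Resource"]), case_sensitive=True):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allows


if __name__ == "__main__":
    print(json.dumps(READ_ONLY_BUCKET_POLICY, indent=2))
    pols = effective_policies(ALICE, GROUPS)
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/a.txt"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/k.pem"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/public/a.txt")]:
        print(act, res, evaluate(pols, act, res, {"aws:SecureTransport": "true"}))
```

Running it shows the three outcomes a practitioner should expect: the public object is allowed, the secrets prefix is denied even though the group policy would allow it (explicit Deny wins), and PutObject is denied because nothing grants it (implicit deny). Dropping the `aws:SecureTransport` key from the context turns the first Allow into a Deny, which is how a Condition narrows a grant.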

 

IAM : Password Policy 

In AWS, you can set up an account-wide password policy

    - Set a minimum password length

    - Require specific character types:

        * uppercase letters

        * lowercase letters

        * numbers

        * non-alphanumeric characters

    - Allow all IAM users to change their own passwords

    - Require users to change their password after some time (password expiration)

    - Prevent password re-use
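The password policy settings above, as an added example that is not code from the original post. The dictionary keys are the real parameter names of `aws iam update-account-password-policy` (and of the matching boto3 call); the chosen values, the password history and the candidate passwords are constructed for illustration. The checker models locally what each setting means, and the last function renders the same policy as CLI arguments.

```python
"""Check candidate passwords against an IAM account password policy, offline.

Added example, not from the original post. The dictionary keys are the real
parameter names of `aws iam update-account-password-policy`; the values,
the password history and the candidate passwords are constructed.
"""
import string

# Constructed policy in the shape the IAM API accepts.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,           # days until expiration
    "PasswordReusePrevention": 24,  # previous passwords remembered (1-24)
}

SYMBOLS = set(string.punctuation)  # the ASCII non-alphanumeric characters


def check_password(candidate, policy, previous=()):
    """Return the names of the policy rules the candidate violates (empty = OK).

    `previous` is the user's password history, most recent first. IAM never
    exposes old passwords; the reuse rule is modelled here only to show what
    PasswordReusePrevention means."""
    failures = []
    if len(candidate) < policy.get("MinimumPasswordLength", 8):
        failures.append("MinimumPasswordLength")
    if policy.get("RequireUppercaseCharacters") and not any(c.isupper() for c in candidate):
        failures.append("RequireUppercaseCharacters")
    if policy.get("RequireLowercaseCharacters") and not any(c.islower() for c in candidate):
        failures.append("RequireLowercaseCharacters")
    if policy.get("RequireNumbers") and not any(c.isdigit() for c in candidate):
        failures.append("RequireNumbers")
    if policy.get("RequireSymbols") and not any(c in SYMBOLS for c in candidate):
        failures.append("RequireSymbols")
    remembered = policy.get("PasswordReusePrevention", 0)
    if remembered and candidate in list(previous)[:remembered]:
        failures.append("PasswordReusePrevention")
    return failures


def password_expired(age_days, policy):
    """MaxPasswordAge: True once the password is older than the limit (absent = never)."""
    limit = policy.get("MaxPasswordAge", 0)
    return bool(limit) and age_days > limit


def to_cli_args(policy):
    """Render the policy as arguments for `aws iam update-account-password-policy`.

    Booleans become --flag / --no-flag and numbers become --flag VALUE, following
    the CLI's CamelCase-to-kebab-case convention for parameter names."""
    args = []
    for key, value in policy.items():
        flag = "".join("-" + ch.lower() if ch.isupper() else ch for ch in key).lstrip("-")
        if isinstance(value, bool):
            args.append(("--" if value else "--no-") + flag)
        else:
            args.extend(["--" + flag, str(value)])
    return args


if __name__ == "__main__":
    print("aws iam update-account-password-policy " + " ".join(to_cli_args(PASSWORD_POLICY)))
    for pw in ["short1!", "CorrectHorse!Battery9", "alllowercase123!!"]:
        print(repr(pw), check_password(pw, PASSWORD_POLICY) or "accepted")
```

The printed command is what you would actually run to apply the policy; IAM then enforces the rules at password change time, so the local checker is only a way to see which rule a given password trips.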

 

IAM : Multi Factor Authentication - MFA

    - Users have access to your account and can possibly change configurations or delete resources in your AWS account

    - You want to protect your Root Account and IAM users

    - MFA = password you know + security device you own 

    - MFA device options in AWS: a virtual MFA device (authenticator app on a phone) or a physical device (a FIDO security key or a hardware TOTP token)

 

IAM : Roles for Services 

- Some AWS services will need to perform actions on your behalf

- To do so, we assign permissions to an AWS service with IAM Roles

- In other words, a role is how permissions are given to a service rather than to a person
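How a service role is wired up, as an added example that is not code from the original post. A role has two documents: a trust policy, which is the one place the Principal element from the policy structure section appears and says who may assume the role, and a permissions policy, which says what the role may do once assumed. The account id, role name, bucket and request values are assumptions; whether a given service actually supplies a condition key such as aws:SourceAccount when it assumes a role must be confirmed in that service's documentation, so the condition here is illustrative.

```python
"""Trust policy of a service role, and a check of who may assume it.

Added example, not from the original post. The account id, role name,
bucket and requests are constructed; the documents follow the shape IAM
uses for sts:AssumeRole. Only the StringEquals condition operator is
implemented.
"""

# Constructed trust policy: only the EC2 service may assume this role. The
# condition illustrates narrowing a trust to our own account (a guard against
# the confused-deputy problem); which keys a service populates is
# service-specific and is an assumption here.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEc2ToAssume",
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
        }
    ],
}

# Constructed permissions policy: what the role may do after it is assumed.
ROLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
    ],
}

# The two documents map onto the real CLI steps (not executed here):
#   aws iam create-role --role-name ExampleEc2S3Reader \
#       --assume-role-policy-document file://trust.json
#   aws iam put-role-policy --role-name ExampleEc2S3Reader \
#       --policy-name ReadBucket --policy-document file://permissions.json
# For EC2 the role is then placed in an instance profile that the instance
# is launched with; the instance obtains temporary credentials for the role.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringEquals is implemented, which is all the constructed policy uses."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator}")
        for key, value in pairs.items():
            if context.get(key) != value:
                return False
    return True


def can_assume(trust_policy, principal, context):
    """True if `principal` ({"Service": name} or {"AWS": arn}) may call
    sts:AssumeRole under this trust policy, given the request context."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        trusted = stmt.get("Principal", {})
        if not any(wanted in _as_list(trusted.get(kind, []))
                   for kind, wanted in principal.items()):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    ctx = {"aws:SourceAccount": "111122223333"}
    print("ec2 from our account:", can_assume(EC2_TRUST_POLICY, {"Service": "ec2.amazonaws.com"}, ctx))
    print("lambda:", can_assume(EC2_TRUST_POLICY, {"Service": "lambda.amazonaws.com"}, ctx))
    print("an IAM user:", can_assume(EC2_TRUST_POLICY, {"AWS": "arn:aws:iam::111122223333:user/alice"}, ctx))
```

The point of the split is that nothing in the permissions policy says who gets the permissions; that is decided entirely by the trust policy, so reviewing a service role means reviewing both documents.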

 

IAM : Security Tools 

1. IAM Credentials Report (account-level)

    - A report that lists all your account's users and the status of their various credentials (password, MFA, access keys)

2. IAM Access Advisor (user-level)

    - Access Advisor shows the service permissions granted to a user and when those services were last accessed

    - You can use this information to revise your policies toward least privilege

 

IAM : Guidelines & Best Practices

1. Don't use the root account except for AWS account setup 

2. One physical user == One AWS user

3. Assign users to groups and assign permissions to groups

4. Create a strong password policy

5. Use and enforce the use of Multi Factor Authentication (MFA)

6. Create and use Roles for giving permissions to AWS services

7. Use Access Keys for Programmatic Access (CLI/SDK)

8. Audit permissions of your account with the IAM Credentials Report
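The credentials report from the Security Tools section, checked against guidelines 1, 5 and 7 above, as an added example that is not code from the original post. The CSV below is a constructed excerpt of the real report's columns (the live report is produced with `aws iam generate-credential-report` and then fetched with `aws iam get-credential-report --query Content --output text | base64 -d`); the users, ARNs and dates are made up, and the reference date is pinned to this post's date so the day counts are reproducible.

```python
"""Audit an IAM credential report for basic credential hygiene, offline.

Added example, not from the original post. The CSV is a constructed excerpt
of the real report's columns; users, ARNs and dates are made up. The
reference date is fixed so results are reproducible.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed excerpt; the real report has further columns
# (access_key_*_last_used_*, cert_*).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2021-11-20T09:00:00+00:00,not_supported,false,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-01-10T00:00:00+00:00,true,2021-11-24T08:00:00+00:00,2021-10-01T00:00:00+00:00,true,true,2021-10-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-02-15T00:00:00+00:00,true,no_information,2021-02-15T00:00:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2020-06-01T00:00:00+00:00,false,N/A,N/A,false,true,2020-06-01T00:00:00+00:00,true,2021-11-01T00:00:00+00:00
"""

NOW = datetime(2021, 11, 25, tzinfo=timezone.utc)  # the post's date
MAX_KEY_AGE_DAYS = 90  # rotation threshold; an assumption, pick your own


def _age_days(value, now=NOW):
    """Days since an ISO timestamp; None for the report's N/A-style markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return (now - datetime.fromisoformat(value)).days


def audit(report_csv, now=NOW, max_key_age=MAX_KEY_AGE_DAYS):
    """Return (user, finding) pairs for the guidelines the report can check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"   # the root row uses this marker
        console = row["password_enabled"] == "true" or is_root
        if console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has active access key {n}"))
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age:
                findings.append((user, f"access key {n} not rotated for {age} days"))
        if row["password_enabled"] == "true" and row["password_last_used"] == "no_information":
            findings.append((user, "console password never used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

On the constructed data the root account is flagged three times (no MFA, an active access key, and that key never rotated), bob is flagged for a console password without MFA that has never been used, and the ci-deploy user for a stale key; alice, who has MFA and a recently rotated key, produces nothing. A never-used console password is a candidate for removal under guideline 7: a user that only needs programmatic access should have access keys and no password.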

 

 


How to control AWS

1. AWS Management Console

    - Protected by password + MFA

2. AWS Command Line Interface (CLI)

    - Protected by access keys

3. AWS Software Development Kit (SDK)

    - For code : protected by access keys 

 

AWS : Access keys

- Access keys are secrets, just like a password, and must be protected like one

- An access key consists of

    1. Access Key ID == username 

    2. Secret Access Key == password
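Because access keys are secrets, the practical check is whether any have leaked into source or configuration text; this is an added example, not code from the original post. The scanned text is constructed, and the key values in it are the placeholders AWS uses in its own documentation, not real credentials. It relies on two facts about the format: long-term IAM user key ids begin with AKIA and temporary STS key ids with ASIA, both followed by 16 upper-case alphanumerics, while secret access keys are 40 base64-like characters with no recognisable prefix, so the scanner looks for them next to the usual variable names.

```python
"""Find AWS access keys that have leaked into source or config text.

Added example, not from the original post. The scanned text is constructed
and the key values are AWS documentation placeholders, not real credentials.
"""
import re

# Key ids: AKIA = long-term (IAM user), ASIA = temporary (STS), then 16 chars.
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys carry no prefix, so anchor on the variable names they travel under.
SECRET_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret_key|secretaccesskey)\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})\b"
)

# Constructed sample: a deploy script with a credential pair pasted into it.
SAMPLE_TEXT = """\
#!/bin/sh
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync ./build s3://example-bucket/
# session from 'aws sts assume-role' pasted during debugging:
# ASIAIOSFODNN7EXAMPLE
"""


def redact(secret):
    """Keep just enough of a secret to identify it in a report."""
    return secret[:4] + "..." + secret[-4:]


def scan(text):
    """Return (line_no, kind, value) for every credential-looking token.

    Key ids are the 'username' half of the pair and are reported in full;
    secret access keys are the 'password' half and are redacted."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID_RE.finditer(line):
            kind = "long-term key id" if m.group(1) == "AKIA" else "temporary key id"
            hits.append((no, kind, m.group(0)))
        for m in SECRET_RE.finditer(line):
            hits.append((no, "secret access key", redact(m.group(2))))
    return hits


if __name__ == "__main__":
    for no, kind, value in scan(SAMPLE_TEXT):
        print(f"line {no}: {kind}: {value}")
```

A leaked long-term key should be deactivated and rotated in IAM rather than just deleted from the file, since the history of the file still holds it; a leaked temporary key expires on its own but the role session it came from should still be reviewed.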


What's the AWS CLI?

- A tool that enables you to interact with AWS services using commands in your command-line shell

- Direct access to the public APIs of AWS services

- You can develop scripts to manage your resources

- It's open-source: https://github.com/aws/aws-cli 

- An alternative to using the AWS Management Console


 

What's the AWS SDK?

- AWS Software Development Kit (AWS SDK)

- Language-specific APIs (sets of libraries)

- Enables you to access and manage AWS services programmatically

- Embedded within your application 

- Supports

    - SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)

    - Mobile SDKs (Android, iOS, ...)

    - IoT Device SDKs (Embedded C, Arduino, ...)

Example : the AWS CLI is built on the AWS SDK for Python (botocore)

 
