AWS IAM
Identity and Access Management (IAM) is something you need to take seriously if you are working in AWS. If you ignore it, it will come back to bite you time and time again.
You can see here what happened when Capital One had an IAM slip-up (an over-privileged IAM role attached to a web-facing EC2 instance let an attacker list and read S3 buckets). Don't let this happen to you: learn from their mistakes.
I suggest setting aside half an hour of your day to make the rest of your life in AWS that much easier. The concepts are not too tricky once you spend some time with them.
In this article, we will take an in-depth look at just the IAM piece of AWS.
Then I will walk you through how to achieve a 5/5 on the Security Status checklist in the IAM section of the AWS console.
Objectives
Understand IAM: its key terms and how to get started using it on AWS.
We will look at:
- The power of IAM
- How to get started
- Activating MFA on our root account
- Creating individual IAM users
- Using groups to assign permissions
- Applying an IAM password policy
The Power of IAM
First, let's talk about what IAM is. Identity and Access Management is the AWS service that controls who (users, groups, roles and federated identities) can sign in to your account, and which actions they may perform on which resources, whether through the console, the CLI or the API.
As a system admin this is incredibly useful and important, because it is how you manage who sees what. If you want an employee in HR to have read-only access to an S3 bucket, it is that easy: assign a read-only policy scoped to that bucket in the IAM console.
Identity and authorization concerns are addressed in this service. Other controls (network rules, encryption, logging) live in other services, but almost every one of them is ultimately gated by an IAM permission.
Specifically, IAM gives you the ability to do the following:
- Set different levels of permissions for each user
- Allow temporary access for users and services (via roles and the short-lived credentials issued by STS)
- Enforce multi-factor authentication
- Create a password-rotation policy (e.g., expire passwords after 120 days)
- Integrate with all of your AWS services (every API call is authorized by IAM)
- Identity federation: let users sign in through an external identity provider (SAML 2.0 or OpenID Connect, or web identities such as Google or Facebook via Amazon Cognito) instead of creating an IAM user for each of them
- Support PCI DSS compliance: IAM itself is PCI DSS compliant, which helps you meet your own obligations, though it does not make your workloads compliant by itself
IAM lets you do whatever you need when it comes to controlling who can interact with your AWS services. Take advantage of it!
Key Terms
Below are the essential definitions to keep in mind as we learn how to use IAM:
Users: end users. These are the people (or applications) that are assigned permissions. A user can sign in to the AWS console with a password, call the API with access keys, or both.
Groups: a collection of users who need the same privileges. Attach one set of permissions to the group and every member inherits it, e.g. a group of developers.
Roles: an identity with permissions that is not tied to one person but is assumed by whoever (or whatever) is trusted to use it: an EC2 instance, a Lambda function, a user from another account or a federated user. Assuming a role yields temporary credentials, so for example an application running on an EC2 instance can query a DynamoDB table without any long-lived access keys stored on the instance.
Policies: a JSON document that defines permissions. It is attached to users, groups or roles. Here is an example of a policy that grants read-only access to S3 and nothing else (note that a Resource of "*" means every bucket in the account; narrow it to a bucket ARN when you can):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}
How to Get Started
Sign in to your AWS console. If you do not have an account, you can create one here.
Upon logging in, we will be taken to a screen that looks like this:
AWS is continuously changing its interfaces, so if it does not look like this, I apologize. I will do my best to keep this updated, but be aware that it changes continually. The concepts will remain the same.
You will see that when we first log in, the green check mark is already next to "Delete your root access keys": a new account has no root access keys, and you should never create any.
We will tackle the next four by the end of this article.
Activating MFA on Our Root Account
We will now navigate to the "Activate MFA on your root account" drop-down in the Security Status section.
What is multi-factor authentication? MFA means you can only gain access by presenting two different kinds of credential: something you know (your password) plus something you have (a one-time code from an authenticator app, or a hardware security key). A stolen or phished password alone is then not enough to sign in.
Click on the "Manage MFA" button, and we will be taken to a screen that looks like this:
Now let's activate our MFA.
I suggest selecting "Virtual MFA device" so you can use your phone to authenticate.
It will then ask you to install an authenticator app. I chose to download the Google Authenticator app for my iOS device.
You then need to activate the authenticator: scan the QR code (or type the secret key) into the app, then enter two consecutive codes from the app so AWS can confirm the device is generating codes in sequence.
Once you hit the "Assign MFA" button, you should see a new MFA device added, like below:
And we have successfully turned the check mark green when we go back to the IAM console!
But more importantly, we have added another layer of security to our AWS root account. The root account can do anything, including closing the account, so protect the MFA device (and the mailbox of the root email address) as carefully as the password itself.
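To make concrete what a "virtual MFA device" is, here is an added example, written for this article and not code from AWS or from an authenticator app, of the RFC 6238 TOTP algorithm that apps such as Google Authenticator implement. The secret key shown beside the QR code is a base32 string; every 30 seconds the app computes HMAC-SHA1 over the time-step counter and truncates it to six digits. The enrollment function mirrors the console's requirement of two consecutive codes. The seed below is the RFC 4226/6238 test secret, not a real AWS seed, and the verification window of one step on either side is an assumption about tolerated clock drift.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second time step.
    This is what a virtual MFA device computes from the seed AWS gave it."""
    return hotp(secret, unix_time // step, digits)


def decode_seed(base32_seed: str) -> bytes:
    """The 'secret key' AWS shows next to the QR code is base32 (RFC 4648).
    Apps accept it with spaces and without '=' padding, so normalise first."""
    cleaned = base32_seed.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_code(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept a code for the current step or `window` steps either side
    (assumed drift tolerance). compare_digest avoids a timing side channel."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
        for k in range(-window, window + 1)
    )


def enroll_device(secret: bytes, code1: str, code2: str, unix_time: int,
                  step: int = 30, window: int = 1) -> bool:
    """Mimic the console's enrollment check: the two codes must come from
    consecutive time steps, which proves the app holds the seed and is
    generating in sequence rather than replaying a single observed code."""
    for k in range(-window, window + 1):
        t = unix_time + k * step
        if (hmac.compare_digest(totp(secret, t, step), code1)
                and hmac.compare_digest(totp(secret, t + step, step), code2)):
            return True
    return False


# RFC 6238 test secret ("12345678901234567890" in base32); not a real AWS seed.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = decode_seed(RFC_SEED)
    first, second = totp(secret, 59), totp(secret, 89)   # two consecutive steps
    print("codes:", first, second)
    print("enrolled:", enroll_device(secret, first, second, 59))
    print("same code entered twice:", enroll_device(secret, first, first, 59))
```

The two-code enrollment step is why the console rejects the same code typed twice: one valid code could have been shoulder-surfed or replayed, but two codes from adjacent windows can only come from a device that holds the seed.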
Creating Individual IAM Users
Now let's create some individual IAM users.
We create IAM users so we do not have to use our root account to complete day-to-day tasks on AWS. We should only use root when a task genuinely requires it.
So now, in the Users section of our IAM dashboard, let's add a new user:
I will be creating a new user named ryan and choosing to give him programmatic access and AWS Management Console access, like below:
Programmatic access creates a long-lived access key pair. Only enable it if this user will actually use the CLI or SDKs; otherwise leave it off and add a key later if it is needed.
We must grant our new user permissions (otherwise, what's the point?). Since this is the account I want to use as a system admin, I want full access to AWS and its services and resources.
So I am going to select "AdministratorAccess" as my policy name and give the group the name SysAdmin.
Then hit the Next button at the bottom.
We can skip the Tags section, as they are not mandatory fields.
When we go to review our Add user action, it should look something like this:
When you click "Create user" at the bottom, you should get a success message.
Important: this is the only time the secret access key is shown. The console password can be reset later, but a lost secret key can only be replaced by creating a new key pair, so download the .csv and store it somewhere safe, such as a password manager, because you do not know when you will need it again.
You will see we killed two birds with one stone here, since we created a group as well as added a user.
Because an AdministratorAccess user is as powerful as root for everything except account-level tasks, enable MFA on it the same way we did for root before using it day to day.
In the next section, we are going to create a group with more limited permissions so you can get a feel for what IAM groups are all about.
Using Groups to Assign Permissions
Let's create a new group called Developers.
Now let's attach some policies. We want our developers to have full access to DynamoDB and EC2, which the AWS managed policies AmazonDynamoDBFullAccess and AmazonEC2FullAccess provide.
AWS makes it very easy to simply attach these policies to the group. Full access to a service is still a broad grant: once you know which tables and instances the team actually uses, replace it with a customer managed policy scoped to those resources.
So when you review, it should look just like this:
Now let's add a new user and add them to this group.
DevDave is going to be a developer on our team. We are merely going to add him to the Developers group, like below:
After clicking through and eventually hitting the "Create user" button, you will see DevDave has been created as a user:
And we now have two users under two different groups when we navigate back to the Users page:
Easy enough, right?
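To show how the policy documents from the Key Terms section and the group memberships from this section combine at evaluation time, here is an added example, not code from the article or from AWS, of a simplified IAM policy evaluator in Python. It models the article's SysAdmin group with AdministratorAccess, the Developers group with DynamoDB and EC2 full access, and the S3 read-only policy, and applies the three rules that matter most in practice: everything is implicitly denied, any matching Allow permits, and an explicit Deny in any attached policy wins. The policy documents are simplified stand-ins for the AWS managed policies of the same names, the NO_TERMINATE_PROD guard-rail policy and the account ID 123456789012 are constructed for the example, and attaching the S3 read-only policy directly to DevDave is an assumption added to show user and group policies merging. Conditions, NotAction/NotResource, resource-based policies and permission boundaries are not modelled.

```python
import json
import re

# --- Policy documents -----------------------------------------------------
# The S3 read-only policy from the Key Terms section, parsed as the JSON IAM stores.
S3_READ_ONLY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
  ]
}""")

# Simplified stand-ins for the AWS managed policies the article attaches
# (assumption: the real AdministratorAccess / AmazonDynamoDBFullAccess /
# AmazonEC2FullAccess policies contain further statements).
ADMINISTRATOR_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEVELOPER_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Constructed guard-rail: an explicit Deny beats every Allow, so even ec2:*
# cannot terminate instances whose ID starts with i-prod (account ID is fake).
NO_TERMINATE_PROD = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:TerminateInstances",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-prod*"}]}

# --- Identities (the article's groups and users) --------------------------
GROUPS = {
    "SysAdmin": [ADMINISTRATOR_ACCESS],
    "Developers": [DEVELOPER_ACCESS, NO_TERMINATE_PROD],
}
USERS = {
    "ryan": {"groups": ["SysAdmin"], "policies": []},
    # Assumption for the example: S3 read-only attached directly to the user.
    "DevDave": {"groups": ["Developers"], "policies": [S3_READ_ONLY]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM wildcards: * matches any run of characters, ? exactly one.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource statements are not modelled
            if not any(_wildcard(p, action, False) for p in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard(p, resource, True) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit Deny is final
            decision = "Allow"     # keep scanning: a later Deny still wins
    return decision


def effective_policies(user: str):
    """Group policies and directly attached user policies form one union."""
    u = USERS[user]
    return [p for g in u["groups"] for p in GROUPS[g]] + u["policies"]


def is_allowed(user: str, action: str, resource: str = "*") -> bool:
    return evaluate(effective_policies(user), action, resource) == "Allow"


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
    prod = "arn:aws:ec2:us-east-1:123456789012:instance/i-prod0001"
    for user, action, res in [("ryan", "iam:CreateUser", "*"),
                              ("DevDave", "dynamodb:PutItem", table),
                              ("DevDave", "s3:GetObject", "arn:aws:s3:::logs/app.log"),
                              ("DevDave", "s3:PutObject", "arn:aws:s3:::logs/app.log"),
                              ("DevDave", "ec2:TerminateInstances", prod)]:
        print(f"{user:8} {action:24} -> {evaluate(effective_policies(user), action, res)}")
```

The distinction between ImplicitDeny and Deny is worth keeping in a tool like this: an implicit deny means "nobody granted it yet", which a new Allow can fix, while an explicit Deny tells you that adding more Allow statements will never help and you have to find the denying statement instead.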
Applying an IAM Password Policy
Now let's tackle the final Security Status item: applying an IAM password policy.
In the Account Settings of IAM, we are going to hit the button that says "Set password policy."
You can make the password policy as strict or as laid back as you wish:
You may also choose to have passwords expire after x days. You can see above that I decided on 120 days. Note that this policy applies only to the console passwords of IAM users, not to access keys or to the root password. If you follow the current NIST guidance (SP 800-63B) of long passwords without forced periodic rotation, leave expiry off; the other settings still apply.
When you go back to the dashboard, you should see all five Security Status steps completed!
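The settings chosen in the console are exposed by the IAM API as a PasswordPolicy object with the field names used below. As an added example that is not part of the article, this Python snippet checks a candidate password, and a password's age, against such a policy. The values mirror the article's choice of a strict policy expiring after 120 days; the minimum length of 14, the reuse-prevention depth of 5 and the symbol set are assumptions for the example.

```python
from datetime import date

# Field names are those of the IAM PasswordPolicy object (what
# `aws iam get-account-password-policy` returns). Values mirror the article's
# strict policy expiring after 120 days; the length, reuse depth and symbol
# set are assumptions for this example.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 120,
    "PasswordReusePrevention": 5,
    "HardExpiry": False,
}

SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")  # assumed symbol set for this example


def check_password(candidate: str, policy: dict, history=()) -> list:
    """Return the policy rules the candidate breaks (empty list == accepted).
    `history` holds the most recent previous passwords, oldest first; a real
    system would keep salted hashes rather than the plaintext used here."""
    problems = []
    if len(candidate) < policy["MinimumPasswordLength"]:
        problems.append(f"shorter than {policy['MinimumPasswordLength']} characters")
    if policy["RequireUppercaseCharacters"] and not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if policy["RequireLowercaseCharacters"] and not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if policy["RequireNumbers"] and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy["RequireSymbols"] and not any(c in SYMBOLS for c in candidate):
        problems.append("no symbol")
    depth = policy.get("PasswordReusePrevention") or 0
    if depth and candidate in list(history)[-depth:]:
        problems.append(f"reuses one of the last {depth} passwords")
    return problems


def password_state(last_changed: date, today: date, policy: dict) -> str:
    """'ok' while younger than MaxPasswordAge days. Once expired, the user is
    forced to set a new password at sign-in ('must-change'), or, when
    HardExpiry is set, cannot sign in until an administrator resets it
    ('locked')."""
    if not policy["ExpirePasswords"]:
        return "ok"
    if (today - last_changed).days < policy["MaxPasswordAge"]:
        return "ok"
    return "locked" if policy["HardExpiry"] else "must-change"


if __name__ == "__main__":
    print(check_password("password", PASSWORD_POLICY))
    print(check_password("Correct-Horse-9", PASSWORD_POLICY))
    print(password_state(date(2020, 1, 1), date(2020, 4, 30), PASSWORD_POLICY))
```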
Customize IAM Users Sign-In Link
You will notice at the top there is an IAM users sign-in link we can customize. By default the URL contains your 12-digit account ID; creating an account alias replaces it with a name, giving a link of the form https://your-alias.signin.aws.amazon.com/console. The link takes IAM users to the sign-in page for your account; it does not grant any access by itself.
You can make the alias whatever you like, as long as it is unique across all AWS accounts and contains only lowercase letters, digits and hyphens.
This allows for a quick and easy sign-in.
Review
In this article, we learned the basics of IAM. We also walked through how to get started using it.
You should now be able to:
- Define key terms relating to IAM
- Activate MFA on your root account
- Create users
- Use groups to assign permissions
- Change your password policy
- Customize your IAM sign-in link
Easy enough, right?
A resource I used while learning this: A Cloud Guru on Udemy
Translated from: https://medium.com/better-programming/breaking-down-awss-identity-access-management-iam-cb51c9195e4f