IAM
Components of IAM
> Users =>
Each person can be one User
Each user can have different permissions
> Groups
We can club multiple users together and provide common access
> Roles
Roles are not for users
Roles are for services
e.g. EC2 => S3, RDS
> Policies
Example: Development team
UserA: IAM, S3, RDS
UserB: S3, RDS
UserC: RDS, S3
Group Developer (S3, RDS)
UserA (IAM)
UserB
UserC
Policies
IAM> Create Group, Create User, Create Roles
RDS> Read, Write
MyPolicy
IAM> Create Group
RDS> Read access
JSON (policies are written in this format)
{
  "name": "a",
  "class": "b"
}
/*********************
Check All Policy
***********************/
> AWS Dashboard
> IAM
> Policies
> List All Policies
/*********************
Create Custom Policy
***********************/
> Policies
> Create Policy
> Choose service
> Select the actions
> Review Policy
> Provide policy name
> Create policy
/*******************************
Create New IAM User
*********************************/
> Users
> Create user
> Name, Access type
> Custom password
> Attach existing Policies
> Select policy
> Add Tags
> Review and create
/*******************************
Login with IAM user
*********************************/
> Select User
> Security credentials
> Use the console login URL shown in the summary
/*******************************
Assign MFA
*********************************/
> Select user
> Security credentials
> Assign MFA
> Virtual MFA
> Show QR
> Scan QR and enter code
/**************************
Add User to group
**************************/
=> Select group
=> Users
=> Add User
=> Select listed user
=> Add
Roles are for the applications
Groups are for the users
/**************************
Create Role
**************************/
=> Roles
=> Create Role
=> AWS Service
=> Select the service to which you want to attach the policy
=> Add Permission to the Service
=> Add tags and Create
** We can attach the role to the service on its own dashboard
/******************************************
Access resource from a different account
******************************************/
Acc1 (Aakash Handa) Sender
=> IAM
=> Roles
=> Another AWS account
=> Account ID (of aakash, the receiver)
=> Add permission (S3 full access)
=> Role name
** Root user (receiver) cannot access any other account's resources
** Only an IAM user (receiver) can access another account's resources
>>>>>> Acc2 (Aakash) Receiver <<<<<<<<<<<
** Access S3 of the aakashhanda account
=> Create new IAM user (with no permission, no group)
=> Create new dummy Group (no user, no policy)
=> Select created group
=> Permissions
=> Add Inline Policies
=> JSON
=> Create policy
=> Write JSON (Resource is the ARN of the role created in the sender account)
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::276374296137:role/S3extrenalAcess"
  }
}
=> Attach user to group
=> Login with IAM user
=> Switch role
=> Account* (number of aakashhanda (sender) account)
Role* (created in aakash handa account)
=> Switch Role
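The cross-account procedure above produces two documents: a trust policy on the role in the sender account and an sts:AssumeRole policy on the group in the receiver account. The code below, an added example and not part of these notes, builds both and checks that they line up (receiver account named in the trust policy, receiver policy pointing at exactly one role in the other account, no wildcard). The receiver account ID is a constructed placeholder; the role ARN is the one written above.

```python
import re

ROLE_ARN = "arn:aws:iam::276374296137:role/S3extrenalAcess"  # the role ARN written in the notes
RECEIVER_ACCOUNT = "111122223333"                            # constructed placeholder for Acc2
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def trust_policy(receiver_account):
    """Sender side: trust policy the 'Another AWS account' role wizard produces."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{receiver_account}:root"},
        "Action": "sts:AssumeRole"}]}


def assume_role_policy(role_arn):
    """Receiver side: inline group policy allowing sts:AssumeRole on one named role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _statements(doc):
    # IAM accepts Statement as a single object or a list; normalise to a list.
    return _as_list(doc.get("Statement", []))


def check_pair(trust, assume, receiver_account):
    """Return a list of problems; an empty list means Switch Role should work."""
    problems = []
    trusted = set()
    for s in _statements(trust):
        principal = s.get("Principal")
        if s.get("Effect") == "Allow" and isinstance(principal, dict):
            trusted.update(_as_list(principal.get("AWS", [])))
    if not trusted & {receiver_account, f"arn:aws:iam::{receiver_account}:root"}:
        problems.append("sender trust policy does not name the receiver account")
    for s in _statements(assume):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        for res in _as_list(s.get("Resource")):
            m = ARN_RE.match(res or "") if isinstance(res, str) else None
            if m is None:  # "*" or a malformed ARN: must name exactly one role
                problems.append(f"receiver policy must name one role ARN, got {res!r}")
            elif m.group(1) == receiver_account:
                problems.append("role ARN is in the receiver's own account, not the sender's")
    return problems
```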
/////////
User
Group
Role
Policies => Already defined