{"id":23386,"date":"2017-04-27T19:53:43","date_gmt":"2017-04-27T19:53:43","guid":{"rendered":"https:\/\/www.whizlabs.com\/?p=23386"},"modified":"2024-05-22T09:38:27","modified_gmt":"2024-05-22T04:08:27","slug":"aws-iam-security","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/aws-iam-security\/","title":{"rendered":"How to Use IAM for Securing the Access to AWS Resources?"},"content":{"rendered":"<p><span lang=\"EN-US\">Are you preparing for the\u00a0<\/span><a href=\"https:\/\/www.whizlabs.com\/aws-sysops-administrator-associate\/\"><span lang=\"EN-US\">AWS Certified SysOps Administrator \u2013 Associate certification exam<\/span><\/a><span lang=\"EN-US\">? Are you ready to pass this exam? In this blog, we are writing a series of articles on the topics covered in the AWS Certified SysOps Administrator \u2013 Associate certification exam. You can subscribe to us to receive further updates on this topic.<\/span><\/p>\n<p><span lang=\"EN-US\">The SysOps Associate certification exam is the hardest exam at the associate certification level. 
We would recommend that you pass both the <a href=\"https:\/\/www.whizlabs.com\/aws-solutions-architect-associate\/\" target=\"_blank\" rel=\"noopener\">Solutions Architect Associate certification<\/a> exam and the Developer Associate certification exam before taking this exam.<\/span><\/p>\n<p><span lang=\"EN-US\">The AWS Certified SysOps Administrator \u2013 Associate exam validates technical expertise in deployment, management, and operations on the AWS platform.<\/span><\/p>\n<ul type=\"disc\">\n<li><b><span lang=\"EN-US\">TRY NOW:\u00a0<\/span><\/b><a title=\"AWS Certified SysOps Administrator Associate \u2013 Free Test\" href=\"https:\/\/www.whizlabs.com\/aws-sysops-administrator-associate\/free-test\/\"><b><span lang=\"EN-US\">10 Free Practice Questions for SysOps Associate Exam<\/span><\/b><\/a><\/li>\n<li><b><span lang=\"EN-US\">OFFER:\u00a0<\/span><\/b><a title=\"AWS Certified SysOps Administrator Associate\" href=\"https:\/\/www.whizlabs.com\/aws-sysops-administrator-associate\/\"><b><span lang=\"EN-US\">420 Practice Questions for SysOps Associate Exam (50% Discount)<\/span><\/b><\/a><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">The <a href=\"https:\/\/www.whizlabs.com\/aws-sysops-administrator-associate\/\" target=\"_blank\" rel=\"noopener\">AWS Certified SysOps Administrator<\/a> \u2013 Associate Level exam validates the candidate\u2019s ability to:<\/span><\/p>\n<ul type=\"disc\">\n<li><span lang=\"EN-US\">Deliver the stability and scalability needed by a business on AWS<\/span><\/li>\n<li><span lang=\"EN-US\">Provision systems, services, and deployment automation on AWS<\/span><\/li>\n<li><span lang=\"EN-US\">Ensure data integrity and data security on AWS technology<\/span><\/li>\n<li><span lang=\"EN-US\">Provide guidance on AWS best practices<\/span><\/li>\n<li><span lang=\"EN-US\">Understand and monitor metrics on AWS<\/span><\/li>\n<\/ul>\n<div>\n<figure id=\"attachment_23164\" aria-describedby=\"caption-attachment-23164\" style=\"width: 654px\" 
class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/Figure0_SysOpsBlueprint.png\"><img decoding=\"async\" class=\"wp-image-23164 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/Figure0_SysOpsBlueprint.png\" alt=\"Domains covered by the AWS Certified SysOps associate exam\" width=\"654\" height=\"545\" \/><\/a><figcaption id=\"caption-attachment-23164\" class=\"wp-caption-text\">Domains covered by the AWS Certified SysOps associate exam<\/figcaption><\/figure>\n<p align=\"center\"><b><i><span lang=\"EN-US\">Figure #0. \u00a0Domains covered by the AWS Certified SysOps associate exam<\/span><\/i><\/b><\/p>\n<\/div>\n<p><span lang=\"EN-US\">You can download the related\u00a0<\/span><a href=\"http:\/\/awstrainingandcertification.s3.amazonaws.com\/production\/AWS_certified_sysops_associate_blueprint.pdf\" target=\"_blank\" rel=\"noopener noreferrer\"><span lang=\"EN-US\">AWS Certified SysOps Administrator \u2013 Associate Level Exam Blueprint<\/span><\/a><span lang=\"EN-US\">\u00a0for more detail.<\/span><\/p>\n<p><span lang=\"EN-US\">In this article, we explain the topic from the exam blueprint above that addresses assuring access controls when using the AWS platform.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Context\"><\/span><span lang=\"EN-US\">Context<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">From an enterprise point of view, asset security is one of the most important things to take into account when you are designing and running infrastructure services. Access to your AWS resources should always follow the principle of least privilege. This gives better integrity, confidentiality and availability of your AWS resources.<\/span><\/p>\n<p><span lang=\"EN-US\">As part of your AWS account, AWS offers a feature called AWS Identity and Access Management (IAM) for controlling access to your AWS resources.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_is_AWS_Identity_and_Access_Management_IAM\"><\/span><span lang=\"EN-US\">What is AWS Identity and Access Management (IAM)?<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.<\/span><\/p>\n<p><span lang=\"EN-US\">You can use AWS IAM to securely control individual and group access to your AWS resources. You can create and manage user identities (&#8220;IAM users&#8221;) and grant permissions for those IAM users to access your resources. 
You can also grant permissions for users outside of AWS.<\/span><\/p>\n<p><span lang=\"EN-US\">IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.<\/span><\/p>\n<p><span lang=\"EN-US\">You can use the IAM console (for web-based access), the AWS Command Line Interface (CLI, for command line access), or the API or SDKs (for programmatic access). To grant permissions, you create policy documents that you attach to users, groups, or other entities.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_to_Create_Groups\"><\/span><span lang=\"EN-US\">How to Create Groups?<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">You use IAM to control who can use your AWS resources (<em>authentication<\/em>) and what resources they can use and in what ways (<em>authorization<\/em>). <\/span><span lang=\"EN-US\">For greater security and organization, you can give specific users access to your AWS account. When assigning permissions, use groups to assign permissions to multiple IAM users, and apply pre-built secure policies to those groups.<\/span><\/p>\n<p><span lang=\"EN-US\">A group is a collection of IAM users. Manage group membership as a simple list:<\/span><\/p>\n<ul>\n<li><span lang=\"EN-US\">Add users to or remove them from a group.<\/span><\/li>\n<li><span lang=\"EN-US\">A user can belong to multiple groups.<\/span><\/li>\n<li><span lang=\"EN-US\">Groups cannot belong to other groups.<\/span><\/li>\n<li><span lang=\"EN-US\">Groups can be granted permissions using access control policies. This makes it easier to manage permissions for a collection of users, rather than having to manage permissions for each individual user.<\/span><\/li>\n<li><span lang=\"EN-US\">Groups do not have security credentials, and cannot access web services directly; they exist solely to make it easier to manage user permissions. 
<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">To create an IAM group and attach policies using the AWS Management Console, you should:<\/span><\/p>\n<p><b><span lang=\"EN-US\">Step 1.<\/span><\/b><span lang=\"EN-US\"> Create a new group after signing in to the IAM console at <a href=\"https:\/\/console.aws.amazon.com\/iam\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/console.aws.amazon.com\/iam\/<\/a>:<\/span><\/p>\n<p><span lang=\"EN-US\">Group names must be unique within an account. They are not distinguished by case; for example, you cannot create groups named both &#8220;ADMINS&#8221; and &#8220;admins&#8221;.<\/span><\/p>\n<figure id=\"attachment_24972\" aria-describedby=\"caption-attachment-24972\" style=\"width: 1579px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/Figure1_CreatingaGroup.png\"><img decoding=\"async\" class=\"size-full wp-image-24972\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/Figure1_CreatingaGroup.png\" alt=\"Creating a Group\" width=\"1579\" height=\"769\" \/><\/a><figcaption id=\"caption-attachment-24972\" class=\"wp-caption-text\">Creating a Group<\/figcaption><\/figure>\n<p align=\"center\"><b><i><span lang=\"EN-US\">Figure #1. \u00a0Creating a Group<\/span><\/i><\/b><\/p>\n<p><b><span lang=\"EN-US\">Step 2.<\/span><\/b><span lang=\"EN-US\"> Select and attach policies. 
In the list of policies, select the check box for each policy that you want to apply to all members of the group.<\/span><\/p>\n<figure id=\"attachment_24973\" aria-describedby=\"caption-attachment-24973\" style=\"width: 1579px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/Figure2_AttachingaPolicy.png\"><img decoding=\"async\" class=\"size-full wp-image-24973\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/Figure2_AttachingaPolicy.png\" alt=\"Attaching a Policy\" width=\"1579\" height=\"769\" \/><\/a><figcaption id=\"caption-attachment-24973\" class=\"wp-caption-text\">Attaching a Policy<\/figcaption><\/figure>\n<p align=\"center\"><b><i><span lang=\"EN-US\">Figure #2. \u00a0Attaching a Policy<\/span><\/i><\/b><\/p>\n<p><span lang=\"EN-US\">You can use roles to delegate access to users, applications, or services that don&#8217;t normally have access to your AWS resources. You can use IAM roles to grant permissions to applications running on your instances that need to use a bucket in Amazon S3. You can specify permissions for IAM roles by creating a policy in JSON format. These are like the policies that you create for IAM users. If you make a change to an IAM role, the change is propagated to all instances.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Security_Credentials\"><\/span><span lang=\"EN-US\">Security Credentials<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">IAM users can have any combination of credentials that AWS supports, such as an AWS access key, X.509 certificate, SSH key, password for web app logins, or an MFA device. 
<\/span><\/p>\n<p><span lang=\"EN-US\">You can access AWS in different ways using the different types of credentials that can be associated with a user: <\/span><\/p>\n<ul>\n<li><b><span lang=\"EN-US\">Console password:<\/span><\/b><span lang=\"EN-US\"> A password that the user can type to sign in to interactive sessions such as the AWS Management Console. <\/span><\/li>\n<li><b><span lang=\"EN-US\">Access keys:<\/span><\/b><span lang=\"EN-US\"> An access key is the combination of an access key ID and a secret access key. You can assign at most two to a user at a time. These can be used to make programmatic calls to AWS when using the API in program code or at a command prompt when using the AWS CLI or the AWS PowerShell tools. <\/span><\/li>\n<li><b><span lang=\"EN-US\">SSH keys for use with AWS CodeCommit:<\/span><\/b><span lang=\"EN-US\"> An SSH public key in the OpenSSH format that can be used to authenticate with AWS CodeCommit. <\/span><\/li>\n<li><b><span lang=\"EN-US\">Server certificates:<\/span><\/b><span lang=\"EN-US\"> SSL\/TLS certificates that you can use to authenticate with some AWS services. We recommend that you instead use AWS Certificate Manager to create and manage your certificates.<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">You can also use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. 
Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"IAM_Best_Practices\"><\/span><span lang=\"EN-US\">IAM Best Practices<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span lang=\"EN-US\">To help secure your AWS resources, follow these recommendations and best practices for the IAM feature:<\/span><\/p>\n<ul>\n<li><b><span lang=\"EN-US\">Lock Away Your AWS Account (Root) Access Keys: <\/span><\/b><span lang=\"EN-US\">You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, do not use your AWS account (root) access key.<\/span><\/li>\n<li><b><span lang=\"EN-US\">Create Individual IAM Users: <\/span><\/b><span lang=\"EN-US\">Avoid using your AWS root account credentials to access AWS; always create individual IAM users for anyone who needs access to your AWS services.<\/span><\/li>\n<li><b><span lang=\"EN-US\">Use AWS-Defined Policies to Assign Permissions Whenever Possible:<\/span><\/b><span lang=\"EN-US\"> We recommend that you use the managed policies that are created and maintained by AWS to grant permissions whenever possible.<\/span><\/li>\n<li><b><span lang=\"EN-US\">Use Groups to Assign Permissions to IAM Users:<\/span><\/b><span lang=\"EN-US\"> First, create groups that relate to job functions (sysops, architects, developers, etc.). Then define the relevant permissions for each group. 
Finally, assign IAM users to those groups.<\/span><\/li>\n<li><b><span lang=\"EN-US\">Grant Least Privilege:<\/span><\/b><span lang=\"EN-US\"> When you create IAM policies, follow the standard security advice of granting least privilege\u2014that is, granting only the permissions required to perform a task.<\/span><\/li>\n<li><b><span lang=\"EN-US\">Use Access Levels to Review IAM Permissions:<\/span><\/b><span lang=\"EN-US\"> To improve the security of your AWS account, you should regularly review and monitor each of your IAM policies.<\/span><\/li>\n<li><b><span lang=\"EN-US\">Configure a Strong Password Policy for Your Users:<\/span><\/b><span lang=\"EN-US\"> If you allow users to change their own passwords, require that they create strong passwords and that they rotate their passwords periodically.<\/span><\/li>\n<li><b><span lang=\"EN-US\">Enable MFA for Privileged Users:<\/span><\/b><span lang=\"EN-US\"> For extra security, enable multi-factor authentication (MFA) for privileged IAM users.<\/span><\/li>\n<li><b><span lang=\"EN-US\">Use Roles for Applications That Run on Amazon EC2 Instances:<\/span><\/b><span lang=\"EN-US\"> Applications that run on an Amazon EC2 instance need credentials to access other AWS services. To provide credentials to the application in a secure way, use IAM roles.<\/span><\/li>\n<li><b><span lang=\"EN-US\">Delegate by Using Roles Instead of by Sharing Credentials:<\/span><\/b><span lang=\"EN-US\"> You can define a role that specifies what permissions IAM users from another AWS account have to access resources in your AWS account. 
You can also designate which AWS accounts have the IAM users that can assume the role.<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">When you open the IAM Dashboard, you can check the security status against the best practices above. You can also customize the IAM users sign-in link; initially, the URL is prefixed with your account number, as shown below:<\/span><\/p>\n<figure id=\"attachment_24974\" aria-describedby=\"caption-attachment-24974\" style=\"width: 1579px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/Figure3_IAMDashboard.png\"><img decoding=\"async\" class=\"size-full wp-image-24974\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/05\/Figure3_IAMDashboard.png\" alt=\"IAM Dashboard\" width=\"1579\" height=\"769\" \/><\/a><figcaption id=\"caption-attachment-24974\" class=\"wp-caption-text\">IAM Dashboard<\/figcaption><\/figure>\n<p align=\"center\"><b><i><span lang=\"EN-US\">Figure #3. \u00a0IAM Dashboard<\/span><\/i><\/b><\/p>\n<p><span lang=\"EN-US\">Whizlabs is the pioneer institute that provides various <a href=\"https:\/\/www.whizlabs.com\/aws-certified-security-specialty\/\" target=\"_blank\" rel=\"noopener\">AWS Security Certification<\/a> courses dedicated to AWS security. If you are preparing for any AWS certification exam, such as <a href=\"https:\/\/www.whizlabs.com\/aws-solutions-architect-professional\/\" target=\"_blank\" rel=\"noopener\">AWS Solution Architect<\/a>, <a href=\"https:\/\/www.whizlabs.com\/aws-certified-cloud-practitioner\/\" target=\"_blank\" rel=\"noopener\">AWS Cloud Practitioner exam<\/a>, <a href=\"https:\/\/www.whizlabs.com\/blog\/aws-iam-security\/\" target=\"_blank\" rel=\"noopener\">AWS DevOps<\/a>, <a href=\"https:\/\/www.whizlabs.com\/aws-certified-data-analytics-specialty\/\" target=\"_blank\" rel=\"noopener\">AWS Data Science Certification<\/a>, <a href=\"https:\/\/www.whizlabs.com\/aws-certified-security-specialty\/\" target=\"_blank\" rel=\"noopener\">AWS Cloud Security Certification<\/a>, AWS <a href=\"https:\/\/www.whizlabs.com\/aws-developer-associate\/\" target=\"_blank\" rel=\"noopener\">Associate Developer<\/a>, etc., we also provide a complete guide to the <a href=\"https:\/\/www.whizlabs.com\/blog\/aws-certified-solutions-architect-associate-guide\/\" target=\"_blank\" rel=\"noopener\">AWS Solutions Architect Associate<\/a> exam, which includes a number of articles from across the internet regarding the <a href=\"https:\/\/www.whizlabs.com\/aws-solutions-architect-associate\/\" target=\"_blank\" rel=\"noopener\">AWS Architect Associate<\/a> exam. If you are looking for any help, please send us a mail or call our customer support team.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Important_Points_to_Remember_for_the_AWS_Certified_SysOps_Administrator_%E2%80%93_Associate_Certification_exam\"><\/span><span lang=\"EN-US\">Important Points to Remember for the AWS Certified SysOps Administrator \u2013 Associate Certification exam<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul type=\"disc\">\n<li><span lang=\"EN-US\">AWS Identity and Access Management (IAM) is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS<\/span><\/li>\n<li><span lang=\"EN-US\">IAM is a feature of your AWS account offered at no additional charge<\/span><\/li>\n<li><span lang=\"EN-US\">Each IAM user has a unique identity (ID) and name<\/span><\/li>\n<li><span lang=\"EN-US\">When assigning permissions, use groups to assign permissions to multiple IAM users, and apply pre-built secure policies to those groups<\/span><\/li>\n<li><span lang=\"EN-US\">Always use AWS best security practices for authentication and authorization<\/span><\/li>\n<\/ul>\n<p><b><span lang=\"EN-US\">Glossary<\/span><\/b><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"107\"><b><span lang=\"EN-US\">Term<\/span><\/b><\/td>\n<td valign=\"top\" width=\"515\"><b><span lang=\"EN-US\">Brief description<\/span><\/b><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"107\"><b><span lang=\"EN-US\">Group<\/span><\/b><\/td>\n<td valign=\"top\" width=\"515\"><span lang=\"EN-US\">An IAM group is a collection of IAM users. 
Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"107\"><b><span lang=\"EN-US\">User<\/span><\/b><\/td>\n<td valign=\"top\" width=\"515\"><span lang=\"EN-US\">An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"107\"><b><span lang=\"EN-US\">Role<\/span><\/b><\/td>\n<td valign=\"top\" width=\"515\"><span lang=\"EN-US\">An IAM role is like a user: it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"107\"><b><span lang=\"EN-US\">Policy<\/span><\/b><\/td>\n<td valign=\"top\" width=\"515\"><span lang=\"EN-US\">A document in JSON format in which you define the permissions for a role. The document is written according to the rules of the IAM policy language. When you create a role, you create two separate policies for it: a trust policy, which specifies who can assume the role (the trusted entity, or principal), and the permissions policy, which defines what actions and resources the principal is allowed to use.<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"107\"><b><span lang=\"EN-US\">Identity provider<\/span><\/b><\/td>\n<td valign=\"top\" width=\"515\"><span lang=\"EN-US\">With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. 
You create an IAM identity provider entity to establish a trust relationship between your AWS account and the IdP. IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0).<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b><span lang=\"EN-US\">Summary<\/span><\/b><\/p>\n<ul type=\"disc\">\n<li><b><span lang=\"EN-US\">Don\u2019t MISS IT:\u00a0<\/span><\/b><a title=\"AWS Certified SysOps Administrator Associate \u2013 Practice Tests\" href=\"https:\/\/www.whizlabs.com\/aws-sysops-administrator-associate\/practice-tests\/\"><b><span lang=\"EN-US\">420 Practice Questions for SysOps Administrator Exam (50% Discount)<\/span><\/b><\/a><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">In this article, we have explained the concepts related to the AWS Identity and Access Management (IAM) service, how to create groups, users and roles, and best practices for controlling access to your AWS resources.<\/span><\/p>\n<p><b><span lang=\"EN-US\">References:<\/span><\/b><\/p>\n<p><span lang=\"EN-US\">[1] Amazon IAM FAQs.\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/iam\/faqs\" target=\"_blank\" rel=\"noopener noreferrer\"><span lang=\"EN-US\">https:\/\/aws.amazon.com\/iam\/faqs<\/span><\/a><span lang=\"EN-US\"><br \/>\n[2] Amazon IAM Documentation.\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/documentation\/iam\" target=\"_blank\" rel=\"noopener noreferrer\"><span lang=\"EN-US\">https:\/\/aws.amazon.com\/documentation\/iam<\/span><\/a><span lang=\"EN-US\"><br \/>\n[3] AWS Certified SysOps Administrator \u2013 Associate Certification.\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/certification\/certified-sysops-admin-associate\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span 
lang=\"EN-US\">https:\/\/aws.amazon.com\/certification\/certified-sysops-admin-associate\/<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Are you preparing for\u00a0AWS Certified SysOps Administrator \u2013 Associate certification exam? \u00a0Are you ready to pass this exam? In this blog, we are writing a series of articles on topics which are covered in the AWS certified SysOps associate certification exam. You can subscribe to us for receiving further updates on this topic. The SysOps Associate certification exam is the hardest exam at the associate certification level. We would recommend you pass both solution architect certification exam and developer associated certification exam first before of taking this exam. The AWS Certified SysOps Administrator \u2013 Associate exam validates technical expertise in [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":96382,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[3946,3935,195,241,3923,3970,3969,3924,1678,300,315,918,932,1441,3931],"class_list":["post-23386","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-certifications","tag-associate-developer","tag-aws-architect-associate","tag-aws-certification","tag-aws-certified-sysops-administrator","tag-aws-cloud-practitioner-exam","tag-aws-cloud-security-certification","tag-aws-data-science-certification","tag-aws-devops","tag-aws-resources","tag-aws-solution-architect","tag-aws-sysops-certification","tag-iam","tag-information-security","tag-security","tag-solution-architect-certification"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security.jpg",725,282,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security-150x150.jpg",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security-300x117.jpg",300,117,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security.jpg",725,282,false],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security.jpg",725,282,false],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security.jpg",725,282,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security.jpg",725,282,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security.jpg",24,9,false],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security.jpg",48,19,false],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/upl
oads\/2017\/04\/aws-iam-security.jpg",96,37,false],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security.jpg",150,58,false],"profile_300":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security.jpg",300,117,false],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security-250x250.jpg",250,250,true],"web-stories-poster-portrait":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security-640x282.jpg",640,282,true],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security-96x96.jpg",96,96,true],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/04\/aws-iam-security-150x58.jpg",150,58,true]},"uagb_author_info":{"display_name":"Pavan Gumaste","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/pavan\/"},"uagb_comment_info":5,"uagb_excerpt":"Are you preparing for\u00a0AWS Certified SysOps Administrator \u2013 Associate certification exam? \u00a0Are you ready to pass this exam? In this blog, we are writing a series of articles on topics which are covered in the AWS certified SysOps associate certification exam. You can subscribe to us for receiving further updates on this topic. 
The SysOps&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/23386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=23386"}],"version-history":[{"count":5,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/23386\/revisions"}],"predecessor-version":[{"id":96388,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/23386\/revisions\/96388"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/96382"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=23386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=23386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=23386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}