1
00:00:00,500 --> 00:00:03,280
‫Okay, so let's play with IAM policies.

2
00:00:03,280 --> 00:00:06,683
‫So if we go into my user groups right now,

3
00:00:09,650 --> 00:00:12,410
‫I can see that my group admin contains,

4
00:00:12,410 --> 00:00:14,140
‫and this UI is a bit bugged,

5
00:00:14,140 --> 00:00:16,110
‫contains one user, Stephane.

6
00:00:16,110 --> 00:00:19,180
‫So if I go on the right hand side and go to my services

7
00:00:19,180 --> 00:00:22,863
‫and I go to IAM, so I'll go to the IAM service.

8
00:00:23,900 --> 00:00:24,760
‫I will show you one thing.

9
00:00:24,760 --> 00:00:26,990
‫So, this user is an admin user.

10
00:00:26,990 --> 00:00:29,320
‫And therefore, if you go to, for example, users,

11
00:00:29,320 --> 00:00:30,640
‫you can see all the users.

12
00:00:30,640 --> 00:00:31,640
‫Okay, great.

13
00:00:31,640 --> 00:00:33,220
‫So, now what I'm going to do is I'm going

14
00:00:33,220 --> 00:00:36,504
‫to remove Stephane from the admin groups.

15
00:00:36,504 --> 00:00:37,411
‫I'm going to remove this user

16
00:00:37,411 --> 00:00:40,632
‫and the user will lose the group permissions, that's true.

17
00:00:40,632 --> 00:00:43,010
‫So the user has been removed from the group

18
00:00:43,010 --> 00:00:45,430
‫and how do we make sure that this is applied?

19
00:00:45,430 --> 00:00:46,810
‫Well, if I go on the right-hand side

20
00:00:46,810 --> 00:00:50,500
‫and now refresh this page, as you can see,

21
00:00:50,500 --> 00:00:53,140
‫I need permissions to access this page

22
00:00:53,140 --> 00:00:55,460
‫and my user Stephane is not authorized

23
00:00:55,460 --> 00:00:59,400
‫to perform IamListUsers on this page.

24
00:00:59,400 --> 00:01:00,233
‫So that makes sense, right?

25
00:01:00,233 --> 00:01:03,310
‫Because we removed the user Stephane from the admins group.

26
00:01:03,310 --> 00:01:05,480
‫So, what I can do is I can fix this

27
00:01:05,480 --> 00:01:07,853
‫and to fix it, I can go into my users.

28
00:01:09,910 --> 00:01:12,540
‫Go to Stephane and now I can attach permissions

29
00:01:12,540 --> 00:01:14,380
‫directly to my Stefane user.

30
00:01:14,380 --> 00:01:17,760
‫So two ways of doing so, number one is to add permissions

31
00:01:17,760 --> 00:01:21,030
‫and use policies that already exists or that you created

32
00:01:21,030 --> 00:01:23,240
‫or add an inline policy to just add policies

33
00:01:23,240 --> 00:01:25,040
‫directly to the user.

34
00:01:25,040 --> 00:01:27,060
‫So, I'm going to add permissions

35
00:01:27,060 --> 00:01:29,860
‫and I'm going to attach existing policies directly

36
00:01:29,860 --> 00:01:31,750
‫and I will search for IAM.

37
00:01:31,750 --> 00:01:34,910
‫And I'm going to look for IAM read-only access.

38
00:01:34,910 --> 00:01:37,690
‫I review, I add these permissions

39
00:01:37,690 --> 00:01:41,000
‫and now my user Stephane has IAM read only access.

40
00:01:41,000 --> 00:01:42,040
‫What does that mean?

41
00:01:42,040 --> 00:01:45,020
‫That means that, for example, if I refresh this page...

42
00:01:47,340 --> 00:01:50,480
‫Then, as we can see, the user Stephane does exist.

43
00:01:50,480 --> 00:01:52,510
‫But, for example, if I go to groups

44
00:01:53,960 --> 00:01:58,534
‫and I try to create a group and call it "developers"

45
00:01:58,534 --> 00:02:00,440
‫and create this group,

46
00:02:00,440 --> 00:02:01,920
‫I'm going to get an exception

47
00:02:01,920 --> 00:02:04,220
‫because I'm not authorized to do create group,

48
00:02:04,220 --> 00:02:08,250
‫I was only authorized to have read-only access to IAM.

49
00:02:08,250 --> 00:02:11,560
‫So this really shows the power of IAM and so on.

50
00:02:11,560 --> 00:02:15,473
‫So, now if I go to my user groups, I can do two things.

51
00:02:15,473 --> 00:02:17,060
‫So number one, I can go

52
00:02:17,060 --> 00:02:19,470
‫into the admin group and I'm going to add back

53
00:02:19,470 --> 00:02:22,880
‫this Stephane user so that we have administrator access.

54
00:02:22,880 --> 00:02:24,640
‫The second thing I'm going to do is I'm going to

55
00:02:24,640 --> 00:02:27,131
‫create a group named "developers".

56
00:02:27,131 --> 00:02:31,060
‫And I'm also going to add Stephane into this group

57
00:02:31,060 --> 00:02:33,270
‫and I'm going to attach a policy,

58
00:02:33,270 --> 00:02:34,930
‫whatever the first policy I found

59
00:02:34,930 --> 00:02:36,742
‫it was direct connect to read only access

60
00:02:36,742 --> 00:02:38,480
‫and then create this group.

61
00:02:38,480 --> 00:02:40,070
‫It doesn't matter which policy you're attached to,

62
00:02:40,070 --> 00:02:42,060
‫I just want to show you a behavior.

63
00:02:42,060 --> 00:02:43,150
‫Okay so, now we have two groups,

64
00:02:43,150 --> 00:02:45,130
‫we have the admins and the developers,

65
00:02:45,130 --> 00:02:48,600
‫and the user Stephane is in both groups.

66
00:02:48,600 --> 00:02:49,790
‫So what's going to happen is

67
00:02:49,790 --> 00:02:51,960
‫that if I click on the user Stephane

68
00:02:51,960 --> 00:02:55,650
‫and look at the policies it has, it has three policies.

69
00:02:55,650 --> 00:02:59,890
‫One that was attached directly named IAM ReadOnlyAccess.

70
00:02:59,890 --> 00:03:01,940
‫One that was in two that were in Attached From Groups.

71
00:03:01,940 --> 00:03:05,490
‫The first one is administrator access from the group admin.

72
00:03:05,490 --> 00:03:08,350
‫And this one, it was direct connect read only access.

73
00:03:08,350 --> 00:03:09,930
‫from the group's developers.

74
00:03:09,930 --> 00:03:12,130
‫So, as we can see, the policies get inherited

75
00:03:12,130 --> 00:03:15,563
‫in different ways through the IAM permissions.

76
00:03:16,920 --> 00:03:19,530
‫So finally, I want to show you how policies work.

77
00:03:19,530 --> 00:03:20,919
‫So if you go to policies,

78
00:03:20,919 --> 00:03:23,560
‫we have a list of all the policies available

79
00:03:23,560 --> 00:03:26,040
‫within AWS right here, their managed policy.

80
00:03:26,040 --> 00:03:27,850
‫So this one is administrator access

81
00:03:27,850 --> 00:03:29,440
‫and we've been using it before.

82
00:03:29,440 --> 00:03:32,540
‫And if you look at the policy, JSON forum, as we can see

83
00:03:32,540 --> 00:03:35,130
‫we have a version and we have a statement

84
00:03:35,130 --> 00:03:37,330
‫that statement contains one statements

85
00:03:37,330 --> 00:03:38,980
‫and the effect is allowed.

86
00:03:38,980 --> 00:03:41,120
‫So to authorize action is "*",

87
00:03:41,120 --> 00:03:43,600
‫that means any action resource is "*",

88
00:03:43,600 --> 00:03:45,160
‫that means any resource.

89
00:03:45,160 --> 00:03:48,590
‫So we allow all the actions on all the resources

90
00:03:48,590 --> 00:03:53,090
‫therefore making this policy an administrator access policy.

91
00:03:53,090 --> 00:03:55,300
‫We can go into policy summary as well

92
00:03:55,300 --> 00:03:57,100
‫and this is another view of the policy.

93
00:03:57,100 --> 00:04:01,330
‫We have allow on 284 services of 284.

94
00:04:01,330 --> 00:04:03,230
‫Now services get added all the time,

95
00:04:03,230 --> 00:04:04,580
‫so if you don't have the same number,

96
00:04:04,580 --> 00:04:07,190
‫don't worry, the course is up to date.

97
00:04:07,190 --> 00:04:09,550
‫So we can have a look at another policy.

98
00:04:09,550 --> 00:04:11,930
‫For example, the IAM read only policy

99
00:04:11,930 --> 00:04:13,970
‫that we've dealt with from before.

100
00:04:13,970 --> 00:04:17,230
‫So, this time allows one service out of 284,

101
00:04:17,230 --> 00:04:18,220
‫which is IAM.

102
00:04:18,220 --> 00:04:20,220
‫And if we look at the JSON documents,

103
00:04:20,220 --> 00:04:22,890
‫we can see all the actions that are authorized

104
00:04:22,890 --> 00:04:25,050
‫by this IAM read only access.

105
00:04:25,050 --> 00:04:26,700
‫So we get, for example, iam:get*,

106
00:04:26,700 --> 00:04:29,520
‫the star GenerateCredentialsReport,

107
00:04:29,520 --> 00:04:31,850
‫and so on, on the resource start.

108
00:04:31,850 --> 00:04:34,190
‫There's also a way for you to create your own policy.

109
00:04:34,190 --> 00:04:36,937
‫So you can go back to your policies and create a policy

110
00:04:36,937 --> 00:04:38,550
‫and you have two ways of doing it.

111
00:04:38,550 --> 00:04:41,480
‫Either, you want to write plain and simple JSON

112
00:04:41,480 --> 00:04:43,350
‫or you can use the visual editor,

113
00:04:43,350 --> 00:04:44,183
‫and this is quite handy.

114
00:04:44,183 --> 00:04:46,579
‫For example, we can choose the service IAM,,

115
00:04:46,579 --> 00:04:48,370
‫then we can choose an action.

116
00:04:48,370 --> 00:04:51,550
‫And we can, for example, do a list user,

117
00:04:51,550 --> 00:04:53,600
‫so I can filter for list users

118
00:04:53,600 --> 00:04:57,600
‫for effects and I can do get user.

119
00:04:57,600 --> 00:05:00,860
‫So, let's say we want to add these two actions

120
00:05:00,860 --> 00:05:04,050
‫and on the resources we can specify specific resources

121
00:05:04,050 --> 00:05:05,740
‫or all resources.

122
00:05:05,740 --> 00:05:09,260
‫We could also specify a request condition if we wanted to.

123
00:05:09,260 --> 00:05:10,110
‫So, once we've done that

124
00:05:10,110 --> 00:05:11,470
‫if we go to the JSON documents

125
00:05:11,470 --> 00:05:15,444
‫as we can see the visual editor SID was added,

126
00:05:15,444 --> 00:05:17,279
‫which has the statement ID,

127
00:05:17,279 --> 00:05:19,440
‫and we have two actions that were added.

128
00:05:19,440 --> 00:05:22,160
‫So IAM list users and get users on resource start.

129
00:05:22,160 --> 00:05:24,350
‫So it's quite a handy way to generate JSON directly

130
00:05:24,350 --> 00:05:25,543
‫from the visual editor.

131
00:05:26,770 --> 00:05:28,640
‫Okay. So, just to finish this lecture,

132
00:05:28,640 --> 00:05:30,610
‫let's do a few things.

133
00:05:30,610 --> 00:05:33,390
‫In user groups, I'm going to delete the developers group

134
00:05:33,390 --> 00:05:34,223
‫cause I don't need it

135
00:05:34,223 --> 00:05:35,370
‫and I need you to type the name of the group,

136
00:05:35,370 --> 00:05:39,300
‫so I will type developers and click on deletes.

137
00:05:39,300 --> 00:05:41,730
‫And also on my user as Stephane,

138
00:05:41,730 --> 00:05:44,410
‫I'm going to remove the policy that was attached directly

139
00:05:44,410 --> 00:05:46,720
‫because we don't need this IAM read only policy,

140
00:05:46,720 --> 00:05:49,840
‫I will just remove it and we're good to go.

141
00:05:49,840 --> 00:05:52,840
‫So, now my user Stephane has a full administrator access

142
00:05:52,840 --> 00:05:54,870
‫because it is inherited from the admin group.

143
00:05:54,870 --> 00:05:58,360
‫And so obviously if I go back to my IAM

144
00:05:58,360 --> 00:05:59,640
‫also on the right side,

145
00:05:59,640 --> 00:06:02,170
‫as we can see, everything is working just fine.

146
00:06:02,170 --> 00:06:04,150
‫So I will refresh and here we go,

147
00:06:04,150 --> 00:06:05,068
‫things are working.

148
00:06:05,068 --> 00:06:06,690
‫So that's it for this lecture.

149
00:06:06,690 --> 00:06:07,523
‫I hope you liked it

150
00:06:07,523 --> 00:06:09,370
‫and I will see you in the next lecture.