Amazon AWS Certified Security Specialty – Domain 4 – Identity & Access Management part 4
- Delegation – Cross Account Trust – Part 2
Hey everyone, and welcome back. In today’s video we’ll perform the practical related to the delegation that we were discussing yesterday. So for our practical, what are the things that we’ll need? The first thing is an identity account. So this will be the first AWS account, and on the right hand side you have one more, which is the production account. So there are two accounts which are needed. And we already discussed the overview architecture, where we’ll create a user in account A, we will create a cross-account role in account B, and we will allow the user to switch to the account B role. So a very simple step-by-step methodology. So let’s begin. Now here I am in my Google Chrome browser, and this is my first account, which is starting from 871. And along with that I have one more account.
This is running in my Firefox browser, which is starting from 453. Now, the account which is running in my Chrome, that will be the identity account, and the account which is running in Firefox, that would be the production account. So the user is something that we will be creating within our identity account. So let’s go to IAM. And I already have certain users which were created for other practicals. I’ll create a new user, I’ll name him Bob, I’ll give him AWS Management Console access. I’ll go ahead and click on Next and the user will be created. Perfect. So now once the user is created, let’s look into the second step. The second step is creating a cross-account role in account B. So let’s switch to account B. And within here I’ll go to IAM, I’ll select Roles and I’ll click on Create role.
Now there are various types of roles which can be created. Since we are going to work with delegation, or cross-account access, we’ll select the Another AWS account button. So this is the button that we will be selecting, and within here we will have to put the account ID from which the user will be originating. The role is getting created in the production account, but the users from the identity account will be assuming this role. So we have to put the account ID of this identity account. So in order to find that, I’ll go to the Support Center yet again, I’ll copy the account number and I’ll paste it over here. I’ll select Next: Permissions. So for the permission let me select S3 full access. I’ll click on Next: Review, and the role name that I’ll give is cross-account-production, and I’ll go ahead and create the role.
Perfect. So our role is created, and when you click on the role you will have the link here. So this is the link that the user from the identity account needs to be given. And one very important part is the trust relationship. So within the trust relationship, if I click on Edit trust relationship you will see that in the Principal you have the account ID of the identity account, and the action which is allowed is sts:AssumeRole. So any principal from this specific account ID, which is the identity account, will be allowed to perform sts:AssumeRole on this specific role that has been created. Perfect. So now we have done the second step as well, and the last step that is needed is to allow the user to switch to the account B role.
So since we have created the user, let me go to IAM once more. So basically we need to allow this Bob user to assume the role in account B. So the role that we created in the production account, we have to allow Bob to assume that role. So, one very important part to remember. Let me go to Bob, and within here I’ll select an inline policy, I’ll select the JSON document, and I already have a template for that. I’ll copy this template and I’ll paste it over here. I’ll be pasting it below the lecture so that you will be able to use that. Now within this template, within the action, the action which the user is allowed to perform is sts:AssumeRole, and within the resource we have to specify the ARN of the role that was created in the production account.
So if you see this role, this has the ARN, and this is the ARN that we need to paste over here. Perfect. So I’ll go ahead and click on Review policy, and within here I’ll name it cross-account-production so that we know that this policy allows assuming the role that belongs to the production account. Perfect. So now that we have a base set up, we need to test if everything is working perfectly. So in order to test, I’ll open up one more browser, which is going to be Opera, and from there we’ll log in to the Bob account. So it seems that Opera is not opening. So anyway, I’ll open up Internet Explorer. So I have various kinds of browsers installed so that we can have a backup as well as perform the practical perfectly.
So from Internet Explorer, the first thing that we need is to log in with Bob’s credentials to this identity account, because the user Bob is created within this identity account. So first we have to log into this account with the user Bob’s credentials. So this is the IAM console. I’ll go ahead and put the username as Bob, and for the password, let me just close the prompt, I’ll go to the security credentials, let me just reset the password. I’ll auto-generate a password and I will not select the option Require password reset. Otherwise what would happen is, when the user logs in, he’ll have to reset the password. I just want to keep it simple for the time being. I’ll just copy the password. Perfect. So now I’m logged in.
So if you see, this is Bob’s identity account. Now let me quickly show you this. So currently Bob has logged into this identity account. Now from this identity account, Bob needs to log into the production account. Now, since we have already created a cross-account role in the production account, all that we need is to give Bob the link to this specific role that we have created. Now this link can be accessed from the CA-production role. So if you see, it has given us the link. I’ll take the link and within a new tab I’ll paste the link. Now if you see, it has taken us to the Switch Role screen. I’ll go ahead and I’ll click on Switch Role. Perfect. So now if you see over here, I am logged in to the production account.
And since we had given S3 full access, let’s quickly also verify if any other things are opening. So here it is saying unauthorized, and if I go ahead and click on S3, S3 seems to be working perfectly. So this is a great thing, because if you see now, since we have two accounts, I only have to, or a Bob user only has to, remember the username and password associated with this identity account. And there can be a number of accounts like production, dev, stage, and all that Bob has to remember is the credentials of the identity account, and from this identity account he can switch to various other AWS accounts. So this is about delegation.
If you want, you can even click on Back to Bob and you will be redirected to the identity account again. So next time you want to switch to the production account, you can click over here and you can select CA-production. And now you are in the production account. So this is how easy it is for the cross-account role to be created. And if you are having multiple accounts, I’ve seen organizations having more than 50 accounts, and during that time having a cross-account role is a must in order to make sure that you have full control and the user experience is also good. So, this is it about today’s video. I hope this has been informative for you and I look forward to seeing you in the next video.
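The two policy documents from this practical, side by side, as an added example (not the lecture’s template or any AWS SDK code): the trust relationship on the role in the production account, the inline sts:AssumeRole policy on Bob in the identity account, the switch-role link shape the role page hands out, and a check that AssumeRole only works when both halves agree. The account IDs and the display name are constructed placeholders.

```python
"""Cross-account delegation as set up in the lecture: a role in the production
account (B) that trusts the identity account (A), and an inline policy on user
Bob in A that allows sts:AssumeRole on that one role. Account IDs are
constructed placeholders, not the accounts shown in the video."""

IDENTITY_ACCOUNT = "111111111111"    # constructed placeholder for account A
PRODUCTION_ACCOUNT = "222222222222"  # constructed placeholder for account B
ROLE_NAME = "cross-account-production"


def role_arn(account, name):
    return f"arn:aws:iam::{account}:role/{name}"

def trust_policy(trusted_account):
    """Trust relationship on the role in B, as 'Another AWS account' generates
    it: every IAM principal in the trusted account may call sts:AssumeRole."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole"}]}

def assume_policy(target_role_arn):
    """Inline policy on Bob in A: allowed to assume exactly this role ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": target_role_arn}]}

def switch_role_url(account, name, display_name):
    """Console switch-role link of the kind the role's summary page shows."""
    return ("https://signin.aws.amazon.com/switchrole"
            f"?roleName={name}&account={account}&displayName={display_name}")

def principal_account(arn):
    """arn:aws:iam::ACCOUNT:root -> ACCOUNT (field 4 of the ARN)."""
    return arn.split(":")[4]

def can_assume(trust, user_policy, caller_account, target_role_arn):
    """AssumeRole succeeds only when BOTH halves allow it: the role's trust
    policy names the caller's account AND the caller's own policy names the
    role. A mismatch on either side is the usual AccessDenied during setup."""
    trusted = any(
        s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
        and principal_account(s["Principal"]["AWS"]) == caller_account
        for s in trust["Statement"])
    permitted = any(
        s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
        and s["Resource"] == target_role_arn
        for s in user_policy["Statement"])
    return trusted and permitted
```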
- Revising AWS CLI
Hey everyone, and welcome back to the Knowledge Portal video series. And today we will be speaking about the AWS Command Line Interface. So let’s get started. Now, before we go into the AWS CLI, let us understand, or let us revise, the basics about the CLI. So, CLI stands for Command Line Interface, and it is one of the ways of interacting with the system in the form of commands. Now, the CLI is one of the fastest ways of doing things in a repeated as well as automated fashion. So the first thing that comes to mind when you see this picture is Linux. Now, most of you, including me, have spent a childhood working on the Windows system, and most of the things that we do in Windows are based on the GUI. On the contrary, in Linux most of the things are done through the CLI, or through the command way of doing stuff.
Now, the command line way of doing things is quite simple, and it is much faster as well. So, in order to understand the difference, we’ll take a simple use case where there are four important steps, and we’ll compare how much time it really takes to do it the GUI way and the CLI way. So the first is: create a directory called Test. Notice the capital T in Test. Inside this directory, create three text files, named one.txt, second.txt and third.txt. The content in each one of them would be “This is KPLabs demo”. And the fourth point we will avoid for now. So let’s go ahead and implement the three steps and see how much time it takes the GUI way and how much time it takes the CLI way. So let me do one thing. Let me do the GUI way on the Windows machine. So I’ll create a folder called Test. Now, I’ll create a text file called
one.txt, I’ll put “This is KPLabs demo”. I’ll save this, I’ll create one more file, second.txt, “This is KPLabs demo. This is the second file.” And the third file I name third.txt, “This is KPLabs demo”. So this is the GUI way of doing things. Now, what would happen if there are 100 files? You would end up doing things manually. Now, let’s do one thing. Let’s go to the Linux box. I have my Linux box up here, and I have written a simple script called demo.sh. So let’s run demo.sh. And you see it took less than a second to finish. And now if you see, there is a folder called Test. Within this there are three files, and each file contains the sentence “This is KPLabs demo”. Now, this way of doing things is quite fast. As you have seen, it takes less than 1 second. And if I copy this script to some different server and I run this script, it would run in the same manner.
That means it can be repeated and it can be automated. And this is one of the big benefits of the CLI. Now, the same goes with AWS. Till now, what we have been doing is we have been manually logging into the AWS console, and we were creating the EC2 instance, or we were creating the S3 bucket. So all of that is the GUI way of doing it. And the GUI is mostly always slow. However, there is always the CLI way, which is quite fast. And AWS also offers the CLI way of doing things. So when we talk about the AWS CLI, you might have already guessed: the AWS CLI is used for managing AWS resources from the terminal. Now, as the advantages of the CLI say, it makes room for automation and makes things much faster. So, quite simple. Let’s go ahead and understand and implement the AWS CLI.
So the first thing that you would need: when you log in, I hope you know, whenever you log into this account, you supply a username and password. Now for the CLI, you do not really supply a username and password. Instead you supply a similar counterpart called an access key and a secret key. So if you go to Security credentials over here, there is a field called Access keys. Now, whenever you are running the AWS CLI, you would need the access and secret key to be used instead of username and password. So let’s do one thing. Let’s create an access key. And you see, it has provided me an access key and a secret key. Now, for those who are interested in copy-pasting, I would really let you know that after this lecture I am deactivating this key, so you can try it out anyway.
So, coming back to the topic, now that we have the access and secret key, the first thing that we will be doing is installing the AWS CLI. So let me just maximize the screen. I’ll log in as root. Perfect. The first thing that you need to do is install the CLI. Now, one of the fastest ways of installing the AWS CLI is through the pip command. Now, pip generally does not come by default, so you have to do yum -y install python-pip. This is for the Red Hat based systems, or Amazon Linux, Fedora. So let’s wait for a minute for the pip package to get installed. Perfect. So now that we have the pip package installed, we will run pip install awscli. So pip will install the AWS CLI package, and through the AWS CLI we will be running commands which will connect to the AWS resources. Perfect.
So now we have the AWS CLI installed. So if I just type awscli... oops, aws. So when you type aws over here, you will find that the AWS CLI is working. So if I just do aws help, it will give me all the options which are made available. Now again, the first thing that you must do after you install the AWS CLI is to configure your credentials. Now, since in the AWS CLI your username and password will not work, you have to supply the AWS access key and AWS secret key. So I’ll run the aws configure command and it will ask me for the AWS access key. Now, I’ll copy the access key which I have generated, I’ll just paste it. For the secret key, I’ll have to copy this again and I’ll paste it. The default region, again, this would be the default region in which you are creating the resources.
In my case, it is us-west-2. Default output format, you can just press Enter. And now the AWS CLI has configured the credentials. Now, if you are wondering where it configured them, it has actually configured them within the AWS credentials file. So this is where your credentials are configured. Now, once we have the AWS CLI installed, let’s try and see if it is really working. So I’ll do aws s3 ls. And essentially it is telling me the bucket operation is denied. Perfect. So this is caused because the user does not really have permission to access the buckets. I’ll just remove this policy. Perfect. And let me go again. I’ll run the same command again, aws s3 ls. And now you see, I am actually able to see all the buckets. Now, you will be able to do all the things that you have been doing in the GUI through the CLI way. You can create buckets, you can delete buckets, you can create instances, everything you will be able to do. Now again, one of the advantages of running the AWS CLI is that it can be automated. And once you write your CLI script, you can do it in a repeated fashion. Now, one more thing that I really wanted to show you is the AWS CLI.
If you just type it, there is entire documentation related to the AWS CLI commands. Now, each of the services which are part of AWS has an AWS CLI command. So let’s try S3. So I’ll open up S3 over here, and it will show me the commands related to the S3 bucket. So all of these are the commands which are part of the S3 bucket. If you go down, you’ll see the available commands, which are cp, ls, mv and all those things. So I hope you got the basic concept related to what the AWS CLI means. And in the upcoming lectures, whenever necessary, we will be using the AWS CLI to automate a lot of things. So I hope this has been informative for you. And again, I’ll encourage you to practice this once. And I hope to see you in the next lecture.
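What `aws configure` actually writes to disk, as an added example (not from the lecture or from the AWS CLI code base): the access key pair lands in ~/.aws/credentials and the region and output format in ~/.aws/config, and because the credentials file holds a long-lived key equivalent to Bob’s password, the file mode is worth checking. The sample file contents and the key values are constructed placeholders, written to a temporary directory so it runs offline.

```python
"""Where `aws configure` stores its answers: access key and secret key in
~/.aws/credentials, region and output format in ~/.aws/config (INI files, one
section per profile). Sample contents below are constructed placeholders, not
real keys, and are written to a temp directory instead of the real home."""
import configparser
import os
import stat
import tempfile

SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = constructed-secret-placeholder
"""
SAMPLE_CONFIG = """[default]
region = us-west-2
output = json
"""

def write_aws_dir(base, mode=0o600):
    """Create <base>/.aws with both files; the CLI itself writes credentials 0600."""
    aws_dir = os.path.join(base, ".aws")
    os.makedirs(aws_dir, exist_ok=True)
    cred_path = os.path.join(aws_dir, "credentials")
    with open(cred_path, "w") as f:
        f.write(SAMPLE_CREDENTIALS)
    os.chmod(cred_path, mode)
    with open(os.path.join(aws_dir, "config"), "w") as f:
        f.write(SAMPLE_CONFIG)
    return aws_dir

def demo_aws_dir(mode=0o600):
    """Fresh temp directory holding the sample files (keeps the example offline)."""
    return write_aws_dir(tempfile.mkdtemp(), mode)

def load_profile(aws_dir, profile="default"):
    """Merge both files for `profile`; in config, non-default profiles are [profile NAME]."""
    creds = configparser.ConfigParser()
    creds.read(os.path.join(aws_dir, "credentials"))
    cfg = configparser.ConfigParser()
    cfg.read(os.path.join(aws_dir, "config"))
    settings = dict(creds[profile]) if profile in creds else {}
    cfg_section = profile if profile == "default" else f"profile {profile}"
    if cfg_section in cfg:
        settings.update(cfg[cfg_section])
    return settings

def credentials_world_readable(aws_dir):
    """True if group or others can read the long-lived key (the CLI writes 0600)."""
    st_mode = os.stat(os.path.join(aws_dir, "credentials")).st_mode
    return bool(st_mode & (stat.S_IRGRP | stat.S_IROTH))
```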