Amazon AWS Certified Security Specialty – Domain 4 – Identity & Access Management part 5
- Revising IAM Role
Hey everyone and welcome back. So, continuing our journey with identity and access management, today we will be speaking about IAM roles. I hope you are able to understand and are finding this quite simple to grasp. Do feel free to connect or send your reviews, because those are the motivating things that help me wake up quite early every morning. Anyway, coming back, let’s understand what an IAM role is. We had discussed that if a user wants to access a particular resource in AWS, we attach a policy to that specific user, and once the user logs in through the AWS console or through the AWS CLI he will be able to do things according to the policies which are attached to the user.
Now the question is what happens if a server wants to do the same thing. Let’s assume there is an EC2 instance which wants to read the buckets in AWS S3. There are two major ways of doing this. The first thing you might say is that we can copy and paste the AWS access and secret key: we install the AWS CLI on the server, put in the access and secret key, and we will be able to access the AWS resources depending upon the policy. So that is one way. The second way is through an IAM role. So let’s understand how it works with a simple use case. The use case states that there is a folder named backup within which the critical daily snapshots of the application data are stored.
Now, as part of the backup process, you have to upload all the daily backups from the server to S3, and it says to design and implement this use case in a secure fashion. So basically what is needed is an EC2 instance where the application is stored, and that EC2 instance must be able to upload the files to AWS S3 in a secure fashion. Let’s go ahead and understand how we can achieve this specific use case. Now, I am already connected to the EC2 instance; I’ll just show you. This is the EC2 instance which is running, and I have logged in here. If I just type aws, you will find that the AWS CLI is preinstalled as far as Amazon Linux is concerned. And if I just do aws s3 ls, you will find that it is telling me to configure the credentials, because the credentials are not configured.
Now, in the earlier lecture we had configured the credentials through aws configure, but as far as EC2 instances are concerned this is not the right way. Let me show you why. Let’s assume that this is the server and there are a lot of other users who also have access to this specific server. We had created the access and secret key of the Alice user and we had pasted it into the virtual machine that is running over here. We already saw that whenever we do aws configure, the credentials are stored in plain text in the AWS credentials file. So this is my access key and this is my secret key. Now, if one more user has root access to the server, he will easily be able to run this command and get the access and secret key belonging to a specific user.
Now, this is one problem, and you will not be able to track it either. So if there are multiple users on the server who have a root account, all of them will be able to open the file and take this data. Now let’s assume one of the system administrators leaves your organization: you will never even know whether he has told someone the access and secret keys and is secretly using them. And there are cases where this has happened. So this is something that you do not really want to do in the first place. So what is the alternative? The alternative is the IAM role. Consider an IAM role to be similar to an IAM user; the only difference is that an IAM role gets attached to the EC2 instance.
So let me show you, and it will become much clearer once we do the practical. If I just click on the instance over here, you will find that IAM role is none; that means there is no IAM role attached. So let’s do one thing: let’s create our first IAM role. I’ll create a role over here, and it is asking me what type of role I want to create. For our case I want to create a role for an AWS service, and the service is EC2. In the use case I’ll select the first one and I’ll click on Next: Permissions. Now it is asking me either to attach a policy or to create a policy. This is very similar to how we created a policy for the IAM user in the previous lecture. So for our demo purpose, I’ll put S3 read-only access.
I’ll click on Next, and you have to give the role a name. I’ll give the role name as KPLabs, and you can click on Create role. Perfect, so the role is created. Now, if you just click on this KPLabs role you will see that it is very similar to what an IAM user looks like. Let’s open up the IAM user also. You see, in the IAM user we attach a policy, and in the IAM role we also attach a policy. The difference is that this role we have created can be attached to the EC2 instance that we had running, because this is an EC2-based role. So now what I’ll do is right-click on this EC2 instance, go to Instance Settings, click on Attach/Replace IAM Role, and here you can give the role name, which is KPLabs.
Now you might be wondering why the other roles were not displayed. You see, there are a lot of roles which have been created, but here it is only displaying KPLabs. The answer is that when you create a role, the role is created for an individual service, and we have only one role, called KPLabs, which is there for the EC2 service. This is the reason why in EC2 you are only able to find this specific role. So I’ll select this role and click on Apply. Now the role is attached to the instance, and if I click on the instance and go down, you see the IAM role is attached to the instance. So now what will happen is that all the policies which are part of the role that we had created apply to it; let’s go back to the role.
All the policies that we put inside this role will be applied to the EC2 instance which is attached, or connected, to this specific role. So since we have the KPLabs EC2 instance connected to this KPLabs role, and since the KPLabs role has AWS S3 read-only access, our instance should have the same permission. Let’s go back, and if I run the command again, now you see that I am able to list the buckets which are present in AWS S3. So this is the best way of doing things. Remember one thing; I will just open up the PPT again and we’ll go to the third slide. So remember one thing: an IAM role contains a set of policies, and any entity which is connected to that role will have the same permissions mentioned in the role.
Now again, a role can be used by an IAM user, an AWS service, as well as a SAML provider, which we’ll be discussing in the relevant section. The last important thing that I would like you to remember is that if you’re working as a solutions architect or security engineer within your organization, do not allow the use of access and secret keys within the code or within any servers. I actually spent more than three months in my previous organization, which was a payments organization; we spent more than three months trying to remove the AWS access and secret keys, because it was a big pain. They had actually been shared with a lot of people who were outside the organization as well. So just remember: never ever use access and secret keys as far as EC2 instances and AWS environments are concerned.
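The check a security engineer would actually run on a server after this lecture is an audit of the plain-text credentials file that aws configure writes. The script below is an added example, not the course’s code: it parses the shared credentials file format with the standard library and flags profiles holding long-lived IAM user keys (access key IDs beginning with AKIA; temporary STS keys begin with ASIA), reporting only the key prefix so the audit output does not leak the secret. The file contents, profile names and key values are constructed for the demo.

```python
# Added example, not from the course: audit an AWS shared credentials file
# (the plain-text file `aws configure` writes, usually ~/.aws/credentials)
# for long-lived IAM user keys, which should never sit on an EC2 host.
# The file contents below are constructed; the AKIA/ASIA prefixes are the
# real conventions for IAM user keys and STS temporary keys respectively.
import configparser
from typing import Dict, List

SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = constructedLongLivedSecretKey

[ci-temp]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = constructedTemporarySecretKey
aws_session_token = constructedSessionToken

[broken]
aws_access_key_id = ASIAEXAMPLEEXAMPLE04
aws_secret_access_key = constructedSecretWithoutToken
"""


def classify_access_key(access_key_id: str) -> str:
    """AKIA... is a long-term IAM user key; ASIA... is an STS temporary key."""
    if access_key_id.startswith("AKIA"):
        return "long-lived"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def audit_credentials_file(credentials_text: str) -> List[Dict[str, str]]:
    """Return one finding per profile holding a key you would not want on a server.

    Flagged: long-lived user keys, and temporary keys stored without their
    session token (they will not authenticate and usually mean something was
    pasted by hand). Only the 4-character key prefix is reported.
    """
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    findings: List[Dict[str, str]] = []
    for profile in parser.sections():
        key_id = parser[profile].get("aws_access_key_id")
        if not key_id:
            continue
        kind = classify_access_key(key_id)
        has_token = parser[profile].get("aws_session_token") is not None
        if kind == "long-lived":
            reason = "long-lived IAM user key stored in plain text"
        elif kind == "temporary" and not has_token:
            reason = "temporary key stored without its session token"
        else:
            continue  # temporary key with a token: the shape a role would produce
        findings.append({"profile": profile, "key_prefix": key_id[:4], "reason": reason})
    return findings


def audit_credentials_path(path: str) -> List[Dict[str, str]]:
    """Convenience wrapper for a real file, e.g. audit_credentials_path('/root/.aws/credentials')."""
    with open(path, encoding="utf-8") as handle:
        return audit_credentials_file(handle.read())


if __name__ == "__main__":
    for finding in audit_credentials_file(SAMPLE_CREDENTIALS_FILE):
        print(finding)
```

Run it against every home directory on a host (root included, since the lecture’s point is that every root user can read the file) and treat any long-lived finding as a key to revoke and replace with an instance role.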
- EC2 Instance Meta-Data
Hey everyone and welcome to the Knowledge Portal video series. Today we will be speaking about EC2 instance metadata. So let’s go ahead and understand what this is. At a very high level, instance metadata basically provides data about your instance. Now, it really plays a key role, specifically when you want to automate various aspects related to the configuration parameters of your application which depend upon the EC2 instance. Definitely, from this line it will not be clear what exactly it is, so let’s understand it with a use case. We have a very simple use case which will give you a solid idea of how EC2 instance metadata helps.
The use case is that ISA is a PHP-based web application which allows users to get information related to their grades. Now, ISA has the intelligence to enable or disable modules depending upon the size of the instance. If the instance size is m4.large, ISA will enable all the modules; however, for t2-based instances, it will disable certain modules. So, a very simple web application. The use case is that there is a web application, and the web application has the intelligence to enable all the modules if the instance size is m4.large. So m4.large: it needs this specific instance size to run effectively. However, for the instances which are of the t2.x series, the application will disable certain modules because it would lead to performance issues.
Now, the challenge here is that since the application is going to be launched in the AWS Marketplace, what is the best way to retrieve the instance type on which the application is deployed? Since the application will be released in the AWS Marketplace, there are a lot of other people who might use that specific appliance. It might be possible that some person located in a different country launches this instance on a t2.nano; it might also happen that someone launches it on an m4.large. So depending upon the instance type on which the user launches the appliance, the application should automatically enable or disable the modules.
So this is the challenge. Let’s look into how we can achieve this specific use case. As we already discussed, instance metadata basically provides the data about your instance. So let’s do one thing. I have one KPLabs-2B instance which is running, and if you see, it is running on instance type t2.micro. So let’s go ahead and see where we find the instance metadata. I’m logged into the instance over here. If I just do ifconfig, this is the instance in AWS. Every instance has access to the instance metadata, which provides the details related to the EC2 instance. So let me just show you.
If I do curl http://169.254.169.254, now you will see it gives you a lot of information. All of these are related to a specific snapshot in time; we want to have the latest one, which will support the latest API calls. So I’ll put /latest and then meta-data. Now what you’ll find is various information related to the AMI ID, instance ID, instance type, metrics, network, even the public hostname and public IP addresses. Let’s do one thing: I’ll clear the screen, and now let’s try and find out the AMI ID. So I’ll put ami-id, and here, if you see, it will return me the AMI ID which is associated with this instance. Just to verify, it ends with bdd2. If I just go here, you see the AMI ID ends with bdd2. Perfect. So let’s try a few more things.
Over here I’ll put public-ipv4, and it is giving me the public IP address of the instance, which ends in 120.10. Let’s verify it again, and you see 120.10. So all this information that is being provided with the help of metadata consists of the parameters which are attached to the specific EC2 instance. Now, when we discuss the use case that we had seen earlier, whenever the application is launched it should know what type of instance it is being launched on, and depending upon the type of instance, it would either enable all the modules or disable certain modules. So in order to do that, what the application can do is, before starting, call the instance metadata and find the instance type.
If you see over here, the instance metadata has a field called instance-type. So you can just put instance-type and it will give me the instance type of the EC2 instance. So in order to solve the use case, the application can do a curl on this specific URL, find the instance type, and before the application gets started, it can either start all the modules or disable certain modules depending upon the instance type which it finds from the instance metadata. So I hope you got a basic understanding of what instance metadata is and the applications in which instance metadata can help.
Once you start working in AWS, there will be a lot of similar use cases where the instance metadata will help. One more thing before we conclude this lecture: there are various instance metadata categories. We already discussed ami-id and instance-type. AWS has pretty good documentation on the categories which are available under the EC2 metadata, and it also explains the description of each of the metadata categories available. So go ahead and read this documentation if you want to understand a specific metadata category.
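The ISA use case from this lecture, written out as an added example that is not part of the course: a client fetches instance-type from the metadata service and decides which modules to enable. Because the real service only answers from inside an EC2 instance, the example starts a constructed stand-in on 127.0.0.1 that serves the same paths; the client is written for the IMDSv2 token handshake (a PUT to /latest/api/token, then the token sent on every GET), which the lecture does not cover but is the form a new deployment should use. The module names and the exact ISA rules are assumptions; the metadata values served are constructed.

```python
# Added example, not the course's code: a mock EC2 instance metadata service on
# localhost plus a client that reads instance-type from it and picks application
# modules, as in the lecture's ISA use case. Real IMDS lives at
# http://169.254.169.254; the server, values, module names and ISA rules here
# are constructed for the demo.
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Tuple

# Constructed metadata tree; a real instance returns its own values.
FAKE_METADATA = {
    "/latest/meta-data/instance-type": "t2.micro",
    "/latest/meta-data/ami-id": "ami-0123456789abcdef0",
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
}
FAKE_TOKEN = "constructed-imdsv2-session-token"


class FakeImdsHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, body: str) -> None:
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # IMDSv2 step 1: PUT /latest/api/token with a TTL header yields a session token.
        if self.path == "/latest/api/token" and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            self._reply(FAKE_TOKEN)
        else:
            self.send_error(400)

    def do_GET(self):
        # IMDSv2-only behaviour: a GET without the session token is refused.
        if self.headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
            self.send_error(401)
            return
        value = FAKE_METADATA.get(self.path)
        if value is None:
            self.send_error(404)
            return
        self._reply(value)


def start_fake_imds() -> Tuple[ThreadingHTTPServer, str]:
    """Start the mock on a free localhost port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeImdsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def stop_fake_imds(server: ThreadingHTTPServer) -> None:
    server.shutdown()
    server.server_close()


def get_metadata(base_url: str, category: str, timeout: float = 2.0) -> str:
    """Fetch one metadata category the IMDSv2 way: token first, then the GET."""
    token_req = urllib.request.Request(
        f"{base_url}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(
        f"{base_url}/latest/meta-data/{category}",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


ALL_MODULES = ("grades", "reports", "analytics", "export")  # constructed names
REDUCED_MODULES = ("grades", "reports")


def modules_for_instance_type(instance_type: str) -> Tuple[str, ...]:
    """Constructed ISA rule: m4.large runs everything, t2.* runs a reduced set.
    Anything else is treated conservatively like a small instance (assumption)."""
    if instance_type == "m4.large":
        return ALL_MODULES
    return REDUCED_MODULES


def decide_modules(base_url: str) -> Tuple[str, Tuple[str, ...]]:
    """What the application does before start-up: ask IMDS, then choose modules."""
    instance_type = get_metadata(base_url, "instance-type")
    return instance_type, modules_for_instance_type(instance_type)


if __name__ == "__main__":
    server, url = start_fake_imds()
    try:
        print(decide_modules(url))  # on the mock: ('t2.micro', ('grades', 'reports'))
    finally:
        stop_fake_imds(server)
```

Point decide_modules at http://169.254.169.254 on a real instance and it works unchanged. On real EC2, refusing token-less GETs as the mock does is an instance setting (metadata options with HttpTokens=required), which is worth enabling so that a request-forgery bug in the web application cannot read the metadata endpoint on the application’s behalf.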
- Understanding the working of an IAM role
Hey everyone and welcome back to the Knowledge Portal video series. In the previous lecture we had been discussing what an IAM role is. We also discussed the EC2 instance metadata. So now that we have our base set up, we will go ahead and understand in more detail how an IAM role actually works. Let’s go ahead and understand with a simple animation. We have an EC2 instance over here and we have an S3 bucket. This is the use case that we already discussed in the earlier lecture: the EC2 instance wants to connect to the S3 bucket. Now, there are two ways to do that.
The first way is that we install the AWS CLI, run the aws configure command and put in the access and secret keys. That is not a very good way, as we discussed. The second way is the IAM role way. What happens with the IAM role is that we create an IAM role and we put some policies within this role. Once we have created the policy inside the IAM role, we connect the IAM role to the EC2 instance, and then the EC2 instance will be able to gain the permissions which are attached to the role and will be able to connect to the S3 bucket. Perfect. So this is the high-level overview of how the IAM role works. Now let’s connect this with the EC2 instance metadata and look into how it really works.
Just to quickly verify, I have my KPLabs instance over here and it does not really have an IAM role; if you see over here, it does not have an IAM role. So if I do an aws s3 ls over here, it will ask me to run aws configure, because there is no IAM role connected. Perfect. Now, if you do a curl on the metadata, there is a category called iam. If I just query iam, you see you don’t really get any results. The reason is that there is no IAM role attached to the instance. So let’s do one thing: let’s quickly go ahead and attach the IAM role to the instance; I’ll attach the KPLabs IAM role. Perfect, so the IAM role is attached. Let’s see. Perfect. Now let’s quickly go to the IAM role and see what policies are attached.
Okay, so it has AWS S3 read-only access. Now, since the IAM role is connected to the EC2 instance, the EC2 instance will be able to inherit the permissions which are part of this specific role. So now, if I query the instance metadata again, you will see that two important fields have come up. Let me just clear the screen and run the command again. So there are two important fields: one is info and the second is security-credentials. Let me do info/, and what it is giving me is the instance profile ARN. So the instance profile is KPLabs. If you just validate this against the role, it is giving me this specific profile ARN. So this is the ARN of the instance profile to which the role belongs.
Now, if we run aws s3 ls: this command is just to verify whether the role is correctly attached or not, and since it succeeds, we are guaranteed that the role is attached to the EC2 instance. So if I run aws s3 ls, now you see it is giving me the list of buckets which are present in S3. Now we’ll go into more detail. The question is how exactly is the EC2 instance able to connect to the S3 bucket. Behind the scenes, what happens is that the IAM role provides an access key and an associated secret key to the EC2 instance, and the EC2 instance uses that access and secret key to connect to the S3 bucket. So let’s look into how exactly that really works.
Let me do a query on iam, and this time, instead of going to info, I’ll do security-credentials. Okay, let me do KPLabs. And now, if you see, I find that there is an access key, there is a secret key, and there is an associated token. So the IAM role provides the instance with an access key, a secret key and a token. Now the instance, or the AWS CLI, will use this access key and the secret key to query the S3 bucket, and thus the S3 results will be obtained. Now, a question that many of you might ask is: if access and secret keys are involved anyway, why can’t I directly use the user’s access and secret keys? There is one very big difference. The access and secret key which the IAM role provides rotates; that is very important to remember.
If you look over here, there is an expiration timer. So this access key and this secret key will be rotated after a specific amount of time; let’s assume one hour. So every one hour the access key and the secret key will keep on rotating. So even if a user steals this access and secret key, he will only be able to do things for one hour. After one hour the keys will be rotated and the older keys will have expired. So this is one very important thing to remember. And the nice thing about using an IAM role is that the entire part of key rotation and key expiration is handled by AWS IAM, and you don’t really have to do anything related to that. So I hope you got the overview of how exactly the IAM role works, and I look forward to seeing you in the next lecture.
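What the AWS CLI does with the security-credentials document and its Expiration field, written out as an added example that is not part of the course: parse the JSON the role exposes under /latest/meta-data/iam/security-credentials/<role-name>, hand the temporary access key, secret key and token to callers, and fetch a fresh set a few minutes before they expire. The HTTP call is replaced by a fetch callable and the clock by a now callable so the code runs offline and the rotation can be exercised with a fake clock; the credential values are constructed, while the field names (Code, AccessKeyId, SecretAccessKey, Token, Expiration) are the ones the metadata service returns.

```python
# Added example, not the course's code: a small credential cache that consumes
# the JSON an IAM role exposes via instance metadata and refreshes it before the
# Expiration timestamp, which is the rotation the lecture describes. `fetch` and
# `now` are injected so the example runs offline; credential values are constructed.
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Constructed response in the shape of /latest/meta-data/iam/security-credentials/<role-name>.
SAMPLE_ROLE_RESPONSE = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE03",
    "SecretAccessKey": "constructedTemporarySecret",
    "Token": "constructedSessionToken",
    "Expiration": "2024-01-01T16:00:00Z",
})


def utc_time(text: str) -> datetime:
    """Parse the metadata service's timestamp format, e.g. 2024-01-01T16:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_role_credentials(body: str) -> Dict[str, object]:
    """Turn the raw JSON into the three values a signer needs plus the expiry."""
    data = json.loads(body)
    if data.get("Code") != "Success":
        raise ValueError(f"metadata service reported Code={data.get('Code')!r}")
    return {
        "access_key_id": data["AccessKeyId"],
        "secret_access_key": data["SecretAccessKey"],
        "session_token": data["Token"],  # temporary keys are useless without it
        "expiration": utc_time(data["Expiration"]),
    }


def seconds_until_expiry(creds: Dict[str, object], now: datetime) -> float:
    return (creds["expiration"] - now).total_seconds()


class RoleCredentialCache:
    """Hands out role credentials, re-reading IMDS REFRESH_MARGIN before expiry."""

    REFRESH_MARGIN = timedelta(minutes=5)

    def __init__(self, fetch: Callable[[], str],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch = fetch      # e.g. a function doing the IMDS GET for the role
        self._now = now
        self._creds: Optional[Dict[str, object]] = None
        self.refresh_count = 0   # how many times IMDS was consulted

    def needs_refresh(self) -> bool:
        if self._creds is None:
            return True
        return self._now() >= self._creds["expiration"] - self.REFRESH_MARGIN

    def get(self) -> Dict[str, object]:
        if self.needs_refresh():
            self._creds = parse_role_credentials(self._fetch())
            self.refresh_count += 1
        return self._creds


if __name__ == "__main__":
    cache = RoleCredentialCache(fetch=lambda: SAMPLE_ROLE_RESPONSE,
                                now=lambda: utc_time("2024-01-01T10:30:00Z"))
    creds = cache.get()
    print(creds["access_key_id"], "expires in",
          seconds_until_expiry(creds, utc_time("2024-01-01T10:30:00Z")), "seconds")
```

The SDKs and the CLI already contain this loop, so application code never has to touch the metadata endpoint for credentials; the value of seeing it spelled out is the Expiration field, which is exactly what bounds the damage if a copy of these keys leaves the instance.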