
Welcome to this lesson. In this lesson we're going to look at the AWS Directory Service. So this is a very Microsoft-centric topic, and if you're not that familiar with Microsoft technologies, especially services like Active Directory, don't worry, we'll break it all down for you. So let's jump right in.

So what is AWS Directory Service? Well, it's actually not a single service, it's a family of managed services, and these allow me to connect AWS resources with an existing on-premises Microsoft Active Directory. This is a standalone directory in the cloud, and it allows users to access AWS resources and applications with your existing corporate credentials. You can also log into the AWS Management Console using those same existing corporate credentials. Directory Service also enables single sign-on across any domain-joined EC2 instance, so if you have your fleet of EC2 instances all joined to an Active Directory domain, you don't need to manage the credentials on any individual instance.

So if you don't come from a Microsoft background, you might be wondering, what is Active Directory? Well, this is an on-premises directory service that's used by most enterprises. It's a hierarchical database of users, groups and computers organized in trees and forests, and you can apply what are called group policies to help you manage users and devices on a network. Under the hood, Active Directory is based on two protocols, LDAP and DNS: Lightweight Directory Access Protocol and Domain Name Service. And it supports the Kerberos, LDAP and NTLM authentication protocols. Active Directory is intended to be configured in a highly-available configuration requiring multiple servers, so the downside of that is that there is typically lots of management overhead, which is one reason why you would want to use a managed service, a managed service like AWS Managed Microsoft AD.

So this provides AD domain controllers running on real Windows servers. By default you get two domain controllers for high availability, each of those in its own Availability Zone. These domain controllers are reachable by applications in your VPCs. You can add additional domain controllers to increase availability or transaction rates, and you have exclusive access to these domain controllers; no other AWS users will share those two domain controllers, so you can be confident about the security. You can also extend your existing Active Directory to your on-premises infrastructure using what's called an AD trust.

Now, when working with managed services like this, there's some things you need to keep in mind. AWS will manage some aspects of the service for you, while you as the customer are responsible for some other aspects. First, AWS is going to perform a multi-AZ deployment for you, so you don't have to worry about high availability. They'll take care of patching, monitoring and recovering your domain controllers. They'll perform any kind of instance rotation for you, making sure that you're always on the latest version of the software. They'll also perform backup operations like snapshotting and restoring for you. Now, as the customer, you need to be concerned with users, groups and your Group Policy Objects; AWS will not manage those for you. You can use standard AD tools that you're already familiar with. And if you want to scale out your domain controllers, that's your responsibility. And like I mentioned before, you can employ an AD trust to form a resource forest; this again is your responsibility, as is management of any certificate authorities using LDAPS. And finally, if you want to create any kind of AD federation, that's also your responsibility as the customer. So that's AWS Managed Microsoft AD.

Let's take a look at its baby brother, Simple AD. This is a standalone directory in the cloud to support Windows workloads that need basic AD features, and there are two sizes that you can deploy with Simple AD: small, which is for less than 500 users, or large, which is up to five thousand users. Typically this makes it easier to manage things like, say, you want to use your existing corporate credentials to log into those EC2 instances rather than having to provision usernames and passwords on all of those instances or manage any kind of keys, and again, anything that might need a simple link to your on-premises AD infrastructure. So that's Simple AD.

Let's take a look at the AD Connector. When would you want to use this? Well, AD Connector is your best choice when you want to use your existing on-premises directory with compatible AWS services. AD Connector is a directory gateway or proxy for your on-premises AD. This helps you avoid caching information in the cloud. Using AD Connector, you can join your EC2 instances in AWS to your existing on-premises AD domain. So those are the AD-compatible services: Managed Microsoft AD, Simple AD and AD Connector.

Let's take a look at Cloud Directory. This is a directory-based store intended for developers. It supports multiple hierarchies with hundreds of millions of objects, and some places you might want to use this are applications that implement org charts, course catalogs or device registries. And this is a fully managed service, so no infrastructure for you to manage. So that's Cloud Directory.

Finally, we have Amazon Cognito user pools. Now, it's kind of interesting to me that AWS includes Cognito user pools in Directory Service, because it really has absolutely nothing to do with any of those other services I just mentioned, but for the sake of completeness we'll cover it here. So Cognito user pools are a managed user directory for SaaS, or software-as-a-service, applications. It's intended for sign-up and sign-in for web or mobile applications, typically used with social media identities. So for example, you can log into a SaaS application using your Facebook, Google or Amazon credentials.

So for the exam, it's important that you keep straight which of these services are AD-compatible and which are not AD-compatible. So for the AD-compatible services we have Managed Microsoft AD, also known as Directory Service for Microsoft Active Directory, AD Connector and Simple AD. These solutions also enable users to sign into AWS applications like Amazon WorkSpaces and QuickSight with your Active Directory credentials, so watch for an exam question that asks you about logging into WorkSpaces or QuickSight with AD credentials. Now, for the non-AD-compatible services we have Cloud Directory and Cognito user pools. So if you're a developer and you don't need Active Directory, you can use Cloud Directory to create directories that organize and manage hierarchical information, and Cognito user pools work with mobile and web applications.

All right, so that's everything you need to know about AWS Directory Service, and I'll see you in the next lesson.

Hello, Cloud Gurus, and welcome to this lesson. In this lesson we're going to take a look at IAM policies in a bit more depth. A previous lesson covered IAM users, groups, policies and roles; this lesson covers IAM permissions boundaries and how AWS evaluates IAM policies. Let's get started.

The first thing we need to understand when working with IAM policies is the Amazon Resource Name, or ARN. The ARN uniquely identifies any resource in AWS. They have an interesting syntax, and we're going to break that down for you now. All ARNs begin with a string that looks like this: arn, then partition name, then service, then region, then account ID. So what do all of these pieces mean? Well, arn is exactly what it says, the ARN. And then we have the partition. So you might not know this, but AWS actually has different partitions that it operates in. The most common one is aws, the one that you're familiar with, but if you're working in the China region, for example, that's a completely separate infrastructure called the aws-cn partition. You're not going to see it unless you work with AWS China, but just understand that that exists. Next we have service, and that's any of the AWS services like S3, EC2, RDS, DynamoDB and so on. Then we have a region, so these are any of the AWS regions like us-east-1, eu-central-1 and so on. And then finally you have your 12-digit AWS account ID. So all ARNs begin with a string that follows this structure, and they end with something of the form resource, or resource type and a qualifier.

So I realize this is super confusing and it makes no sense without an example, so let's take a look at some of those. Let's take a look at this first one here. This is an IAM user, so it starts with arn, aws, and then the service name, iam, and then we have two colons. Why do we have two colons there? Well, IAM is global, meaning it doesn't exist in a particular region, so this is actually an omitted value, so we just skip over that value using two consecutive colons. Then we have our 12-digit account ID, followed by a resource type/resource. The resource type is user and the resource is mark, that's me. So this ARN uniquely identifies my IAM user mark within my account.

Take a look at this next example. This is the ARN for a specific object inside of a bucket in S3. So we have arn, aws, the S3 service, then three colons, because there is no specific region or account ID needed to uniquely identify an object within S3. Remember, all bucket names in S3 are globally unique, so you don't need those additional qualifiers for uniqueness. So we have the bucket name / object name.

Let's take a look at another one here. This is a single table within DynamoDB. We have arn, aws, dynamodb, then the region, because DynamoDB is a regional service, our 12-digit account ID, and then our resource type, which is table, / resource name, which is orders, the name of our table.

Let's take a look at one last example here. We can use ARNs to specify not just a single resource but all resources of a particular type. So say we want to refer to all of the EC2 instances within a single account in a region. We would have arn, aws, ec2, us-east-1, because EC2 is a regional service, our 12-digit account ID, and then our resource type, which is instance, followed by /*, and we use a star as a wildcard. This represents all EC2 instances in that account in that region.

So next we have IAM policies. A policy is simply a JSON document that defines permissions, and we have two types. We have identity policies, which are attached to an IAM user, group or role. These policies let you specify what an identity can do, in other words its permissions. And then we have resource policies. Resource-based policies are attached to a resource. For example, you can attach resource-based policies to S3 buckets, SQS queues, KMS encryption keys and so on. With resource-based policies you can specify who has access to the resource and what actions they can perform on it. Now, it's important to understand with IAM policies: just because you've created a policy doesn't mean it has any effect. You have to attach that policy either to an identity or to a resource, so unless it's attached it has no effect.

Policies are simply structured as a list of statements. The basic format of an IAM policy looks like this. This is a JSON statement, and it all starts with a version number. The version number helps AWS identify the structure of the document; at the time of this recording it's always going to look like 2012-10-17. And like I said, a policy document is simply a list of statements; that's what the square brackets represent, an array or list. Each individual statement is enclosed in curly braces, so you can see here this outlines three statements in our policy. Now, each statement matches an AWS API request. What's an API request? So that's really any action that you can perform against AWS. So for example, when we start an EC2 instance, that's an API request; create a table in DynamoDB, that's an API request; or get an object from S3, that's also an API request.

So let's look at a more concrete example. So an IAM policy can start with something called a Sid; that's really just a human-readable string that's to tell you what this statement is for. Next we have an effect; it's either Allow or Deny. An IAM policy can either allow or deny specific actions on a specific resource. So this particular IAM policy obviously works with DynamoDB, and this policy is matched based on these actions. So actions are of the form service-name:action-name, and you can see some of them have wildcards at the end in the form of a star, so that refers to any API request that starts with that string: so BatchGet*, Get*, BatchWrite*, Delete*, Update* and so on. And then finally we have the resource; that's the resource that this action is against. So this IAM policy allows all of these actions to this particular resource, in this case a table called my table.

So let's take a look at creating and applying an IAM policy. So here I am in the AWS Management Console, and we want to go to IAM. Okay, so let's get started by creating a policy. Here I am in IAM, and we'll go to Policies. Now we have two types of policies in AWS: we have AWS managed policies and customer managed policies. The AWS managed policies are ones created by AWS for you for convenience, and they're denoted with this orange box icon here. These are not editable by you, but you can use as many as you like. And then we have customer managed ones like these here that I've created for specific purposes. We're going to create our own customer managed policy. Now, we can either use the visual editor or directly input them using JSON. I always directly input them using JSON so I can understand exactly what they're doing in detail. So let's go ahead and delete this boilerplate, and I'll paste in a statement that I've already prepared, and I'll walk you through what this means.

So what we want this policy to do is allow a number of actions against a bucket in S3, so we have two statements here. The first statement: the effect is Allow, the action is the S3 ListBucket API, and the resource is against a bucket called test. Now, it's a foregone conclusion that the bucket name test has already been used, but I'm just going to use this as an example. This statement is going to allow whatever user, group or role has this policy attached to list the bucket named test, that is, see all the objects in that bucket. We have a second statement here that's going to allow these three API calls against objects in that bucket: PutObject, which is to upload an object to S3; GetObject, which is to download an object from S3; and DeleteObject. You'll notice our ARN is a slightly different format, where after the bucket name we have /*, that wildcard we talked about, because these three API calls operate on the object level and we want them to apply to all objects within this bucket. We use /* as that wildcard. So: list all the contents within the test bucket, and put, get and delete all objects within that bucket, all objects of any name, /*. Let's review our policy, and we'll just call this S3 policy, and give a description if you like; I'm not going to do that right now. And you can see it gives you a summary: so the service is S3, the access level is limited list, read and write on multiple resources, and we'll create our policy.

So remember, just because we've created a policy doesn't mean it has any effect. We need to attach this policy to something for it to be effective. So let's attach this policy to a role. Go to Roles, and you can see I have a number of roles for all different purposes here. And let's say for example we want to allow EC2 instances access to that S3 test bucket and those three API calls that are in our policy. So we'll select AWS service, EC2, then Permissions, and here's where we type in the name of our policy. S3 policy is the policy that we just created; we expand that, we can verify that it is indeed the JSON statement that we entered, review, and we'll call this S3 role. You'll probably want to give it a much more specific name, but for the purposes of this demonstration that'll suffice. Just make sure that the S3 policy is attached here, and we'll create our role. So now our policy has an effect. If you attach this role to any EC2 instances, it will implicitly be granted access or denied access based on what that policy contains. So in our case, any EC2 instances that have this S3 role attached will have the ability to list objects within that test bucket as well as get, put and delete objects from that bucket.

Let's go back to this role. I want to show you two more things here. We can attach a policy, that's a type of managed policy; you click Attach policies. Let's say for example that EC2 instance needs to do more than just access that S3 bucket; let's say it needs full access to, say, all of DynamoDB. So we'll do a search for dynamodb here, and we want to grant it DynamoDB full access. Now, instead of creating an IAM policy specifying all the different permissions that we're going to need, we could simply choose this AWS managed policy here. This is a predefined set of permissions that's going to do everything that we need without having to manage that policy. So we'll click Attach policy, and now we have this AWS managed policy alongside our customer-defined policy here. Now let's say for example we want to grant some special permission to this role, but we don't want to define a policy that really lives outside the scope of this role. That's where we'll use inline policies here. Inline policies are just like any other kind of policy except the scope is limited to just this role; you can't use this inline policy with any other role. With any kind of ad hoc permissions management that you're doing, it's typically not a best practice to use an inline policy like this.

Okay, so let's take a look at some exam tips now. One thing that's absolutely critical to understand about IAM policies is that any permissions that are not explicitly allowed are implicitly denied. So if your identity or resource doesn't have a policy that explicitly allows an AWS API action, it's implicitly denied. If you have a policy that states an explicit deny, that overrides anything else in any other policies. So for example, if you have a policy that allows access to an S3 bucket but another policy that explicitly denies access to that same or all S3 buckets, the explicit deny will always override. And remember, only attached policies have an effect; just because you've defined a policy doesn't mean it's doing anything until it's attached to a user, group or role. And when you have multiple policies attached to either an identity or resource, AWS will join, or union, all those policies together when it performs its evaluation. So if an action is allowed by an identity-based policy, a resource-based policy or both, then AWS allows the action, and an explicit deny in either of these policies overrides the allow. Also understand AWS managed vs. customer managed policies.

Permissions boundaries: this feature can be used to delegate administration to other users. Developers that need to be able to create roles for Lambda functions, or any similar scenario, then you need permissions boundaries. AWS supports permissions boundaries for IAM entities, so users or roles. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. These are used to prevent privilege escalation or unnecessarily broad permissions. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. In other words, it controls the maximum permissions an IAM policy can grant. So some use cases for this: developers that create roles for Lambda functions, application owners creating roles for EC2 instances, or administrators creating ad hoc users. To apply a permissions boundary in each of these cases, let's go to the AWS Management Console again and I'll show you how this works.

So let's say we have our IAM user here, Ryan, and Ryan has the directly attached AWS managed policy AdministratorAccess. So as it stands right now, this user Ryan has full access to all features within this AWS account. But let's say for example we want to restrict Ryan to just DynamoDB; we can apply a permissions boundary to do just that. We expand this here; permissions boundary says it's not set. We want to set the boundary, so let's select the managed policy DynamoDB full access, click Set boundary, and it says permissions boundary AmazonDynamoDBFullAccess has been set for Ryan. So now, even though we have the AdministratorAccess policy directly attached to this user, the permissions boundary is going to govern the maximum permissions that this user has. So even though he's an administrator, he could only work within DynamoDB while this permissions boundary is set. So I hope that makes sense, and it's worth a few points on the exam, so I encourage you to play with this in your own account. So that's it for this lesson on IAM policies. Thanks, and I'll see you in the next lesson.
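As an added example that is not part of the lesson, here is the S3 policy described above written out as JSON, next to a small Python evaluator that applies the lesson's rules: ARNs split into their fields, actions and resources matched with the * wildcard, implicit deny by default, explicit deny overriding allow, attached policies unioned, and a permissions boundary capping an administrator to DynamoDB. The policies, account ID and bucket names are constructed, the DynamoDB-only boundary is a stand-in for the AmazonDynamoDBFullAccess managed policy rather than its real content, and the evaluator deliberately ignores conditions and anything else the lesson does not cover.

```python
import fnmatch

# Policies constructed for this example from the lesson's description (not copied from AWS).
S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListTestBucket", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::test"},
    {"Sid": "TestObjects", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::test/*"}]}
ORDERS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OrdersTable", "Effect": "Allow",
     "Action": ["dynamodb:BatchGet*", "dynamodb:Get*", "dynamodb:BatchWrite*",
                "dynamodb:Delete*", "dynamodb:Update*"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}]}
DENY_ALL_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed stand-in for the AmazonDynamoDBFullAccess policy used as a boundary in the lesson.
DYNAMODB_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}

def parse_arn(arn):
    """Split arn:partition:service:region:account:resource into its six fields.
    Empty strings mark the omitted region/account of global services (IAM, S3)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return dict(zip(("prefix", "partition", "service", "region", "account", "resource"), parts))

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value, case_sensitive):
    # '*' matches any run of characters; action names are case-insensitive, ARNs are not.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def evaluate(policies, action, resource):
    """Lesson rules: everything is implicitly denied, an explicit Deny overrides any Allow,
    and all attached policies are unioned before deciding."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (any(_match(a, action, False) for a in _as_list(stmt["Action"]))
                    and any(_match(r, resource, True) for r in _as_list(stmt["Resource"]))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

def is_allowed(identity_policies, action, resource, boundary=None):
    """A permissions boundary caps the identity policies: the request must be allowed
    by both, so an administrator bounded by DYNAMODB_ONLY can only touch DynamoDB."""
    if evaluate(identity_policies, action, resource) != "Allow":
        return False
    return boundary is None or evaluate([boundary], action, resource) == "Allow"

if __name__ == "__main__":
    obj = "arn:aws:s3:::test/report.csv"
    print(is_allowed([S3_POLICY], "s3:GetObject", obj))                      # True
    print(evaluate([S3_POLICY, DENY_ALL_S3], "s3:GetObject", obj))           # ExplicitDeny
    print(is_allowed([ADMIN], "s3:GetObject", obj, boundary=DYNAMODB_ONLY))  # False
```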
