This document discusses security mechanisms for protecting AWS users and groups:
1. Password policies can be implemented to strengthen passwords by setting minimum length, requiring certain character types, and preventing password reuse.
2. Multi-factor authentication (MFA) provides additional security beyond passwords by requiring users to authenticate with both a password and a physical security device. Common MFA devices for AWS include virtual MFA apps, physical security keys, and hardware key fobs.
3. Access keys can be generated and downloaded from the AWS management console to allow command line and programmatic access to AWS services via the CLI and SDKs. Access keys should be treated securely like passwords and not shared with others.
This document discusses security mechanisms for protecting AWS users and groups:
1. Password policies can be implemented to strengthen passwords by setting minimum length, requiring certain character types, and preventing password reuse.
2. Multi-factor authentication (MFA) provides additional security beyond passwords by requiring users to authenticate with both a password and a physical security device. Common MFA devices for AWS include virtual MFA apps, physical security keys, and hardware key fobs.
3. Access keys can be generated and downloaded from the AWS management console to allow command line and programmatic access to AWS services via the CLI and SDKs. Access keys should be treated securely like passwords and not shared with others.
This document discusses security mechanisms for protecting AWS users and groups:
1. Password policies can be implemented to strengthen passwords by setting minimum length, requiring certain character types, and preventing password reuse.
2. Multi-factor authentication (MFA) provides additional security beyond passwords by requiring users to authenticate with both a password and a physical security device. Common MFA devices for AWS include virtual MFA apps, physical security keys, and hardware key fobs.
3. Access keys can be generated and downloaded from the AWS management console to allow command line and programmatic access to AWS services via the CLI and SDKs. Access keys should be treated securely like passwords and not shared with others.
protect these users and groups from being compromised so for this we have two defense mechanisms the first one is to define what's called a password policy why well because the stronger the password you use the more security for your accounts so in aws you can set up a password policy with different options the first one is you can set a minimum password length and you can require specific character types for example you may want to have an uppercase letter lowercase letter number non-alphanumeric characters for example a question mark and so on then you can allow or not imusers to change their own passwords or you can require users to change their password after some time to make your password expired for example to say every 90 days users have to change their passwords finally you can also prevent password reuse so that users when they change their passwords don't change it to the one they already have or change it to the one they had before so this is great a password policy really is helpful against brute force attacks on your account but there's a second defense mechanism that you need to know going into the exam and this is the multi-factor authentication or mfa it is possible you already used it on some websites but on aws it's a must and it's very recommended to use it so users have access to your account and they can possibly do a lot of things especially if they're administrators they can change configuration delete resources and other things so you absolutely want to protect at least your root account and of hopefully all your iem users so how do we protect them on top of the password well you use an mfa device so what is mfa mfa is using the combination of a password that you know and a security device that you own and these two things together are have a much greater security than just a password so for example let's take alice alice knows her password but she also has an mfa generating token and by using these things together while logging in she's going to be able to do a successful login on mfa so the benefit of mfa is that even if alice has lost her password because it's stolen or it's hacked the account will not be compromised because the hacker will need to also get a hold of the physical device of alice that could be her phone for example to do a login obviously that is much less likely so what are the mfa devices option in aws and you need to know them going into the exam but don't worry they're quite simple the first one is a virtual mfa device this is what we'll be using in the hands-on and so you can use google authenticator which is just working on one phone at a time or using authy which is multi-device they both work the same way except one is multi-device and personally i use offi because i like the fact i can use it on my computer and on my phones so for authy you have support for multiple tokens on a single device so that means that with the virtual mfa device you can have AWS IAM MFA overview your root account your IAM user another account another im user it's up to you you can have as many users and accounts as you want onyour virtual mfi device which make it a very easy solution to use now we have another thing called a universal second factor or utf security key and that is a physical devicefor example a ub key by ubico and ubicois a third party to aws this is not aws that provides it this is a third party and we use a physical device because maybe it's super easy you put it on your key fobs and you're good to go so this ub key supports multiple root and im users using a single security key so you don't need as many keys as users otherwise there will be a nightmare then you have other options you have a hardware key fob mfa device for example this one provided by gemalto which is also a third party to aws and finally if you are using the cloud of the government in the u.s the aws govcloud then you have a special key fob that looks like this that is provided by surepass id which is also a third party so that's it we've seen the theory on how to protect your account
AWS access keys
so we have seen how to access aws using the management console which is the web interface that we've done so far in this course but there are actually three different options to access aws so the first one is the management consoles we've seen and it's protected by your username password maybe multi-factor authentication then there is the cli command line interface and this is something we will set up on our computer and this is protected by access keys and access keys are credentials we're going to download in a few seconds that will allow us to access aws from our terminal then finally there is the sdk the aws software development kits which is use whatever you want to call apis from aws from within your application code and again these will be protected by the exact same access keys so how do we generate access keys well we will do this through the management console and users are responsible for their own access keys and access keys from a user perspective there are secret just like a password so if you generate your own access keys do not share them with your colleagues because they can generate their own access keys as well so really make sure that you treat your access key id just like your username and your secret access key just like your password you do not share them with other people so when you go into the management console you get access key and there's a button to create access keys and then it gives you the right to download it in the very second and so for example here is a fake access key id and a fake secret access key and these when loaded into my command line interface would allow me to access the aws api and we'll do this in the hands-on in a second so again remember i want to make sure that you don't have any security issues while doing this course or at work do not share your access keys they are private to you so if you're new to the cloud and programming and so on or it then you might not know what's a cli so cli stands for command line interface and the aws cli is a tool that allows you to interact with the aw services using commands from your command line shell so whenever you see some code where you type a command line and then it returns a result for example aws s3 cp and so on this is what we call the cli and we are using the ado cli because we start every command by the word aws now with this cli you get direct access to the public apis of your aware services which is going to be very helpful in this course and then using the cli you can develop scripts to manage your resources and automate some of your tasks the cli is open source you can find all the source code on github and it is an alternative to using the aws management console i know that some people actually do not even use the manager console they only use the cli for example so what's the sdk now sdk stands for software development kits and this is a set of library this is going to be language specifics you're going to have an sdk for different programming languages and the similarly it will allow you to access and manage your ado services and apis programmatically but this time the sdk is not something that you use within your terminal it is something that you embed within your applications that you have to code so your application will have the error sdk from within them it supports many different programming languages such as javascript python php.net ruby java go node.jsc plus plus all of that's our programming languages there's also the mobile sdk if you're using android or ios and the iot so internet of things device sdk in case you're using some thermal sensors or bike locks that are connected all these kind of things so to give you an example of what you can build with the sdk well the aws cli that we're going to be using in this course is actually built on the aws sdk for pyt hon named boto so that's it for this lecture now in the next lecture we're going toractice uh setting up this the cli and dealing with access keys