# AWS Identity and Access Management (IAM)


### What Is IAM?


AWS Identity and Access Management (IAM) is a web service that helps you 
securely control access to AWS resources for other users in the same account.
Using IAM you can control both authentication and authorization: 
who can access AWS resources (authentication), and which resources other 
users can use and in what ways (authorization).


#### How to get the access key ID and secret access key for an IAM user

Access keys consist of an access key ID and a secret access key. These are 
used to sign the programmatic requests that we make to AWS. Access keys
can be created from the AWS Management Console, the AWS CLI or through an SDK.

IAM access keys should be used instead of AWS account root user access keys.

The only time that you can view or download the secret access key is when 
you create the keys, whether through the AWS console (website), the CLI 
(command line) or an SDK (for example Python). You cannot recover it later. 
However, you can always create new access keys at any time.

[Click here](https://youtu.be/Ul6FW4UANGc) to watch a short video on IAM 
from AWS to learn what it does in brief. 


### What does IAM offer?

1. Shared access to your AWS account
Give and manage permissions to other people to use resources in your AWS 
account. You don't have to share your password or access key to give access 
to your resources.

2. Granular permissions
It's possible to give different levels of permissions to different people 
for different resources. For example, you might allow some users complete 
access to Amazon EC2, Amazon S3 and other AWS services. For other users, 
you might allow read-only access to just some S3 buckets, or permission 
to administer just some EC2 instances but nothing else.

You can securely give applications that run on EC2 instances the credentials 
that they need in order to access other AWS resources, like S3 buckets.

3. Multi-factor authentication (MFA)
You can add two-factor authentication to your account and to individual users 
for extra security. 


4. Identity federation
You can allow users already authenticated elsewhere, for example in your corporate network, 
to get temporary access to your AWS account.

5. Identity information for assurance
If you use AWS CloudTrail, you receive log records that include information about 
those who made requests for resources in your account. This information is based 
on IAM identities.

6. PCI DSS Compliance
IAM supports the processing, storage, and transmission of credit card data by a 
merchant or service provider, and has been validated as being compliant with 
Payment Card Industry (PCI) Data Security Standard (DSS). 


7. Eventually Consistent
IAM, like many other AWS services, is eventually consistent. IAM achieves high 
availability by replicating data across multiple servers within Amazon's data 
centers around the world. If a request to change some data is successful, the 
change is committed and safely stored. Such changes include creating or 
updating users, groups, roles, or policies. 

8. Free to use
AWS Identity and Access Management is a feature of your AWS account offered at 
no additional charge. 

You can work with AWS Identity and Access Management in any of the following ways: the AWS Management Console, the AWS Command Line Tools, the AWS SDKs, or the IAM HTTPS API.
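Item 2 above describes giving some users read-only access to just some S3 buckets. The following POSIX shell function is an added example, not part of the lab, that writes a policy document implementing exactly that for one bucket; the function name and the statement Sids are my own choices.

```shell
#!/bin/sh
# Added example (not part of the lab): emit a least-privilege, read-only
# IAM policy document scoped to a single S3 bucket, as described under
# "Granular permissions" above. Bucket-level actions such as ListBucket
# apply to the bucket ARN, while object-level actions such as GetObject
# apply to the "bucket/*" ARN; getting this split wrong is why read-only
# policies often end up widened to "s3:*" on "*" just to make them work.
s3_readonly_policy() {
    bucket="$1"
    # Bucket names are 3-63 characters of lowercase letters, digits, dots,
    # and hyphens; reject anything else before it lands in an ARN.
    case "$bucket" in
        ""|*[!a-z0-9.-]*)
            echo "invalid bucket name: '$bucket'" >&2; return 1 ;;
    esac
    if [ "${#bucket}" -lt 3 ] || [ "${#bucket}" -gt 63 ]; then
        echo "invalid bucket name length: ${#bucket}" >&2; return 1
    fi
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ReadObjectsOnlyInThisBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Usage: s3_readonly_policy my-bucket > s3-readonly.json, then attach it with
# `aws iam create-policy --policy-name <name> --policy-document file://s3-readonly.json`.
```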

# Configuring the AWS CLI

----

Before the AWS CLI can be used to access AWS services, credentials need to 
be configured on your local machine. This lab explains how to configure the 
settings that the AWS Command Line Interface uses when interacting with AWS, 
such as security credentials and the default region. 


### Note: 
**You will receive the configuration details from DSA.**

The `aws configure` command is used to set up the AWS CLI installation. 
It prompts you for four pieces of information: the AWS Access Key ID, 
the AWS Secret Access Key, the default region in which to launch resources 
(if set, this overrides the default region of the profile in use), and 
the default output format to render in the terminal, which can be 
json, text, or table.


<img src="../images/aws_cli.PNG">


The following settings are supported in `aws configure`.

**aws_access_key_id** – AWS access key.

**aws_secret_access_key** – AWS secret key.

**aws_session_token** – AWS session token. 
A session token is only required if you are using temporary security credentials.

**region** – AWS region.

**output** – output format (json, text, or table).

### Configuration and Credential Files

The CLI stores the credentials specified above in a local file named `credentials` in a 
folder named `.aws` in your home directory. The following command lists the contents 
of the `.aws` folder on Linux, macOS, or Unix. Open up a terminal and type the command below. 

    ls  ~/.aws


You should see the two files shown below.

<img src="../images/aws_files.PNG">


Type the command below to view the contents of the credentials file. 

    vi ~/.aws/credentials
    
This is what the credentials file looks like:

<img src="../images/configure_file.PNG">
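The credentials file shown above is plain INI text, so it is easy to audit from the shell. The following POSIX shell script is an added example, not part of the lab: it lists each profile and tells long-term IAM user keys apart from temporary credentials, which the `aws_session_token` setting described above is required for. The function names are my own, and the profile names in the test data are constructed.

```shell
#!/bin/sh
# Added example (not part of the lab): summarise the profiles in an AWS CLI
# credentials file like the one shown above. Access key IDs that begin with
# AKIA are long-term IAM user keys; IDs that begin with ASIA belong to
# temporary STS credentials, which the CLI can only use together with
# aws_session_token. Prints one line per profile and returns non-zero if
# any profile is unusable.

# Emit the verdict for the profile collected so far (uses the globals set
# by audit_credentials_file below).
_report_profile() {
    [ -n "$profile" ] || return 0
    case "$key_id" in
        AKIA*) kind="long-term IAM access key" ;;
        ASIA*) kind="temporary credentials" ;;
        "")    kind="no aws_access_key_id" ;;
        *)     kind="unrecognised key ID prefix" ;;
    esac
    if [ "$kind" = "temporary credentials" ] && [ -z "$token" ]; then
        kind="temporary credentials MISSING aws_session_token"
        issues=$((issues + 1))
    fi
    echo "$profile: $kind"
}

audit_credentials_file() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    profile=""; key_id=""; token=""; issues=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case "$line" in
            \[*\]) _report_profile              # finish previous profile
                   profile=${line#\[}; profile=${profile%\]}
                   key_id=""; token="" ;;
            aws_access_key_id*=*) key_id=$(echo "${line#*=}" | tr -d ' \t') ;;
            aws_session_token*=*) token=$(echo "${line#*=}" | tr -d ' \t') ;;
        esac
    done < "$file"
    _report_profile
    [ "$issues" -eq 0 ]
}

# Usage: audit_credentials_file ~/.aws/credentials
```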



Common uses for command line options include checking your resources in multiple regions and changing the output format for legibility or ease of use when scripting. For example, to list the details of all instances in a region, run the describe-instances command as shown in the image. To list the details of a specific instance, specify its instance ID. 

<img src="../images/describe_instances.PNG">

### Specifying Parameter Values for the AWS Command Line Interface


Almost all parameters are simple string or numeric values, for example 
"my-key-pair" for the key pair name in the command below.

    $ aws ec2 create-key-pair --key-name my-key-pair
    
    
Strings without any space characters may be quoted or unquoted. However, 
strings that include one or more space characters must be quoted. Use 
single quotes (') as shown in the following examples.

    $ aws ec2 create-key-pair --key-name 'my key pair'
    
    
[Click here](http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html) to learn more about specifying parameters in CLI commands.

### Using Amazon DynamoDB with the AWS Command Line Interface


The AWS Command Line Interface (AWS CLI) provides support for Amazon DynamoDB. 
You can use the AWS CLI for ad hoc operations, such as creating a table. You 
can also use it to embed DynamoDB operations within utility scripts.

    $ aws dynamodb create-table \
        --table-name MusicCollection \
        --attribute-definitions \
        AttributeName=Artist,AttributeType=S AttributeName=SongTitle,AttributeType=S \
        --key-schema AttributeName=Artist,KeyType=HASH AttributeName=SongTitle,KeyType=RANGE \
        --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1
        

The following command adds a new record to the table. The example 
uses shorthand syntax, '\' line continuations and JSON format.

<img src="../images/dynamo_inserting_record.PNG">

### Using Amazon EC2 through the AWS Command Line Interface

To list the AWS CLI commands for Amazon EC2, use the following command.

    $ aws ec2 help
    
    
Below are examples of some common tasks in Amazon EC2. 


#### Creating a Key Pair

Let's create a key pair named EC2KeyPair. Use the `create-key-pair` command, 
with the `--query` option and the `--output text` option, to pipe the private 
key created directly into a file.


    $ aws ec2 create-key-pair --key-name EC2KeyPair --query 'KeyMaterial' \
    --output text > EC2KeyPair.pem
  
-----

The resulting EC2KeyPair.pem file should look like below:


<img src="../images/EC2KeyPair.PNG">



As mentioned in the account creation lab, the private key is not stored in AWS. 
It can only be retrieved when it is created.

Use the following command to set the permissions on your private key 
file so that only you can read it.

    $ chmod 400 EC2KeyPair.pem

#### Displaying Your Key Pair

You can verify that the private key you have on your local machine matches 
the public key that is stored in AWS. A fingerprint is generated when a 
key pair is created. You can view the fingerprint for EC2KeyPair by using 
the following command:

    $ aws ec2 describe-key-pairs --key-names EC2KeyPair
    
    
<img src="../images/fingerprint.PNG">
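Following the `chmod 400` step and the fingerprint check above, here is an added example (not from the lab) of a POSIX shell check on the downloaded .pem file. `check_key_file` and `key_fingerprint` are my own names; `key_fingerprint` assumes OpenSSL is installed and applies to key pairs that AWS generated (imported keys use a different fingerprint scheme).

```shell
#!/bin/sh
# Added example (not from the lab): sanity-check a private key file produced by
# `aws ec2 create-key-pair --query KeyMaterial --output text > EC2KeyPair.pem`.
# If the API call fails, the redirect still creates an empty file, so we check
# for a PEM header; ssh also refuses keys readable by group/others, so we check
# the mode. Returns 0 if OK, 1 if the header is missing, 2 if permissions are open.
check_key_file() {
    key="$1"
    if ! head -n 1 "$key" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
        echo "ERROR: $key does not start with a PEM private key header" >&2
        return 1
    fi
    # Columns 5-10 of `ls -l` are the group and other permission bits.
    case "$(ls -ld "$key" | cut -c5-10)" in
        ------) echo "OK: $key has a PEM header and owner-only permissions" ;;
        *) echo "ERROR: $key is readable by others; run: chmod 400 $key" >&2
           return 2 ;;
    esac
}

# Compute the fingerprint that describe-key-pairs shows for a key pair AWS
# generated: SHA-1 over the DER-encoded PKCS#8 private key, the procedure AWS
# documents. Compare the result with the Fingerprint field in the CLI output.
key_fingerprint() {
    openssl pkcs8 -in "$1" -inform PEM -outform DER -topk8 -nocrypt \
        | openssl sha1 -c | sed 's/^.*= *//'
}

# Usage: check_key_file EC2KeyPair.pem && key_fingerprint EC2KeyPair.pem
```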

#### Deleting Your Key Pair


To delete EC2KeyPair, use the delete-key-pair command as follows:

    $ aws ec2 delete-key-pair --key-name EC2KeyPair

#### Creating a Security Group

To create a security group named EC2-Sg, use the create-security-group 
command.

***EC2-DSA***

The following command creates a security group named EC2-Sg for the 
specified Virtual Private Cloud (VPC); here it is EC2-DSA:


    $ aws ec2 create-security-group --group-name EC2-Sg --description \
    "My security group" --vpc-id vpc-711e1b08
    
    
<img src="../images/security_group_cli.PNG">



To view the initial information for EC2-Sg, use the describe-security-groups 
command as follows. Note that you can't reference a security group for EC2-DSA 
by name.


<img src="../images/describe_security_group.PNG">

### Using CLI for Amazon EC2 Instances

You can launch, list, and terminate EC2 instances using the key pair and 
security group associated with the instances. You will also need to select 
an Amazon Machine Image (AMI) and note its AMI ID. 

Note: Before you try the example commands, set your default credentials.


#### Launching an Instance

To launch a single Amazon EC2 instance using the AMI you selected, use 
the run-instances command. 


***EC2-DSA***

The following command launches a t2.micro instance (free tier) 
in the specified subnet:


    $ aws ec2 run-instances --image-id ami-4fffc834 --count 1 --instance-type \
    t2.micro --key-name EC2KeyPair --security-group-ids sg-a06d6fd0 --subnet-id \
    subnet-0a46a341

<img src="../images/launching_instance.PNG">



***EC2-Classic***

The following command launches a t1.micro instance in EC2-Classic:


    $ aws ec2 run-instances --image-id ami-4fffc834 --count 1 --instance-type \
    t1.micro --key-name EC2KeyPair --security-groups EC2-Sg


### Adding a Name Tag to an Instance

To add the tag Name=MyInstance to your instance, use the create-tags command as follows:

    $ aws ec2 create-tags --resources i-0b27222d8819f86ac --tags Key=Name,Value=MyInstance

### Connecting to Your Instance

Connect to your Amazon EC2 instance using the steps below. First, make 
sure of two things: that your key pair has been created and that you have 
the DNS name of the EC2 instance you created. 

To SSH into the instance you need both pieces of information. In our 
case the EC2 instance was created using the key pair EC2KeyPair.pem. 
The public DNS of the instance can be obtained from the console as
shown below 

<img src="../images/aws_console.PNG">


----


or by listing the instance details using describe-instances



<img src="../images/list_instance.PNG">


Use the ssh command to connect to the instance. Specify the private 
key (.pem) file and user_name@public_dns_name. For Amazon Linux, the 
user name is ec2-user. So the command would look like below.



    ssh -i <path to .pem file> user_name@public_dns_name




    $ ssh -i CloudComputingDataAnalytics/module2/labs/EC2KeyPair.pem \
    ec2-user@ec2-52-54-137-204.compute-1.amazonaws.com
    
    
<img src="../images/launch_ec2_instance.PNG">

### To stop/ start/ terminate an Amazon EC2 instance

The example below stops the specified Amazon EC2 instance.

Command:

    $ aws ec2 stop-instances --instance-ids i-0b5e09f52ae5187f0
 
 
<img src="../images/stop_instance.PNG">


To start the instance again, just change the subcommand:


    $ aws ec2 start-instances --instance-ids i-0b5e09f52ae5187f0


To terminate the instance, again just change the subcommand:


    $ aws ec2 terminate-instances --instance-ids i-0b5e09f52ae5187f0


### List the instances launched using the specified images

You can list all instances that were launched from specific AMIs.

The syntax is:

    $ aws ec2 describe-instances --filters "Name=image-id,Values=ami-xxxxxx,ami-yyyyyyy,ami-zzzzzzz"

## Accessing Amazon S3

The AWS CLI provides two tiers of commands for accessing Amazon S3.

The first tier, named s3, consists of high-level commands for frequently used operations, such as creating, manipulating, and deleting objects and buckets.

The second tier, named s3api, exposes all Amazon S3 operations, including modifying a bucket access control list (ACL), using cross-origin resource sharing (CORS), or logging policies. It allows you to carry out advanced operations that may not be possible with the high-level commands alone.

To get a list of all commands available in each tier, use the help argument with the aws s3 or aws s3api commands:

    $ aws s3 help

For example, the following s3api command returns the region in which a bucket resides:

    $ aws s3api get-bucket-location --bucket my-bucket

# Save your notebook, then `File > Close and Halt`