# Identity Access Management - IAM

## What you will learn in this course 🧐🧐

IAM is the AWS service that lets you create and manage the users of your AWS account and control what each of them is allowed to do.

It's important to have a secure way of using your AWS account. When you first create your account, you are logged in as the _super-user_ (or _root user_). This super-user has unrestricted access to everything within your AWS account.

One common best practice is to use this super-user as seldom as possible and to work through specific users instead.

In this lecture, you are going to learn:

* How to set up your AWS account
* How to create a user
* How to manage users and service access with IAM

## Create your AWS Account ®️®️

If you have not already created your AWS account, please follow this tutorial:

- <a href="https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/" target="_blank">Create your AWS Account</a>

Regarding Support Plans, you can choose _basic support_. It is free of additional charges, and we most likely won't need to contact AWS for support during our program.

You can always change your support plan later if you need it for your company. 

## Setup Super User Account  👮‍♀️👮‍♀️

Once you have created your account, you need to secure your root user account. Sign in to your console and then go to: _Services ➤ IAM_.

![](https://media.giphy.com/media/mEUfQ1LzInaFd1WXF3/giphy.gif)

Once you're logged in, you should see that you need to complete **5 steps** in your Security Status section.

![](https://drive.google.com/uc?export=view&id=105qOGKy_0b6IVAUSVWFq0QeO1DXPGapi)

Let's go step by step. Click on _Delete your root access keys ➤ Manage security credentials_. You should see this page pop up:

![](https://drive.google.com/uc?export=view&id=1ppCboB2jPOZq50jfLn_CSXN5j_L7yDi3)

On this page, you can:

* Change your password
* Enable Multi-Factor Authentication (MFA) ➤ add a new layer of security
* Change or delete your access keys
* Create CloudFront key pairs
* Create an X.509 certificate
* Check your account IDs

### Delete Root User Access Key 🔑

First, let's delete our *root access key*. It is not recommended to use your root access key for your applications. Instead, we'll create a new user with specific permissions and use that user's access key credentials.

![](https://media.giphy.com/media/mEtbrFPHvdmzhYpDet/giphy.gif)

If you go back to your _Dashboard_, you should see that you completed the first step in your Security Status section.

![](https://drive.google.com/uc?export=view&id=1YpHUA1wFzDR0MWkEdYpKX7Z576BaZ-sR)

### Activate Multi-Factor Authentication (MFA) 🔒

MFA is an additional layer of security for your root account. The idea is to require a second, short-lived code on top of your password whenever you sign in as root.

For our example, we'll choose a virtual MFA device that lives on your phone. To do that, you will need to download an authenticator app such as Google Authenticator:

* <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en" target="_blank">Google Authenticator on Android</a>
* <a href="https://apps.apple.com/us/app/google-authenticator/id388497605" target="_blank">Google Authenticator on iOS</a>

Now that you have downloaded the app, go back to your security credentials page and click on _Activate MFA_.

* Click on _Set up virtual MFA_
* Click on _Show QR code_ and scan it with your app
* Type two consecutive MFA codes
* Click on _Assign MFA_

If everything has been done correctly, you should see a confirmation window: 

![](https://drive.google.com/uc?export=view&id=1vS4FS4Njx2ZG-OjKtg86ZcKZVDLNGdhx)

### Create IAM Users 👥

Back on your _Dashboard_, you should see that you have completed the second step of your Security Status setup. We now need to create a new user with the appropriate permissions.

Click on _Manage Users_ and then _Add User_ at the top left corner, just below _Resource Groups_.

![](https://drive.google.com/uc?export=view&id=1BPU5jXHac4Ac9M83nzo8Ahax8AWpaURZ)

You should see a *setup user* page where you'll be able to assign: 

* A username 
* Programmatic & Console Access 
* A password 

> NB: Programmatic access lets your user call AWS services with an access key ID and a secret access key, using tools such as the SDKs (Boto3 for Python). For example, if you need to access S3 from a Python program, you will need programmatic access.

![](https://drive.google.com/uc?export=view&id=18kvI3Jxaioln9SEaOCGakNFfqDjMyYBq)

> NB: With the last box (_Require password reset_) checked, your user will have to create a new password when they log in to the console for the first time.

Click on _Next: Permissions_ and click on _Create Groups_.

#### What are policies? 🚧

Policies define specific permissions on AWS services. For example, you can set up a policy that gives _read-only access_ to S3. You can also grant access to EC2 instances only, and so on.

When you create a new user, they will need specific permissions on your AWS products. That's why you need to assign certain policies.

#### Policies VS Groups 

However, since your user will most likely need specific permissions on a lot of different products, attaching policies user by user can be time-consuming. That's why AWS created _Groups_. A group is simply a pre-configured set of policies; every user you add to the group inherits those permissions.
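To make the difference between a narrow policy and a broad one concrete, here is an added example (not part of the original course) with two constructed policy documents in the real IAM JSON format: a read-only S3 policy on a placeholder bucket, and a statement shaped like the AWS-managed _AdministratorAccess_ policy. The small linter flags the over-broad Allow statements a reviewer would want to question before attaching a policy to a user or a group.

```python
import json
from typing import Any, Dict, List, Set

# Constructed read-only S3 policy; "example-bucket" is a placeholder bucket name.
S3_READ_ONLY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
        }
    ],
}

# Same shape as the AdministratorAccess managed policy: every action on every resource.
FULL_ADMIN_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for Allow statements that are broader than least privilege."""
    findings: List[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is not 2012-10-17 (the current policy language version)")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"Statement {i}: Action '*' allows every API call")
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"Statement {i}: {action} allows every action of that service")
        if "*" in resources:
            findings.append(f"Statement {i}: Resource '*' applies to every resource in the account")
        if "NotAction" in stmt:
            findings.append(f"Statement {i}: Allow with NotAction grants everything not listed")
    return findings


def services_touched(policy: Dict[str, Any]) -> Set[str]:
    """Which service prefixes (s3, ec2, ...) a policy grants; '*' means all of them."""
    services: Set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        for action in _as_list(stmt.get("Action")):
            services.add("*" if action == "*" else action.split(":", 1)[0])
    return services


def lint_policy_json(text: str) -> List[str]:
    """Convenience wrapper for a policy pasted as JSON text (what the console's JSON tab shows)."""
    return lint_policy(json.loads(text))


if __name__ == "__main__":
    for name, doc in (("s3-read-only", S3_READ_ONLY_POLICY), ("admin", FULL_ADMIN_POLICY)):
        print(name, "->", lint_policy(doc) or "no findings", sorted(services_touched(doc)))
```

Running it shows the read-only policy with no findings and the admin-shaped policy with two. The course attaches _AdministratorAccess_ for convenience; when you later create users for real workloads, the goal is policies that look like the first document, scoped to the actions and resources the user actually needs.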

For our new user, let's attach the _AdministratorAccess_ policy.

![](https://drive.google.com/uc?export=view&id=1xqdacvsN-4fVQkZhVXHvb1VZ66KHFnyO)

Give the group a name and click on _Create group_.

You should now see the group, with its policies, attached to your user.

![](https://drive.google.com/uc?export=view&id=1SBcoHH-oJPlzPhwHld-sjKDWjvoHB3uk)

Click on _Next: Tags_.

If you want to, you can assign tags to your user. This is optional, but it helps you find users easily later.

![](https://drive.google.com/uc?export=view&id=1W4PNGD12GYeGflpaCPjVfEjZ9KfWgk9X)

Click on _Next: Review_ and review what you've just created. If everything looks correct, click on _Create User_ and you should see this page:

![](https://drive.google.com/uc?export=view&id=1YDHGCOaNx1aW36EVAngHsDdB0ZK2QPhH)

This means your user has been created! However, be careful: **YOU WILL ONLY SEE THIS PAGE ONCE!** You need to send the credentials by email or download them as a CSV file so that your user can access the console.

### IAM password policy #️⃣1️⃣2️⃣3️⃣#️⃣

If you go back to your _IAM Dashboard_, you should see that we are almost done with your Security Status. We only need to apply a password policy.

Click on _Manage Password Policy ➤ Set Password Policy_.

You should see this page:

![](https://drive.google.com/uc?export=view&id=15bZ5KvZiMzOJML9k00dajsJMyB01vJEk)

Check the necessary boxes according to the security level you need and click on _Save changes_.

You should now see a pop-up confirming that your password policy has been updated:

![](https://drive.google.com/uc?export=view&id=1Xlxaar14_MHsoE8XpAK6PzyMIX4aIIvz)
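The boxes on that page map one-to-one onto the settings of the IAM account password policy. The following added example (not part of the original course) models those settings under the names the IAM `UpdateAccountPasswordPolicy` API uses, and checks candidate passwords against them the way the console will when a user sets a new password. The policy values, the previous-password list and the candidate passwords are all constructed for the example; IAM itself stores only hashes, whereas this demo compares plain strings.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Field names mirror the IAM UpdateAccountPasswordPolicy parameters.
@dataclass(frozen=True)
class PasswordPolicy:
    MinimumPasswordLength: int = 8
    RequireUppercaseCharacters: bool = False
    RequireLowercaseCharacters: bool = False
    RequireNumbers: bool = False
    RequireSymbols: bool = False
    PasswordReusePrevention: int = 0   # 0 = reuse allowed; 1..24 previous passwords remembered


# The non-alphanumeric characters IAM counts as symbols.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

# Constructed: the loose default you start with vs. a strict policy for this example.
DEFAULT_POLICY = PasswordPolicy()
STRICT_POLICY = PasswordPolicy(
    MinimumPasswordLength=14,
    RequireUppercaseCharacters=True,
    RequireLowercaseCharacters=True,
    RequireNumbers=True,
    RequireSymbols=True,
    PasswordReusePrevention=5,
)


def check_password(candidate: str, policy: PasswordPolicy,
                   previous: Iterable[str] = ()) -> List[str]:
    """Return the list of policy rules the candidate violates (empty list = accepted).

    `previous` is the user's password history, most recent first; only the first
    PasswordReusePrevention entries are considered, as IAM does."""
    violations: List[str] = []
    if len(candidate) < policy.MinimumPasswordLength:
        violations.append(f"shorter than {policy.MinimumPasswordLength} characters")
    if policy.RequireUppercaseCharacters and not any(c.isupper() for c in candidate):
        violations.append("no uppercase letter")
    if policy.RequireLowercaseCharacters and not any(c.islower() for c in candidate):
        violations.append("no lowercase letter")
    if policy.RequireNumbers and not any(c.isdigit() for c in candidate):
        violations.append("no number")
    if policy.RequireSymbols and not any(c in IAM_SYMBOLS for c in candidate):
        violations.append("no symbol")
    remembered = list(previous)[:policy.PasswordReusePrevention]
    if candidate in remembered:
        violations.append(f"reuses one of the last {policy.PasswordReusePrevention} passwords")
    return violations


def strictness_delta(old: PasswordPolicy, new: PasswordPolicy) -> List[str]:
    """Describe which settings a policy change tightens; useful when reviewing the 'Save changes' step."""
    changes: List[str] = []
    if new.MinimumPasswordLength > old.MinimumPasswordLength:
        changes.append(f"MinimumPasswordLength {old.MinimumPasswordLength} -> {new.MinimumPasswordLength}")
    for field in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                  "RequireNumbers", "RequireSymbols"):
        if getattr(new, field) and not getattr(old, field):
            changes.append(f"{field} enabled")
    if new.PasswordReusePrevention > old.PasswordReusePrevention:
        changes.append(f"PasswordReusePrevention {old.PasswordReusePrevention} -> {new.PasswordReusePrevention}")
    return changes


if __name__ == "__main__":
    for pw in ("password", "Str0ng!Passw0rd"):
        print(repr(pw), "->", check_password(pw, STRICT_POLICY) or "accepted")
    print(strictness_delta(DEFAULT_POLICY, STRICT_POLICY))
```

A useful habit after clicking _Save changes_ is to read the resulting settings back (the console shows them, and so does the `GetAccountPasswordPolicy` API) and compare them with what you intended, which is what `strictness_delta` does for two policy objects.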

If you go back to your _Dashboard_, everything is now set up! Congrats! We can now use AWS safely 😄.

## Resources 📚📚

* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-set-up.html" target="_blank">Getting Set Up</a>
* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started.html" target="_blank">Getting Started</a>
* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html" target="_blank">IAM Users</a>
* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html" target="_blank">IAM Groups</a>