1
00:00:00,100 --> 00:00:01,650
‫- [Stephane] Welcome
‫to the first deep dive

2
00:00:01,650 --> 00:00:03,220
‫on an iterator service.

3
00:00:03,220 --> 00:00:04,920
‫The first one is called IAM.

4
00:00:04,920 --> 00:00:08,210
‫So IAM stands for identity
‫and access management.

5
00:00:08,210 --> 00:00:10,860
‫It is a global service because in IAM,

6
00:00:10,860 --> 00:00:14,330
‫we are going to create our
‫users and assign them to group.

7
00:00:14,330 --> 00:00:16,430
‫So we've already used IAM without knowing,

8
00:00:17,440 --> 00:00:19,970
‫when we created an account,
‫we created a root accounts,

9
00:00:19,970 --> 00:00:21,420
‫and has been created by default.

10
00:00:21,420 --> 00:00:23,570
‫This is the root user of our accounts.

11
00:00:23,570 --> 00:00:25,800
‫And the only things you
‫should use it for is

12
00:00:25,800 --> 00:00:27,830
‫to set up your account
‫as we'll do it right now.

13
00:00:27,830 --> 00:00:29,620
‫But then you shouldn't
‫use that account anymore,

14
00:00:29,620 --> 00:00:31,110
‫or even share it.

15
00:00:31,110 --> 00:00:34,250
‫What you should be doing
‫instead, is create users.

16
00:00:34,250 --> 00:00:36,410
‫So you will create users in IAM,

17
00:00:36,410 --> 00:00:40,060
‫and one user represents one
‫person within your organization.

18
00:00:40,060 --> 00:00:42,960
‫And the users can be grouped
‫together if it makes sense.

19
00:00:42,960 --> 00:00:44,770
‫So let's take an example
‫we have an organization

20
00:00:44,770 --> 00:00:45,870
‫with six people.

21
00:00:45,870 --> 00:00:49,160
‫You have Alice, Bob,
‫Charles, David, Edward

22
00:00:49,160 --> 00:00:52,440
‫and Fred so all these people
‫are in your organization.

23
00:00:52,440 --> 00:00:55,130
‫Now Alice, Bob, and
‫Charles they work together.

24
00:00:55,130 --> 00:00:56,440
‫They're all developers.

25
00:00:56,440 --> 00:00:58,530
‫So we're going to create a group called

26
00:00:58,530 --> 00:01:00,940
‫the group developers who regrouping Alice,

27
00:01:00,940 --> 00:01:02,050
‫Bob and Charles.

28
00:01:02,050 --> 00:01:05,500
‫And it turns out that David
‫and Edward also work together.

29
00:01:05,500 --> 00:01:08,090
‫So we're going to create
‫an operations group.

30
00:01:08,090 --> 00:01:10,950
‫Now we have two groups within IAM.

31
00:01:10,950 --> 00:01:14,610
‫Now groups can only contain
‫users, not other groups.

32
00:01:14,610 --> 00:01:16,620
‫So this is something very
‫important to understand.

33
00:01:16,620 --> 00:01:18,720
‫Groups only contain users.

34
00:01:18,720 --> 00:01:21,750
‫Now, some users don't
‫have to belong to a group.

35
00:01:21,750 --> 00:01:24,110
‫For example, Fred right here is alone,

36
00:01:24,110 --> 00:01:26,280
‫he does not correspond to any group.

37
00:01:26,280 --> 00:01:27,460
‫That is not best practice.

38
00:01:27,460 --> 00:01:30,350
‫But it is something you can do in AWS.

39
00:01:30,350 --> 00:01:34,080
‫And also, a user can
‫belong to multiple groups.

40
00:01:34,080 --> 00:01:36,130
‫That means that for example,
‫if you know that Charles

41
00:01:36,130 --> 00:01:37,420
‫and David worked together,

42
00:01:37,420 --> 00:01:39,440
‫and they're part of your audit team,

43
00:01:39,440 --> 00:01:42,710
‫you can create a third group
‫with Charles and David.

44
00:01:42,710 --> 00:01:44,710
‫And as you can see, now, in this example,

45
00:01:44,710 --> 00:01:47,770
‫Charles and David are part
‫of two different groups.

46
00:01:47,770 --> 00:01:51,270
‫So this is the possible
‫configurations for IAM.

47
00:01:51,270 --> 00:01:54,730
‫So why do we create users
‫and why do we create groups?

48
00:01:54,730 --> 00:01:58,160
‫Well, because we want to allow
‫them to use our AWS accounts

49
00:01:58,160 --> 00:01:59,940
‫and to allow them to do so,

50
00:01:59,940 --> 00:02:01,960
‫we have to give them permissions.

51
00:02:01,960 --> 00:02:04,490
‫So users or groups can be assigned

52
00:02:04,490 --> 00:02:05,900
‫what's called a JSON document.

53
00:02:05,900 --> 00:02:08,770
‫I'll show you right now what
‫it means called a policy,

54
00:02:08,770 --> 00:02:10,090
‫an IAM policy.

55
00:02:10,090 --> 00:02:11,820
‫So it looks just like this.

56
00:02:11,820 --> 00:02:13,170
‫So you don't have to be a programmer.

57
00:02:13,170 --> 00:02:14,130
‫This is not programming.

58
00:02:14,130 --> 00:02:17,560
‫This is just describing
‫in, I think plain English,

59
00:02:17,560 --> 00:02:20,640
‫what a user is allowed
‫to do or what a group

60
00:02:20,640 --> 00:02:24,120
‫and all the users within
‫that group are allowed to do.

61
00:02:24,120 --> 00:02:27,030
‫So in this example, we can
‫see that we allow people

62
00:02:27,030 --> 00:02:30,030
‫to use the EC2 to service
‫and do describe on it,

63
00:02:30,030 --> 00:02:31,630
‫to use the elastic load balancing service

64
00:02:31,630 --> 00:02:34,260
‫and to describe on it
‫and to use CloudWatch.

65
00:02:34,260 --> 00:02:36,800
‫Now we'll see what EC2
‫elastic load balancing

66
00:02:36,800 --> 00:02:40,210
‫and CloudWatch mean, but
‫through this JSON document

67
00:02:40,210 --> 00:02:41,490
‫that looks just like this.

68
00:02:41,490 --> 00:02:45,800
‫We are allowing our users
‫to use some services in AWS.

69
00:02:45,800 --> 00:02:48,240
‫So these policies will
‫help us define permissions

70
00:02:48,240 --> 00:02:49,830
‫of our users.

71
00:02:49,830 --> 00:02:53,380
‫And so in AWS, you don't allow
‫everyone to do everything

72
00:02:53,380 --> 00:02:54,720
‫that would be catastrophic,

73
00:02:54,720 --> 00:02:58,320
‫because a new user could
‫basically launch so many services

74
00:02:58,320 --> 00:02:59,840
‫and they will cost you a lot of money

75
00:02:59,840 --> 00:03:01,500
‫or would be valid for security.

76
00:03:01,500 --> 00:03:04,660
‫So in AWS, you apply a principle called

77
00:03:04,660 --> 00:03:06,600
‫the least privilege principle.

78
00:03:06,600 --> 00:03:10,210
‫So you don't give more
‫permissions than a user needs.

79
00:03:10,210 --> 00:03:13,240
‫Okay, so if a user just needs
‫access to three services,

80
00:03:13,240 --> 00:03:15,830
‫just create a permission for that user.

81
00:03:15,830 --> 00:03:18,460
‫So now we have seen an overview IAM.

82
00:03:18,460 --> 00:03:19,830
‫Let's go in the next lecture

83
00:03:19,830 --> 00:03:22,510
‫to practice creating users and groups.