1
00:00:00,100 --> 00:00:01,650
- [Stephane] Welcome to the first deep dive

2
00:00:01,650 --> 00:00:03,220
on an AWS service.

3
00:00:03,220 --> 00:00:04,920
The first one is called IAM.

4
00:00:04,920 --> 00:00:08,210
So IAM stands for identity and access management.

5
00:00:08,210 --> 00:00:10,860
It is a global service because in IAM,

6
00:00:10,860 --> 00:00:14,330
we are going to create our users and assign them to groups.

7
00:00:14,330 --> 00:00:16,430
So we've already used IAM without knowing:

8
00:00:17,440 --> 00:00:19,970
when we created an account, we created a root account,

9
00:00:19,970 --> 00:00:21,420
and it has been created by default.

10
00:00:21,420 --> 00:00:23,570
This is the root user of our account.

11
00:00:23,570 --> 00:00:25,800
And the only thing you should use it for is

12
00:00:25,800 --> 00:00:27,830
to set up your account, as we'll do right now.

13
00:00:27,830 --> 00:00:29,620
But then you shouldn't use that account anymore,

14
00:00:29,620 --> 00:00:31,110
or even share it.

15
00:00:31,110 --> 00:00:34,250
What you should be doing instead is create users.

16
00:00:34,250 --> 00:00:36,410
So you will create users in IAM,

17
00:00:36,410 --> 00:00:40,060
and one user represents one person within your organization.

18
00:00:40,060 --> 00:00:42,960
And the users can be grouped together if it makes sense.

19
00:00:42,960 --> 00:00:44,770
So let's take an example: we have an organization

20
00:00:44,770 --> 00:00:45,870
with six people.

21
00:00:45,870 --> 00:00:49,160
You have Alice, Bob, Charles, David, Edward

22
00:00:49,160 --> 00:00:52,440
and Fred, so all these people are in your organization.

23
00:00:52,440 --> 00:00:55,130
Now Alice, Bob, and Charles, they work together.

24
00:00:55,130 --> 00:00:56,440
They're all developers.

25
00:00:56,440 --> 00:00:58,530
So we're going to create a group called

26
00:00:58,530 --> 00:01:00,940
the developers group, regrouping Alice,

27
00:01:00,940 --> 00:01:02,050
Bob and Charles.
28
00:01:02,050 --> 00:01:05,500
And it turns out that David and Edward also work together.

29
00:01:05,500 --> 00:01:08,090
So we're going to create an operations group.

30
00:01:08,090 --> 00:01:10,950
Now we have two groups within IAM.

31
00:01:10,950 --> 00:01:14,610
Now groups can only contain users, not other groups.

32
00:01:14,610 --> 00:01:16,620
So this is something very important to understand.

33
00:01:16,620 --> 00:01:18,720
Groups only contain users.

34
00:01:18,720 --> 00:01:21,750
Now, some users don't have to belong to a group.

35
00:01:21,750 --> 00:01:24,110
For example, Fred right here is alone;

36
00:01:24,110 --> 00:01:26,280
he does not correspond to any group.

37
00:01:26,280 --> 00:01:27,460
That is not best practice,

38
00:01:27,460 --> 00:01:30,350
but it is something you can do in AWS.

39
00:01:30,350 --> 00:01:34,080
And also, a user can belong to multiple groups.

40
00:01:34,080 --> 00:01:36,130
That means that, for example, if you know that Charles

41
00:01:36,130 --> 00:01:37,420
and David work together,

42
00:01:37,420 --> 00:01:39,440
and they're part of your audit team,

43
00:01:39,440 --> 00:01:42,710
you can create a third group with Charles and David.

44
00:01:42,710 --> 00:01:44,710
And as you can see, now, in this example,

45
00:01:44,710 --> 00:01:47,770
Charles and David are part of two different groups.

46
00:01:47,770 --> 00:01:51,270
So these are the possible configurations for IAM.

47
00:01:51,270 --> 00:01:54,730
So why do we create users and why do we create groups?

48
00:01:54,730 --> 00:01:58,160
Well, because we want to allow them to use our AWS account,

49
00:01:58,160 --> 00:01:59,940
and to allow them to do so,

50
00:01:59,940 --> 00:02:01,960
we have to give them permissions.

51
00:02:01,960 --> 00:02:04,490
So users or groups can be assigned

52
00:02:04,490 --> 00:02:05,900
what's called a JSON document.
53
00:02:05,900 --> 00:02:08,770
I'll show you right now what it means; it's called a policy,

54
00:02:08,770 --> 00:02:10,090
an IAM policy.

55
00:02:10,090 --> 00:02:11,820
So it looks just like this.

56
00:02:11,820 --> 00:02:13,170
So you don't have to be a programmer.

57
00:02:13,170 --> 00:02:14,130
This is not programming.

58
00:02:14,130 --> 00:02:17,560
This is just describing in, I think, plain English

59
00:02:17,560 --> 00:02:20,640
what a user is allowed to do or what a group

60
00:02:20,640 --> 00:02:24,120
and all the users within that group are allowed to do.

61
00:02:24,120 --> 00:02:27,030
So in this example, we can see that we allow people

62
00:02:27,030 --> 00:02:30,030
to use the EC2 service and do Describe on it,

63
00:02:30,030 --> 00:02:31,630
to use the Elastic Load Balancing service

64
00:02:31,630 --> 00:02:34,260
and do Describe on it, and to use CloudWatch.

65
00:02:34,260 --> 00:02:36,800
Now we'll see what EC2, Elastic Load Balancing

66
00:02:36,800 --> 00:02:40,210
and CloudWatch mean, but through this JSON document

67
00:02:40,210 --> 00:02:41,490
that looks just like this,

68
00:02:41,490 --> 00:02:45,800
we are allowing our users to use some services in AWS.

69
00:02:45,800 --> 00:02:48,240
So these policies will help us define the permissions

70
00:02:48,240 --> 00:02:49,830
of our users.

71
00:02:49,830 --> 00:02:53,380
And so in AWS, you don't allow everyone to do everything;

72
00:02:53,380 --> 00:02:54,720
that would be catastrophic,

73
00:02:54,720 --> 00:02:58,320
because a new user could basically launch so many services

74
00:02:58,320 --> 00:02:59,840
and they would cost you a lot of money

75
00:02:59,840 --> 00:03:01,500
or would be bad for security.

76
00:03:01,500 --> 00:03:04,660
So in AWS, you apply a principle called

77
00:03:04,660 --> 00:03:06,600
the least privilege principle.

78
00:03:06,600 --> 00:03:10,210
So you don't give more permissions than a user needs.
79
00:03:10,210 --> 00:03:13,240
Okay, so if a user just needs access to three services,

80
00:03:13,240 --> 00:03:15,830
just create a permission for that user.

81
00:03:15,830 --> 00:03:18,460
So now we have seen an overview of IAM.

82
00:03:18,460 --> 00:03:19,830
Let's go to the next lecture

83
00:03:19,830 --> 00:03:22,510
to practice creating users and groups.
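The lecture shows a read-only policy (Describe on EC2 and Elastic Load Balancing, a few read actions on CloudWatch) and states the least-privilege rule, but not how AWS turns such documents into an allow-or-deny decision. The following is an added example, not the lecture's own material and not AWS's evaluation engine: it builds a policy in the shape of the one shown (the exact action list and the ARN are constructed for illustration), plus a small evaluator that applies the identity-policy rules a practitioner relies on when reasoning about least privilege. Everything not explicitly allowed is denied (implicit deny), and one explicit Deny statement anywhere beats every Allow, which is what makes a Deny guardrail policy safe to attach next to broad permissions. Wildcards follow IAM's `*` and `?` semantics with case-insensitive action names; NotAction, NotResource and Condition are deliberately rejected rather than mis-evaluated.

```python
import re

# Constructed example, modelled on the read-only policy shown in the lecture
# (Describe on EC2 and ELB, a few read-only CloudWatch actions). Not a real
# AWS-managed policy.
DEVELOPERS_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed guardrail policy: an explicit Deny wins over any Allow, even one
# granted by another policy attached to the same user or group.
NO_CLOUDWATCH = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "cloudwatch:*", "Resource": "*"}],
}

# Constructed ARN used as the requested resource in the checks below.
EXAMPLE_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def matches(pattern, value, ignore_case=True):
    """IAM-style wildcard match: '*' matches any run of characters, '?' any
    single character. Action names are case-insensitive in IAM; resource ARNs
    are treated as case-sensitive here (a simplification, some services differ)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def statement_applies(stmt, action, resource):
    """True when one Action pattern matches the request and one Resource pattern
    matches the target. Elements this toy evaluator does not model are refused
    outright so a policy is never silently evaluated too permissively."""
    for key in ("NotAction", "NotResource", "Condition", "Principal"):
        if key in stmt:
            raise NotImplementedError(f"{key} is not supported by this evaluator")
    action_hit = any(matches(p, action) for p in _as_list(stmt.get("Action")))
    resource_hit = any(
        matches(p, resource, ignore_case=False) for p in _as_list(stmt.get("Resource"))
    )
    return action_hit and resource_hit


def evaluate(policies, action, resource="*"):
    """Identity-based policy decision for one request:
    explicit Deny anywhere -> "ExplicitDeny"; else any Allow -> "Allow";
    else "ImplicitDeny", the least-privilege default when nothing grants it."""
    verdict = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "ExplicitDeny"  # stop: nothing can override an explicit Deny
            if stmt.get("Effect") == "Allow":
                verdict = "Allow"  # keep scanning, a later Deny may still win
    return verdict


def is_allowed(policies, action, resource="*"):
    return evaluate(policies, action, resource) == "Allow"


if __name__ == "__main__":
    attached = [DEVELOPERS_READ_ONLY]
    for act in ("ec2:DescribeInstances", "ec2:RunInstances", "cloudwatch:ListMetrics"):
        print(f"{act:35} -> {evaluate(attached, act, EXAMPLE_INSTANCE)}")
    print("with NO_CLOUDWATCH attached as well:")
    print(f"{'cloudwatch:ListMetrics':35} -> "
          f"{evaluate(attached + [NO_CLOUDWATCH], 'cloudwatch:ListMetrics', EXAMPLE_INSTANCE)}")
```

Run it and the developer policy allows `ec2:DescribeInstances` but implicitly denies `ec2:RunInstances`, which is the point of the lecture's least-privilege rule: a user who only needs to read three services gets nothing that lets them launch resources. Attaching the Deny guardrail flips `cloudwatch:ListMetrics` from Allow to ExplicitDeny without touching the first policy, which is why explicit Deny statements are the usual tool for hard limits on a group.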