1
00:00:06,390 --> 00:00:08,990
- Now let's take a look at a demo for creating

2
00:00:08,990 --> 00:00:10,543
a user and a group.

3
00:00:11,790 --> 00:00:16,690
Okay, so we are in the AWS Management Console,

4
00:00:16,690 --> 00:00:19,350
and we need to go to the identity

5
00:00:19,350 --> 00:00:21,170
and access management service,

6
00:00:21,170 --> 00:00:24,570
so there are a couple of ways we could go about that.

7
00:00:24,570 --> 00:00:28,020
If we scroll down the list underneath all services,

8
00:00:28,020 --> 00:00:30,750
then Identity and Access Management service would be

9
00:00:30,750 --> 00:00:34,260
down here under Security, Identity, and Compliance,

10
00:00:34,260 --> 00:00:36,620
so here it is, the first one.

11
00:00:36,620 --> 00:00:41,180
We could click on that, or what I find to be easier is,

12
00:00:41,180 --> 00:00:43,290
if you know the name of the service,

13
00:00:43,290 --> 00:00:46,520
you could just type it in here under the search bar

14
00:00:46,520 --> 00:00:48,293
and you can go right to it.

15
00:00:49,600 --> 00:00:51,770
We can also find it under here.

16
00:00:51,770 --> 00:00:54,010
You can see that I've been there recently,

17
00:00:54,010 --> 00:00:55,343
so it's in my history.

18
00:00:56,180 --> 00:00:58,460
Of course, I could also scroll down here

19
00:00:58,460 --> 00:01:01,010
to Security, Identity, and Compliance,

20
00:01:01,010 --> 00:01:03,950
or again, we could search there as well.

21
00:01:03,950 --> 00:01:06,410
The other way that we could find a particular service

22
00:01:06,410 --> 00:01:10,170
is that, if we don't know the name of the service,

23
00:01:10,170 --> 00:01:13,750
then we could just type what it is,

24
00:01:13,750 --> 00:01:15,720
the kind of functionality that we're looking for,

25
00:01:15,720 --> 00:01:18,600
so Identity and Access Management would, of course,

26
00:01:18,600 --> 00:01:22,940
be related to users and groups and access, right?

27
00:01:22,940 --> 00:01:27,940
So we could type in users and scroll down, and there's IAM.

28
00:01:28,810 --> 00:01:31,420
We could type in access,

29
00:01:31,420 --> 00:01:35,960
and we could find IAM under there as well.

30
00:01:35,960 --> 00:01:38,480
So, let's go ahead and go to the IAM service.

31
00:01:38,480 --> 00:01:42,080
And so, here, we're going to create a user

32
00:01:42,080 --> 00:01:45,880
and a couple of groups for that user to belong to.

33
00:01:45,880 --> 00:01:49,330
First, you can see that we have a dashboard

34
00:01:49,330 --> 00:01:50,710
for this particular service.

35
00:01:50,710 --> 00:01:54,560
Most services will have a dashboard that kind of summarizes

36
00:01:54,560 --> 00:01:56,840
what's going on in that service,

37
00:01:56,840 --> 00:02:00,790
and then gives you ways of drilling down into the details.

38
00:02:00,790 --> 00:02:04,040
Okay, so you can see here, our summary says that we have

39
00:02:04,040 --> 00:02:06,150
one user and one group,

40
00:02:06,150 --> 00:02:08,660
so if we take a look at our current users,

41
00:02:08,660 --> 00:02:11,400
you'll see that, in this particular account,

42
00:02:11,400 --> 00:02:13,940
I only have one user, I have mine,

43
00:02:13,940 --> 00:02:17,660
so here's the richard user, and then my user account

44
00:02:17,660 --> 00:02:19,600
belongs to the admin group.

45
00:02:19,600 --> 00:02:22,270
And then, we can see a number of other details,

46
00:02:22,270 --> 00:02:25,695
like how old the access key is

47
00:02:25,695 --> 00:02:29,070
and how old the password is, those kinds of things,

48
00:02:29,070 --> 00:02:32,190
so that's a good way of highlighting users

49
00:02:32,190 --> 00:02:33,840
who need to rotate their access keys

50
00:02:33,840 --> 00:02:35,100
or update their password,

51
00:02:35,100 --> 00:02:38,730
and we can also see that I have an MFA device,

52
00:02:38,730 --> 00:02:41,680
a virtual MFA device registered to that user,

53
00:02:41,680 --> 00:02:45,890
and we'll talk about that later on, as well as access keys.

54
00:02:45,890 --> 00:02:48,500
And so, you can also see up here in the top

55
00:02:48,500 --> 00:02:53,330
that I am currently logged in as the richard user,

56
00:02:53,330 --> 00:02:57,030
so let's go ahead and, before we create a user,

57
00:02:57,030 --> 00:02:59,273
let's first create a couple of groups.

58
00:03:00,110 --> 00:03:02,730
So you can see, we do have an admin group,

59
00:03:02,730 --> 00:03:05,250
and the admin group has basically

60
00:03:05,250 --> 00:03:08,080
the permissions to do everything.

61
00:03:08,080 --> 00:03:10,290
It's like a super-admin or a super-user.

62
00:03:10,290 --> 00:03:11,850
So, I'm gonna create a new group,

63
00:03:11,850 --> 00:03:14,293
and let's call this one developers.

64
00:03:15,280 --> 00:03:18,610
So, maybe I'm going to add a few users that will be

65
00:03:18,610 --> 00:03:21,500
a part of a development team and they will need

66
00:03:21,500 --> 00:03:24,870
a certain level of access into AWS,

67
00:03:24,870 --> 00:03:27,080
and I might create another group for DBAs,

68
00:03:27,080 --> 00:03:30,020
another group for leads, and of course,

69
00:03:30,020 --> 00:03:33,240
users could be members of multiple groups, right?

70
00:03:33,240 --> 00:03:35,860
So a member of the developers group,

71
00:03:35,860 --> 00:03:39,190
but could also be a member of the leads group

72
00:03:39,190 --> 00:03:42,760
or power-user group and so on.

73
00:03:42,760 --> 00:03:44,250
There's all kinds of ways

74
00:03:44,250 --> 00:03:45,840
you could go about organizing that.

75
00:03:45,840 --> 00:03:48,010
So, we'll go to next, and then, now,

76
00:03:48,010 --> 00:03:51,120
it's asking us to attach a policy,

77
00:03:51,120 --> 00:03:53,260
but we're going to come back to that,

78
00:03:53,260 --> 00:03:55,480
and we'll talk about policies later on,

79
00:03:55,480 --> 00:03:57,740
but for now, let's just go ahead and skip that

80
00:03:57,740 --> 00:04:00,340
and we'll go ahead and create the group.

81
00:04:00,340 --> 00:04:04,340
And so, we're going to do one more, create one more group.

82
00:04:04,340 --> 00:04:06,680
We're going to call this one everyone,

83
00:04:06,680 --> 00:04:09,350
and the reason I do this is because there are

84
00:04:09,350 --> 00:04:14,100
certain types of permissions that I like to give everyone,

85
00:04:14,100 --> 00:04:16,660
and instead of adding those permissions

86
00:04:16,660 --> 00:04:18,893
to each individual user,

87
00:04:18,893 --> 00:04:21,470
I can add those kinds of permissions,

88
00:04:21,470 --> 00:04:24,600
those global, universal permissions, to one group

89
00:04:24,600 --> 00:04:26,863
and then just put users into that group.

90
00:04:28,310 --> 00:04:31,630
And then, if any one user needs to be

91
00:04:31,630 --> 00:04:32,490
a little bit different,

92
00:04:32,490 --> 00:04:36,487
I can always address that one user later on.

93
00:04:36,487 --> 00:04:38,609
All right, so let's do the same thing.

94
00:04:38,609 --> 00:04:39,680
We'll create this everyone group.

95
00:04:39,680 --> 00:04:42,070
For now, we will skip the policy,

96
00:04:42,070 --> 00:04:44,000
and we will come back to that.

97
00:04:44,000 --> 00:04:46,530
All right, we're going to revisit that point

98
00:04:46,530 --> 00:04:49,003
about policies here later on.

99
00:04:50,050 --> 00:04:51,800
So, we'll go ahead and create the group,

100
00:04:51,800 --> 00:04:54,550
and now you can see we have our developers group,

101
00:04:54,550 --> 00:04:58,590
our everyone group, so now let's go ahead and create a user,

102
00:04:58,590 --> 00:05:02,670
and this user will be, let's say, a developer,

103
00:05:02,670 --> 00:05:03,920
so we can add a user.

104
00:05:03,920 --> 00:05:08,920
Let's just call this user a.fowler for Amy Fowler,

105
00:05:09,070 --> 00:05:11,920
and so they have a user name, and then,

106
00:05:11,920 --> 00:05:14,220
down below, you'll see here what kind of access type.

107
00:05:14,220 --> 00:05:17,010
How will they be accessing AWS?

108
00:05:17,010 --> 00:05:21,050
Will they be accessing AWS resources programmatically,

109
00:05:21,050 --> 00:05:22,650
or will they be using the console,

110
00:05:22,650 --> 00:05:24,050
or will they be doing both?

111
00:05:24,050 --> 00:05:27,970
And so, as a developer, they will probably be doing both,

112
00:05:27,970 --> 00:05:30,913
but if I were to select programmatic access,

113
00:05:30,913 --> 00:05:33,990
then you can see here, it enables an access key

114
00:05:33,990 --> 00:05:34,823
and a secret key.

115
00:05:34,823 --> 00:05:37,610
We're going to talk about those later on.

116
00:05:37,610 --> 00:05:39,230
For now, I'm going to leave that off,

117
00:05:39,230 --> 00:05:43,410
because ultimately, I don't want to have to find

118
00:05:43,410 --> 00:05:46,743
some secure way of transferring that sensitive information

119
00:05:46,743 --> 00:05:49,780
to the Amy Fowler user.

120
00:05:49,780 --> 00:05:52,410
Email is not appropriate for that kind of thing.

121
00:05:52,410 --> 00:05:55,070
You know, you might trust email,

122
00:05:55,070 --> 00:05:56,790
you might trust things like Slack

123
00:05:56,790 --> 00:05:59,560
and other messaging tools, but when it comes to

124
00:05:59,560 --> 00:06:03,110
transferring credentials that could be used

125
00:06:03,110 --> 00:06:08,110
in dangerous ways, I would prefer that these users

126
00:06:08,690 --> 00:06:12,920
download these kinds of credentials directly from AWS,

127
00:06:12,920 --> 00:06:14,850
rather than me downloading them

128
00:06:14,850 --> 00:06:16,880
and then transferring them to them.

129
00:06:16,880 --> 00:06:20,590
So, I am going to enable management console access,

130
00:06:20,590 --> 00:06:23,180
and now I could do an auto-generated password,

131
00:06:23,180 --> 00:06:27,550
but I do like to check that the user

132
00:06:27,550 --> 00:06:30,170
must create a new password on next sign-in.

133
00:06:30,170 --> 00:06:32,550
That way, they are forced to create a unique password

134
00:06:32,550 --> 00:06:34,110
that only they know.

135
00:06:34,110 --> 00:06:36,597
I can do the auto-generated password

136
00:06:36,597 --> 00:06:39,460
and next go to permissions, and from here,

137
00:06:39,460 --> 00:06:42,040
we could add them to a group, which we will do.

138
00:06:42,040 --> 00:06:44,400
We could copy permissions from an existing user,

139
00:06:44,400 --> 00:06:47,345
if you wanted to essentially duplicate another developer.

140
00:06:47,345 --> 00:06:51,410
If I finish with the a.fowler user

141
00:06:51,410 --> 00:06:54,430
and I want to add some other user,

142
00:06:54,430 --> 00:06:58,160
then I could copy permissions from the a.fowler user,

143
00:06:58,160 --> 00:07:01,800
or I could attach policies directly to the user.

144
00:07:01,800 --> 00:07:03,530
And in some cases, that's appropriate,

145
00:07:03,530 --> 00:07:07,330
but for now, we are simply going to add

146
00:07:07,330 --> 00:07:12,330
the a.fowler user to the developers and the everyone groups.

147
00:07:12,420 --> 00:07:14,110
Then, we can go ahead and tag.

148
00:07:14,110 --> 00:07:18,100
The next one allows us to add tags to that user,

149
00:07:18,100 --> 00:07:22,510
and so we could use tags to organize our environment.

150
00:07:22,510 --> 00:07:27,510
So maybe this user, we could say name, Amy Fowler,

151
00:07:29,340 --> 00:07:33,430
and we could, you know, what department do they work in?

152
00:07:33,430 --> 00:07:36,954
And maybe she works in engineering and so on.

153
00:07:36,954 --> 00:07:41,340
So again, tags are pretty well arbitrary key-value pairs

154
00:07:41,340 --> 00:07:44,370
that we can use to organize our environment,

155
00:07:44,370 --> 00:07:46,540
so if we wanted to find certain resources

156
00:07:46,540 --> 00:07:49,500
based on a tag, it makes it a whole lot easier.

157
00:07:49,500 --> 00:07:54,250
And of course, when we get into other types of resources

158
00:07:54,250 --> 00:07:57,162
like EC2 and S3 and other things,

159
00:07:57,162 --> 00:08:00,920
we will talk about how tagging can also contribute

160
00:08:00,920 --> 00:08:05,520
to automation and cost attribution.

161
00:08:05,520 --> 00:08:07,500
So, we'll go ahead and review,

162
00:08:07,500 --> 00:08:10,696
and you can see here we are creating the a.fowler user

163
00:08:10,696 --> 00:08:14,360
with an auto-generated password,

164
00:08:14,360 --> 00:08:18,520
and they are part of the developers and everyone groups.

165
00:08:18,520 --> 00:08:21,433
All right, so let's go ahead and create that user.

166
00:08:22,790 --> 00:08:23,670
All right, so there we go.

167
00:08:23,670 --> 00:08:27,120
We've created the a.fowler user,

168
00:08:27,120 --> 00:08:32,120
and from here, we could download the user and the password

169
00:08:33,370 --> 00:08:37,230
in a CSV file, or we could just show the password,

170
00:08:37,230 --> 00:08:41,460
copy it, and then send that to them over Slack

171
00:08:41,460 --> 00:08:43,457
or some other messaging system,

172
00:08:43,457 --> 00:08:47,700
and then ensure that they go and immediately log in

173
00:08:47,700 --> 00:08:49,870
and set their own unique password.

174
00:08:49,870 --> 00:08:52,990
So, we will continue to explore these kinds of things

175
00:08:52,990 --> 00:08:56,140
as the course goes on, so I'm gonna go ahead and copy that,

176
00:08:56,140 --> 00:08:57,530
close that, and there you go.

177
00:08:57,530 --> 00:09:00,338
We've created the a.fowler user

178
00:09:00,338 --> 00:09:03,407
and the developers and everyone groups,

179
00:09:03,407 --> 00:09:06,340
and like I said, we will continue to explore these things,

180
00:09:06,340 --> 00:09:11,340
like access keys and policies, more as we move forward.