Now let's take a look at a demo of creating access keys. From the Identity and Access Management console, let's go ahead and click on Users. And here, because I'm logged in as an admin, you can see my Richard user is a part of the admin group, and that's who I'm logged in as. As an admin, I would have permissions to manage the access keys for other people, right? So, I could go to the Amy Fowler user, and I could go to the Security credentials tab, scroll down and see that she currently has no access keys.

And again, access keys are a way of configuring things like your command line interface tools, the SDKs, third-party tools, and most often, I would say that we end up doing that locally so that we can develop against or manage AWS resources from our local machines.

And we can see that Amy does not have any yet, and I could create them for her, right? So, if I clicked on this button and created those access keys, then I would have to find a secure way of transferring those credentials to her. And in my opinion, I don't really think that there is such a thing, unless you want to do some kind of SSH thing and use a FIFO on SSH. That might be secure, but I don't think that email is secure, because it could leave those credentials exposed to being used in ways that they weren't intended, or being used maliciously. And the same is true for just about any messaging app. If you send that message, then those credentials are there to be found by someone.

I prefer to allow, or enable, empower, my users, in this case Amy, to go to AWS and manage her own access keys herself. So I'm not going to do it for her. I'm going to go ahead and log out, and I'm going to sign in as that user. I'm going to go here to the Management Console. I'm going to log in as a.fowler, and we're going to use the auto-generated password that we got earlier when we created that user. I'm going to paste that password.

Now that we've logged in, you can see here it says "You must change your password to continue," and that way Amy-- by forcing our users to do that, in this case, only Amy would know what that password is. I'm going to go ahead and paste that old one again and create a new one. Go ahead and confirm that one.

Now we are, you can see, logged in as Amy. Of course she has, she should have, being a member of the everyone group, she would have access to IAM. Or at least, read access to IAM. A lot of these resources here, Users, Roles, Policies, Groups, this particular user has the ability to view those things, but they don't have the ability to modify those except for their own password and their own access keys. We could either go here and click on the Amy Fowler user, or you could go to My Security Credentials. Either way, Amy could get to those things in either of those two ways.

The password is fresh, we don't need to worry about that. Let's go down here to the access keys. We will go ahead and Create access key, and that's all we have to do. Just like that, we've created an access key. What I do want to point out is this note right here: "This is the only time that the secret access key can be viewed or downloaded." This is sort of like a public/private key pair.

The way that these access keys work is that when the Amazon SDKs or the CLI tools or third-party tools access the API, the metadata about that particular request, along with the Access key ID and the Secret (we can go ahead and show the Secret here), both of these values are used to create a signature, but only the access key is delivered in the request. The Secret is kept secret because it's kept locally. AWS has a copy of the secret, so we create a signature based on a combination of the access metadata, the Access key, and the Secret access key. We pass along the access key in that request, and then on Amazon's side, they essentially replay that signature. They recreate it from the secret key they have stored on their side. If the signature matches, then it's authenticated. Again, the secret key never actually is delivered anywhere. It's meant to remain local, and it's meant to remain secret. Only the access key. That's why we could download the CSV file, or I could copy and paste all of this. I'm going to go ahead and copy that and paste that into my text editor.

Then I can close this, and you can see that now we've created that access key and we have no ability to see the secret again. Amazon will not reveal that; even though they have it and they can use it to verify the signature and validate the request, or authenticate and authorize, they won't reveal it. The access key is essentially the public part, and it's meant to be included in those requests. It's also not really a big deal that Amazon is displaying that access key in plain text, because you need both. You need both the access key and the secret. We keep the secret local and we keep it hidden. I can use these two keys now to configure the CLI tools, the local SDKs, so that when I'm using those tools, or third-party tools that I might have installed locally, I can use those to gain access to AWS resources.

We have this one key, and you can see here it hasn't been used yet, and ideally, we rotate these keys at least every 90 days. You can actually see, if we go back to Users, that this particular key has not been used, but mine is 40 days old. It's still considered to be a secure key. After 90 days, you'll start to get a warning. This check mark will go to an exclamation point, and then after 365 days, once the key is a year old, you'll get a red warning.

Let's just go back there to My security credentials, and if you need to rotate those keys, then, of course, we have the ability; we could create two keys. We could create a second one, copy all of that information, and then you can see that one was created earlier. If we wanted to rotate those keys, then we could start to use the new one and then come back and delete the old one. We could either make it inactive, which means it still exists but it's not able to be used to authenticate against the API, or we could just delete it. I could go ahead and delete the old one. Here at the console it wants us to confirm that yes, we do intend to do that. You'll see that the console does this kind of thing a lot as a way to help prevent accidental deletion of resources. We'll go ahead and delete that. Just like that, we've actually rotated the key.

You've seen that we've created two access keys, we've deleted one, which is essentially the process of rotating keys. That's how we would go about managing access keys.