00:00:06,570 --> 00:01:13,170
Now let's take a look at a demo of creating roles. From the AWS Management Console dashboard, again, in order to create roles, those are found under the IAM service. So, since we've been there recently, we can go here, just follow that link. And you can see that we already have a number of roles. It shows us that I have 25 different roles in this particular account. These are things that I've done in the past. So, if we click on that, there's a number of different roles; some of these were created for me by Amazon services, some of these I created myself. And so, we're going to create a couple of different roles here. Again, you can see I am logged in as my admin user. So, whatever user is in the console trying to do this would of course need the permissions to create roles and permissions to assign policies to those roles. So, let's first create a role for EC2. So, there are several different types of roles.
00:01:13,170 --> 00:02:23,120
You can see that we have roles for AWS services that allow the service to do things on your behalf, such as EC2, Lambda and so on. We have another AWS account, either belonging to you or a third party. And then of course we have web identity. We're gonna talk a lot about that kind of thing much more later on, and throughout the course we'll talk more about different ways we can use web identity so that our users can log in with things like Facebook, Google, Twitter, and so on. And then of course we could create a role that's specifically meant for federation. So, in this particular case let's just create a role for EC2. We've chosen EC2, and let's say that we have an application that will be deployed directly to an EC2 instance, and that application needs to communicate with S3 or DynamoDB, or whatever. Then the better way of going about giving that application permissions is to give the instance permission, or attach a role to the instance.
00:02:23,120 --> 00:03:30,860
Then the application can retrieve temporary credentials based on that role. All right, so now it's saying Attach permissions. So let's do a search for S3 and see. We could say S3 full access or read only access. Let's just do that one for now. Right, whatever permissions you apply, the really important thing here is that whatever permissions you apply to this role are then available from that instance. For example, if we were to give S3 full access, then S3 full access would allow this role to create buckets, create objects and delete objects and delete buckets. So, the important thing to realize is that anyone, any person or any application that has access to that instance would then have access to the temporary credentials, and they could then use those temporary credentials to perform the actions that are allowed by these policies, right.
00:03:30,860 --> 00:04:41,660
So, if I grant this role S3 full access and someone is able to somehow compromise that instance and gain remote access to it, they could find those temporary credentials and then on that instance use them to potentially delete S3 resources, right. So we want to be very careful about the permissions that we give to these kinds of roles. We should be following the principle of least privilege and giving our applications the permissions that they need and no more. So, just for example, if we wanted an application to be able to read everything from S3, but not delete, not create new things, then we could, just as a quick example, say S3 read only access. Or we could create a policy specifically for that application, which is the ideal thing to do. But we're gonna keep it simple for now. Ideally, in a production scenario, I would create a policy specifically for the way in which those credentials would be used, specifically for that application on that instance.
00:04:41,660 --> 00:05:49,180
But for now, let's just keep it simple and attach this existing read only policy. We can go next to tags and again, tags can help us organize our environment. We could say what environment this is for, maybe it's for dev. We can say what application, and maybe we call this our fundamentals application. You know, we could add any kind of key value pair that helps us make sense of and helps us organize the resources in our environment. Right, so let's go and review that. We're gonna call this one fundamentalsApplication. And then it says, here we're going to say "Allows fundamentals application," our imaginary fundamentals application, "to read everything from S3." And again, you know, just going back to a point I made earlier, I want to reiterate it, because it's so important: I've given this instance, you know, read access across all of S3.
00:05:49,180 --> 00:07:12,290
And so, if I have sensitive data stored in a bucket somewhere, be it personally identifiable information, protected health information, any kind of credential stores, or classified information if you're working in GovCloud, then by applying this policy to this role, we are essentially granting that instance access to that data. Again, we want to be really careful about the permissions that we are giving to our applications and to our EC2 instances. And especially in the case of EC2 instances, when we are granting permissions to them via roles like this, we want to take extra precaution to really prevent unwarranted or unauthorized remote access. So, let's go ahead and create that role, and if we scroll down here, here's our fundamentals role, right. You can see here that it has a specific role ARN and it also has an instance profile. The instance profile is what is actually applied directly to the instances. The role is applied to the profile.
00:07:12,290 --> 00:08:28,060
The profile is applied to the instances. And so, it's through that mechanism that the instance can retrieve temporary credentials and then use those credentials to access whatever resources it was granted access to, in this case S3. All right? That's creating roles for EC2. Let's take a look at creating a role for another account. This is a very common pattern and a very powerful pattern, right. And so, we need to find our account ID, so we need the identifier of the account, and it could be an account that you own or an account belonging to a third party. Okay, so what we're going to do here is paste the account number of another account that I have. For you, if you have multiple accounts, then you could use one of your other accounts. So I'm gonna paste that account number. Okay, so we've pasted our account ID and then we have a couple of options. If it's our own account, then we don't necessarily have to do either of these other two things.
00:08:28,060 --> 00:09:36,360
But if we are sharing it, if we're creating this role that is meant to be assumed by someone in a third party, like a vendor or a client, then we might require an external ID. That's just an extra level of validation. So, if I do that, it says here "You can increase the security of your role by requiring an optional external identifier, which prevents confused deputy attacks." We could apply that external ID for that other resource, for that third party. In this case, since it's an account I own, I don't need to worry about it. I could also require MFA, or multifactor authentication. And so, I generally like that one. It just makes me feel better, because if they are assuming this account, or assuming this role, then they are going to gain access to resources in this account. And so this could be a production account.
00:09:36,360 --> 00:10:45,915
That's a common practice where users are in, let's say, like an admin account, but then we give them cross-account access by way of a cross-account role into the production account or some other account. Again, by allowing them to assume this cross-account role we give them access to all of the resources in that account, or at least what they are permitted to access based on this role. And so, let's go ahead and say Next Permissions. Again, we need to find and attach a policy that grants some type of permission. And again, we could create a policy specifically for what this role will be used for. In this case again, let's just, as a quick example, do S3 read only. We could also do EC2 read only access, for example, and say Next Tags. And again, we could apply tags to this role if we needed to; we'll go ahead and skip that for now and review that, and we'll call this one prodAccountReadAccess.
00:10:48,770 --> 00:12:05,143
So this will say "Allows users who assume this role to read S3 and EC2 in production account." Okay, so now that we've got all of that in place we can say Create Role, and if we search for prod, here it is. Here's our prod account role. And so now, in order for a user within the current account to assume that one, or for a user to assume that, we would give them this ARN. And this value is safe to email, because it's not really secret, and just having this information doesn't really allow you to do anything with it. Anyone trying to use this would have to be allowed to use it. And the only person allowed to use it is the person in this account, right? Someone who has been explicitly granted, an IAM user who has explicitly been granted the ability to assume this particular role. So that's how we can create roles for both EC2 and cross-account.