1
00:00:06,782 --> 00:00:10,296
Alright, so let's talk about the AWS Identity

2
00:00:10,296 --> 00:00:12,796
and Access Management service.

3
00:00:14,063 --> 00:00:18,878
Within AWS, we need a way to authenticate and authorize

4
00:00:18,878 --> 00:00:19,923
our users.

5
00:00:19,923 --> 00:00:23,814
Authentication being knowing who that person is.

6
00:00:23,814 --> 00:00:28,346
Authorization being what they're allowed to do.

7
00:00:28,346 --> 00:00:31,006
Now, of course, just like any system, we have the ability

8
00:00:31,006 --> 00:00:33,940
to create users and groups of users.

9
00:00:33,940 --> 00:00:36,615
We have the ability to control our password policy,

10
00:00:36,615 --> 00:00:39,905
and it's recommended that we set a strong password policy,

11
00:00:39,905 --> 00:00:44,072
including disallowing the last certain number of passwords,

12
00:00:45,331 --> 00:00:48,054
that perhaps the last two or three or four passwords

13
00:00:48,054 --> 00:00:50,024
should not be reused.

14
00:00:50,024 --> 00:00:52,360
We also have the ability to enable

15
00:00:52,360 --> 00:00:54,431
Multifactor Authentication.

16
00:00:54,431 --> 00:00:57,041
So, just in case we might not be familiar with that,

17
00:00:57,041 --> 00:01:00,415
Multifactor Authentication could be described as

18
00:01:00,415 --> 00:01:03,109
"something you have," "something you know," and

19
00:01:03,109 --> 00:01:04,714
"something you are."

20
00:01:04,714 --> 00:01:07,385
Now, the "something you are" would be biometrics,

21
00:01:07,385 --> 00:01:11,164
like fingerprints, iris scan, and of course those

22
00:01:11,164 --> 00:01:13,866
aren't available here within the AWS Identity

23
00:01:13,866 --> 00:01:17,135
and Access Management service, but the other two are.

24
00:01:17,135 --> 00:01:20,558
"Something you know" would be like your user name

25
00:01:20,558 --> 00:01:22,362
and your password.

26
00:01:22,362 --> 00:01:25,682
"Something you have" would be a Multifactor Authentication

27
00:01:25,682 --> 00:01:29,766
or an MFA device, such as a key fob or a virtual MFA

28
00:01:29,766 --> 00:01:31,493
device on your cell phone.

29
00:01:31,493 --> 00:01:34,751
So, MFA, or Multifactor Authentication, is fulfilling

30
00:01:34,751 --> 00:01:36,891
at least two of those.

31
00:01:36,891 --> 00:01:39,303
So, "something you know," the user name and password,

32
00:01:39,303 --> 00:01:41,936
combined with "something you have" would fulfill the

33
00:01:41,936 --> 00:01:43,367
Multifactor Authentication.

34
00:01:43,367 --> 00:01:46,589
It just adds that extra layer of security to your account,

35
00:01:46,589 --> 00:01:49,886
and it's highly recommended and considered best practice

36
00:01:49,886 --> 00:01:52,999
that we enable that and use that for all members who

37
00:01:52,999 --> 00:01:56,900
especially need to log into the console, or in other cases

38
00:01:56,900 --> 00:01:59,455
that we'll talk about later when you're doing special

39
00:01:59,455 --> 00:02:03,643
types of things like accessing your production account.

40
00:02:03,643 --> 00:02:07,391
Now, it's really important to note that what we're talking

41
00:02:07,391 --> 00:02:09,982
about here, creating users and groups,

42
00:02:09,982 --> 00:02:11,973
authenticating and authorizing,

43
00:02:11,973 --> 00:02:14,473
this is meant for authenticating

44
00:02:14,473 --> 00:02:18,710
and authorizing against the Amazon Web Services API.

45
00:02:18,710 --> 00:02:21,474
When you think about realms of authentication,

46
00:02:21,474 --> 00:02:25,212
like the areas into which we need to authenticate our users,

47
00:02:25,212 --> 00:02:28,944
that would be one, being the AWS API,

48
00:02:28,944 --> 00:02:31,285
which is what the Identity and Access Management

49
00:02:31,285 --> 00:02:32,682
service is for.

50
00:02:32,682 --> 00:02:35,145
And then, of course, we have our operating system.

51
00:02:35,145 --> 00:02:38,021
If we install applications on that operating system

52
00:02:38,021 --> 00:02:40,549
or databases, then they would have their own realm

53
00:02:40,549 --> 00:02:43,112
of authentication and their own set of users.

54
00:02:43,112 --> 00:02:46,157
So it's important to know that what we're talking about

55
00:02:46,157 --> 00:02:49,390
here within the IAM service, the Identity and Access

56
00:02:49,390 --> 00:02:52,925
Management, that this is specifically for authenticating

57
00:02:52,925 --> 00:02:54,594
against the AWS API.

58
00:02:54,594 --> 00:02:59,224
It is not to be used for OS-level authentication,

59
00:02:59,224 --> 00:03:02,097
or application- or database-level authentication.

60
00:03:02,097 --> 00:03:05,244
Except in the case of Amazon DynamoDB, and we'll

61
00:03:05,244 --> 00:03:07,186
talk about that later.

62
00:03:07,186 --> 00:03:11,902
So, again, the AWS Identity and Access Management service

63
00:03:11,902 --> 00:03:15,295
is for authenticating and authorizing users and

64
00:03:15,295 --> 00:03:19,462
groups of users against the Amazon Web Services API.