1
00:00:06,569 --> 00:00:07,730
- [Instructor] Alright, so now let's take a look

2
00:00:07,730 --> 00:00:10,083
at a demo of creating a user and group

3
00:00:10,083 --> 00:00:13,682
within AWS Identity And Access Management.

4
00:00:13,682 --> 00:00:15,331
You can see that I'm already logged in

5
00:00:15,331 --> 00:00:19,139
to the AWS console and from here, I'm going to go

6
00:00:19,139 --> 00:00:22,972
to the Identity And Access Management service.

7
00:00:25,211 --> 00:00:28,265
Here's the dashboard of Identity And Access Management

8
00:00:28,265 --> 00:00:29,948
you can see, at a glance

9
00:00:29,948 --> 00:00:32,061
that I already have a couple of users.

10
00:00:32,061 --> 00:00:34,834
I have one group already, an Admin group.

11
00:00:34,834 --> 00:00:36,334
I have some roles.

12
00:00:37,539 --> 00:00:40,210
You can also see that the IAM service

13
00:00:40,210 --> 00:00:41,986
gives us a checklist of things

14
00:00:41,986 --> 00:00:44,088
that we need to do to ensure

15
00:00:44,088 --> 00:00:48,511
that we have the greatest security within our environment.

16
00:00:48,511 --> 00:00:50,206
So, from here, I'm going to ...

17
00:00:50,206 --> 00:00:54,397
First thing I want to do is create a user for Jane Doe.

18
00:00:54,397 --> 00:00:57,636
So, I'm gonna go ahead and go to my Users.

19
00:00:57,636 --> 00:01:00,806
I'm going to create a new user and here I'm going to

20
00:01:00,806 --> 00:01:02,582
say Jane.Doe.

21
00:01:02,582 --> 00:01:04,939
We're going to talk about access keys later,

22
00:01:04,939 --> 00:01:08,399
but for now I'm going to uncheck that.

23
00:01:08,399 --> 00:01:09,873
And Create.

24
00:01:09,873 --> 00:01:12,636
And you can see, now I have the Jane Doe user.

25
00:01:12,636 --> 00:01:15,643
Now, at this point, you can see here

26
00:01:15,643 --> 00:01:19,521
that my user has a password but Jane does not.

27
00:01:19,521 --> 00:01:21,797
So, at this point, Jane can't do anything.

28
00:01:21,797 --> 00:01:24,502
She doesn't have access to the console.

29
00:01:24,502 --> 00:01:27,753
She doesn't have access keys for the CLI,

30
00:01:27,753 --> 00:01:31,503
again, we'll talk about access keys here later on,

31
00:01:31,503 --> 00:01:34,672
but Jane has no permissions either, she just has an account

32
00:01:34,672 --> 00:01:38,074
that she can't access and can't do anything with.

33
00:01:38,074 --> 00:01:40,175
In order for Jane to be able to actually do something

34
00:01:40,175 --> 00:01:43,147
she needs to at least be able to log into the console.

35
00:01:43,147 --> 00:01:45,945
And in order to log in, you need a password.

36
00:01:45,945 --> 00:01:50,462
So, I'm going to click through to the details of Jane's user

37
00:01:50,462 --> 00:01:53,353
make sure that I'm on the Security Credentials tab.

38
00:01:53,353 --> 00:01:56,418
I'm gonna come down here to manage password

39
00:01:56,418 --> 00:01:59,750
and from here, I'm going to just assign

40
00:01:59,750 --> 00:02:03,346
an auto generated password and I want to ensure

41
00:02:03,346 --> 00:02:07,862
that Jane is required to change that next time she logs in.

42
00:02:07,862 --> 00:02:09,612
So, once I hit Apply,

43
00:02:11,243 --> 00:02:12,695
this is the only time that I will be

44
00:02:12,695 --> 00:02:15,609
able to see that password that was generated.

45
00:02:15,609 --> 00:02:18,070
So from here, I would copy and paste this and give it

46
00:02:18,070 --> 00:02:20,903
to Jane in some kind of secure way

47
00:02:22,054 --> 00:02:24,434
over an encrypted connection of some kind

48
00:02:24,434 --> 00:02:26,047
and that's the only time I would

49
00:02:26,047 --> 00:02:30,169
ever share credentials: is when I know that this user

50
00:02:30,169 --> 00:02:33,002
is going to be prompted to change their password

51
00:02:33,002 --> 00:02:34,325
when they log in.

52
00:02:34,325 --> 00:02:37,077
So, I'm gonna go ahead and close that.

53
00:02:37,077 --> 00:02:41,245
And you can see here that Jane does have a password.

54
00:02:41,245 --> 00:02:43,811
So, now she has access to the console,

55
00:02:43,811 --> 00:02:46,260
but she still doesn't have any permissions.

56
00:02:46,260 --> 00:02:50,579
I'm going to grant her permissions by way of using a group.

57
00:02:50,579 --> 00:02:52,611
And so, I'm gonna come over here

58
00:02:52,611 --> 00:02:53,888
to the groups.

59
00:02:53,888 --> 00:02:55,792
You can see I already have an Admin group

60
00:02:55,792 --> 00:02:57,719
that my user is a part of,

61
00:02:57,719 --> 00:03:01,411
but I want to create a group for developers.

62
00:03:01,411 --> 00:03:03,559
So, I'm going to create a group.

63
00:03:03,559 --> 00:03:05,254
This is totally arbitrary, what you name it.

64
00:03:05,254 --> 00:03:08,354
There's nothing in Amazon Web Services that says you have to

65
00:03:08,354 --> 00:03:10,328
name it in any particular way.

66
00:03:10,328 --> 00:03:12,232
I'm gonna call this one Developers

67
00:03:12,232 --> 00:03:15,123
because that's what Jane is, in this example.

68
00:03:15,123 --> 00:03:17,480
And from here, now the wizard is prompting us

69
00:03:17,480 --> 00:03:19,755
to attach policies, and we're going to talk about

70
00:03:19,755 --> 00:03:23,126
policies later, but for now, suffice to say

71
00:03:23,126 --> 00:03:24,925
that policies are a way of granting

72
00:03:24,925 --> 00:03:28,373
our user permissions to do things.

73
00:03:28,373 --> 00:03:32,379
And so, I want our developers to be able to launch

74
00:03:32,379 --> 00:03:35,978
EC2 instances, or virtual machines, so I'm going to

75
00:03:35,978 --> 00:03:37,099
give them

76
00:03:37,099 --> 00:03:38,266
EC2

77
00:03:38,266 --> 00:03:39,266
full access.

78
00:03:41,894 --> 00:03:45,505
And I'm going to go ahead and create that group

79
00:03:45,505 --> 00:03:47,885
and now you can see that we have a Developers group

80
00:03:47,885 --> 00:03:50,230
but we don't have any users in it yet.

81
00:03:50,230 --> 00:03:52,947
So I'm gonna click through.

82
00:03:52,947 --> 00:03:55,269
I'm going to Add Users To the Group.

83
00:03:55,269 --> 00:03:56,269
Select Jane.

84
00:03:58,206 --> 00:04:00,748
Click Add Users and now you can see that Jane

85
00:04:00,748 --> 00:04:03,837
is a member of the Developers group.

86
00:04:03,837 --> 00:04:08,028
We can see that the Developers group has access to

87
00:04:08,028 --> 00:04:08,945
Amazon EC2.