Chapter 8. AWS security: working with IAM users, groups, and roles


The last couple of chapters showed you that Amazon S3 is a great place to store your data backups to protect you when things decide to go really wrong. But how about an early intervention? Rather than just learning how to ensure that you’ve got the data to successfully rebuild after bad stuff happens, wouldn’t it be nice if you could prevent disasters in the first place?

The trick—or most of it, at any rate—is learning how to closely control exactly who and what can access your resources. Or, in other words, how to secure your AWS account.

If your entire infrastructure consisted of a single WordPress web server managed by a single administrator (you), then none of this would necessarily interest you: you could open website access to the whole world and restrict admin access to yourself. But as your project grows, you may need to hire a few developers or some marketing and content professionals. Each team will need to reach the resources they're working on, but at the same time, to limit your exposure to risk, security best practices recommend granting each user access to no more than they absolutely require. So you'll have to find a way to finely tune who gets through your front door, and how far they can go once inside.

8.1. Defining the pieces of the IAM picture

8.2. IAM-ifying an AWS account

8.3. Lab