AWS re:Invent 2018: [REPEAT 1] Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1)

  • Published on 27 Nov 2018
  • Are you interested in becoming an IAM policy master and learning about powerful techniques for controlling access to AWS resources? If your answer is “yes,” this session is for you. Join us as we cover the different types of policies and describe how they work together to control access to resources in your account and across your AWS organization. We walk through use cases that help you delegate permission management to developers by demonstrating IAM permission boundaries. We take an in-depth look at controlling access to specific AWS regions using condition keys. Finally, we explain how to use tags to scale permissions management in your account. This session requires you to know the basics of IAM policies.

Comments • 94

  • @harinarasimhan8493 4 years ago +63

    One of the best tutorial videos on IAM policies I've come across! If Brigid creates AWS course lessons, I'd blindly sign up for it!

  • @vindolanda6974 a year ago +8

    I've gone through multiple videos on paid courses and YouTube, this is the only one I've found which actually tries to teach the content of IAM instead of just regurgitating facts. Great job.

  • @Haiderkindi 3 years ago +6

    One of the best sessions, the presenter is fun and knowledgeable, keep them coming, thank you.

  • @0218deep 2 years ago +2

    I am so thankful to Brigid for her explanation of the IAM in a nutshell. It explains and clears the concepts of all key features of AWS IAM succinctly.

  • @nainajohari1719 3 years ago +1

    One of the best IAM tutorials, Brigid made it fun and easy to comprehend.

  • @ruslanmustaev8170 2 years ago +3

    Lady, you are the best at explaining IAM policies!!! Why haven't I seen this video earlier....

  • @praveengunasekar5882 2 years ago

    One of the best IAM Tutorials I have ever seen, going to use the solutions in my project.

  • @aireddy 3 years ago +2

    This is one of the excellent presentations, which helped me understand IAM permission boundaries and resource policies.

  • @trungkiennguyen7655 2 years ago +1

    Using the role's project-tag as prefix for resource name, to enforce ABAC for resources that don't support tag-based access control. That's brilliant!!

  • @yagobolivar5691 a year ago +1

    Brigid is very good at explaining this complicated subject. Thanks!

  • @ganeshbhosale6947 5 years ago +14

    One of the best presentations on IAM, I must say

  • @saurinshah9339 2 years ago

    Great IAM policy explanation! One of the best sessions I have come across recently.

  • @mahieddine_amamra 2 years ago +1

    One of the best presentations on IAM, I must say. Thank you, Brigid

  • @devpatel5138 3 years ago +3

    Amazing Tutorial. Really cleared things up for me!

  • @sanchitbatra5194 a year ago +2

    5 min in and I already know I'll be getting a lot out of this

  • @ieee1337b 2 years ago +2

    4:05 I found the acronym easier to remember if spelled backwards

  • @patrickkabongo1317 4 days ago

    I love this session. Clear explanations in a relaxed way! Thank you!

    • @amazonwebservices 3 days ago +1

      We're happy you found it helpful. 😃 🎉

  • @mayanksharma5156 4 years ago +4

    This is a gem.

  • @LarryP248 7 months ago

    The value of this content is immense. A similar book I read ushered in a new chapter in my life. "AWS Unleashed: Mastering Amazon Web Services for Software Engineers" by Harrison Quill

  • @QuentinFennessy 10 months ago

    This is an excellent intro to AWS permissions. Brigid packs a lot of useful information into a 1 hour video.

    • @amazonwebservices 10 months ago +1

      So glad you like it, Quentin! 😀

  • @abubakrsaban 4 years ago +4

    Still my favorite video

  • @salahrekik4110 4 years ago +3

    How cool was that !! Awesome

  • @lauramariana2340 4 years ago +5

    Great preso! Great presenter

  • @confused6526 4 years ago +10

    Great Presentation. Would you post your slides in a gist so that we can make use of them? Thanks. J.N

  • @omermindivanli2981 4 years ago +6

    Great Talk!

  • @Mcforlarr 5 years ago +2

    Feedback: would be nice to link the resources at the end of the slide in the description.

  • @emjay6968 2 years ago

    Best. Tutorial. Ever!

  • @gladmanchikosha899 months ago

    This is the greatest of all time tutorial

  • @lukej4242 5 years ago +4

    Anywhere to get those policies? Great preso.

  • @lotsa2000 a year ago

    Awesome! Great job, great info! This should be required day zero material for AWS users. Why am I just now encountering this while studying for my first certificate exam for AWS? I've been working with AWS for like over two years now.

  • @ranjeet1449 5 years ago +18

    Great presentation, I was in this room at the re:Invent.

  • @muradmomani8170 2 years ago +1

    Super clear !

  • @gkranasinghe 2 years ago

    Amazing Tutorial

  • @expensivetechnology9963 5 years ago +1

    Brigid, At 47:30 it appears you were allowed to change 'project' = 'sneaky' to 'project' = 'dorky' to bypass restrictions on 'sneaky' project? Did I see that wrong? And at 53:20 it appears to be trivial for Casey to change his principal tag to gain access to whichever project he wants. Is there in fact something that would block a principal from changing their tag? Great deep dive - this gave me a lot more confidence with policies and conditions. Thank you.

    • @jk2l 5 years ago +5

      She was using two browsers: one is Firefox, which is full admin; the other one is Chrome, which is the IAM role with restricted access.

  • @shadracha.4791 3 years ago

    Great Presentation. Why is it that AWS CloudFront does not support action-level permissions for creating CloudFront key pairs and that one must use an AWS account root user to create a CloudFront key pair?

  • @hassanfrennir7798 8 months ago +1

    Video Summary:
    This video is a tutorial on becoming an IAM Policy Master in AWS in 60 minutes or less. The speaker covers the basics of IAM policy language and then dives into different policy types and use cases. The video also includes live demonstrations of creating and modifying policies.
    - 00:00 This section is an introduction to the speaker and an overview of what will be covered in the video.
    - 06:56 IAM policies in AWS are based on matching the context of a request to an allow statement in a defined policy.
    - 13:54 IAM Policy Master Challenge: Cross-Account Access
    - 20:49 Use deny statements in Service Control Policies to restrict access and reduce blast radius.
    - 27:44 The speaker demonstrates how to store and retrieve secrets using Secrets Manager in different regions, and also shows how to restrict user privileges to prevent privilege escalation.
    - 34:45 The speaker demonstrates how to create a role in IAM with specific permissions for Lambda functions.
    - 41:41 This section explains the IAM policy for creating tags and modifying tags on AWS instances.
    - 48:31 IAM users and roles can now be tagged, allowing for more granular access control

  • @paulielucchese354 2 years ago +1

    Great presentation. Anyone know if these slides are available?

  • @hwy9nightkid 2 years ago

    this talk is very helpful

  • @joross8 2 years ago

    Great info.
    Constructive feedback would be that swapping between Chrome instances during the demo is not very clear or easy to follow. Also the choice of the default theme Notepad++ for the code/text editor is not great for demo purposes. VS Code, or some other dedicated code editor if you couldn't use Microsoft dev tools in an AWS presentation, would have been a better choice.

  • @paka1717 2 years ago

    merci; this is awesome!

  • @nagaripratap8894 3 years ago

    Question: can we control naming convention with IAM policy for creating a resource like "Security group"?

  • @nisargjhatakia5844 months ago

    miles better than my paid Udemy courses

  • @awsclouddevops4750 4 years ago

    excellent.

  • @kaushik853 3 years ago +1

    Why at 20:38, creation control of resources to specific region with IAM policies? I'm doing it in production with org SCPs and it's very easy to manage

    • @thefamousdjx 11 months ago

      I also thought it's just easier doing it on SCP. If it was specific to an account then I would do it her way

  • @os2baba 4 years ago +10

    Not to ding Brigid. She did a good job. But the only thing going through my mind as I watch this is "This is batshit crazy". Figuring out how and why access was denied shouldn't need an n dimensional truth table. I get that this has grown organically but what we have now is a monster of Frankenstein proportions.
    I realize that Google has the advantage of starting out later and not making the same mistakes. And that their offering is significantly less complex than AWS. But GCP IAM is a lot simpler and easier to understand. They have also done a much better job with BigTable than DynamoDB. It's crazy that implementation details dictate how I choose partition keys. And many cross region replication are a lot more transparent.
    At this point, Amazon needs to figure out how to simplify some of this stuff. IAM in particular. Otherwise, AWS is going to collapse under its own weight.

    • @mayanksharma5156 4 years ago +2

      I was wondering the same thing, if you look at the similar tutorials in AWS docs, there are so many exceptions for each of the services that you need to take care of. The level of abstraction makes it very difficult to design and scale IAM.

    • @mrbeats7434 3 years ago

      mate, AWS - Simple Service. Simple

    • @vedambala 2 years ago +1

      IAM does not have simple in its name. Hence the complexity

    • @mrbeats7434 2 years ago +1

      @vedambala sounds simpler

  • @TheAnurag69 2 years ago +2

    SCP policies are used only for deny, then how come at 13:47 she mentioned allow in SCP? Can someone please explain to me?

    • @thefamousdjx 11 months ago

      I also thought we always use them with deny. Didn't realise they can also work this way

  • @LeoYplus 4 years ago +1

    Is the slide available? The YouTube video is hard to read

    • @KIVagant 4 years ago

      Use "zoom in" in your browser. When it is not in the full-screen mode.

    • @corwaincyrus6840 4 years ago

      All slides are available. Google the video name followed by the word slideshare

    • @violatrice4219 3 years ago +1

      AWẞamazon1234

  • @fagbamigbekehinde8944 4 years ago +4

    Please how do I access the command line?

    • @joggyjames 4 years ago +1

      You have to install it; you can get the tool from the AWS site.

  • @kamathmanoj 5 months ago

    Now I am completely lost 😢

  • @mountainscott5274 4 years ago

    I'm guessing "is awesome" didn't show up as a name at 47:50 because tags are case sensitive? Just thought I'd point this out in case anyone else was confused like I was.
    docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

  • @bdjeosjfjdskskkdjdnfbdj 4 years ago +7

    Don't know how many people she helped pass the AWS orgs portion of csap pro haha

    • @pioneerx9066 4 years ago

      yep, "organizational complexity" otherwise known as the most booooooring part of AWS, yet necessary to understand.

  • @WiseWeeabo 4 years ago +5

    low key trying to start a gang war

  • @pioneerx9066 4 years ago +2

    I don't get why she's using a whitelist SCP in her examples when almost nobody uses SCPs that way. They use blacklist SCPs

  • @tieduprightnowprcls a year ago

    😵‍💫😵‍💫😵‍💫

  • @cokegen 3 years ago +1

    I don't get the bashing of this girl. Either take it or leave it, but she was presenting a somewhat difficult topic to grasp for most, in a funny way. Never mind they are posting this for free, in an easy to consume form. And I'm sure we're just seeing the tip of the iceberg on what the girl can do. Brigid is Ninja.

  • @owenzmortgage8273 a year ago

    Where is the real-world enterprise-level project you did? She is reading white papers for one hour.

  • @pging8328 3 years ago

    Does anybody know the difference between permission boundaries and SCPs - they both sound exactly the same!?

    • @thatdamiguy 3 years ago

      Hmmmm. So SCP for now is on an organizational level while Permission boundaries are on the Account level. And yeah, they are kinda similar

  • @belowocean 3 years ago +4

    audience is so awkward lol

  • @sarvagyamaithani2093 2 years ago

    She's sweet

  • @violatrice4219 3 years ago +1

    AWẞçlearDB/00829-⁸7845

  • @masterbat8953 3 years ago +1

    The content was good. The presenter is not great. She should have actually taken the cases one by one

  • @MyGardenForYou 4 years ago +2

    Very bad way of teaching. Don't say you are teaching, you are just checking some folks who know already that's it.

    • @hydramisto 3 years ago +5

      That's what Level 300 sessions are for.

  • @shonm.5420 4 years ago +7

    Tech Industry: "Diversification is important and a priority for us!!"
    Also tech industry: 22:21
    😒🗑🚮

    • @bjohnso5murphy 4 years ago +8

      Thank you for pointing this out. I do see how, when listened to, I should have used the word "theme" to describe which user I was demonstrating in which browser. I will improve for next time.

    • @hwy9nightkid 2 years ago

      @bjohnso5murphy I would just steer clear and say "night mode" or "light theme" .. but good on you for replying

  • @cabc74 5 years ago +5

    Good presentation. Sadly, IAM is an awful product. Your average IT admin can manage this complexity.

  • @andreibuldakov2641 2 years ago

    Great tutorial. She is not that funny though.

  • @peekguyy3194 5 years ago +11

    Good info, but she really needs to stop talking to a room full of adults like they're in kindergarten.

    • @rafau99 5 years ago +28

      meh, if you go to an event and for 10 hours straight you hear someone monologuing in the same tone - your audience would be sleepy - maybe from home where you just watch 1 presentation and look for just the info you want it's not necessary but she speaks with experience from speeches.

  • @SafetyDelivered a year ago

    000002 *REH02241996 the RE I love your demonstration sounds like u should be in Boston massachusetts with RE.inforce

  • @violatrice4219 3 years ago

    AWẞçlearDB/00829-⁸7845