AWS Identification Access Management (IAM) setup and some common best practices

AWS Identification Access Management (IAM)

IAM Dashboard

Enable MFA for privileged users

For extra security, enable multifactor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP) and users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).
Below is a virtual MFA demonstration.
Virtual MFA: Google Authenticator
Click the AWS “Manage MFA” button and use your smartphone with the Google Authenticator app installed to scan the QR code on the AWS MFA settings screen. After you enter two consecutive 6-digit codes generated by the Google Authenticator app, the AWS MFA device is configured.
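To show what the virtual MFA device is actually doing when it produces those 6-digit codes, and why AWS asks for two consecutive codes during enrollment, here is an added example (not code from the original post or from AWS) that implements the TOTP algorithm Google Authenticator uses (RFC 6238 over RFC 4226 HOTP), decodes the base32 seed AWS shows next to the QR code, and checks an enrollment pair and a login code. The seed string in the demo is constructed, not a real device seed.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as used by Google Authenticator: the counter is the 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def decode_seed(base32_seed: str) -> bytes:
    """The secret key AWS displays next to the QR code is base32; the QR code carries the same seed."""
    cleaned = base32_seed.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding that display strings usually omit
    return base64.b32decode(cleaned)


def verify_enrollment(secret: bytes, code1: str, code2: str, unix_time: int, step: int = 30) -> bool:
    """Two-code enrollment check: code1 and code2 must belong to consecutive time steps ending at
    (roughly) now, which proves the phone holds the right seed and a synchronised clock."""
    current = int(unix_time) // step
    for drift in (-1, 0, 1):  # tolerate one step of clock skew either way
        second = current + drift
        if second >= 1 and hmac.compare_digest(hotp(secret, second - 1), code1) \
                and hmac.compare_digest(hotp(secret, second), code2):
            return True
    return False


def verify_login(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Login check: compare in constant time against the current step and +/- window steps."""
    current = int(unix_time) // step
    candidates = [hotp(secret, c) for c in range(max(0, current - window), current + window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


if __name__ == "__main__":
    seed = decode_seed("JBSWY3DPEHPK3PXP")  # constructed demo seed, not a real AWS device seed
    now = int(time.time())
    print("code for this 30-second step:", totp(seed, now))
    print("enrollment with two consecutive codes:",
          verify_enrollment(seed, totp(seed, now - 30), totp(seed, now), now))
```

The seed is the only secret in the scheme, which is why the QR code and the "show secret key" text should be treated like a password and not left in screenshots or tickets; anyone holding the seed can compute the same codes.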

Use groups to assign permissions to IAM users

Instead of defining permissions for individual IAM users, it’s usually more convenient to create groups that relate to job functions (administrators, developers, accounting, etc.), define the relevant permissions for each group, and then assign IAM users to those groups. All the users in an IAM group inherit the permissions assigned to the group. 
That way, you can make changes for everyone in a group in just one place. As people move around in your company, you can simply change what IAM group their IAM user belongs to.
Create new Group

Create New User

Add User to Group
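To make the "users inherit the group's permissions" rule concrete, here is an added example (not code from the original post or from AWS) that models a few groups with inline policies, some user memberships, and the core of the IAM evaluation order: an explicit Deny always wins, any matching Allow grants, and no match means an implicit deny. The group names, policies, users and ARNs are constructed sample data; the model deliberately leaves out resource-based policies, permission boundaries, conditions, NotAction and organisation SCPs.

```python
import fnmatch
from typing import Dict, List, Union

Patterns = Union[str, List[str]]

# Constructed sample data: the group policies and memberships an account might end up with
# after following the steps above. Statements use the real IAM policy fields.
GROUP_POLICIES: Dict[str, List[dict]] = {
    "Administrators": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
    "Developers": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::analytics-*", "arn:aws:s3:::analytics-*/*"]},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
    ],
    "Accounting": [
        {"Effect": "Allow", "Action": ["ce:*", "aws-portal:View*"], "Resource": "*"},
    ],
}

USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["Administrators"],
    "bob": ["Developers"],
    "carol": ["Developers", "Accounting"],
    "dave": [],  # created but never added to a group: no permissions at all
}


def _matches(patterns: Patterns, value: str, case_insensitive: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:  # action names are matched case-insensitively, resource ARNs are not
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def effective_statements(user: str) -> List[dict]:
    """Everything a user is granted comes from the groups they belong to."""
    return [stmt for group in USER_GROUPS.get(user, []) for stmt in GROUP_POLICIES.get(group, [])]


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny always wins, otherwise any matching Allow
    grants access, and with no match at all the request is implicitly denied."""
    allowed = False
    for stmt in effective_statements(user):
        if _matches(stmt["Action"], action, case_insensitive=True) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def move_user(user: str, from_group: str, to_group: str) -> None:
    """Changing what someone may do is a membership change, not a policy edit."""
    groups = USER_GROUPS.setdefault(user, [])
    if from_group in groups:
        groups.remove(from_group)
    if to_group not in groups:
        groups.append(to_group)


if __name__ == "__main__":
    for user, action, resource in [
        ("bob", "s3:GetObject", "arn:aws:s3:::analytics-raw/events.csv"),
        ("bob", "s3:GetObject", "arn:aws:s3:::payroll/salaries.csv"),
        ("bob", "dynamodb:DeleteTable", "arn:aws:dynamodb:us-east-1:123456789012:table/events"),
        ("dave", "s3:ListBucket", "arn:aws:s3:::analytics-raw"),
    ]:
        print(f"{user:6} {action:22} {resource:55} -> {is_allowed(user, action, resource)}")
```

Running it shows the practical payoff of the group approach: bob's access to the payroll bucket is an implicit deny because no Developers statement mentions it, the DeleteTable Deny holds even though `dynamodb:*` is allowed in the same group, and dave can do nothing until `move_user` puts him in a group.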

Use roles for applications that run on Amazon EC2 instances

Applications that run on an Amazon EC2 instance need credentials in order to access other AWS services. To provide credentials to the application in a secure way, use IAM roles.
A role is an entity that has its own set of permissions, but that isn’t a user or group. Roles also don’t have their own permanent set of credentials the way IAM users do.
For example, in the case below, I create a new role and specify it for the Elastic MapReduce (EMR) instances as a launch parameter.
Applications that run on the EC2 instance can use the role’s credentials when they access AWS resources. The role’s permissions determine what the application is allowed to do. In the case below, I allow the EMR instances to access the relevant AWS resources, e.g. DynamoDB, S3 and Kinesis.

Create New Role and assign role to EMR instances

So when you launch your EMR cluster, you will see that the EMR-user role created above can be assigned in your EMR cluster configuration.
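The sentence "roles don't have their own permanent set of credentials" is the key security point of this section, so here is an added example (not code from the original post or from AWS) of what an application on the instance does instead: it asks the instance metadata service (IMDSv2, at the fixed address 169.254.169.254) for the role's temporary credentials and refreshes them before they expire. The `fetch_from_imds` function performs the real IMDSv2 exchange and only works on an EC2 instance; `run_demo` drives the same cache with a constructed fake metadata service and a constructed clock so the refresh behaviour can be seen offline. The role name EMR-user is the one from the post; the credential values are constructed placeholders.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

IMDS = "http://169.254.169.254"


def fetch_from_imds(role_name: str) -> dict:
    """IMDSv2: obtain a short-lived session token with PUT, then read the role's credentials.
    Only works when run on an EC2 instance that has the role attached."""
    req = urllib.request.Request(f"{IMDS}/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    token = urllib.request.urlopen(req, timeout=2).read().decode()
    req = urllib.request.Request(f"{IMDS}/latest/meta-data/iam/security-credentials/{role_name}",
                                 headers={"X-aws-ec2-metadata-token": token})
    return json.loads(urllib.request.urlopen(req, timeout=2).read())


class RoleCredentials:
    """Caches the role's temporary credentials and refreshes them shortly before they expire.
    Nothing long-lived is ever written to disk or baked into the application."""

    def __init__(self, role_name: str,
                 fetcher: Callable[[str], dict] = fetch_from_imds,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc),
                 refresh_margin: timedelta = timedelta(minutes=5)):
        self.role_name = role_name
        self.fetcher = fetcher
        self.clock = clock
        self.margin = refresh_margin
        self._creds: Dict[str, str] = {}
        self._expires = None
        self.fetch_count = 0

    def get(self) -> Dict[str, str]:
        now = self.clock()
        if not self._creds or now >= self._expires - self.margin:
            payload = self.fetcher(self.role_name)
            if payload.get("Code") != "Success":
                raise RuntimeError(f"metadata service returned {payload.get('Code')}")
            # Expiration is ISO 8601 UTC, e.g. 2024-01-01T01:00:00Z
            self._expires = datetime.strptime(payload["Expiration"], "%Y-%m-%dT%H:%M:%SZ") \
                .replace(tzinfo=timezone.utc)
            self._creds = {k: payload[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}
            self.fetch_count += 1
        return self._creds


def run_demo() -> dict:
    """Constructed offline scenario: a fake metadata service hands out credentials valid for one hour."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    state = {"now": base, "issued": 0}

    def fake_imds(role_name: str) -> dict:
        state["issued"] += 1
        return {"Code": "Success", "Type": "AWS-HMAC",
                "AccessKeyId": f"ASIACONSTRUCTED{state['issued']}",   # placeholder, not a real key
                "SecretAccessKey": "constructed-secret",
                "Token": "constructed-session-token",
                "Expiration": (state["now"] + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")}

    creds = RoleCredentials("EMR-user", fetcher=fake_imds, clock=lambda: state["now"])
    first = creds.get()["AccessKeyId"]
    state["now"] = base + timedelta(minutes=30)
    second = creds.get()["AccessKeyId"]           # still valid: served from cache
    state["now"] = base + timedelta(minutes=56)   # inside the 5-minute refresh margin
    third = creds.get()["AccessKeyId"]            # refreshed: a new key id
    return {"fetches": creds.fetch_count, "keys": [first, second, third]}


if __name__ == "__main__":
    print(run_demo())
```

Because the key pair changes on every refresh, a leaked copy is only useful until its `Expiration`, and CloudTrail records the role session rather than a named user, which is exactly the property the post is after when it prefers roles over keys on instances.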

Rotate credentials regularly

Change your own passwords and access keys regularly, and make sure that all IAM users in your account do as well. That way, if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources. You can apply a password policy to your account to require all your IAM users to rotate their passwords, and you can choose how often they must do so.
You may follow the steps below to set up your password rotation policy.
Account Password Policy Setting
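A password policy only covers console passwords, so the rotation of access keys in the same section has to be checked separately. Here is an added example (not code from the original post or from AWS) that audits credential age over a few constructed rows laid out like the IAM credential report, flagging passwords and active access keys older than 90 days and console users without MFA, and that carries a sample account password policy expressed with the parameter names of the IAM UpdateAccountPasswordPolicy API together with a local check of its complexity rules. The users, dates and policy values are constructed; the `AUDIT_TIME` constant fixes "now" so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed rows in the layout of the IAM credential report (only the columns used here;
# the real report, from `aws iam generate-credential-report` / `get-credential-report`, has more).
CREDENTIAL_REPORT = """\
user,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,true,2024-01-10T08:00:00+00:00,true,true,2023-09-01T08:00:00+00:00,false,N/A
bob,true,2023-11-20T08:00:00+00:00,false,true,2024-02-15T08:00:00+00:00,true,2023-06-01T08:00:00+00:00
emr-deploy,false,N/A,false,true,2024-03-01T08:00:00+00:00,false,N/A
"""

# Constructed audit instant so the result is reproducible.
AUDIT_TIME = datetime(2024, 4, 1, tzinfo=timezone.utc)

# Parameters of the IAM UpdateAccountPasswordPolicy API; apply with
# boto3.client("iam").update_account_password_policy(**PASSWORD_POLICY). The values are a sample choice.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,           # days; IAM forces a change after this
    "PasswordReusePrevention": 24,  # number of previous passwords that may not be reused
    "HardExpiry": False,            # True would lock users out instead of prompting for a change
}
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")  # the symbol set IAM counts for RequireSymbols


def _timestamp(value: str):
    """Report cells that carry no date read N/A, not_supported or no_information."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def find_stale_credentials(report_csv: str, now: datetime, max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, problem) pairs: console passwords and active access keys older than max_age_days,
    plus console users without MFA. Credentials that were never rotated count as stale."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true":  # service users without a console password are skipped
            changed = _timestamp(row["password_last_changed"])
            if changed is None or changed < cutoff:
                findings.append((row["user"], "password"))
            if row["mfa_active"] != "true":
                findings.append((row["user"], "no_mfa"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] == "true":
                rotated = _timestamp(row[f"access_key_{slot}_last_rotated"])
                if rotated is None or rotated < cutoff:
                    findings.append((row["user"], f"access_key_{slot}"))
    return findings


def password_meets_policy(password: str, policy: dict = PASSWORD_POLICY) -> List[str]:
    """Local check of the complexity rules in the policy (age and reuse are enforced by IAM itself).
    Returns the names of the failed rules; an empty list means the password passes."""
    failures = []
    if len(password) < policy["MinimumPasswordLength"]:
        failures.append("MinimumPasswordLength")
    if policy["RequireSymbols"] and not any(ch in IAM_SYMBOLS for ch in password):
        failures.append("RequireSymbols")
    if policy["RequireNumbers"] and not any(ch.isdigit() for ch in password):
        failures.append("RequireNumbers")
    if policy["RequireUppercaseCharacters"] and not any(ch.isupper() for ch in password):
        failures.append("RequireUppercaseCharacters")
    if policy["RequireLowercaseCharacters"] and not any(ch.islower() for ch in password):
        failures.append("RequireLowercaseCharacters")
    return failures


if __name__ == "__main__":
    for user, problem in find_stale_credentials(CREDENTIAL_REPORT, AUDIT_TIME):
        print(f"{user}: {problem}")
```

Run against the sample report the audit reports alice's year-old first access key, bob's stale password, missing MFA and old second key, and nothing for the key-only deploy user, which is the kind of list worth producing on a schedule rather than relying on people to rotate by themselves.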

The resources are mainly referenced from below URL:
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

If you would like to know more about IAM, feel free to explore the AWS IAM documentation above. However, the purpose of this blog is to demonstrate how I use AWS resources for big data analytics, so this is sufficient for now.
