What is AWS IAM Identity Center? Explained for Beginners (the theory)

  • Date added: 12. 06. 2024
  • If you’ve tried to create an IAM user in AWS lately, you’ve surely seen the messages and recommendations about using IAM Identity Center. But what exactly is it, and how does it differ from “regular” IAM?
    In this short explainer video, I’ll overview what IAM Identity Center is (formerly called AWS Single Sign-On, or SSO), why you’d use it, and how it differs from IAM. I also briefly touch on AWS Organizations and how they work with Identity Center.
    This video is all theory. For a hands-on tutorial of how to set up and use Identity Center, check out this video: • How to Set Up AWS IAM ... .
    For a video about IAM basics, check out this video: • AWS Identity and Acces...
    🌟🌟If you’re interested in getting AWS certifications, check out these full courses. They include lots of hands-on demos, quizzes and full practice exams. Use FRIENDS10 for a 10% discount!
    - AWS Certified Cloud Practitioner: academy.zerotomastery.io/a/af...
    - AWS Certified Solutions Architect Associate: academy.zerotomastery.io/a/af...
    00:00 - What is AWS Identity Center when creating a new IAM user?
    00:59 - AWS Identity Center (formerly AWS Single Sign-On or SSO), Explained
    02:05 - What is the login experience with IAM Identity Center?
    03:38 - Differences between IAM and IAM Identity Center
    04:00 - A brief overview of AWS Organizations
  • Science & Technology

Comments • 44

  • @TinyTechnicalTutorials  7 months ago

    What else do you want to learn about AWS? Let me know below in the comments! 🤓🤓

    • @user-io1cg4lr7b  7 months ago +1

      Can you help with setting up and using CLI's? Thanks for the fantastic tutelage!

    • @TinyTechnicalTutorials  7 months ago

      Ooh, great suggestion! I'll add this to my list. 😊

    • @maulamuhammad9505  7 months ago +1

      Maybe about IoT Greengrass and more about IoT 😅

    • @mvyoeonemvone  5 months ago +2

      hey, yes please, if you can make a tuto about aws Control tower (landing zones and account factory + aws identity center =) ) thanks

  • @Maniac-007  4 months ago +1

    Just obtained my certified SA a week ago and found this video on my recommendation feed. Finally get to enhance my understanding and knowing which is more suitable for my daily use case. Thank you!

    • @TinyTechnicalTutorials  4 months ago

      Oh yay!! CONGRATS on the SA! That's awesome. And thanks for supporting the channel! 🙏🤓🌟

  • @user-io1cg4lr7b  7 months ago +1

    Thank you very very very very much! Unlike other instructors, your hands on demo & very little jargons makes AWS easy to understand, practice skills and learn to use!

  • @user-xv7me5tf7m  4 months ago +1

    Your voice is soothing, the lecture is so easy to understand. Thanks so much for the Lecture.

  • @Olaoye123  6 months ago

    Thank you for simplifying the new IAM Identity Center, it's really worth the time.

  • @JimmyTheCloudDev  3 months ago

    Best AWS channel I've stumbled across!

  • @mambofornasa  7 months ago

    Am so glad I came across this video. I've been confused as to which I should use btwn the old IAM & the new IAM Identity Center for my personal account. I ❤❤ your content. Absolute practical tutorials 💯

  • @mohammadfakure1440  7 months ago

    Your explanation is amazing, and the way you narrow is also great, I found your videos valuable Keep it up, thank you!

  • @LinuxForLife  7 months ago

    Very interesting and valuable, as usual ! Thanks!

  • @themeandskin  1 month ago

    Well taught! Good to learn the difference bw IAM and IAM identity center.

    • @TinyTechnicalTutorials  1 month ago

      I'm glad it helped! Thanks for watching, and for such a nice comment! 🙏🤓🌟

  • @AlphaSierra380  4 months ago

    Very Helpful. Thanks for the Video

  • @vladypetreov  7 months ago

    Awesome video thank you so much! I will really appreciate information about account management and account security!

  • @WilfredMukulembeze  3 days ago

    Thank you very much.

  • @Reflekt0r  7 months ago +1

    Great video. I'd like to learn more about encryption keys and security in general, always struggling to fully understand these concepts.

    • @TinyTechnicalTutorials  7 months ago +1

      Thanks for watching, @Reflekt0r! 🤓🙏 Security is a huge topic in AWS, but definitely a good one to know. A good place to start might be the "Learn about exam topics" section from the AWS Security Certification (aws.amazon.com/certification/certified-security-specialty/). Not that you have to get the certification, but the study materials for it would be a good starting point (like AWS Security Fundamentals and the Cloud Quest Security Role linked from that page). There are also several AWS security courses on Udemy too, if that's more your style. Hope that helps, and good luck! 💪🔥

    • @Reflekt0r  7 months ago +1

      @TinyTechnicalTutorials Thanks for the great tips!

  • @praveensequeira1525  7 months ago +2

    Hi Amber, couple of qns:
    1. On the organisation slide, you show Legal and Finance dept account. My understanding (clearly wrong) was that AWS management was the domain of only IT personnel. Can you explain why a non IT department might need their own account? I don't see them creating/configuring IT infrastructure.
    2. What happens if a company has been using IAM to set up identities, and now want to start using Identity Centre. Do they have an option to completely migrate over? The other point being as you highlighted in your setup video that IAM identities are set up for an account whereas Identity Centre operates outside an account, i.e. you create standalone users/groups and THEN assign them to account(s). Can you please provide your perspective on how this should be approached?

    • @TinyTechnicalTutorials  7 months ago

      Hi Praveen! 👋
      1. It's a fair point. In most organizations, it's usually only the IT folks who have accounts, but I worked at one company where the Finance department had developers on their team, and they developed some in-house Finance apps (on AWS) that the rest of the company used. Finance is usually also involved with the root account so they can do consolidated billing and auditing. Same could be true for Legal. A lot of HR departments also have "HR tech" teams that do development and infrastructure stuff. I guess the point of the diagram is that you can have as many accounts as you want, for whomever you want. 😊
      2. You're right..."regular" IAM and Identity Center are two separate services, and live side-by-side without impacting the other. So if you already had IAM users set up for everyone, then set up Identity Center for all those users, they could log in both ways. Interestingly, I'm not really finding a "migration" solution between the two. These days, I think most companies do some initial consultation work with AWS (or use tools like the Cloud Adoption Framework) before moving to the cloud, and AWS likely nudges them towards Identity Center from the beginning, so they wouldn't have legacy IAM users to deal with. But if you started with IAM, it seems you'd have to manually set up Identity Center, then manually remove IAM users and tell people to only log in with Identity Center. If you come across a more streamlined solution, feel free to share it here!

  • @Alice-hh5zj  2 months ago

    thanks for another great video!
    each account in the organization by default cannot access the resources created in other accounts, so how is Identity center and Organization used in practice? does each account build infra separately from other accounts? like account A is only responsible for security, account B for networking, etc.?

    • @TinyTechnicalTutorials  2 months ago

      Thanks for watching, Alice! 🙏🤓🌟 I was writing up an answer to this, then got curious how ChatGPT would do with this kind of a question. And it did better than I was doing! 😂 Maybe this will help...
      AWS Organizations
      Think of AWS Organizations like a big family where you have the parents (the main account) and the children (all the other accounts). Just like in a family, where each member might have their own room (resources), by default, they can't just barge into each other's rooms without permission. This setup helps keep things organized and secure. Within this family, the parents can set rules (policies) on what the children can and cannot do, providing a way to manage all these accounts efficiently and securely.
      AWS Identity Center
      Now, AWS Identity Center acts like the house keys. Instead of each family member having a key to only their room, Identity Center gives a master key (single sign-on) to family members, allowing them to access different rooms, but only if the parents have said it's okay. This means you can have one identity (like an email and password) that gives you access to multiple accounts (rooms), but always within the rules set by the parents.
      How They Work Together
      In practice, AWS Organizations and AWS Identity Center work together to create a structured yet flexible environment. Here's how:
      Security Infrastructure: One account might be dedicated to security, like a room where all the family's security systems are managed. This account can handle things like identity management, data encryption, and security monitoring for all other accounts.
      Networking Infrastructure: Another account could focus on networking. Think of this as the hallway that connects all the rooms. This account manages how data moves between accounts (rooms) and ensures that communication is smooth and secure.
      Development and Production Environments: You might have separate accounts for development and production environments, akin to having a workshop room for projects and a display room for finished pieces. This separation helps in minimizing risks; if something goes wrong in the workshop (development), it doesn't necessarily break the display pieces (production).
      Real-World Examples
      A Financial Services Company: This company might have an account for its online banking platform (production), another for developing new banking features (development), and a third for all its security and compliance monitoring. AWS Identity Center ensures that the right employees can access these accounts as needed, while AWS Organizations helps enforce security policies across all accounts.
      An E-commerce Retailer: They could use separate accounts for their website, order processing system, and customer support services, with specific accounts dedicated to analytics and marketing campaigns. Each department accesses only what they need, maintaining separation for security and organizational clarity.
      A Game Development Studio: Here, different game projects might be isolated in separate accounts to prevent any mishaps from affecting other projects. A central account might manage shared resources like player databases and game analytics.
      In all these examples, AWS Organizations provides the framework for managing multiple accounts easily, applying broad policies and automating account creation. AWS Identity Center, on the other hand, simplifies access management, letting users switch between accounts and resources as needed, based on permissions.

    • @Alice-hh5zj  2 months ago

      Thanks! haha that makes sense. i like the parent-children living in a house with different rooms analogy @TinyTechnicalTutorials

  • @Terabyte1244  7 months ago

    I tried to look for your name but can’t find it 😅. Could I ask where would you point someone who doesn’t have any experience with technologies? I’m not sure what an EC2 is?

    • @TinyTechnicalTutorials  6 months ago

      Hi Tere!! 👋 I've got quite a few "for beginners" videos on the channel for the various services (there are TONS of services!). For EC2 specifically, those are your virtual servers (rather than a server sitting in your office, it sits in AWS). Here's a video for that: czcams.com/video/eaicwmnSdCs/video.html. The GUI in the AWS Console has changed a little bit since it was recorded, but the concepts are still the same. Hope that helps!! 🌟🤓

  • @brianwoodruff1927  2 months ago +1

    Why would I ever have more than a single AWS account? My company just has a single website, with the typical EC2/S3/RDS stack. The few dev-ops who manage AWS have their IAM user accounts (but not sure what use case you're going on about with dev/prod/test accounts) So like why would we need something more complicated than what's working for us? This just feels like AWS is catering only to large business and then small business feel the need to follow "standard practices" which weren't meant for them. Tell me I'm wrong.

    • @TinyTechnicalTutorials  2 months ago

      Hey Brian! 👋 I would agree that Services like AWS Organizations and Identity Center tend to make more sense for large companies/smaller companies who will need to scale. But there are benefits to having separate accounts for dev/test/prod like security isolation, being able to test/roll back code without impacting production, separate billing/resource tracking, etc. But yeah, if you just have a simple website and don't need all of that, then you don't have to use it. You can still just use "regular" IAM accounts, at least for now. 😊

  • @trashdaytheband  6 months ago

    why, as the root user, don't i have permission to do everything...

    • @TinyTechnicalTutorials  6 months ago

      Hi @trashdaytheband! 👋 Can you add more detail? The root user *should* be able to do everything...

    • @trashdaytheband  6 months ago

      @TinyTechnicalTutorials Thanks for the reply. I'm trying to change "Bucket policy" for adding a custom url.
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::examplebucket/*"]
          }
        ]
      }

    • @trashdaytheband  6 months ago

      I have the bucket set to No Public access as I'm using a CDN.
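
Added example (not part of the thread, and not any commenter's or AWS's code): with the BlockPublicPolicy setting of S3 Block Public Access turned on, S3 rejects a bucket policy that grants public access, whichever identity submits it. The Python sketch below is a simplified approximation of that "public" test, run on the policy posted above and on a constructed variant that assumes the CDN is CloudFront; the function names, the condition-key subset, the account ID and the distribution ID are assumptions.

```python
import json

# Assumption: a small subset of the condition keys AWS documents as pinning access.
FIXING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourcevpc",
               "aws:sourcevpce", "aws:principalorgid"}

# Policy as posted in the comment above.
POSTED_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::examplebucket/*"]}]}"""

# Constructed variant: one CloudFront distribution only (placeholder IDs).
CDN_SCOPED_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "CdnRead", "Effect": "Allow",
  "Principal": {"Service": "cloudfront.amazonaws.com"},
  "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::examplebucket/*"],
  "Condition": {"StringEquals": {"AWS:SourceArn":
    "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}}}]}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    if isinstance(principal, dict):  # e.g. {"AWS": "*"}
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def _pinned_by_condition(condition):
    for operator, clause in (condition or {}).items():
        if "Not" in operator or operator.endswith("IfExists"):
            continue  # negated or optional tests do not pin the caller
        for key, values in clause.items():
            fixed = not any("*" in str(v) for v in _as_list(values))
            if key.lower() in FIXING_KEYS and fixed:
                return True
    return False

def public_statements(policy_json):
    """Return Sids of Allow statements open to any principal."""
    hits = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        open_to_all = _wildcard_principal(stmt.get("Principal"))
        if (stmt.get("Effect") == "Allow" and open_to_all
                and not _pinned_by_condition(stmt.get("Condition"))):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits
```

Running `public_statements` on a policy before submitting it shows which statements would trip the setting; the real classification in S3 covers more condition keys and edge cases than this sketch.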