One of the more fundamental things that you're going to need to do is create users, create groups and create roles. So let's go through and look at the IAM console and take a look. So inside this IAM console you have this ability to, again, create users, groups, roles and policies, and also you can look at their different credentials. So what I'm going to do here is I'm going to go to users, and you can see that if I go through and I create a new user, this can be, let's say, CP User, I have the choice whether I want to give them access to an API. So if I'm setting this up for myself, this is a good idea. I would go through here and select programmatic access, and also I want to select whether I want them to have access to the console. So depending on what it is you're doing, in many cases maybe you don't want to give someone on your team access to the console. You just want to have them work on a project where they use programmatic access to S3. Likewise, it may be the case that maybe you're working with a business professional and they don't need access to the programmatic access keys, which introduces security holes. So it's really up to you to decide how you want to set that up. Now again, the principle of least privilege is very, very important. So let's go ahead and create this user here, and we'll give them access to both; we'll say CP User. Next. Typically, what's a good idea is to then create a group. So in this case, let's go ahead and create a policy, if we wanted to, and we could choose which services; let's say it's S3. We could say that we want this group to have maybe only read access to S3. And then I could review this policy. Great. It looks fine. And then from here, I could assign that policy, if I wanted to, to that user. So that's definitely one way to do it. Another one is I could also just search my policy, right, so I could either create it by hand or I could go through here and just select an Amazon S3 policy.
If we go over here, that looks like that is what I want. And I can go ahead and again select that. Once that's selected, now I can go through, and I can assign that policy, if I want to, to that group. So, again, when you're creating these new groups here, we will go through here and we'll call this students, go through and say next step. And then I could also attach that policy here. So we'll use that same thing I was using before, S3 Access, great. Create the group. And now that I've created that students group, what I can do is I can add a user, so I can go through and I can search for a user. In this case, I didn't create users before, so let's go ahead and finish that workflow that I abandoned. We'll go through here and we'll call this CP student. We'll give them again access, we'll say next. And then we'll assign them to that group that I just created, which was students. There we go, and we'll review and we'll create the user. Now, the first time you create it, it will give you the ability to download all this as a CSV if you want to. You can also email those instructions, so that's really the gist of it, as far as users and groups. Remember that you should always do group-level permissions when you want to assign a bunch of people the same thing, and that allows you to have centralized access to it. And it also lets you have a really simple way of taking away control. So let's say that that group that you've set up here, the CP students, had some problems, and there are some people that are abusing their privileges. Well, it's really easy to change all that. I just go to the students group here, and I actually go to permissions and I go through and I detach the policy. And now nobody in that group has access to do anything. So they can still log in, but even their API keys aren't going to be able to do anything, because they have no permissions to read from S3, so it's a very powerful way to take away permissions.
The final thing I want to show here is, if you go to roles, and this comes up quite a bit. If, let's say, you're writing Lambda functions or you're using EC2, you're going to need to give it the correct permissions to make an API call. And typically that's what happens: you want it to make an API call on your behalf. So let's go ahead and do one of those. Let's pick Lambda, right. That's my favorite way to write code. We'll pick Lambda, and I have to tell it what I want it to do. So for prototyping, it's not a horrible decision to give it administrator access, but you have to be very careful that you're not doing something very dangerous. Probably a safer approach, though, would be to very specifically add what it is you want it to do. So let's say you're writing a Lambda function that needs to read some data from S3. You just go through again and say S3 read access. So maybe it's going to respond to some events from S3, right, and then that's it. And then we would say, Lambda Role S3 read, write. You give it some kind of a useful role name here so that you can remember it when you associate it with something. And you can say, you know, this is a role I set up for giving my Lambda function access to read from S3. There we go, and we can go through and create this role. And once you've got that set up, now if I go back to Lambda, and let's go through and let's go make a Lambda real quick, let's go to Lambda. We can associate that role. So if I go here, and let's say that marco function that we wrote earlier, I want to make it a little more powerful. So marco is going to get the ability to talk to S3. How do you do that? So you'd look where there's this execution role, and you can see this existing role that has no privileges. And so instead, what we're going to do is we're going to find that role that we created, which was, I think it was called Lambda Role S3 read. And then if I associate this and save it, that's all I have to do.
And now, if I write some code that reads from S3, I've got access. So what we did here is we showed how IAM roles can associate users and groups with certain policies that give them the ability to do something. And also we showed how roles can be set up for both EC2 or Lambda functions. And again, the very big takeaway is the principle of least privilege. Always assign just the amount of privileges you need to do something. Otherwise, that's how you get into big security gaps.
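The console walkthrough above does three things: attaches a read-only S3 policy to a group, creates a role that Lambda can assume, and revokes access by detaching a policy. The Python below is an added example, not code from the lecture, that builds those same documents as files you could hand to the AWS CLI and adds a local least-privilege check before anything is applied. The bucket name `cp-student-reports`, the group name `students` and the role name `lambda-s3-read` are constructed for the example; the `allows()` evaluator is a deliberately simplified model of IAM (explicit Deny wins, otherwise any matching Allow) and ignores conditions, case-insensitive action matching, and resource-based policies.

```python
"""Least-privilege IAM policy documents for the users/groups/roles walkthrough,
plus a local checker that flags AdministratorAccess-style wildcard grants.

Applying the generated JSON with the real AWS CLI (commands exist as written;
names are the example's own):
  aws iam create-policy --policy-name S3ReadOnlyReports --policy-document file://s3-read.json
  aws iam attach-group-policy --group-name students --policy-arn <arn printed above>
  aws iam create-role --role-name lambda-s3-read --assume-role-policy-document file://trust.json
  aws iam attach-role-policy --role-name lambda-s3-read --policy-arn <arn printed above>
  # revocation, the "detach the policy from the group" step of the walkthrough:
  aws iam detach-group-policy --group-name students --policy-arn <arn printed above>
"""
import fnmatch
import json


def s3_read_only_policy(bucket: str) -> dict:
    """Read-only access to ONE bucket: list it and get its objects, nothing else."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{arn}/*"},
        ],
    }


def lambda_trust_policy() -> dict:
    """Trust policy for the execution role: only the Lambda service may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


# Same shape as the managed AdministratorAccess policy: every action, every resource.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a single string or a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict) -> list:
    """Return (statement index, reason) for every Allow that grants a wildcard
    action ('*' or 'service:*') on every resource. Empty list means no finding."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild and "*" in resources:
            findings.append((i, f"{wild} allowed on every resource"))
    return findings


def allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny that matches wins outright;
    otherwise the request is allowed only if some Allow statement matches.
    '*' and '?' in Action/Resource are treated as IAM-style wildcards."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(fnmatch.fnmatchcase(action, p)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, p)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = s3_read_only_policy("cp-student-reports")  # constructed bucket name
    with open("s3-read.json", "w") as f:
        json.dump(policy, f, indent=2)
    with open("trust.json", "w") as f:
        json.dump(lambda_trust_policy(), f, indent=2)
    print("scoped policy findings:", find_overbroad_statements(policy))
    print("admin policy findings: ", find_overbroad_statements(ADMIN_POLICY))
    obj = "arn:aws:s3:::cp-student-reports/grades.csv"
    print("GetObject allowed:", allows(policy, "s3:GetObject", obj))
    print("PutObject allowed:", allows(policy, "s3:PutObject", obj))
```

Running `find_overbroad_statements` against the admin document reproduces the "careful with administrator access" warning from the walkthrough as a check you can put in a pre-commit hook or CI job, and `allows()` makes the difference concrete: the scoped policy answers yes to `s3:GetObject` on the named bucket and no to `s3:PutObject` or to any other bucket.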