Principals and Identities

IAM users

By default, a new Identity and Access Management (IAM) user has no permissions assigned to them. The user is not authorized to perform any AWS operations or access any AWS resources. An advantage of having individual IAM users is that you can assign permissions individually to each user. 

Setting permissions with IAM policies

To allow IAM users to create or modify resources and perform tasks:

  1. Create IAM policies that grant IAM users permission to access the specific resources and API actions they will need.
  2. Attach the policies to the IAM users or groups that require those permissions.

Users only have the permissions specified in the policy. Most users have multiple policies. Together, they represent the permissions for that user.

IAM roles

IAM roles deliver temporary AWS credentials. They’re easy to manage because multiple employees and applications can use the same role. Use roles to delegate access to users, applications, or services that don’t normally have access to your AWS resources.

Roles are assumed through an API call, using one of the following:

  • The console
  • AssumeRole API
  • AWS Security Token Service (AWS STS)

The AssumeRole action returns a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token. AssumeRole is typically used for cross-account access or federation.

Policy types

Identity-based policies

You attach managed and inline policies to IAM identities. This includes users, groups to which users belong, and roles.

Resource-based policies

You attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies.

IAM permissions boundaries

An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. Use a managed policy as the permissions boundary for an IAM entity (user or role). The managed policy limits the permissions that the identity-based policy can grant to an entity. It does not grant permissions. 

AWS Organizations service control policies (SCPs)

Use Organizations SCPs to define the maximum permissions for account members of an organization or organizational unit (OU).

Access control lists (ACLs)

Use ACLs to control which principals in other accounts can access a resource to which the ACL is attached. ACLs are similar to resource-based policies. However, they are the only policy type that does not use the JSON policy document structure. We will discuss ACLs in more detail in Module 3.

Policy elements

Element and description:

  • Effect: Use Allow or Deny to indicate whether the policy allows or denies access.
  • Principal: If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you want to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
  • Action: Include a list of actions that the policy allows or denies.
  • Resource: If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, this element is optional. If you do not include this element, the resource to which the action applies is the resource to which the policy is attached.
  • Condition: Specify the circumstances under which the policy grants permission.

Explicit allow and explicit deny

Use IAM policies to allow and deny access to resources. 

"Effect": "Allow",
"Action": ["s3:ListObject", "s3:GetObject"],
"Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]

The following policy denies access.

"Effect": "Deny",
"Action": ["ec2:*", "s3:*"],
"Resource": "*"

When a principal tries to use the console, the AWS API, or the AWS CLI, that principal sends a request to AWS. When an AWS service receives the request, AWS completes several steps to determine whether to grant or deny the request.

By default, all requests are denied. This is called an implicit deny. The AWS enforcement code evaluates all policies within the account that apply to the request. These include Organizations SCPs, resource-based policies, IAM permissions boundaries, role session policies, and identity-based policies. In all those policies, the enforcement code looks for a deny statement that applies to the request. This is called an explicit deny. If the code finds even one explicit deny that applies, the code returns a final decision of deny. If there is no explicit deny, the code continues.

How IAM policies interact with SCPs

An SCP is a type of organization policy that you can use to manage permissions in your organization. 

Attach identity-based or resource-based policies to IAM users, or to the resources in your organization’s accounts. Attach an SCP to an Organizations entity (root, OU, or account) to define a guardrail. The SCP sets limits upon the actions that the IAM users and roles in the affected accounts can perform.
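
The evaluation order described above (implicit deny by default, explicit deny always wins) and the way permissions boundaries and SCPs only limit what identity-based policies grant can be sketched as a small simulator. This is an added example, not AWS enforcement code: the function names and sample policies are constructed for illustration, and the model assumes a same-account request and ignores Condition, Principal, resource-based policies and session policies.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _applies(stmt, action, resource):
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    # fnmatch's * and ? behave like IAM wildcards for these simple patterns.
    return (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _has(policy, effect, action, resource):
    return any(s["Effect"] == effect and _applies(s, action, resource) for s in policy)

def evaluate(action, resource, identity, boundary=None, scp=None):
    """Simplified decision: 'allow', 'explicit deny' or 'implicit deny'.
    boundary / scp are statement lists, or None when none is attached."""
    attached = [p for p in (identity, boundary, scp) if p is not None]
    # 1. A single applicable Deny in any attached policy is final.
    if any(_has(p, "Deny", action, resource) for p in attached):
        return "explicit deny"
    # 2. Boundary and SCP grant nothing; each attached layer must also allow.
    if all(_has(p, "Allow", action, resource) for p in attached):
        return "allow"
    # 3. Not allowed in every layer: the default (implicit deny) applies.
    return "implicit deny"

# Constructed sample policies (statement lists only, no Version/Statement wrapper).
OBJ = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/report.csv"
VM = "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE"
IDENTITY = [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}]
BOUNDARY = [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]
ADMIN = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
SCP = [{"Effect": "Allow", "Action": "*", "Resource": "*"},
       {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]

if __name__ == "__main__":
    print(evaluate("s3:GetObject", OBJ, IDENTITY))               # identity policy only
    print(evaluate("s3:PutObject", OBJ, IDENTITY, BOUNDARY))     # boundary narrows it
    print(evaluate("ec2:RunInstances", VM, ADMIN, scp=SCP))      # SCP guardrail
```

The third call shows the guardrail effect: an identity policy that allows every action is still overridden by the SCP's deny.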



AWS Support

AWS offers four different Support plans to help you troubleshoot issues, lower costs, and efficiently use AWS services. 

You can choose from the following Support plans to meet your company’s needs: 

  • Basic
  • Developer
  • Business
  • Enterprise

Basic Support

Basic Support is free for all AWS customers. It includes access to whitepapers, documentation, and support communities. With Basic Support, you can also contact AWS for billing questions and service limit increases.

With Basic Support, you have access to a limited selection of AWS Trusted Advisor checks. Additionally, you can use the AWS Personal Health Dashboard, a tool that provides alerts and remediation guidance when AWS is experiencing events that may affect you. 

If your company needs support beyond the Basic level, you could consider purchasing Developer, Business, or Enterprise Support.

Developer, Business, and Enterprise Support

The Developer, Business, and Enterprise Support plans include all the benefits of Basic Support, in addition to the ability to open an unrestricted number of technical support cases. These three Support plans have pay-by-the-month pricing and require no long-term contracts.

The information in this course highlights only a selection of details for each Support plan. A complete overview of what is included in each Support plan, including pricing for each plan, is available on the AWS Support site.

In general, for pricing, the Developer plan has the lowest cost, the Business plan is in the middle, and the Enterprise plan has the highest cost. 

Developer Support

Customers in the Developer Support plan have access to features such as:

  • Best practice guidance
  • Client-side diagnostic tools
  • Building-block architecture support, which consists of guidance for how to use AWS offerings, features, and services together

For example, suppose that your company is exploring AWS services. You’ve heard about a few different AWS services. However, you’re unsure of how to potentially use them together to build applications that can address your company’s needs. In this scenario, the building-block architecture support that is included with the Developer Support plan could help you to identify opportunities for combining specific services and features.

Business Support

Customers with a Business Support plan have access to additional features, including: 

  • Use-case guidance to identify AWS offerings, features, and services that can best support your specific needs
  • All AWS Trusted Advisor checks
  • Limited support for third-party software, such as common operating systems and application stack components

Suppose that your company has the Business Support plan and wants to install a common third-party operating system onto your Amazon EC2 instances. You could contact AWS Support for assistance with installing, configuring, and troubleshooting the operating system. For advanced topics such as optimizing performance, using custom scripts, or resolving security issues, you may need to contact the third-party software provider directly.

Enterprise Support

In addition to all the features included in the Basic, Developer, and Business Support plans, customers with an Enterprise Support plan have access to features such as:

  • Application architecture guidance, which is a consultative relationship to support your company’s specific use cases and applications
  • Infrastructure event management: A short-term engagement with AWS Support that helps your company gain a better understanding of your use cases. This also provides your company with architectural and scaling guidance.
  • A Technical Account Manager

AWS database services

Amazon Relational Database Service (Amazon RDS)

In a relational database, data is stored in a way that relates it to other pieces of data. 

An example of a relational database might be the coffee shop’s inventory management system. Each record in the database would include data for a single item, such as product name, size, price, and so on.

Relational databases use structured query language (SQL) to store and query data. This approach allows data to be stored in an easily understandable, consistent, and scalable way. For example, the coffee shop owners can write a SQL query to identify all the customers whose most frequently purchased drink is a medium latte.

Amazon DynamoDB

In a nonrelational database, you create tables. A table is a place where you can store and query data.

Nonrelational databases are sometimes referred to as “NoSQL databases” because they use structures other than rows and columns to organize data. One type of structural approach for nonrelational databases is key-value pairs. With key-value pairs, data is organized into items (keys), and items have attributes (values). You can think of attributes as being different features of your data.

In a key-value database, you can add or remove attributes from items in the table at any time. Additionally, not every item in the table has to have the same attributes. 

Amazon Redshift

Amazon Redshift is a data warehousing service that you can use for big data analytics. It offers the ability to collect data from many sources and helps you to understand relationships and trends across your data.

Amazon DocumentDB

Amazon DocumentDB is a document database service that supports MongoDB workloads. (MongoDB is a document database program.)

Amazon Neptune

Amazon Neptune is a graph database service. 

You can use Amazon Neptune to build and run applications that work with highly connected datasets, such as recommendation engines, fraud detection, and knowledge graphs.

Amazon Quantum Ledger Database (Amazon QLDB)

Amazon Quantum Ledger Database (Amazon QLDB) is a ledger database service. 

You can use Amazon QLDB to review a complete history of all the changes that have been made to your application data.

Amazon Managed Blockchain

Amazon Managed Blockchain is a service that you can use to create and manage blockchain networks with open-source frameworks. 

Blockchain is a distributed ledger system that lets multiple parties run transactions and share data without a central authority.

Amazon ElastiCache

Amazon ElastiCache is a service that adds caching layers on top of your databases to help improve the read times of common requests. 

It supports two types of data stores: Redis and Memcached.

Amazon DynamoDB Accelerator

Amazon DynamoDB Accelerator (DAX) is an in-memory cache for DynamoDB. 

It helps improve response times from single-digit milliseconds to microseconds.



Creating a Kubernetes Cluster Environment, but This Time on OCI

Let’s talk about DevOps, but this time on OCI, and one section of it: Kubernetes.

There are different ways to do that, either by CLI or by console.

Using CLI

To create a Kubernetes cluster environment, run the create-oke-cluster-environment command:

oci devops deploy-environment create-oke-cluster-environment


Using the console

  1. Open the navigation menu and click Developer Services. Under DevOps, click Projects.
  2. Create a project for Kubernetes.
  3. For Environment type, select Oracle Kubernetes Engine.
  4. Enter a name and optional description for the environment.
  5. (Optional) To add tags to the environment, click Show tagging options. Tagging is a metadata system that lets you organize and track the resources in your tenancy. If you have permissions to create a resource, you also have permissions to add free-form tags to that resource. To add a defined tag, you must have permissions to use the tag namespace.
  6. Click Next.
  7. Select the region where the cluster is located.
  8. Select the compartment in which the cluster is located.
  9. Select an OKE cluster. You can select either a public or a private cluster.
  10. Click Create environment.