WEBVTT 1 00:00:00.060 --> 00:00:01.380 In this lesson, 2 00:00:01.380 --> 00:00:05.190 we will learn about Cloud Identity and Access Management 3 00:00:05.190 --> 00:00:07.950 Access and Trust Policies. 4 00:00:07.950 --> 00:00:11.490 Cloud identity and access management, or IAM, 5 00:00:11.490 --> 00:00:13.470 access and trust policies 6 00:00:13.470 --> 00:00:15.930 are used to manage and enforce 7 00:00:15.930 --> 00:00:20.850 who has access to cloud resources and under what conditions. 8 00:00:20.850 --> 00:00:25.230 Additionally, cloud IAM is a framework that is used 9 00:00:25.230 --> 00:00:27.510 to assign rules and permissions 10 00:00:27.510 --> 00:00:30.390 to users, groups, and services, 11 00:00:30.390 --> 00:00:33.210 directing what actions they can perform 12 00:00:33.210 --> 00:00:35.730 within the cloud environment. 13 00:00:35.730 --> 00:00:39.930 Trust policies are then used to define the relationship 14 00:00:39.930 --> 00:00:41.370 and trust boundaries 15 00:00:41.370 --> 00:00:44.820 between different cloud accounts or services. 16 00:00:44.820 --> 00:00:48.330 Let's learn more about cloud IAM access 17 00:00:48.330 --> 00:00:50.550 and trust policies. 18 00:00:50.550 --> 00:00:54.750 First, we have cloud IAM access policies. 19 00:00:54.750 --> 00:00:58.440 Cloud identity and access management, or IAM, 20 00:00:58.440 --> 00:01:01.320 access policies are essential tools 21 00:01:01.320 --> 00:01:04.710 for managing who can access cloud resources 22 00:01:04.710 --> 00:01:07.110 and what actions they can perform. 23 00:01:07.110 --> 00:01:10.770 Access policies do this by defining permissions 24 00:01:10.770 --> 00:01:13.410 for users, groups, and services, 25 00:01:13.410 --> 00:01:17.700 specifying what they can do within the cloud environment. 26 00:01:17.700 --> 00:01:22.290 For example, an access policy may grant a user permission 27 00:01:22.290 --> 00:01:24.930 to read data from a storage bucket, 28 00:01:24.930 --> 00:01:28.200 but not to delete or modify that data. 29 00:01:28.200 --> 00:01:31.440 In this way, access policies help ensure 30 00:01:31.440 --> 00:01:34.950 that only authorized individuals and services 31 00:01:34.950 --> 00:01:37.320 can perform specific actions, 32 00:01:37.320 --> 00:01:41.010 reducing the risk of unauthorized access. 33 00:01:41.010 --> 00:01:45.480 Access policies are common in all major cloud platforms, 34 00:01:45.480 --> 00:01:50.430 such as Amazon Web Services, or AWS; Microsoft Azure; 35 00:01:50.430 --> 00:01:54.330 and the Google Cloud Platform, or GCP. 36 00:01:54.330 --> 00:01:57.493 In AWS, access policies are defined 37 00:01:57.493 --> 00:02:02.493 using JavaScript Object Notation, or JSON, documents 38 00:02:02.550 --> 00:02:06.540 that are associated with users, groups, or roles; 39 00:02:06.540 --> 00:02:10.470 Microsoft Azure uses Role-Based Access Control 40 00:02:10.470 --> 00:02:12.060 to manage access; 41 00:02:12.060 --> 00:02:14.970 while Google Cloud allows permissions 42 00:02:14.970 --> 00:02:18.600 to be assigned directly to users or groups. 43 00:02:18.600 --> 00:02:23.220 So, each platform provides tools that allow administrators 44 00:02:23.220 --> 00:02:26.970 to create, manage, and monitor these policies, 45 00:02:26.970 --> 00:02:29.250 ensuring that access controls 46 00:02:29.250 --> 00:02:33.270 align with the organization's security requirements. 47 00:02:33.270 --> 00:02:36.930 They can also track and audit access activities 48 00:02:36.930 --> 00:02:39.750 to ensure that policies are being followed, 49 00:02:39.750 --> 00:02:44.040 providing an additional layer of security oversight. 50 00:02:44.040 --> 00:02:48.090 A common example of an access policy in action 51 00:02:48.090 --> 00:02:50.250 is granting a data analyst 52 00:02:50.250 --> 00:02:53.070 access to read from a data warehouse, 53 00:02:53.070 --> 00:02:54.870 but restricting their ability 54 00:02:54.870 --> 00:02:58.440 to alter configurations or delete resources 55 00:02:58.440 --> 00:03:00.540 within the data warehouse. 56 00:03:00.540 --> 00:03:04.140 This ensures that the analyst can perform their job 57 00:03:04.140 --> 00:03:06.330 without compromising the security 58 00:03:06.330 --> 00:03:09.420 or stability of the data warehouse. 59 00:03:09.420 --> 00:03:11.130 By carefully defining 60 00:03:11.130 --> 00:03:14.220 and applying access policies like this, 61 00:03:14.220 --> 00:03:17.070 organizations can maintain control 62 00:03:17.070 --> 00:03:19.110 over their cloud resources 63 00:03:19.110 --> 00:03:21.480 and prevent unauthorized actions 64 00:03:21.480 --> 00:03:25.650 that could lead to data breaches or service disruptions. 65 00:03:25.650 --> 00:03:30.090 Second, we have cloud IAM trust policies. 66 00:03:30.090 --> 00:03:32.790 Cloud identity and access management, 67 00:03:32.790 --> 00:03:35.070 or IAM, trust policies 68 00:03:35.070 --> 00:03:38.070 define the relationships and trust boundaries 69 00:03:38.070 --> 00:03:40.230 between different cloud accounts, 70 00:03:40.230 --> 00:03:43.200 services, or external entities. 71 00:03:43.200 --> 00:03:45.090 Trust policies are used 72 00:03:45.090 --> 00:03:48.090 to specify which entities are trusted 73 00:03:48.090 --> 00:03:52.290 to assume certain roles or access specific resources 74 00:03:52.290 --> 00:03:54.180 within a cloud environment. 75 00:03:54.180 --> 00:03:59.180 For example, in a multi account environment within AWS, 76 00:03:59.280 --> 00:04:01.890 a trust policy can be configured 77 00:04:01.890 --> 00:04:05.580 to allow an administrator in one AWS account 78 00:04:05.580 --> 00:04:08.970 to assume a role in another AWS account, 79 00:04:08.970 --> 00:04:11.340 providing them with specific permissions 80 00:04:11.340 --> 00:04:14.790 that are needed for cross-account operations. 81 00:04:14.790 --> 00:04:15.930 In this case, 82 00:04:15.930 --> 00:04:20.100 trust policies play a key role when different cloud accounts 83 00:04:20.100 --> 00:04:23.010 need to interact with each other securely. 84 00:04:23.010 --> 00:04:27.000 For instance, an organization might have separate accounts 85 00:04:27.000 --> 00:04:30.870 for the development, testing, and production environments. 86 00:04:30.870 --> 00:04:33.390 A trust policy may be established 87 00:04:33.390 --> 00:04:36.480 to allow resources in the development account 88 00:04:36.480 --> 00:04:39.480 to communicate with resources in the testing account 89 00:04:39.480 --> 00:04:41.700 under controlled conditions. 90 00:04:41.700 --> 00:04:45.360 This setup would help maintain security boundaries 91 00:04:45.360 --> 00:04:49.200 while enabling necessary interactions between accounts, 92 00:04:49.200 --> 00:04:52.920 reducing the risk of unauthorized access. 93 00:04:52.920 --> 00:04:56.900 Well-known cloud platforms, like AWS, Azure, and GCP, 94 00:04:58.560 --> 00:05:02.791 provide robust tools for managing trust policies. 95 00:05:02.791 --> 00:05:07.791 AWS uses trust policies as part of its IAM roles, 96 00:05:08.010 --> 00:05:12.180 allowing one service or account to assume a role in another; 97 00:05:12.180 --> 00:05:15.390 in Azure, trust relationships can be established 98 00:05:15.390 --> 00:05:18.810 using service principles and managed identities; 99 00:05:18.810 --> 00:05:20.010 and Google Cloud 100 00:05:20.010 --> 00:05:22.680 allows the configuration of trust boundaries 101 00:05:22.680 --> 00:05:25.080 between projects and services, 102 00:05:25.080 --> 00:05:29.940 each of these enabling secure cross-environment operations. 103 00:05:29.940 --> 00:05:33.210 An example of a trust policy in action 104 00:05:33.210 --> 00:05:36.930 would be an AWS Lambda function in one account 105 00:05:36.930 --> 00:05:40.590 needing to access resources in another account. 106 00:05:40.590 --> 00:05:44.730 A trust policy could be set up so that the Lambda function 107 00:05:44.730 --> 00:05:47.490 assumes a role in the second account, 108 00:05:47.490 --> 00:05:50.250 giving it the necessary permissions it needs 109 00:05:50.250 --> 00:05:52.230 to perform its task. 110 00:05:52.230 --> 00:05:55.020 By defining these trust relationships, 111 00:05:55.020 --> 00:05:58.350 organizations can safely manage cross-account 112 00:05:58.350 --> 00:06:00.210 and cross-service access, 113 00:06:00.210 --> 00:06:03.210 ensuring that only authorized entities 114 00:06:03.210 --> 00:06:05.610 can assume specific roles. 115 00:06:05.610 --> 00:06:10.610 So, remember, cloud identity and access management, or IAM, 116 00:06:11.250 --> 00:06:13.800 access and trust policies 117 00:06:13.800 --> 00:06:16.800 manage who can access cloud resources 118 00:06:16.800 --> 00:06:19.380 and under what conditions. 119 00:06:19.380 --> 00:06:23.160 Access policies define roles and permissions 120 00:06:23.160 --> 00:06:25.920 for users, groups, and services, 121 00:06:25.920 --> 00:06:28.980 specifying what actions they can perform 122 00:06:28.980 --> 00:06:31.170 within the cloud environment. 123 00:06:31.170 --> 00:06:35.490 Trust policies establish relationships and trust boundaries 124 00:06:35.490 --> 00:06:38.610 between different cloud accounts or services, 125 00:06:38.610 --> 00:06:42.720 specifying which entities can assume specific roles 126 00:06:42.720 --> 00:06:44.610 or access resources. 127 00:06:44.610 --> 00:06:48.480 These policies individually help maintain security 128 00:06:48.480 --> 00:06:51.840 by ensuring that access is controlled, monitored, 129 00:06:51.840 --> 00:06:55.320 and compliant with organizational requirements. 130 00:06:55.320 --> 00:06:58.380 And access and trust policies work together 131 00:06:58.380 --> 00:07:00.300 by using access policies 132 00:07:00.300 --> 00:07:03.090 to define permissions and trust policies 133 00:07:03.090 --> 00:07:06.540 to manage how those permissions are securely shared 134 00:07:06.540 --> 00:07:09.003 between accounts and services.