AWS Identity And Access Management (IAM) Service Overview
AWS Identity and Access Management (IAM) is a powerful service that enables administrators to manage access to AWS resources. IAM allows administrators to create and manage users, groups, and roles, and define permissions using policies. IAM provides a granular and controlled approach to access management, allowing administrators to define permissions that are tailored to the needs of each user, group, or role. In this article, we will explore the key features of IAM, including user and group management, roles, policies, and authentication mechanisms. We will also discuss best practices for using IAM and how to implement IAM in your AWS environment
Let’s go over some important ideas:
· IAM is a really important AWS service that helps keep your stuff safe by. controlling who can use it.
· Resources are the things you make in AWS, like Lambdas or S3 Buckets.
· Users are the people or programs that want to do something with your resources.
· Whether or not a user can do something with a resource depends on the policy you set up.
AWS IAM is the service that keeps your AWS stuff safe and under control. It handles both authentication (who can get in) and authorization (what they can do once they’re in). With IAM, you can make sure that only the right people can access your resources, and that they can only do what they’re supposed to do.
When you look at the access management section of the AWS console, you’ll see a bunch of different options:
- User groups: these are groups of users that have the same permissions.
- Users: these are individual people or programs that can access your AWS stuff.
- Roles: these are special permissions that can be assigned to users or groups.
- Policies: these are the rules that define what users or groups can do with your resources.
- Identity providers: these are external services that can be used to verify someone’s identity.
- Account settings: these are the settings that control things like password policies and how long sessions last.
By using all of these IAM concepts together, you can keep your AWS environment safe and make sure that only the right people have access. With IAM, you can create users and groups, set up policies, and use roles to define what each user can do. By doing this, you can make sure that your resources are only accessed by authorized users, and that they can only do what they’re supposed to do.
AWS users are individuals or applications that access AWS resources. Administrators can create, modify, and delete users, and define permissions using IAM policies. Users can have different levels of access, and can be assigned to groups or roles for simplified management. AWS users play a crucial role in securing and controlling access to AWS resources.
Overall, AWS users are an essential component of the AWS security model, as they enable administrators to manage access to AWS resources in a granular and controlled manner.
In the AWS console management, we can search and find IAM service
and navigate to the users field in the AWS console and create a new user by clicking the “Add users” button.
There are 2 options for AWS user access type
- Access key — Programmatic access: Enables an access key ID and secret access key for the AWS, CLI, SDK, and other development tools (If you are creating programmatic access through access keys or service-specific credentials for AWS CodeCommit or Amazon Keyspaces, you can generate them after you create this IAM user.)
- Password — AWS Management Console access: Enables a password that allows users to sing-in the AWS Management Console
Also, we can choose to autogenerate the password and require the user to reset it at the next sign-in or set a custom one and provide it to the user
Root User vs. IAM User, on the next step there are configurations about user groups and permissions (we will talk about groups and policies later). So, the next step is to review and add tags that are optional, the tags can be a good way to organize things like job titles or departments. By default, users have no permissions. And now we can create users.
On the success screen, there are instructions for how to log in. You can download all information of the credentials of a created user by clicking the Download.csv button.
Root user vs. IAM user
Root user
- One per account
- Unrestricted access
- Difficult to restrict or revoke access
- Allowed to perform:
Close an AWS account
Change an AWS support plan
Change the AWS account setting
IAM User
- Multiple per account (AWS)
- Users can be deleted or disabled
- Easy to restrict access
For the best practices
- Always work in the IAM account, not the root account
- Set up IAM users with the least number of permissions needed
User Groups
User groups in AWS IAM are collections of IAM users. By creating a group, an administrator can assign permissions to a set of users at once, instead of individually assigning permissions to each user. This can simplify the management of permissions and improve security by ensuring that users only have access to the resources they need.
When a user is added to a group, they inherit the permissions assigned to that group. This means that an administrator can simply modify the permissions assigned to a group to change the access levels of multiple users at once.
User groups can be created, modified, and deleted by AWS account administrators, who can also define permissions for each group using IAM policies. IAM policies can be attached to groups to define their level of access to AWS resources.
IAM policies can be created at the group level or at the user level, and both types of policies can be used to control access to AWS resources. However, policies attached to groups can simplify the management of permissions, as they can be used to define common permissions for a set of users.
Overall, user groups are a useful tool for managing permissions and improving security in AWS IAM. By using groups, administrators can assign permissions to users in a more organized and efficient way, making it easier to manage access to AWS resources.
To create a new group in the console, click on the “Create group” button located in the top-right corner of the page. To add users to an existing group, click on the group and then click on the “Add users” button.
Roles
AWS roles are a way to grant temporary permissions to entities that are not normally associated with AWS users, such as applications running on EC2 instances or AWS Lambda functions. Roles can be assumed by trusted entities to gain access to AWS resources for a limited time, without the need for a permanent set of credentials.
Roles are defined using AWS Identity and Access Management (IAM) and consist of a set of permissions that can be assigned to the entity assuming the role. When a role is assumed, the entity is assigned a set of temporary security credentials that can be used to access AWS resources.
AWS roles can be created, modified, and deleted by AWS account administrators, who can also define permissions for each role using IAM policies. IAM policies can be attached to roles to define their level of access to AWS resources.
Roles can be assumed by trusted entities in a number of ways, including through the use of AWS services such as EC2 and Lambda, or through the use of AWS SDKs and APIs. When a role is assumed, the entity is granted temporary access to the AWS resources defined in the role’s IAM policies.
Roles can also be used to enable cross-account access, allowing entities in one AWS account to access resources in another AWS account. This can be useful for organizations that need to share resources across multiple AWS accounts.
Roles don’t have credentials (passwords or keys). A role can be assumed temporarily by anyone or anything that needs it, but if that still doesn’t make it any more clear, let’s go through an example to hopefully illustrate why roles even exist.
For example, if we have an EC2 instance that is our virtual server to host an application, then this application needs to be able to use S3 (simple storage service) to store and retrieve pictures.
So to deal with this we need to create an IAM role for the application with appropriate permissions for S3, then assign that role to the EC2 instance. By doing this, the EC2 instance assumes that role and will have access to S3 without the credentials required.
Policies
AWS policies are documents that define permissions for AWS resources. Policies are used to control who can access resources and what actions they can perform on those resources.
AWS policies are defined using AWS Identity and Access Management (IAM) and can be attached to users, groups, and roles to define their level of access to AWS resources. Policies are written in JSON format and can be created, modified, and deleted by AWS account administrators.
Simply to say, a policy says who can do what to which resources, and when.
Examples
Example of an S3 bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-ID:user/USER-NAME"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BUCKET-NAME/*"
}
]
}This policy grants the specified IAM user permission to read objects in a specific S3 bucket. The policy applies to all objects within the bucket (arn:aws:s3:::BUCKET-NAME/*). The policy only allows the s3:GetObject action, and the effect is set to Allow.
Example of an EC2 instance profile policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKET-NAME",
"arn:aws:s3:::BUCKET-NAME/*"
]
}
]
}This policy grants EC2 instances that assume the specified instance profile permission to access an S3 bucket. The policy allows all actions (s3:*) on the specified bucket (arn:aws:s3:::BUCKET-NAME) and its objects (arn:aws:s3:::BUCKET-NAME/*). The effect is set to Allow. This policy could be used to allow an application running on an EC2 instance to read or write data to an S3 bucket.
Overall
AWS Identity and Access Management (IAM) is a powerful tool for managing access to AWS resources. IAM allows administrators to create and manage users, groups, and roles, and define permissions using policies.
IAM supports a wide range of authentication mechanisms, including username and password, AWS access keys, and multi-factor authentication (MFA). IAM policies can be used to control access to AWS services from outside of AWS, using web identity federation or cross-account access.
IAM is a critical component of the AWS security model, providing a flexible and secure way to grant access to AWS resources. By using IAM, administrators can ensure that users only have access to the resources they need, improving security and simplifying the management of permissions.
