IAM – Identity and Access Management in AWS

IAM is about identifying who is making a request (authentication) and deciding which actions that identity may perform on which resources (authorization).

Three ways to get access to AWS

AWS Management Console: open the console in a browser and sign in with a username & password. This sign-in can also be protected by MFA.

AWS Command Line Interface (CLI): protected by access keys. The CLI lets us call AWS from a terminal. It authenticates with an access key ID & secret access key rather than the username & password used for the console.

AWS Software Development Kit (SDK): protected by access keys. The SDK lets our code call AWS, using the same access key ID & secret access key as the CLI. Long-lived access keys are secrets: never commit them to source control or bake them into images; where possible, use a role with temporary credentials instead.

There is one more console we should be aware of: the Billing and Cost Management console. By default only the root user can see billing data; IAM user and role access to it must be activated by the root user in the account settings before any IAM user can open it. AWS Budgets needs about 5 weeks of usage data before it can generate budget forecasts.

Root User (Account) vs IAM user

The root user is created automatically when the account is created and has unrestricted access. Use it only for initial account setup (enabling MFA on it and creating the first IAM admin user); after that, do not use it for day-to-day work and never share its credentials.

We can create an IAM user & grant it full (administrator) access. Once the user is created, we get credentials for that user to log in to the console. If the only IAM admin accidentally revokes their own permissions, we can sign in as the root user to edit the policies & restore them.

IAM Password Policy

IAM lets us set our own password policy for IAM users. We can set a minimum password length and require specific character types: uppercase letters, lowercase letters, numbers, and non-alphanumeric (special) characters.

The policy can prevent users from reusing previous passwords, set a password expiry that forces users to change their password, and allow all IAM users to change their own passwords. Note that the account password policy applies to IAM user console passwords only; it does not cover access keys or the root user's password.

Multi-factor authentication (MFA)

Provides an extra layer of security on top of the password. MFA is not enabled by default; we enable & manage MFA devices per IAM user (and for the root user). With MFA enabled, a stolen password alone is not enough to sign in; an attacker would also need the second factor.

After entering the username & password, the console prompts for an authentication code generated by the MFA device. There are several MFA device options:

Virtual MFA device: an authenticator app such as Google Authenticator or Authy (from Twilio, not Amazon). After installing it, scan the QR code shown by IAM to complete the device setup; the app then generates time-based one-time codes.

Universal 2nd Factor (U2F) security key: a physical USB device from a third-party vendor (for example a YubiKey). Plug it into the machine & touch it when prompted; there is no code to type.

Hardware key fob MFA device: a dedicated hardware token from a third party that generates the same kind of time-based codes as Google Authenticator or Authy, but on its own device rather than on a phone.

IAM Users, groups, Roles, Policy, Permission

  • Users: people or workloads within the organization that need long-term credentials. A user can belong to several groups or to none.
  • Groups: a collection of users that share one set of permissions. Groups contain only users, not other groups.
  • Roles: an identity with permissions but no long-term credentials. Users, applications, and AWS services assume a role to receive temporary credentials for accessing AWS resources.
  • Policy: a JSON document that defines one or more permissions. A policy can be attached to a user, group, or role.
  • Permission: what a policy grants or denies: the actions an identity may perform on which resources.

IAM policies

An IAM policy document consists of:

  • Version: the policy language version; always include "2012-10-17" (if omitted, the older 2008-10-17 version applies and features such as policy variables are unavailable)
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required)

Each statement consists of:

  • Sid: an identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow or Deny)
  • Principal: the account/user/role/service the statement applies to. This appears in resource-based policies (for example S3 bucket policies and role trust policies); identity-based policies attached to a user, group, or role omit it because the principal is implied.
  • Action: the list of actions (API calls) the statement allows or denies; wildcards such as s3:Get* are permitted
  • Resource: the list of resource ARNs the actions apply to
  • Condition: conditions under which the statement is in effect (optional)

Evaluation follows a fixed rule: everything is denied by default, an Allow in an applicable statement grants access, and an explicit Deny always wins over any Allow.
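To make the structure concrete, here is an added example (not from the page, and not AWS's evaluation engine): a constructed policy containing the elements above, plus a simplified evaluator that applies the default-deny and explicit-deny-wins rule with `*` and `?` wildcards and a few condition operators. The bucket name and Sids are made up. NotAction/NotResource, resource-based policies, permissions boundaries and SCPs are out of scope, so treat it as a teaching model rather than a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# Constructed example policy (not from the page): lists buckets, reads and deletes objects in
# one bucket, but denies any delete made by a principal that did not authenticate with MFA.
EXAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "example-reports-access",
  "Statement": [
    {"Sid": "ListBuckets", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Sid": "ReadAndDeleteReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "DenyDeleteWithoutMfa", "Effect": "Deny",
     "Action": "s3:Delete*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}
""")


def _as_list(value):
    """Most IAM elements accept either a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_sensitive):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Supports Bool, StringEquals, StringLike and their ...IfExists variants. A context key
    that is missing fails the plain operator but satisfies the IfExists variant."""
    for operator, pairs in condition.items():
        base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                if base != operator:
                    continue
                return False
            wanted = [str(w) for w in _as_list(wanted)]
            actual = str(actual)
            if base == "StringEquals":
                ok = actual in wanted
            elif base == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            elif base == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Simplified identity-policy evaluation: implicit deny by default, a matching Allow
    grants access, and a matching explicit Deny wins over every Allow."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_match(a, action, False) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_match(r, resource, True) for r in _as_list(stmt.get("Resource", []))):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print(evaluate([EXAMPLE_POLICY], "s3:GetObject", obj))
    print(evaluate([EXAMPLE_POLICY], "s3:DeleteObject", obj))
    print(evaluate([EXAMPLE_POLICY], "s3:DeleteObject", obj, {"aws:MultiFactorAuthPresent": "true"}))
```

The choice of BoolIfExists over Bool in the Deny statement matters: with plain Bool, a request whose context lacks the aws:MultiFactorAuthPresent key (for example one signed with long-term access keys) would not match the condition and the deny would silently not apply.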

IAM Roles for services

We can give AWS services permission to act on our behalf by assigning them IAM roles: the service assumes the role and receives temporary credentials, so no long-term access keys need to be stored on the resource. Some common examples:

  • EC2 instance roles (instance profiles)
  • Lambda function roles (execution roles)
  • Roles for CloudFormation

IAM Security Tools

IAM credential report: a CSV listing every user in the account and the status of their credentials (whether a console password is enabled and when it was last used, whether MFA is active, and each access key's status and last rotation). Use it to audit credential hygiene across the account.
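As an added example (not from the page), the audit below parses a constructed credential report (a subset of the real report's columns in the same format, with a fake account ID and users) and flags the findings a reviewer typically looks for: console users without MFA, active access keys older than 90 days, active keys that have never been used, and recent use of the root user. The 90-day rotation threshold and the fixed audit timestamp are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (a subset of its columns,
# fake account ID and users); not data from a real account.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-05T10:00:00+00:00,not_supported,2024-03-01T08:12:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-06-01T09:00:00+00:00,true,2024-05-20T11:30:00+00:00,2024-02-10T09:00:00+00:00,true,true,2024-04-01T09:00:00+00:00,2024-05-21T07:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T09:00:00+00:00,true,2024-05-19T16:45:00+00:00,2023-01-15T09:00:00+00:00,false,true,2022-06-01T09:10:00+00:00,2024-05-19T16:50:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-03-03T12:00:00+00:00,false,no_information,N/A,false,true,2023-03-03T12:05:00+00:00,N/A,true,2024-05-01T12:00:00+00:00,2024-05-21T03:00:00+00:00
"""

# Fixed "now" so the constructed sample audits the same way on every run (an assumption).
AUDIT_TIME = datetime(2024, 5, 22, tzinfo=timezone.utc)


def _ts(cell):
    """Report cells hold ISO-8601 timestamps or markers such as N/A, no_information,
    not_supported; anything that is not a timestamp is treated as 'no date'."""
    try:
        return datetime.fromisoformat(cell)
    except ValueError:
        return None


def audit_report(report_csv, now=AUDIT_TIME, max_key_age_days=90):
    """Return (user, finding) pairs for the credential-hygiene problems listed above."""
    findings = []
    max_age = timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should only be used for initial setup; any recent sign-in is worth a look.
            last = _ts(row["password_last_used"])
            if last and now - last < max_age:
                findings.append((user, f"root credentials used in the last {max_key_age_days} days"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_age:
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
            if _ts(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} active but never used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

The real report is fetched with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, which returns the CSV base64-encoded; decode it and pass the text to `audit_report` with `now=datetime.now(timezone.utc)`.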

IAM Access Advisor (the "last accessed" information on a user, group, or role): shows the service permissions that have been granted and when those services were last accessed, so unused permissions can be removed. This is distinct from IAM Access Analyzer, which finds resources that are shared with principals outside the account.

Read this page for advanced IAM concepts