AWS IAM (Identity and Access Management)


INTRODUCTION

AWS Identity and Access Management (IAM) allows you to securely control access to AWS resources. With IAM, you can do the following:

  • Centrally manage users and their permissions

  • Assign granular permissions to each user

  • Enable temporary access for users and applications

  • Integrate with existing authentication systems

  • Audit usage to ensure compliance

IAM works by creating unique identities for entities like users, applications, and roles. You then use policies to attach permissions to these identities, granting them access to specific AWS resources.

Some key concepts in IAM are:

Principals

Principals are the entities that can make requests, such as IAM users, roles, and federated users. When a principal makes a request, IAM authenticates the principal and authorizes the request based on policies.

Policies

Policies are JSON documents that define one or more permissions. You attach policies to IAM identities to grant them access to specific AWS resources.

Actions

Actions represent what an IAM user can do, like ec2:RunInstances to launch an EC2 instance. Policies grant permissions to perform specific actions.

Resources

Resources represent the actual AWS items you want to grant access to, like an S3 bucket or DynamoDB table. Policies specify which resources a user can access.

Authentication and Authorization

IAM first authenticates the principal making a request. Then it authorizes the request by checking attached policies and determining if the principal has permission to perform that action on the specified resource.

The main benefits of IAM are increased security and control over your AWS environment. By granting least-privilege access and auditing usage, you can implement tighter access controls and reduce the risk of data loss. IAM also makes it easier to manage access for your users and applications at scale.

IAM USERS

AWS Identity and Access Management (IAM) allows you to create users within your AWS account that have permissions to access AWS resources. IAM users provide a way to grant access to individuals while maintaining control over which resources they can access.

How IAM Identifies a User

When you create an IAM user, AWS assigns:

  • A friendly name (e.g. John or Jane) that you specify. This is the name you see in the AWS Console.

  • An Amazon Resource Name (ARN) that uniquely identifies the user across all of AWS. The ARN has the format:

    arn:aws:iam::account-ID-without-hyphens:user/path/username

  • A unique identifier that is only returned when using the AWS CLI, API, or Tools for Windows PowerShell. You do not see this ID in the console.

IAM User Credentials

IAM users can access AWS in different ways:

  • Console password - Allows the user to sign in to the AWS Console. Disabling the password prevents console access but does not change API/CLI access.

  • Access keys - Used for programmatic access. Best practice is to create access keys only when needed and rotate them frequently.

  • SSH keys - For use with AWS CodeCommit repositories.

  • Multi-factor authentication (MFA) - Best practice is to require MFA for all IAM users.

IAM User Permissions

By default, a new IAM user has no permissions. You assign permissions to IAM users using:

  • Managed policies - Reusable policies that can be attached to multiple users.

  • Inline policies - Policies embedded in a single user. Managed policies are preferred.

You can limit the maximum permissions an IAM user has using a permissions boundary.

Managing IAM Users

You can manage IAM users by:

  • Listing users

  • Renaming a user

  • Deleting a user

  • Deactivating a user (by denying all actions)

You can also manage:

  • User passwords

  • User access keys

  • MFA devices

  • Policies attached to a user

IAM Groups

IAM groups are collections of IAM users. They are a way to simplify the management of permissions for multiple users who require the same level of access. Here's how IAM groups work:

  • Group Membership: Users can be added to one or more groups. This is useful when you have a set of users who share similar job roles or responsibilities, as they can be added to a group that defines their common permissions.

  • Policy Attachment: Instead of attaching policies to individual users, you attach policies to IAM groups. All users in the group inherit the permissions defined in the group's policies. This makes it easier to ensure that users with similar roles have consistent access.

  • Scalability and Efficiency: IAM groups make it more efficient to manage permissions. If you need to change permissions for multiple users at once, you can update the group's policies, and all group members receive the changes.

IAM Roles

IAM roles are a bit different from users and groups. They are meant for scenarios where you need to grant permissions to AWS services, give temporary access to trusted entities, or enable cross-account access. Here's how IAM roles work:

  • Trust Relationships: Roles are defined with trust relationships, specifying which entities or services can assume the role. For example, you can create a role that allows an EC2 instance to access an S3 bucket.

  • Temporary Permissions: Roles provide temporary access. When a user or service assumes a role, they receive temporary security credentials, which are valid for a limited time. This adds a layer of security, and you can set specific permissions for the duration of the role's use.

  • Cross-Account Access: Roles are used when you want to give another AWS account access to your resources. The other account assumes the role to access your resources securely, without having to share access keys.

In summary, IAM users are individual entities with their own credentials and permissions. IAM groups help manage users with similar permissions collectively. IAM roles are used to grant temporary, controlled access to AWS services or entities and can be utilized for cross-account access. Together, these IAM components allow you to efficiently manage and secure access to your AWS resources.
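As an added example (not the article's own code), the two trust policies described above, one for an EC2 instance role and one for cross-account access, together with a small check that flags trust relationships wider than intended. The account IDs are constructed placeholders; the aws:MultiFactorAuthPresent condition key is a real IAM key used here to require MFA on the calling session for cross-account AssumeRole, which the article does not mention.

```python
# Added example (not from the article): the two trust policies the Roles
# section describes, plus a small check that flags trust relationships which
# are wider than intended. Account IDs are constructed placeholders; the
# aws:MultiFactorAuthPresent condition key is a real IAM key used here to
# require MFA on the calling session for cross-account AssumeRole.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def ec2_trust_policy():
    """Lets the EC2 service assume the role, e.g. an instance that reads S3."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def cross_account_trust_policy(trusted_account_id, require_mfa=True):
    """Lets principals in another account assume the role instead of sharing keys."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def _account_of(principal_arn):
    # "arn:aws:iam::222222222222:root" -> "222222222222"; bare account IDs pass through.
    return principal_arn.split(":")[4] if principal_arn.startswith("arn:") else principal_arn

def trust_policy_findings(policy, own_account_id):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {i}: any AWS principal can assume this role")
            continue
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if _account_of(arn) != own_account_id and "Condition" not in stmt:
                findings.append(f"statement {i}: account {_account_of(arn)} "
                                "is trusted with no Condition")
    return findings
```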

IAM POLICIES

IAM policies are JSON documents that define the permissions for an AWS identity (user, group, or role). They allow you to specify which AWS resources can be accessed and what actions can be performed on those resources.

IAM Policy Types and When to Use Them

There are several types of IAM policies in AWS:

  • Identity-based policies: These are policy documents that are attached to IAM principals (users, groups, and roles). They control what actions the principal can perform and on which resources. They include:

    • AWS managed policies: Created and managed by AWS. Used as a starting point for custom policies.

    • Customer managed policies: Created and managed by you. Can be attached to multiple principals.

    • Inline policies: Attached to a single principal. Used when least-privilege access is needed for that principal.

  • Resource-based policies: Policy documents attached to AWS resources like S3 buckets. They grant access to specific principals. Used for:

    • Granting cross-account access

    • Granting access to AWS services

    • Applying additional protection for sensitive resources

  • Service control policies (SCPs): Policies attached at the AWS Organizations level. They specify the maximum permissions for AWS accounts and units. Used as coarse-grained guardrails.

  • Permissions boundaries: Set the maximum permissions that an identity-based policy can grant to an identity.
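To make the authorization step from the introduction and the policy types above concrete, here is an added teaching model (not AWS's evaluator and not code from the article) of how an identity-based policy, a permissions boundary and SCPs combine for one request. It assumes a single-account request with no resource-based policies and ignores Condition, NotAction and NotResource; the bucket name and account ID are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Teaching model of IAM's request evaluation (assumption: written for this
# article, not AWS's evaluator). It covers identity-based policies, a
# permissions boundary and SCPs; it ignores resource-based policies,
# Condition, NotAction and NotResource. Rules modelled: an explicit Deny in
# any layer wins; otherwise every layer that is present must contain an Allow.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, resource):
    # IAM's '*' and '?' wildcards behave like fnmatch for action names and ARNs.
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))))

def _policy_verdict(policy, action, resource):
    """'Deny', 'Allow' or None (no statement matched) for one policy document."""
    verdict = None
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def is_allowed(action, resource, identity_policies, boundary=None, scps=()):
    layers = [list(identity_policies)]          # policies within a layer are unioned
    if boundary:
        layers.append([boundary])
    layers.extend([scp] for scp in scps)        # one SCP per Organizations level
    for policies in layers:
        verdicts = [_policy_verdict(p, action, resource) for p in policies]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False                        # explicit deny, or implicit deny
    return True

# Constructed sample documents (bucket name and account ID are placeholders).
READ_LOGS_BUCKET = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}]}
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
BOUNDARY_S3_ONLY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP_GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

if __name__ == "__main__":
    # Boundary keeps an otherwise-admin identity out of EC2; SCP blocks the bucket delete.
    print(is_allowed("ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/*",
                     [ADMIN], BOUNDARY_S3_ONLY))                                # False
    print(is_allowed("s3:DeleteBucket", "arn:aws:s3:::app-logs", [ADMIN], None, [SCP_GUARDRAIL]))  # False
```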

That's a wrap.