Introduction To AWS IAM

Introduction To AWS IAM

Let’s get started working with Amazon Web Services, the biggest cloud platform on earth. To get started with AWS you should begin by learning about IAM or identity and access management. IAM is a global service where you can create users and assign them to groups. When you first sign up for an AWS account, you are assigned a root account. Of course, the root user is all-powerful and you can do things you might not have intended to with that much privilege. That is why one of the first things you do when working with AWS is to make use of IAM to create a user that will be for your use instead of the root account.

IAM Users and Groups

An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a user group called Admins and give that user group typical administrator permissions.

  • IAM = Identity and Access Management, Global service
  • Root account created by default, shouldn’t be used or shared
  • Users are people within your organization and can be grouped
  • Groups only contain users, not other groups
  • Users don’t have to belong to a group, and users can belong to multiple groups

IAM Permissions

Permissions let you specify access to AWS resources. Permissions are granted to IAM entities (users, groups, and roles) and by default these entities start with no permissions. In other words, IAM entities can do nothing in AWS until you grant them your desired permissions.

  • Users or Groups can be assigned JSON documents called policies
  • These policies define the permissions of the users
  • In AWS you apply the least privilege principle: don’t give more permissions than a user needs

IAM Policies Structure

IAM policies define permissions for action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API.
Consists of:

  • Version:policylanguageversion,alwaysinclude”2012-10-17″
  • Id:anidentifierforthepolicy(optional)
  • Statement:oneormoreindividualstatements(required)

An example policy:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": "service-prefix:action-name",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}

Statements consist of:

  • Sid:anidentifierforthestatement(optional)
  • Effect:whetherthestatementallowsordeniesaccess (Allow, Deny)
  • Principal:account/user/roletowhichthispolicyappliedto
  • Action:listofactionsthispolicyallowsordenies
  • Resource:listofresourcestowhichtheactionsappliedto
  • Condition:conditionsforwhenthispolicyisineffect (optional)

IAM Password Policy

The default password policy enforces the following conditions: A minimum password length of 8 characters and a maximum length of 128 characters. Minimum of three of the following mix of character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * ( ) _ + – = [ ] { } | ‘ symbols.

  • Strong passwords = higher security for your account
  • In AWS, you can setup a password policy:
    • Set a minimum password length
    • Require specific character types:
      • including uppercase letters
      • lowercase letters
      • numbers
      • non-alphanumeric characters
    • Allow all IAM users to change their own passwords
    • Require users to change their password after some time (password expiration)
    • Prevent password re-use

Multi Factor Authentication

Multi-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password.

  • Users have access to your account and can possibly change configurations or delete resources in your AWS account
  • You want to protect your Root Accounts and IAM users
  • MFA = password you know + security device you own
  • Main benefit of MFA: if a password is stolen or hacked, the account is not compromised

MFA devices options in AWS
More MFA Device Options AWS

How can users access AWS?

  • To access AWS, you have three options:
    • AWS Management Console (protected by password + MFA)
    • AWS Command Line Interface (CLI): protected by access keys
    • AWS Software Developer Kit (SDK) – for code: protected by access keys
  • Access Keys are generated through the AWS Console
  • Users manage their own access keys
  • Access Keys are secret, just like a password. Don’t share them Access Key ID ~= username
  • Secret Access Key ~= password

What is the AWS Command Line Interface?

  • A tool that enables you to interact with AWS services using commands in your command-line shell
  • Direct access to the public APIs of AWS services
  • You can develop scripts to manage your resources
  • It’s open-source
  • Alternative to using AWS Management Console

What is the Amazon SDK?

AWS SDKs allow you to easily develop applications on AWS in the programming language of your choice.

  • AWS Software Development Kit (AWS SDK)
  • Language-specific APIs (set of libraries)
  • Enables you to access and manage AWS services programmatically
  • Embedded within your application
  • Supports
  • SDKs(JavaScript,Python,PHP,.NET,Ruby,Java,Go,Node.js, C++)
  • Mobile SDKs (Android, iOS, …)
  • IoT Device SDKs (Embedded C, Arduino, …)
  • Example: AWS CLI is built on AWS SDK for Python

IAM Roles for Services

An AWS Identity and Access Management (IAM) role is similar to a user, in that it is an AWS identity with permissions policies that determine what the identity can and can’t do in AWS.

  • Some AWS service will need to perform actions on your behalf
  • To do so, we will assign permissions to AWS services with IAM Roles
  • Common roles:
    • EC2 Instance Roles
    • Lambda Function Roles
    • Roles for CloudFormation

IAM Security Tools

Identity and Access Management (IAM) tools are designed to manage identities (users) and access (authentication and authorization). The goal of IAM tools is to streamline the management of user accounts and privileges from all aspects. In most cases, an IAM solution will let you define a policy.

  • IAM Credentials Report (account-level)
    • a report that lists all your account’s users and the status of their various credentials
  • IAM Access Advisor (user-level)
    • Access advisor shows the service permissions granted to a user and when those services were last accessed.
    • You can use this information to revise your policies.

IAM Guidelines and Best Practices

  • Don’t use the root account except for AWS account setup One physical user = One AWS user
  • Assign users to groups and assign permissions to groups
  • Create a strong password policy
  • Use and enforce the use of Multi Factor Authentication (MFA)
  • Create and use Roles for giving permissions to AWS services
  • Use Access Keys for Programmatic Access (CLI / SDK)
  • Audit permissions of your account with the IAM Credentials Report Never share IAM users & Access Keys

You are responsible for the following:

  • Users, Groups, Roles, Policies management and monitoring
  • Enable MFA on all accounts
  • Rotate all your keys often
  • Use IAM tools to apply appropriate permissions
  • Analyze access patterns & review permissions

Amazon Identity Access Management In Summary

  • Users: mapped to a physical user, has a password for AWS Console
  • Groups: contains users only
  • Policies: JSON document that outlines permissions for users or groups Roles: for EC2 instances or AWS services
  • Security: MFA + Password Policy
  • AWS CLI: manage your AWS services using the command-line
  • AWS SDK: manage your AWS services using a programming language Access Keys: access AWS using the CLI or SDK
  • Audit: IAM Credential Reports & IAM Access Advisor