Introduction To AWS IAM

Let’s start working with Amazon Web Services, the most powerful cloud platform on earth. To start with AWS, you should learn about IAM or identity and access management. IAM is a global service where you can create users and assign them to groups. You are given a root account when you first sign up for an AWS account. Of course, the root user is all-powerful, and you can do things you might not have intended to with that much privilege. That is why one of the first things you do when working with AWS is to use IAM to create a user for your use instead of the root account.


IAM Users and Groups

An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users, making it easier to manage the permissions for those users. For example, you could have a user group called Admins and give that user group specific administrator permissions.

  • IAM = Identity and Access Management, Global service
  • Root accounts created by default shouldn’t be used or shared
  • Users are people within your organization and can be grouped
  • Groups only contain users, not other groups
  • Users don’t have to belong to a group, and users can belong to multiple groups.

IAM Permissions

Permissions let you specify access to AWS resources. Permissions are granted to IAM entities (users, groups, and roles), and these entities start with no permissions by default. In other words, IAM entities can do nothing in AWS until you grant them your desired permissions.

  • Users or Groups can be assigned JSON documents called policies
  • These policies define the permissions of the users
  • In AWS, you apply the least privilege principle: don’t give more permissions than a user needs

A user can grant permissions to applications that run on Amazon EC2 instances using AWS Identity and Access Management (IAM).


IAM Policies Structure

IAM policies define permissions for action regardless of the method you use to operate. For example, suppose a policy allows the GetUser action. In that case, a user with that Policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API.
A policy consists of:

  • Version: the policy language version; always include "2012-10-17"
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required)

An example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "service-prefix:action-name",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}
            }
        }
    ]
}

Statements consist of:

  • Sid: an identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow, Deny)
  • Principal: the account, user, or role to which this policy applies
  • Action: list of actions this policy allows or denies
  • Resource: list of resources to which the actions apply
  • Condition: conditions for when this policy is in effect (optional)
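To make the Effect, Action, Resource and Condition fields concrete, here is a small policy evaluator added as an example (it is not code from the original post or from AWS): it applies IAM's rule that an explicit Deny beats any Allow and that an unmatched request is implicitly denied, and it implements the two date conditions used in the example policy above. The POLICY document, the S3 actions, the bucket ARN and the function names are all assumptions made for the example.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed policy in the shape the page describes; the placeholder
# "service-prefix:action-name" is replaced by hypothetical S3 actions.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReadsInWindow", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
                       "DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}}},
        {"Sid": "DenyDeletes", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}
def _as_list(value):  # Action and Resource may be one string or a list
    return value if isinstance(value, list) else [value]
def _parse_time(text):  # date condition values are ISO 8601, "Z" = UTC
    return datetime.fromisoformat(text.replace("Z", "+00:00"))
def _condition_holds(condition, context):
    # Only the two date operators of the example policy are implemented;
    # anything else, or a missing context key, fails closed (no match).
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context or operator not in ("DateGreaterThan", "DateLessThan"):
                return False
            actual, limit = _parse_time(context[key]), _parse_time(wanted)
            if operator == "DateGreaterThan" and not actual > limit:
                return False
            if operator == "DateLessThan" and not actual < limit:
                return False
    return True

def evaluate(policy, action, resource, context):
    """IAM logic: a matching explicit Deny wins, else a matching Allow is needed, else implicit Deny."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: stop evaluating immediately
        decision = "Allow"
    return decision
```

Calling `evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", {"aws:CurrentTime": "2020-05-01T12:00:00Z"})` returns "Allow"; the same request outside the date window, or any `s3:DeleteObject` request, returns "Deny".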

IAM Password Policy

The default password policy enforces the following conditions: a minimum password length of 8 characters and a maximum length of 128 characters, and at least three of the following four character types: uppercase letters, lowercase letters, numbers, and the symbols ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '.

  • Strong passwords = higher security for your account
  • In AWS, you can set up a password policy:
    • Set a minimum password length
    • Require specific character types:
      • including uppercase letters
      • lowercase letters
      • numbers
      • non-alphanumeric characters
    • Allow all IAM users to change their passwords: a user who has been granted permission to change their own IAM user password can use the AWS Command Line Interface (AWS CLI) or the AWS Management Console to change it.
    • Require users to change their password after some time (password expiration)
    • Prevent password re-use

Multi-Factor Authentication

Multi-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password.

  • Users have access to your account and can change configurations or delete resources in your AWS account.
  • You want to protect your Root Accounts and IAM users
  • MFA = Password you know + security device you own
  • The main benefit of MFA: if a password is stolen or hacked, the account is not compromised

MFA device options in AWS


How can users access AWS?

  • To access AWS, you have three options:
    • AWS Management Console (protected by password + MFA)
    • AWS Command Line Interface (CLI): protected by access keys
    • AWS Software Development Kit (SDK), for code: protected by access keys. AWS software development kits allow users to connect with and deploy AWS services programmatically.
  • Access Keys are generated through the AWS Console
  • Users manage their access keys
  • Access Keys are secret, just like a password. Please don't share them
  • Access Key ID ~= username
  • Secret Access Key ~= password

What is the AWS Command Line Interface?

  • A tool that enables you to interact with AWS services using commands in your command-line shell
  • Direct access to the public APIs of AWS services
  • You can develop scripts to manage your resources
  • It’s open-source https://github.com/aws/aws-cli
  • Alternative to using AWS Management Console

What is the Amazon SDK?

AWS SDKs allow you to quickly develop applications on AWS in the programming language of your choice.

  • AWS Software Development Kit (AWS SDK)
  • Language-specific APIs (set of libraries)
  • Enables you to access and manage AWS services programmatically
  • Embedded within your application
  • Supports:
    • SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
    • Mobile SDKs (Android, iOS)
    • IoT Device SDKs (Embedded C, Arduino)
  • Example: AWS CLI is built on AWS SDK for Python

IAM Roles for Services

An AWS Identity and Access Management (IAM) role is similar to a user in that it is an AWS identity with permissions policies that determine what the identity can and can't do in AWS. When a company's web application needs AWS credentials and authorizations to use an AWS service, the IAM entity the company should use is an IAM role, since that is the best practice.

  • Some AWS service will need to perform actions on your behalf
  • To do so, we will assign permissions to AWS services with IAM Roles
  • Common roles:
    • EC2 Instance Roles
    • Lambda Function Roles
    • Roles for CloudFormation

When an application hosted on an Amazon EC2 instance needs to access several AWS resources, including Amazon S3 and Amazon DynamoDB, the most operationally efficient way to delegate permissions is to create an IAM role with the required permissions and attach the role to the EC2 instance.


IAM Security Tools

Identity and Access Management (IAM) tools are designed to manage identities (users) and access (authentication and authorization). The goal of IAM tools is to streamline the management of user accounts and privileges in every respect. In most cases, an IAM solution will let you define a policy.

  • IAM Credentials Report (account-level)
    • a report that lists all your account’s users and the status of their various credentials
  • IAM Access Advisor (user-level)
    • Access advisor shows the service permissions granted to a user and when those services were last accessed.
    • You can use this information to revise your policies.

IAM Guidelines and Best Practices

  • Don't use the root account except for AWS account setup
  • One physical user = One AWS user
  • Assign users to groups and assign permissions to groups
  • Create a strong password policy
  • Use and enforce the use of Multi Factor Authentication (MFA)
  • Create and use Roles for giving permissions to AWS services
  • Use Access Keys for Programmatic Access (CLI / SDK)
  • Audit permissions of your account with the IAM Credentials Report
  • Never share IAM users & Access Keys

You are responsible for the following:

  • Users, Groups, Roles, Policies management and monitoring
  • Enable MFA on all accounts
  • Rotate all your keys often
  • Use IAM tools to apply appropriate permissions
  • Analyze access patterns & review permissions
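As an added example (not the author's code), here is a small audit of an IAM credential report that checks the guidelines above and the IAM Security Tools section: no root access keys, MFA on every identity that can sign in to the console, and access keys rotated within 90 days (with a flag for keys that are active but never used). The column names follow the credential report's CSV layout (assumed here, with unused columns left out); the rows, the account id and the 90-day threshold are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed rows in the column layout of an IAM credential report (column
# names assumed to match the real CSV; columns not used here are omitted).
REPORT_CSV = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2019-01-10T09:00:00+00:00,2024-02-20T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-02-15T00:00:00+00:00,2024-03-01T09:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false,true,2022-01-05T00:00:00+00:00,2024-03-01T00:00:00+00:00,true,2023-11-01T00:00:00+00:00,N/A
"""
AS_OF = datetime(2024, 3, 3, tzinfo=timezone.utc)  # constructed "now" for the audit

def _when(value):
    # Timestamps are ISO 8601; N/A, no_information and not_supported mean "none".
    return datetime.fromisoformat(value) if value[:1].isdigit() else None

def audit(report_csv=REPORT_CSV, now=AS_OF, max_key_age_days=90):
    """Return (user, finding) pairs for the hygiene rules the page lists:
    no root access keys, MFA on every console sign-in, keys rotated often."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root user has an active access key"))
        # password_enabled is "not_supported" for root, which can still sign in to the console
        if row["password_enabled"] != "false" and row["mfa_active"] != "true":
            findings.append((user, "console sign-in without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} not rotated for {(now - rotated).days} days"))
            if _when(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} is active but has never been used"))
    return findings

if __name__ == "__main__":
    for user, finding in audit():
        print(f"{user}: {finding}")
```

On the constructed report the root user and svc-deploy each produce three findings, while alice (MFA enabled, key rotated recently) produces none.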

The root user is the first sign-in identity that is available when an AWS account is created. AWS Identity and Access Management (IAM) is always provided at no charge. Changing an AWS Support plan and Closing an AWS account are two tasks that require using the AWS account root user.


Creating An AWS Account

You’ll need to go to aws.amazon.com. Creating an account requires having a valid phone number and a credit card. To make the account, click on the button that says “Create an AWS Account.” Fill in your email address and create a password. An AWS account name is a unique username for AWS. You might have to try a few times before you hit an account no one has taken yet. Once you’re done filling out the form, click Continue. For the account type, choose Personal if you are creating this account to learn and explore. Enter your full name, phone number, as well as your address.

Make sure to read the agreement and check the box before proceeding. Once you’re done, click Create Account and Continue. The next page asks for your payment information. You are eligible for the AWS Free Tier for the first 12 months after your account creation. This means that up to a certain usage level, you can try out many of AWS’s most popular features for free. The payment information is in case you use features that require payment or if you go past your free tier limits. AWS will make a small test charge to ensure your valid payment method. It will go away once your account confirmation is complete.

Now click Secure Submit. This page will ask you to verify your account creation with phone verification. They will call you so you can enter a code to confirm that you created this new account. This number can be any phone number you can receive calls at, so it can be an extension at work if needed. Put in your phone number, type in the code in the security check, and click on Contact me. When prompted, enter the four numbers that came up after clicking the button when you received the call. Once you complete the verification, click Continue. Now you’ll select a support plan for your account. There are three support plans available to you: Basic Plan, Developer Plan, and Business Plan.

There is also a fourth one, Enterprise, but that’s only for more prominent companies requiring much support. Each plan has different features, support tiers, and associated costs. You can click on the Basic Plan, as it’s free and provides you access to health status and notifications for your various services. You can learn more about each support plan by clicking on Learn More. Now we are waiting for AWS to finish creating your account. The page you’re on now helps you personalize your account by picking your role and interests while you wait for the account to be activated. Once your account is fully ready, AWS will notify you by email. There you go. You’ve successfully created an AWS account. Check your email to log in to your AWS management console for the first time.

Amazon Identity Access Management In Summary

  • Users: mapped to a physical user, has a password for AWS Console
  • Groups: contains users only
  • Policies: JSON document that outlines permissions for users or groups
  • Roles: for EC2 instances or AWS services
  • Security: MFA + Password Policy
  • AWS CLI: manage your AWS services using the command-line
  • AWS SDK: manage your AWS services using a programming language
  • Access Keys: access AWS using the CLI or SDK
  • Audit: IAM Credential Reports & IAM Access Advisor

When utilizing the cloud to house any part of your technical infrastructure, you must first consider the security impacts of moving your resources onto the cloud. Unlike an on-premises data center, which is protected by virtue of being within your physical reach, the data centers hosting your cloud resources are undisclosed facilities managed by AWS. It's not a good idea to give full access to your IT resources; it is better to provide granular access permissions to every user of the service while keeping them easy to manage. Thankfully, AWS offers this via Identity and Access Management (IAM), which helps you do just that.

IAM is a free service provided by AWS that enables you to manage access to services and resources on the AWS cloud. You can create and manage users and groups and set permissions to allow or deny access to various resources. The permissions are global, meaning the access you set for a user or group is valid for all regions in the AWS Cloud. When providing access to users and services, you should follow the principle of least privilege.

There are a few ways you can set permissions for various services or users to access your AWS resources: you can use IAM to manage users, roles, and federated users.

First, you can set access by using IAM to manage users. You can create users in IAM and assign them individual security credentials. These users can have very granular permission sets, so you can control which operations a user can perform on which specific service. Users could be administrators who need console access to manage the AWS account, end users who need to access content in the AWS account, or systems that need to access data in the AWS account programmatically. Programmatic access means that applications directly access resources in the AWS Cloud instead of humans doing the same activity.

Another way to set access is to manage IAM roles. You can create roles to manage permissions and control what these roles can do in your AWS account. An entity assumes a role and obtains temporary security credentials to make API calls to your AWS resources. This can give a user from another AWS account access to your account, such as when an organization has separate development and production environments.

The last way to set access is to manage federated users. By enabling identity federation, you can allow existing identities in your enterprise to access your AWS account without having to create an IAM user for each of them. You can use any identity management solution that supports SAML 2.0 or one of AWS's federation samples. You've probably experienced identity federation when you sign up for an online service using your Facebook or Gmail account. In a corporate setting, you could give your Microsoft Active Directory users federated access to your AWS account using identity federation.

Some benefits of IAM include enhanced security, granular control, the ability to provide temporary credentials, flexible security credential management, leveraging external identity systems through federated access, and seamless integration with the various AWS services within the AWS Cloud infrastructure.