AWS Identity and Access Management Service

cloud

AWS

Jul 8, 2022

5 minutes

Go Back

Blog

Home

Identity And Access Management

It is a Global Service
Root Account is created by default, this shouldnt be used or shared since with great power comes great responsiblity!
Users are people within your organisation. [each user should have only one account]
Users can be grouped into a “User Group” A group cannot contain other groups.
User/Group can be assigned JSON documents called policies.
Policies define the permission of user/s or groups
Note: In cloud we use “Principle of Least Privilage” which says, don’t give more permission than a user requires.

"IAM Group"

Here is a good sample policy:

{
    "Id" : "S3-Account-permission",         //Id is optional
    "Version" : "2023-05-17",               //Policy Language Version
    "Statement": [                          // A statement field is mandatory and consists of one or more individual statements
        {
            "Effect" : "Allow",
            "Action" : "ec2:Describe",
            "Resource": "*"
        },
        {
            "sid"       : "1",              //Sid is Statement ID and is optional
            "Effect"    : "Allow",          //Effect can be: Allow/Deny
            "Action"    : "elasticloadbalancing:Describe",
            "Resource"  : "*"
        },
        {
            "Effect" : "Allow",
            "Action" : [                    //Action can also be an array
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricsStatistics",
                "cloudwatch:Describe*"
            ]
            "Resource": "*"
        },
        {
            "sid" : "2",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : ["arn:aws:iam::123456789012:root"]
            },
            "Action" : [
                "s3:getObject",
                "s3:putObject"
            ],
            "Resource": ["arn:aws:s3::mybucket/*"]
        }
    ]
}

Please do not be intimidated by the above monstrosity, you will get used to it once you understad what everything does. Here is an explaination of all the items in the Policy:

Item	Explaination
sid	Identifier for Statement
Effect	Wheather the statement allows/denies access (Allow/Deny)
Principal	Account/User/Role to which policy is being applied to
Action	List of action, this policy allows or denies
Resource	List of Resource to which action is applied to
Condition	Condition for when the policy is in effect

IAM - Multifactor Authentication (MFA)

User has access to your account & can possibly configure or delete resources in your AWS account. You want to protect your root account & IAM users. MFA = Password you know + Security Device you own.

MFA supports the following MFAs:

Google Authenticator (Phone)
Authy (any device)
YubiKey (3rd party physical key)
Hardware KeyFab Device
Hardware KeyFab Device for AWS GovCloud - United States (SurePassId)

How can a user access AWS

To Access AWS, you have 3 options:

AWS management console (protected by password + MFA)
AWS CLI - protected by access keys.
AWS SDK - for code, protected by access keys.

ACCESS_KEYS are generated using AWS Console and User manage their own access keys.

Word of Warning : DO NOT SHARE ACCESS KEYS PLZ.!!

Roles in IAM

Some AWS service need to peform action on your (User’s) behalf.
To do so, we will assign permission to AWS services with IAM roles.
Note: Roles are assigned to services & not to users.
- Common Roles:
- EC2 Instance Role
- Lambda Function Role
- Roles for CloudFormation

"EC2 with Policy"