AWS Identity and Access Management (IAM) enables you to manage access to AWS
services and resources securely. Using IAM, you can create and manage AWS users
and groups, and use permissions to allow and deny their access to AWS resources.
Feature of Identity and Access Management
- Centralize control of your AWS account
- Shared access to your AWS account
- Granular permission
- Identity federation (facebook, linkedin, Active Directory)
- Multifactor Authentication
- Provide temporary access to user/devices/Services
- Allow to set up own password rotation policies.
Different Components Of IAM
User
An IAM user is an entity that you create in AWS. The IAM user represents the person or service who uses the IAM user to interact with AWS. A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI.
Group
An IAM group is a collection of IAM users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users.
Role
An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. Role does not have any credentials (password or access keys) associated with it.
Policies
A policy is an entity that, when attached to an identity or resource, defines their permissions. Policies are stored in AWS as JSON documents and are attached to principals as identity-based policies in IAM. You can attach an identity-based policy to a principal (or identity), such as an IAM group, user, or role. Identity-based policies include AWS managed policies, customer managed policies, and inline policies.
Different Types of Policies
AWS Managed Policies
An AWS managed policy is a standalone policy that is created and administered by AWS. Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name.- A single manage policy can be attached to multiple user, group or rules within sane AWS count or across different account.
- You cannot change the permission define in a AWS manage policy.
Customer Managed Policies
You can create standalone policies that you administer in your own AWS account, which we refer to as customer managed policies. You can then attach the policies to multiple principal entities in your AWS account.- You can be attached this policy to multiple user, group or rules within your own account.
- You can copy existing AWS manage policy and customize it and create Customer manage policy.
Inline Policies
An inline policy is a policy that's embedded in a principal entity (a user, group, or role)-that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.- When you delete user, group and roles then policy will be deleted.
- Inline policy useful when you want to be sure that the permission in policy are not assigned to other user, group or roles.
Example Of Policy
{"Version": "2012-10-17",
"Id": "S3-Account-Permissions",
"Statement": [{
"Sid": "1",
"Effect": "Allow",
"Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}]
}
Version: Specify the version of the policy language,use the latest 2012-10-17 version.
Statement: Use this main policy element as a container for the following elements. You can include more than one statement in a policy.
Sid: Optional statement ID to differentiate between your statements.
Effect: Use Allow or Deny to indicate whether the policy allows or denies access.
Principal: Indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating a policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
Action: Include a list of actions that the policy allows or denies.
Resource: Specify a list of resources to which the actions apply.
Condition (Optional): Specify the circumstances under which the policy grants permission.
Different ways that IAM authenticates a principal
User Name/PasswordWhen a principal represents a human interacting with the console, the human will provide a user name/password pair to verify their identity. IAM allows you to create a password policy enforcing password complexity and expiration.
Access Key
An access key is a combination of an access key ID (20 characters) and an access secret key (40 characters). When a program is manipulating the AWS infrastructure via the API, it will use these values to sign the underlying REST calls to the services. The AWS SDKs and tools handle all the intricacies of signing the REST calls, so using an access key will almost always be a matter of providing the values to the SDK or tool.
Access Key/Session Token
When a process operates under an assumed role, the temporary security token provides an access key for authentication. In addition to the access key (remember that it consists of two parts), the token also includes a session token. Calls to AWS must include both the two-part access key and the session token to authenticate.
Important Point Of IAM
- IAM is universal, does not apply to region.
- New user have no permission when first created.
- Access key and Secrete access key used to login with command line not AWS consol.
- You can assign a role to an EC2 instance that is already running using command line or AWS consol.
- You can only associate one IAM role with an EC2 instance at this time
- You can create custom policies using the visual editor or JSON.
- Once attached role take effect immediately.
- Any policy change also takes effect immediately.
Multi-Factor Authentication (MFA)
AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor-what they know), as well as for an authentication response from their AWS MFA device (the second factor-what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.- You can enable MFA using the command line and consol.
- MFA can be enabled on both root and user account.
- You can enforce the used of MFA with the CLI by using the STS token service.
- You can report on who's using MFA on a per user basis using credential report.
