AWS IAM (Identity And Access Management)

IAM allows you to manage users and their level of access to the AWS console.

What does IAM give you?

  • Centralized control of your AWS account.
  • Access Shared access to your AWS account.
  • Granular Permission – This means you can enable a different level of access to different users within your organization.
  • Identity Federation – This means you can enable users to log in using credentials stored in the active directory, Facebook or LinkedIn.
  • Multifactor Authentication – It allows multifactor authentication. And this is where a user is granted access only after completing multiple independent authentication mechanisms. So, for example, providing a username and password as one authentication mechanism and then providing a software token. So that could be via a token generator like Google authenticator as the second authentication mechanism.
  • Temporary Access – It also provides temporary access for users or devices and services as necessary. So, for example, if you developed a web or mobile phone application. You can configure identity access management to enable users to have temporary access to resources within your account, for example, to enable access to store or retrieve data located in an S3 bucket or within a Dynamo DB database.
  • Password Policy – It allows you to set up your own password rotation policy.
  • Integrated – It integrates with many different services.
  • Compliance – It supports PCI compliance for any applications associated with the payment card industry.

There are four primary elements of IAM Or Core Concept or Critical terms

  1. User – This is the end-user or one specific individual person. So these are the people logging into the console and also interacting with us by running API commands.
  2. Groups – A collection of users under one set of permissions. For example, your marketing team might need access to read and write certain files stored in the S3 bucket and they’re going to need a specific set of permissions to allow them to do this. So it makes sense to create a group with the required permissions and then all you need to do is add the relevant users into that group and they will all have permissions.
  3. Role – You create roles and can then assign them to AWS Services, or external services/users.
  4. Policies – A document that defines one or more permissions. Policies can be attached to a user, group, or role.

IAM Policies Deep Dive

  • Anatomy of a policy: JSON doc with Effect, Action, Resource, Conditions, Policy Variables
  • Explicit DENY has precedence over ALLOW

Sample Policy JSON

{
  "Version": "2012–10–17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": [
		"ec2:AttachVolume",
		"ec2:DettachVolume"
		]
      "Resource": "arn:aws:ec2:*:*:instance/*",
	  "Condition":{
		"StringsEqual": {"ec2:ResourceTag/Department": "Development"}
	  }
    },
	{
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": [
		"ec2:AttachVolume",
		"ec2:DettachVolume"
		]
      "Resource": "arn:aws:ec2:*:*:volume/*",
	  "Condition":{
		"StringsEqual": {"ec2:ResourceTag/VolumeUser": "${aws:username}"}
	  }
    }
  ]
}

Navigate Examples at:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html

Leave a Comment