AWS for DevOps - Part 02

Prerequisites:

To follow this blog you must already have an AWS account. If you haven't created one yet, see the earlier blog in this series on creating an AWS account.

Great, you've created your AWS account.

What is IAM?

AWS IAM (Identity and Access Management) is a vital service provided by Amazon Web Services, enabling organizations to manage access to their AWS resources securely. Let's explore a real-life scenario to better understand its significance.

As a new DevOps engineer joining a company, you need access to the organization's code and cloud resources. However, sharing direct credentials or granting full access poses security risks. Additionally, adding you as a member to a shared cloud account might not be practical.

AWS IAM is the solution to these challenges. IAM lets the organization's administrators grant you, the new user, only the specific permissions you need, so you can reach the required files and resources without weakening security. By granting granular permissions, IAM enforces the principle of least privilege: you can do your job effectively while the cloud environment stays secure.

With IAM, you can access the company's cloud resources seamlessly and contribute to projects without any disruptions, all while adhering to stringent security practices. It provides a fine-grained control mechanism, offering a robust and safe foundation for your work within the organization's AWS environment.

Let's first learn what authentication and authorization are; once those two ideas are clear, how IAM works is easy to understand.

Authentication

Imagine you have a secret club, and only your best friends are allowed to join and play together. But how will you know if someone is really your friend and not a stranger trying to sneak in? That's where authentication comes in!

Authentication is like a special secret password or a secret handshake that only your true friends know. When someone wants to join your club, they need to say the secret password or do a secret handshake to prove they are your friend. If they get it right, you know they are a real friend, and you let them in to play with you.

When you use a device, sometimes you need to prove that you are the real you before you can do certain things. It's like having a secret password for your devices. This way, only you can access your games, pictures, and other important stuff on your device. It keeps your things safe and makes sure no one else can pretend to be you.

Just like in your secret club, authentication helps make sure only the right people can use certain things or access certain places. It's like having a magic password that only you and your friends know to keep everything secure.

Authorization

Now that your friends are inside the club treehouse, not every member gets to do the same things. For example, some friends might have a badge that lets them go to the secret room, while others can only play in the main area.

Authorization is like having these special badges. It decides what each club member is allowed to do in the treehouse based on their badge level. Only the members with the right badges can go to certain areas or use specific toys.

In the digital world, authorization works the same way. When you use a computer, website, or app, you might have different levels of access to different parts of it. Some parts might be off-limits unless you have the right "digital badge" or permission.

That's authorization in action! It's like having a special key that opens only the doors you're allowed to go through.

Authorization keeps everything organized and fair, just like your treehouse club. It makes sure everyone can enjoy the parts they're supposed to and keeps the things they're not supposed to use safe and secure. So, just like your special badges, authorization helps make sure everyone gets to have fun in the right places.

How Does IAM Work?

Imagine your AWS account as a castle, and the people and programs that are allowed inside as its guardians. These guardians are called "IAM users" and "IAM roles." They have unique names and special powers, known as "permissions."

Now, let's see how it all works together:

  1. Creating Guardians (IAM Users/Roles): You, as the owner of the castle (AWS account), can create different guardians (IAM users/roles) for different purposes. For example, you might create a guardian named "Bob" with powers to manage the treasure room and another guardian named "Alice" with powers to control the dragon in the castle garden.
  2. Defining Powers (Permissions): You can give specific powers (permissions) to each guardian. For example, you might give Bob the ability to read and write to the treasure room, but not to access the castle garden. Alice, on the other hand, might have the power to feed the dragon in the castle garden but not to touch the treasure room.
  3. Guardian Interaction (Authentication): When a guardian (IAM user/role) wants to enter the castle and access a room or treasure, they must prove their identity. This is like using a secret password or magical item to prove who they are. Once their identity is verified, they can interact with the castle based on their powers (permissions).
  4. Access Control (Authorization): Once inside, each guardian can only access the rooms and treasures they have permission to use. This ensures that no one can go where they shouldn't and that each guardian can perform only the actions they are allowed to.
  5. Guardian Actions (API Calls): Each guardian can perform actions within their allowed powers. For example, Bob can read and write data in the treasure room, while Alice can feed the dragon.
  6. Monitoring and Auditing: Finally, the castle owner (you) can monitor and review all the activities of the guardians. This way, you can keep an eye on who does what, ensuring everything is secure and under control.

Basic Terms in IAM

  1. IAM User: An IAM User is like having a unique character in a video game. Each user has their own name and special abilities (permissions) to interact with the AWS services.
  2. IAM Role: An IAM role is like a special costume that a character can wear to gain extra powers temporarily. Roles are used by services and applications to access AWS resources securely.
  3. Permissions: Permissions are like magical spells that grant abilities to IAM users and IAM roles. These spells determine what actions they can perform on AWS resources, like reading, writing, or deleting.
  4. MFA (Multi-Factor Authentication): MFA is like having an extra layer of security, just like using a fingerprint or face scan to unlock a magical treasure chest. It ensures that only the right person can access AWS resources.
  5. Policies: Policies are like rulebooks that define what spells (permissions) each character (IAM User or Role) can use. They are written in a special language called JSON.
  6. Root Account: The Root Account is like the owner of a magical kingdom. It has full control over everything in the AWS account and should be kept safe and secure.
  7. Groups: Groups are like teams of characters who share the same abilities. You can put IAM users into groups to make it easier to manage their permissions.
  8. Audit: Auditing is like reviewing a magical journal to see what each character has been doing. It helps keep track of all the actions and activities in the AWS account.
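As an added example that is not part of the original post, here is a small Python script that writes Bob's and Alice's powers from the castle story as IAM-style JSON policies and applies IAM's core decision rule (an explicit Deny beats any Allow, and anything not explicitly allowed is implicitly denied). The bucket name, function name and account ID are constructed for the illustration.

```python
import fnmatch
import json

# Constructed policies (made-up bucket, function name and account ID).
# Bob: read/write objects in the treasure-room bucket, never delete them.
BOB_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::treasure-room/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

# Alice: only invoke the feed-dragon function; no access to the bucket.
ALICE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:feed-dragon"}
  ]
}""")

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # Real IAM matches action names case-insensitively; this toy does not.
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny always wins,
    a matching Allow grants, anything unmatched is implicitly denied.
    Conditions, NotAction/NotResource, permission boundaries, SCPs and
    resource-based policies are out of scope for this illustration."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny is final
        allowed = True
    return allowed
```

Running `is_allowed` with Bob's policy against an action on the castle-garden bucket returns False even though nothing denies it, which is the implicit deny that makes least privilege the default.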

Basic Operations of IAM

  1. CreateUser: This operation allows you to create a new IAM user with a unique name and assign access credentials to the user.
  2. DeleteUser: This operation lets you delete an IAM user. Once deleted, the user will no longer have access to AWS resources.
  3. CreateGroup: With this operation, you can create a new IAM group and associate multiple IAM users with the group.
  4. DeleteGroup: This operation allows you to delete an IAM group. When a group is deleted, its associated users' permissions are no longer inherited.
  5. CreateRole: This operation allows you to create an IAM role, which is an identity that has specific permissions and is assumed by another entity, such as an AWS service or an IAM user.
  6. DeleteRole: This operation lets you delete an IAM role. When a role is deleted, the permissions granted to the role are revoked.
  7. AttachGroupPolicy: This operation allows you to attach an IAM policy to an IAM group. The policy defines the permissions that the group members will inherit.
  8. DetachGroupPolicy: This operation lets you detach an IAM policy from an IAM group, removing the permissions from the group members.
  9. AttachUserPolicy: With this operation, you can attach an IAM policy directly to an IAM user, granting user-specific permissions.
  10. DetachUserPolicy: This operation allows you to detach an IAM policy from an IAM user, revoking the permissions associated with that policy.
  11. AttachRolePolicy: This operation lets you attach an IAM policy to an IAM role, defining the permissions the role will have when assumed by another entity.
  12. DetachRolePolicy: With this operation, you can detach an IAM policy from an IAM role, removing the permissions granted by that policy.
  13. ListUsers: This operation lets you list all IAM users in your AWS account.
  14. ListGroups: This operation lets you list all IAM groups.
  15. ListRoles: This operation allows you to list all IAM roles.

I'm thrilled to give a massive shoutout to Mariusz Michalowski.

In this article, I've poured out everything I've absorbed through practical experience and dedicated learning from online resources. Yet, there's an immense distinction between a learner's viewpoint and that of a seasoned industry professional.

If you're eager to grasp the ins and outs of the IAM service, I wholeheartedly recommend delving into Mariusz's comprehensive article on IAM services. His insights are a game-changer, offering a deep dive into the topic from an expert perspective. Don't miss out!

I hope you learned something new from this blog. If you liked it, please share it with people who you feel would benefit from it, and follow me so you don't miss the upcoming blogs on AWS and DevOps.
