How IAM works?

What is IAM?

IAM is a crucial aspect of cloud security. All kinds of businesses require a secure environment across their application life cycle, and AWS delivers a solid baseline for implementing a least-privilege approach to permissions.

Identity and Access Management

Identity and access management is a key component of any security architecture. It is a framework that ensures the right people can access the right resources or services securely. It’s all about identifying the user and giving the user access to the resources.

How IAM works?

Before we create users we need to understand how IAM works. IAM is a global service that provides the infrastructure to centrally manage the following elements:

  • Identification – identifying the user
  • Authentication – verifying the user's identity
  • Authorization – determining whether the user is allowed to access the resources

AWS Identity and Access Management (IAM) enables AWS customers to manage users and user permissions. AWS IAM has some specific components of its own, starting with the concept of principals.

Principals

In AWS, a principal is an IAM entity (who takes the action) that is permitted to access AWS resources. AWS further breaks down the principal concept into root users, IAM users, and roles.

In the AWS environment, there are three types of users:

  • Root user
  • IAM user
  • Federated users

Root user

The root user is the owner of the account (the person who created the AWS account).

  • The root user is very powerful and has full access to all resources in the account.
  • The root user can access the console and has programmatic access to AWS resources.
  • The root user can create or delete the account and upgrade or downgrade the support plan.
  • It is best to use the root user only at the time of account creation and, after that, set up an IAM user to work with AWS resources.

IAM user

  • An IAM user is an identity created by the root user to interact with AWS resources.
  • IAM users can sign in to the AWS Management Console and make requests to AWS services.
  • A newly created IAM user has no permissions by default; to let it access AWS resources, the root user has to assign the required permissions to the IAM user.
  • IAM users can be human users or application users (called service users), each with associated permissions to access AWS services.
  • A human user can access AWS resources through the Management Console as well as programmatically, whereas a service user accesses AWS resources only programmatically.

IAM group

  • A group is a collection of IAM users, created to grant the same permissions to users with the same kind of job.
  • If a permission is attached to a group, every user in that group automatically has that permission, which makes permissions easy to manage.
  • Use the principle of least privilege when assigning permissions to a group.
  • In AWS, you cannot nest groups (groups within groups).

IAM roles

  • In AWS, we create IAM roles to delegate access.
  • A role is attached to an AWS resource and determines what that identity can and cannot do.
  • For this, we attach permissions to the IAM role and also specify the trust relationship (who is allowed to assume the role).
  • There are no long-term credentials (password or access keys) associated with a role.
  • IAM users can temporarily assume a role to take on its permissions for a specific task.
  • A role can be assigned to a federated user who signs in using an external identity provider.
  • Temporary credentials are primarily used with IAM roles and automatically expire.

Example: roles are used to grant permissions to an application running on an EC2 instance that needs to use a bucket in Amazon S3. For this kind of scenario, you attach permissions to the IAM role by creating a policy in JSON format.

There are four types of IAM roles:

  • Service role
  • Service-linked role
  • Role for cross-account access
  • Role for identity provider access

A service role is a role that an AWS service assumes in your account on your behalf.

An IAM role is also used by one AWS service to access another service; for example, an application on EC2 accessing DynamoDB.

Here are some important features of IAM:

Policy

  • Policies are documents in AWS that, when associated with an identity or resource, define its permissions.
  • Policies can be applied to users, groups, and roles.
  • Policy documents are written in JSON (key-value pairs, each consisting of an attribute and a value).
  • All permissions are implicitly denied by default.

AWS supports three types of policies:

  • AWS managed policies.
  • Customer managed policies.
  • Inline policies.

AWS Managed Policy:

  • Created and administered by AWS.
  • Used for common use cases.
  • Can be attached to multiple users, groups, and roles.
  • You cannot change the permissions it grants.

Customer Managed Policy:

A standalone policy that you create and administer in your own AWS account. (Standalone means the policy has its own Amazon Resource Name (ARN) that includes the policy name.)

Whereas AWS-managed policies are designed to provide permissions for many common use cases, customer managed policies:

  • Can be attached to multiple users, groups, and roles, but only within your own account.
  • Can be created by copying an existing managed policy and then customizing it.
  • Can be used where AWS managed policies don't meet the needs of your environment.

Inline Policy:

  • Inline policies are policies that you create, manage, and embed directly in a single user, group, or role.
  • There is a strict 1:1 relationship between the entity and the policy.
  • When you delete the user, group, or role in which the inline policy is embedded, the policy is deleted with it.
  • In most cases, AWS recommends using managed policies instead of inline policies.
  • Inline policies are useful when you want to be sure that the permissions in a policy are not assigned to any other user, group, or role.

Identity-based policies – You can attach managed and inline policies to IAM identities (users, groups, and roles).

Resource-based policies – Resource-based policies are attached to a resource and grant permissions to the principal (account, user, role, or federated user) named in the policy.

IAM permissions boundaries – Permissions boundaries define the maximum permissions that an entity can have.

AWS Organizations service control policies (SCPs) – SCPs specify the maximum permissions for an organization or organizational unit (OU).

Session policies – Session policies are advanced policies that you pass as parameters when you programmatically create a temporary session for a role or a federated user.
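The policy layers just listed combine in a fixed way: access starts implicitly denied, an explicit Deny anywhere wins, and an Allow only counts when the identity policy, the SCPs, the permissions boundary and any session policy all allow the request. The Python below is an added example (not code from the article or from AWS) that models that evaluation over the EC2-to-S3 role scenario from the roles section; the bucket name, ARNs and policies are constructed, and the model ignores resource-based policies and Condition elements, which the real evaluation also considers.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action, resource):
    """True when the statement's Action and Resource patterns both cover the request."""
    return (any(fnmatchcase(action, a) for a in _as_list(statement.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", []))))

def _decision(policies, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    decision = None
    for policy in policies:
        for st in _as_list(policy.get("Statement", [])):
            if _matches(st, action, resource):
                if st["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny always wins
                decision = "Allow"
    return decision  # None: no statement matched, i.e. implicit deny

def is_allowed(action, resource, identity_policies, boundary=None, scps=(), session_policy=None):
    """Every applicable layer must say Allow: the identity policies, the SCPs that cap
    the account, the boundary that caps the entity, and the session policy that caps
    the temporary session. An Allow in one layer never rescues a Deny in another."""
    layers = [list(identity_policies)]
    if scps:
        layers.append(list(scps))
    if boundary:
        layers.append([boundary])
    if session_policy:
        layers.append([session_policy])
    return all(_decision(layer, action, resource) == "Allow" for layer in layers)

# Constructed sample policies (bucket name and ARNs are made up for this example).
# Permissions policy attached to the role the EC2 instance assumes to read one bucket:
S3_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"]}]}
# Permissions boundary: whatever the identity policy says, the role never leaves S3.
S3_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Organizations SCP: the account may do anything except delete buckets.
NO_DELETE_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                               {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
# Session policy passed at AssumeRole time: this session may list the bucket but not read objects.
LIST_ONLY_SESSION = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}
```

`is_allowed("s3:GetObject", "arn:aws:s3:::example-app-bucket/report.csv", [S3_READ_POLICY], S3_ONLY_BOUNDARY, [NO_DELETE_SCP])` returns True, while passing `LIST_ONLY_SESSION` as the session policy turns the same request into an implicit deny.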

AWS Security Token Service

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).

By default, STS is a global service, and all AWS STS requests go to a single endpoint.

You can also send AWS STS requests to endpoints in any Region, which helps reduce latency.

There are a couple of ways STS can be used.


Scenario 1:

  • Develop an identity broker to communicate with LDAP (Lightweight Directory Access Protocol) and AWS STS.
  • The identity broker always authenticates with LDAP first, then with AWS STS.
  • The application then gets temporary access to AWS resources.

Scenario 2:

  • Develop an identity broker to communicate with LDAP and AWS STS.
  • The identity broker authenticates with LDAP first, then gets the IAM role associated with the user.
  • The application then authenticates with STS and assumes that IAM role.
  • The application uses that IAM role to interact with the service.

To make a request in a different account, the resource in that account must have an attached resource-based policy with the permissions you need, or you must assume a role (with an identity-based policy) within that account that has the permissions you need.

IAM Best Practices

To secure AWS resources, it is recommended that you follow these best practices:

  • Lock away your AWS account root user access keys.
  • Use roles to delegate permissions.
  • Grant least privilege.
  • Get started using permissions with AWS-managed policies.
  • Validate your policies.
  • Use customer-managed policies instead of inline policies.
  • Use access levels to review IAM permissions.
  • Configure a strong password policy for your users.
  • Enable MFA.
  • Use roles for applications that run on Amazon EC2 instances.
  • Do not share access keys.
  • Rotate credentials regularly.
  • Remove unnecessary credentials.
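Two of the practices above, grant least privilege and validate your policies, can be partly automated. The Python below is an added example, not code from the article or from an AWS tool: it classifies each action into a rough access level and flags Allow statements that are broader than a scoped-down policy should be; the action-prefix list, the finding text and the two sample policies are this example's own constructions.

```python
# Prefixes of IAM actions that change who can do what; this list is the example's own.
PERMISSION_MANAGING = ("iam:Attach", "iam:Detach", "iam:Put", "iam:PassRole", "iam:CreatePolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def access_level(action):
    """Heuristic access level for one action, modelled on the console's List / Read /
    Write / Permissions management grouping (AWS derives the real level per action)."""
    if action == "*" or action.endswith(":*"):
        return "All"
    if action.startswith(PERMISSION_MANAGING):
        return "Permissions management"
    verb = action.split(":", 1)[-1]
    if verb.startswith("List"):
        return "List"
    if verb.startswith(("Get", "Describe")):
        return "Read"
    return "Write"

def lint_policy(policy):
    """Return (statement index, finding) pairs for Allow statements that are broader
    than a least-privilege policy should be. Deny statements only narrow access."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "NotAction" in st or "NotResource" in st:
            findings.append((idx, "NotAction/NotResource allows everything except the listed items"))
        levels = {access_level(a) for a in actions}
        if "All" in levels:
            findings.append((idx, "wildcard action grants every API call of a service or of AWS"))
        if "Permissions management" in levels:
            findings.append((idx, "IAM write action can change permissions (permissions management)"))
        if "*" in resources and "Condition" not in st:
            findings.append((idx, "Resource '*' without a Condition applies to every resource"))
    return findings

# Constructed sample: a policy that works but is far broader than the S3 read access it was for.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:AttachRolePolicy"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
# The same intent written to least privilege: named actions on a named bucket.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"]}]}
```

`lint_policy(OVERBROAD_POLICY)` reports four findings across its two Allow statements, and `lint_policy(SCOPED_POLICY)` reports none.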

Conclusion

Security is everything for any kind of business. Whether you deploy a cloud or an on-premises solution, AWS helps you establish trust, protect against vulnerabilities, and deliver secure access to your resources. AWS IAM protects against outside and inside threats and provides security without affecting efficiency. A cloud provider like AWS helps customers solve security problems with tools like IAM Access Analyzer, which analyzes policies and recommends best practices.

Pravin Mishra, Shefali Arora, Bhavesh Atara, Satish Pandey, Ruchita Tandon: thank you so much, all, for your constant support and guidance.

Pravin Mishra

AWS/Azure - Lead Engineer/Architect | Cloud Freelance Consultant | AWS Authorized Instructor | Author of the THREE books Cloud Computing with AWS, Mastering AWS DevOps & Git and GitHub for Modern Software Development

2 years

This is a great blog, Rashmi Chawla. Well explained.

Shefali Arora

AWS Community Builder | AWS Lead Instructor | Cloud Auditor | AWS reStart Instructor | AI | Machine Learning | Data Science | Training Program Curriculum Designer | Freelancer

2 years

Amazing blog Rashmi Chawla, it incurs in-depth knowledge of IAM.

Dr. Gaurav Nagpal

Associate Professor at BITS Pilani (for Decision Sciences, Business Analytics and Operations)

2 years

Very well explained.
