IAM (Identity and Access Management) AWS


Today we will learn about IAM.

What is IAM?

AWS Identity and Access Management (IAM) is a web service that helps us securely control access to AWS resources. With IAM, we can centrally manage permissions that control which AWS resources users can access. We can use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Identities

  1. Users
  2. User Groups
  3. Roles
  4. Tagging IAM Resources
  5. Temporary Security Credentials
  6. AWS Account Root User
  7. Log events in Cloud Trail

There are mainly two types of users:

Root User

The root user is created when you create your AWS account and sign in for the first time.

IAM User

An IAM user is created by the root user to perform a specific task that the root user assigns to it; an example is an administrator user.

To perform tasks or any related action as an IAM user you need permissions; for example, an administrator user needs administrative permissions.

For this purpose we use Policies.

User Groups

We can group users by team or department; for this purpose we use User Groups.

A user group can consist of one or more users. It cannot contain other groups, but a user can be a member of multiple groups.

So there is no group-to-group inheritance.

What are Policies?

A policy is a JSON document attached to a user; it defines the user's permissions: which services are allowed and which specific actions the user can perform.

You should apply the principle of least privilege, which is to assign the minimum permissions a user needs.

IAM Policy Inheritance

Inline Policies

Policies embedded directly in a single user.

Group Policies

Policies attached to a group apply to all of its members, who inherit them; so if a user is a member of multiple groups, it has the policies of each of those groups.
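The combination described above, as an added example (not AWS code): a user's effective permissions are their own inline policy plus the policy of every group they belong to, and a request is evaluated with the IAM rule that an explicit Deny in any applicable statement wins, otherwise any Allow grants it, otherwise it is implicitly denied. Permissions boundaries, SCPs, resource-based policies and Condition blocks are left out; all policies, names and ARNs are constructed.

```python
"""Simplified IAM policy evaluation for a user who belongs to several groups.

Added example (not AWS code). Models inline + group policy combination and
the explicit Deny > Allow > implicit Deny evaluation order. Boundaries, SCPs,
resource policies and Conditions are omitted. All data below is constructed.
"""
from fnmatch import fnmatchcase

# Constructed group policies (same shape as real IAM JSON policy documents).
DEVELOPERS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
    ],
}
ON_CALL_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}],
}
# Constructed inline policy on the user: an explicit Deny that overrides the
# group's "logs:*" Allow for one destructive action.
ALICE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "logs:DeleteLogGroup", "Resource": "*"}],
}

def _as_list(value):
    # Action/Resource may be a single string or a list in policy JSON.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive=False):
    # IAM wildcards '*' and '?' map onto fnmatch; action names compare case-insensitively.
    if case_insensitive:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource cover the request."""
    if "NotAction" in stmt:
        action_ok = not _matches(stmt["NotAction"], action, case_insensitive=True)
    else:
        action_ok = _matches(stmt.get("Action", []), action, case_insensitive=True)
    if "NotResource" in stmt:
        resource_ok = not _matches(stmt["NotResource"], resource)
    else:
        resource_ok = _matches(stmt.get("Resource", []), resource)
    return action_ok and resource_ok

def effective_policies(inline_policy, group_policies):
    """A user's effective policy set: their inline policy plus every group policy."""
    return [inline_policy, *group_policies]

def is_allowed(policies, action, resource):
    """Evaluate one request against all policies: explicit Deny > Allow > implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny anywhere ends the evaluation
            allowed = True
    return allowed  # False here is the implicit Deny

# Alice is in both groups, so she inherits both group policies plus her inline policy.
ALICE_POLICIES = effective_policies(
    ALICE_INLINE_POLICY, [DEVELOPERS_GROUP_POLICY, ON_CALL_GROUP_POLICY])

if __name__ == "__main__":
    log_group = "arn:aws:logs:us-east-1:111122223333:log-group:app"
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::app-assets/index.html"),   # from Developers
        ("s3:PutObject", "arn:aws:s3:::app-assets/index.html"),   # not granted anywhere
        ("logs:CreateLogGroup", log_group),                       # from OnCall
        ("logs:DeleteLogGroup", log_group),                       # denied by inline policy
    ]:
        verdict = "ALLOW" if is_allowed(ALICE_POLICIES, action, resource) else "DENY"
        print(f"{action:22} -> {verdict}")
```

Running it shows the point of the section: Alice gets s3 reads from one group and logs access from the other, while the single inline Deny beats the group's broad `logs:*` Allow, and anything no policy mentions (here `s3:PutObject`) is denied by default.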

Roles

An IAM identity that we can create in our account that has specific permissions. An IAM role has some similarities to an IAM user. Roles and users are both AWS identities with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when we assume a role, it provides us with temporary security credentials for our role session.

A role can be assumed by any of the following:

  • An IAM user in the same AWS account as the role
  • An IAM user in a different AWS account than the role
  • A web service offered by AWS such as Amazon Elastic Compute Cloud (Amazon EC2)
  • An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker.

Tagging IAM Resources

Tags help you identify and organize your AWS resources. Many AWS services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related. For example, you can assign the same tag to an IAM role that you assign to an Amazon S3 bucket.

In addition to identifying, organizing, and tracking your IAM resources with tags, you can use tags in IAM policies to help control who can view and interact with your resources.

Temporary Security Credentials

To request temporary security credentials, we can use AWS Security Token Service (AWS STS) operations in the AWS API. These include operations to create and provide trusted users with temporary security credentials that can control access to our AWS resources.

To call the API operations, we can use one of the AWS SDKs. The SDKs are available for a variety of programming languages and environments, including Java, .NET, Python, Ruby, Android, and iOS. The SDKs take care of tasks such as cryptographically signing your requests, retrying requests if necessary, and handling error responses.

The AWS STS API operations create a new session with temporary security credentials that include an access key pair and a session token. The access key pair consists of an access key ID and a secret key. Users (or an application that the user runs) can use these credentials to access our resources. You can create a role session and pass session policies and session tags programmatically using AWS STS API operations.

Log events in Cloud Trail

IAM and AWS STS are integrated with AWS CloudTrail, a service that provides a record of actions taken by an IAM user or role. CloudTrail captures all API calls for IAM and AWS STS as events, including calls made from the console and calls made directly through the API. If we create a trail, we can enable continuous delivery of CloudTrail events to an Amazon S3 bucket. If we don't configure a trail, we can still view the most recent events in the CloudTrail console in Event history. We can use CloudTrail to get information about the request that was made to IAM or AWS STS. For example, we can view the IP address from which the request was made, who made the request, when it was made, and additional details.
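As an added example (not AWS or CloudTrail code), the script below reads a CloudTrail log file and answers the four questions the paragraph lists: who made each IAM or STS request, what it was, when, and from which IP. CloudTrail delivers `{"Records": [...]}` JSON files to the trail's S3 bucket; the records here are constructed in that shape (a subset of the real fields, with a made-up account id, user names and IPs) so the script runs offline. The last two checks flag root user activity and console logins without MFA, which the best practices later in this post say should not occur.

```python
"""Summarize IAM/STS events from a CloudTrail log file: who, what, when, from where.

Added example, not AWS code. The records below are constructed in CloudTrail's
{"Records": [...]} layout (subset of fields; account id, names, IPs are made up).
"""
import json
from collections import defaultdict

TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:12:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "ci-bot"}},
    {"eventTime": "2024-05-01T08:15:44Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Deploy",
                           "roleSessionName": "alice-deploy"}},
    {"eventTime": "2024-05-01T09:02:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:04:31Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"userName": "ci-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]})

def load_records(raw_json):
    """Parse one CloudTrail log file (already decompressed) into its record list."""
    return json.loads(raw_json)["Records"]

def actor(record):
    """Human-readable 'who': root, an IAM user name, or the assumed-role ARN."""
    ident = record["userIdentity"]
    if ident["type"] == "Root":
        return "root"
    if ident["type"] == "AssumedRole":
        return ident["arn"]
    return ident.get("userName", ident.get("arn", "unknown"))

def request_summary(records):
    """(when, who, what, from where) for every record."""
    return [(r["eventTime"], actor(r), r["eventName"], r["sourceIPAddress"]) for r in records]

def root_activity(records):
    """Event names performed as the root user; expected to be empty day to day."""
    return [r["eventName"] for r in records if r["userIdentity"]["type"] == "Root"]

def console_logins_without_mfa(records):
    """Successful console logins where MFA was not used."""
    return [(actor(r), r["sourceIPAddress"]) for r in records
            if r["eventName"] == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") == "No"]

def assume_role_calls(records):
    """Who obtained temporary credentials for which role through STS."""
    return [(actor(r), r["requestParameters"]["roleArn"]) for r in records
            if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "AssumeRole"]

def source_ips_by_actor(records):
    """Map each actor to the set of source IPs they called from."""
    ips = defaultdict(set)
    for r in records:
        ips[actor(r)].add(r["sourceIPAddress"])
    return dict(ips)

if __name__ == "__main__":
    recs = load_records(TRAIL_FILE)
    for row in request_summary(recs):
        print(*row)
    print("root activity:", root_activity(recs))
    print("console logins without MFA:", console_logins_without_mfa(recs))
    print("AssumeRole calls:", assume_role_calls(recs))
    print("source IPs by actor:", source_ips_by_actor(recs))
```

Against a real trail you would decompress each delivered `.json.gz` object and pass its contents to `load_records`; the same functions then work unchanged, because the field names used here (`userIdentity.type`, `eventSource`, `eventName`, `sourceIPAddress`, `additionalEventData.MFAUsed`) are the ones CloudTrail emits.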


Accessing IAM

We can access IAM using any of the following:

  1. AWS Management Console
  2. AWS Command Line Tools (CLI)
  3. AWS SDKs
  4. IAM Query API

Security

  • IAM Credentials Report (Account Level)

It is a report that lists all the users in the account and the status of their various credentials, for example when each user last signed in.

  • IAM Access Advisor (User level)

Access Advisor shows the service permissions granted to a user and when those services were last accessed.

You can use this information to revise your policies.
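As an added example (not AWS code), here is the kind of review the credentials report supports: parse the CSV the report returns and flag console users without MFA, active access keys older than 90 days, and users whose credentials have not been used in 90 days. The sample CSV is constructed in the layout of the real report (a subset of its columns; `csv.DictReader` ignores any extra columns, so the real download parses the same way), and "today" is fixed so the results are reproducible.

```python
"""Review an IAM credentials report for MFA, key-rotation and unused-user findings.

Added example, not AWS code. SAMPLE_REPORT is constructed in the real report's
CSV layout (subset of columns; account id, users and dates are made up).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2022-01-10T09:00:00+00:00,not_supported,2024-04-28T07:00:00+00:00,true,true,2022-01-10T09:05:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T10:00:00+00:00,true,2024-04-30T08:00:00+00:00,true,true,2024-03-15T10:00:00+00:00,2024-04-30T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-02-01T10:00:00+00:00,true,2024-04-29T16:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2023-06-20T12:00:00+00:00,false,no_information,false,true,2023-06-20T12:00:00+00:00,2024-04-30T03:00:00+00:00,false,N/A,N/A
old-contractor,arn:aws:iam::111122223333:user/old-contractor,2022-11-05T12:00:00+00:00,true,2023-09-01T09:00:00+00:00,true,true,2022-11-05T12:00:00+00:00,2023-08-30T09:00:00+00:00,false,N/A,N/A
"""
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed "today" for reproducible output

def _date(value):
    """Report dates are ISO 8601; N/A, no_information and not_supported mean 'no date'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def parse_report(text):
    """One dict per row, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(text)))

def users_without_mfa(rows):
    """Console users (password enabled) who have no MFA device."""
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]

def stale_access_keys(rows, now=NOW, max_age_days=90):
    """Active access keys last rotated more than max_age_days ago: (user, slot, age_days)."""
    out = []
    for r in rows:
        for slot in ("1", "2"):
            if r[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _date(r[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > max_age_days:
                out.append((r["user"], slot, age))
    return out

def unused_users(rows, now=NOW, inactive_days=90):
    """IAM users whose password and keys have all gone unused for inactive_days (or ever)."""
    cutoff = now - timedelta(days=inactive_days)
    out = []
    for r in rows:
        if r["user"] == "<root_account>":
            continue  # the root row is reviewed separately, not removed
        last_used = [d for d in (_date(r["password_last_used"]),
                                 _date(r["access_key_1_last_used_date"]),
                                 _date(r["access_key_2_last_used_date"])) if d]
        if not last_used or max(last_used) < cutoff:
            out.append(r["user"])
    return out

def root_has_access_keys(rows):
    """Root access keys are long-term credentials that should not exist at all."""
    root = next(r for r in rows if r["user"] == "<root_account>")
    return root["access_key_1_active"] == "true" or root["access_key_2_active"] == "true"

if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("no MFA:", users_without_mfa(rows))
    print("stale keys:", stale_access_keys(rows))
    print("unused users:", unused_users(rows))
    print("root has access keys:", root_has_access_keys(rows))
```

Each finding maps to one of the best practices later in this post: MFA for every human user, rotating access keys where long-term credentials are unavoidable, removing unused users, and keeping root credentials out of everyday use.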

MFA (Multi-Factor Authentication)

MFA is a way to enhance the security of any individual account. It is a process by which you add an extra layer of security.

We can enable it, and there are mainly two types:

MFA using virtual devices.

MFA using hardware devices or security keys.

Security best practices

  • Require human users to use federation with an identity provider to access AWS using temporary credentials.
  • Require workloads to use temporary credentials with IAM roles to access AWS.
  • Require multi-factor authentication (MFA).
  • Rotate access keys regularly for use cases that require long-term credentials.
  • Safeguard your root user credentials and don't use them for everyday tasks.
  • Apply least-privilege permissions.
  • Get started with AWS managed policies and move toward least-privilege permissions.
  • Use IAM Access Analyzer to generate least-privilege policies based on access activity.
  • Regularly review and remove unused users, roles, permissions, policies, and credentials.
  • Use conditions in IAM policies to further restrict access.
  • Verify public and cross-account access to resources with IAM Access Analyzer.
  • Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions.
  • Establish permissions guardrails across multiple accounts.
  • Use permissions boundaries to delegate permissions management within an account.
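The least-privilege principle from the Policies section and several items in the list above (least-privilege permissions, conditions in policies, validating policies) come together in this added example, which is not AWS code and not IAM Access Analyzer: a small lint that walks the Allow statements of a policy held as a Python dict (same shape as the JSON) and flags wildcard actions, service-wide actions, `Resource: "*"` without a Condition, and `NotAction` grants. The two policies are constructed: BROAD_POLICY is the kind of starting point the list warns against, and LEAST_PRIVILEGE_POLICY is its tightened rewrite with explicit actions, scoped ARNs and Condition blocks (the tag key `team` and the IP range are made up).

```python
"""Lint an IAM policy document for common least-privilege problems.

Added example, not AWS code and not IAM Access Analyzer. Both policies are
constructed; the account id, tag key and IP range are made up.
"""

BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAppAssets", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
        # Tag-based condition: only instances tagged with the caller's own team.
        {"Sid": "ManageOwnTeamInstances", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}},
        # A conditional Deny narrows everything above to direct calls from the corporate range.
        {"Sid": "DenyOutsideCorpNetwork", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                       "Bool": {"aws:ViaAWSService": "false"}}},
    ],
}

def _as_list(value):
    # Action/Resource may be a single string or a list in policy JSON.
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (sid, code, message) findings for every over-broad Allow statement."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access, so they are not linted
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append((sid, "allow-notaction",
                             "Allow with NotAction grants every action except those listed"))
        if "*" in actions:
            findings.append((sid, "wildcard-action", "Action '*' grants every API operation"))
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                findings.append((sid, "service-wide-action",
                                 f"{service_wide} grants every operation of the service"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((sid, "unscoped-resource",
                             "Resource '*' with no Condition applies to every resource"))
    return findings

def is_least_privilege(policy):
    """True when the lint finds nothing to report."""
    return not lint_policy(policy)

if __name__ == "__main__":
    for name, policy in [("BROAD_POLICY", BROAD_POLICY),
                         ("LEAST_PRIVILEGE_POLICY", LEAST_PRIVILEGE_POLICY)]:
        print(name)
        for sid, code, msg in lint_policy(policy) or [("-", "ok", "no findings")]:
            print(f"  {sid}: {code}: {msg}")
```

A lint like this is a pre-commit check, not a substitute for IAM Access Analyzer, which validates against the real service action list and can generate policies from observed access activity; the value here is that every finding corresponds to a concrete edit (list the actions, scope the ARN, add a Condition) that moves a policy toward least privilege.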

Difference Between Root and IAM Administrator user

An IAM administrator user can do almost everything that a root user can do, except a few tasks that only the root user is allowed to perform, for example:

  • Closing your AWS account
  • Changing your AWS account settings
  • Changing your support plan
  • Activating IAM access to Billing
  • Enabling MFA delete on an S3 bucket

For more in-depth information, please visit

That's it for this post. I hope you find this useful.

Keep learning, keep up to date, and keep growing.

#aws #awscloud #awscommunity #awsdevops #awscommunitybuilders #lambda #ec2 #amazon #amazons3 #cloud #cloudcomputing #cloudarchitect #cloudengineer #cloudinfrastructure #fargate #s3 #amazoneks #amazonec2 #awscertified #awssolutionsarchitect

More articles by Sheroze Gul
