IAM (Identity and Access Management)

IAM:

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

  • When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account.
  • This identity is called the AWS account “root user” and is accessed by signing in with the email address and password that you used to create the account.
  • AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones.
  • Use other IAM user accounts to manage the administrative tasks of your account, securely lock away the root user credentials, and use them only for the few account and service management tasks that require them.
  • The IAM user limit is 5000 users per AWS account. You can add up to 10 users at one time.
  • You are also limited to 300 groups per AWS account.
  • You are limited to 1000 IAM roles per AWS account.
  • The default limit of managed policies attached to an IAM role or IAM user is 10.
  • An IAM user can be a member of at most 10 groups.
  • At most two access keys can be assigned to an IAM user.

Principal:

A principal is a person or application that can make a request for an action or operation on an AWS resource.

  • Your administrative IAM user is your first principal.
  • You can allow users and services to assume a role.
  • IAM users, roles, federated users and applications are all AWS principals.
  • You can support federated users or programmatic access to allow an application to access your AWS account.

Request:

When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS. The request includes the following information:

  • Actions: the actions that the principal wants to perform.
  • Resources: the resources upon which the actions are performed.
  • Principal: information about the principal, including the environment from which the request was made.
  • Environment data: such as IP address, user agent, SSL-enabled status, or the time of day.
  • Resource data: data related to the resource that is being requested.

Authentication:

A principal must be authenticated (signed in to AWS) to send a request to AWS.

Authentication takes place whenever a user attempts to access the organization’s network or assets. Verified credentials serve as a passport that allows users to access data, systems, applications, and resources.

With data breaches becoming more common, user authentication is vital to security. Organizations are prioritizing advanced security through sophisticated additional authentication methods. For instance, your IAM would secure your access management with two-factor or multi-factor authentication by pairing a username and password with a key card or OTP token, a fingerprint, or facial recognition. Every user has unique credentials, and IAM authenticates the user data to confirm that the user is a member of the organization.

Using a strong password policy can also improve authentication security. Verifying that your IAM allows you to configure and customize your password policy is essential to providing a comprehensive authentication process.

Authorization:

To authorize a request, IAM uses values from the request context to check for matching policies and determine whether to allow or deny the request.

While authentication verifies the users’ identity, the authorization aspect of IAM is what grants the user access to data based on their identity and defined access rules. While the two are related, they are not interchangeable.

In a sense, authorization is the second step to authentication – think of a night club, where the bouncer allows you entry after checking your ticket stamp (authentication), following which another staffer inside decides if your stamp allows you access to every area of the club or restricts you to select areas (authorization).

In organizations, users are granted authorizations according to their roles. Proper authorization is important to prevent data breaches.

For secure authorization, follow the zero trust principle and provide minimum possible access to each active user and immediately deprovision ex-employees. These two steps ensure that the risk of data breaches caused by improper authorization or disgruntled employees is reduced.

Resource-Based Policies:

Resource-based policies specify the permissions allowed or denied on a resource. They are popular for granting cross-account permissions.

IAM checks each policy that matches the context of your request.

If a single policy includes a denied action, IAM denies the entire request and stops evaluating. This is called an explicit deny.

The evaluation logic follows these rules:

  • By default, all requests are denied.
  • An explicit allow overrides this default.
  • An explicit deny overrides any allow.

You can create a new IAM policy in the AWS Management Console in one of the following ways:

  • JSON: you write the policy yourself in JSON syntax.
  • Visual editor: you construct a new policy from scratch in the visual editor. If you use the visual editor, you do not have to understand JSON syntax.
  • Import: you import a managed policy from your account and then edit it to customize it to your specific requirements.
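The evaluation rules above (default deny, explicit allow overrides the default, explicit deny overrides any allow and stops evaluation) are easy to get wrong when reading a policy by eye, so here is an added example that models them in Python. It is not AWS code and not the real IAM engine: it handles only Allow/Deny statements with `Action` and `Resource` wildcards, and ignores conditions, `NotAction`/`NotResource`, permissions boundaries and service control policies. The two policy documents, the bucket name and the account ID `123456789012` are constructed sample data, written in the same JSON syntax you would paste into the console's JSON editor.

```python
"""Added example (not from the original article): a minimal model of the
IAM policy evaluation rules. Policies and ARNs below are constructed."""

import fnmatch
import json


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns both cover the request.
    '*' and '?' wildcards are supported; action names are case-insensitive,
    resource ARNs are matched as written."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
    resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in resources)
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'ALLOW' or 'DENY' for one request against all matching policies.
    Rules: default deny; an explicit Allow overrides the default; an explicit
    Deny overrides any Allow and stops evaluation immediately."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"        # explicit deny: stop evaluating
            if stmt["Effect"] == "Allow":
                allowed = True       # remember it; a later Deny can still win
    return "ALLOW" if allowed else "DENY"   # implicit (default) deny


# Constructed sample policies; the bucket and account ID are made up.
READ_ONLY_S3 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:Get*", "s3:List*"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

DENY_SECRETS_PREFIX = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/secrets/*"
  }]
}""")

POLICIES = [READ_ONLY_S3, DENY_SECRETS_PREFIX]


def demo():
    """Evaluate a few constructed requests and return the decisions."""
    cases = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"),   # explicit allow
        ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem"),     # explicit deny wins
        ("s3:PutObject", "arn:aws:s3:::example-bucket/public/readme.txt"),   # nothing matches: default deny
        ("ec2:StartInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),  # default deny
    ]
    return {(a, r): evaluate(POLICIES, a, r) for a, r in cases}


if __name__ == "__main__":
    for (action, resource), decision in demo().items():
        print(f"{decision:5}  {action:20} {resource}")
```

Note that the order of the policies does not change the outcome: a matching Deny returns immediately whether it is seen before or after the Allow, which is the property the explicit-deny rule guarantees.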

Actions:

Actions are defined by a service and are the things that you can do to a resource, such as viewing, creating, editing and deleting that resource.

  • IAM supports approximately 40 actions for a user resource, including creating and deleting users.
  • Any actions or resources that are not explicitly allowed are denied by default.
  • After your request has been authenticated and authorized, AWS approves the actions in your request.

Resource:

  • A resource is an entity that exists within a service.
  • Examples are an EC2 instance, an S3 bucket, an IAM user and a DynamoDB table.
  • Each AWS service defines a set of actions that can be performed on each of its resources.
  • After AWS approves the actions in your request, those actions can be performed on the related resources within your account.
  • If you create a request to perform an unrelated action on a resource, that request is denied.
  • When you provide permissions using an identity-based policy in IAM, you provide permissions to access resources only within the same account.

IAM Identities:

  • IAM identities are what you create under your AWS account to provide authentication for people, applications and processes in your AWS account.
  • Identities represent the user and can be authenticated and then authorized to perform actions in AWS.
  • Each of these can be associated with one or more policies to determine what actions a user, role or member of a group can perform, on which resources, and under what conditions.
  • An IAM group is a collection of IAM users.
  • An IAM role is very similar to an IAM user.

IAM Users:

  • An IAM User is an entity created in AWS that provides a way to interact with AWS resources.
  • The main purpose of IAM Users is that they can sign in to the AWS Management Console and can make requests to the AWS services.
  • Newly created IAM users have no password and no access key. If a user needs to use AWS resources through the AWS Management Console, you must create a password for the user. If a user needs to interact with AWS programmatically (for example through the CLI, the Command Line Interface), you must create an access key for that user. The credentials created for an IAM user are what uniquely identify that user to AWS.
  • The security of a user's credentials can be enhanced by enabling Multi-Factor Authentication.
  • Newly created IAM users have no permissions, i.e., they are not authorized to access AWS resources.
  • An advantage of using individual IAM users is that you can assign permissions individually. You can even assign administrative permissions, so that the user can administer your AWS resources and also administer other IAM users.
  • A user's permissions should be scoped to the AWS tasks and resources the user needs, i.e., the job assigned to the IAM user. For example, you create an IAM user named Advita, create a password for her, and set permissions that let her start Amazon EC2 instances and read data from an Amazon RDS database.
  • Each IAM user is associated with one and only one AWS account.
  • Users are defined within your account, so users do not pay separately. Any AWS activity performed by a user is billed to your account.

IAM Groups:

  • An IAM group is a collection of users.
  • A group specifies the permissions for a collection of users, which makes it easy to manage the permissions of those users together.
  • Suppose you create a group called Admins and assign to it the permissions that administrators typically need. Any user who joins the Admins group then has all the permissions assigned to the group. If a new user joins the organization and should have administrator privileges, you can grant the appropriate permissions simply by adding them to the group. If a person changes job profile, instead of editing their permissions you can remove them from one group and add them to another.
  • A group is a collection of users, and a user can belong to multiple groups.
  • Groups cannot be nested, i.e., a group cannot contain another group.
  • There is no default group that automatically includes all the users in an AWS account. If you want a group like this, create a group and then add the users to it.
  • There is a limit to the number of groups you can have, and also a limit to the number of groups a user can belong to.

IAM Role:

  • A role is a set of permissions that grant access to actions and resources in AWS. These permissions are attached to the role, not to an IAM user or a group.
  • An IAM user can use a role in the same AWS account or in a different account.
  • An IAM role is similar to an IAM user: a role is also an AWS identity with permission policies that determine what the identity can and cannot do in AWS.
  • A role is not uniquely associated with a single person; it can be used by anyone who needs it.
  • A role does not have long-term security credentials, i.e., a password or access keys. Instead, when a user uses a role, temporary security credentials are created and provided to the user.
  • You can use roles to delegate access to users, applications or services that normally do not have access to your AWS resources.

IAM Temporary Credentials:

  • Temporary credentials are primarily used with IAM roles, but there are other uses as well.
  • You can request temporary credentials that have a more restricted set of permissions than your standard IAM user. This prevents you from accidentally performing tasks that are not permitted by the more restricted credentials.
  • A benefit of temporary credentials is that they expire automatically after a set period of time.
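The role and temporary-credential properties listed in the last two sections (a trust relationship decides who may assume the role, the issued credentials are short-lived, and a session can be narrower than the role but never broader) are shown together in this added Python model. It is not the AWS STS API and not the article's own code: the trust policy and permissions are plain sets, the "session policy" is a set intersection, and the role name, ARNs and account ID `123456789012` are constructed for the example. Time is passed in explicitly so the expiry behaviour can be checked deterministically.

```python
"""Added example (not from the original article): a simplified model of a
role issuing temporary credentials. Names, ARNs and actions are constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets


@dataclass(frozen=True)
class Role:
    name: str
    trusted_principals: frozenset   # who may assume the role (the trust policy)
    allowed_actions: frozenset      # the permissions policy attached to the role


@dataclass(frozen=True)
class TemporaryCredentials:
    session_token: str
    expires_at: datetime
    allowed_actions: frozenset      # never broader than the role's own policy

    def is_valid(self, now: datetime) -> bool:
        """Temporary credentials stop working once the session has expired."""
        return now < self.expires_at

    def can(self, action: str, now: datetime) -> bool:
        """A request succeeds only while valid and only for permitted actions."""
        return self.is_valid(now) and action in self.allowed_actions


def assume_role(role: Role, caller: str, now: datetime,
                duration: timedelta = timedelta(hours=1),
                session_policy: Optional[frozenset] = None) -> TemporaryCredentials:
    """Issue short-lived credentials to `caller` if the role trusts it.
    An optional session policy can only narrow the role's permissions
    (modelled here as set intersection), never widen them."""
    if caller not in role.trusted_principals:
        raise PermissionError(f"{caller} is not trusted to assume {role.name}")
    effective = role.allowed_actions
    if session_policy is not None:
        effective = role.allowed_actions & session_policy
    return TemporaryCredentials(
        session_token=secrets.token_urlsafe(16),   # random per session, no long-term secret
        expires_at=now + duration,
        allowed_actions=effective,
    )


# Constructed sample role: a deployment role that one CI user may assume.
CI_USER = "arn:aws:iam::123456789012:user/ci-user"
DEPLOY_ROLE = Role(
    name="DeployRole",
    trusted_principals=frozenset({CI_USER}),
    allowed_actions=frozenset({"s3:PutObject", "s3:GetObject", "ec2:StartInstances"}),
)


def demo():
    """Exercise trust, narrowing and expiry; returns the observed outcomes."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    creds = assume_role(DEPLOY_ROLE, CI_USER, t0,
                        session_policy=frozenset({"s3:GetObject", "iam:CreateUser"}))
    try:
        assume_role(DEPLOY_ROLE, "arn:aws:iam::123456789012:user/someone-else", t0)
        intruder_rejected = False
    except PermissionError:
        intruder_rejected = True
    return {
        "read_now": creds.can("s3:GetObject", t0),                        # True
        "write_now": creds.can("s3:PutObject", t0),                       # False: narrowed by session policy
        "iam_now": creds.can("iam:CreateUser", t0),                       # False: role never allowed it
        "read_later": creds.can("s3:GetObject", t0 + timedelta(hours=2)), # False: expired
        "untrusted_rejected": intruder_rejected,                          # True: not in trust policy
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:20} {result}")
```

The two failure modes worth noticing are `iam_now` and `read_later`: a session policy cannot grant an action the role itself lacks, and a credential that was valid a moment ago becomes useless once its expiry passes, which is exactly why a leaked temporary credential is less damaging than a leaked long-term access key.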

Pricing:

  • Amazon provides the IAM service at no additional charge.
  • You are charged only for the AWS services used by the users in your account.

Thank you for reading! I hope you find this article helpful.

Happy learning!
