AWS IAM Introduction :
- AWS Identity and Access Management (IAM) is the service that manages identities (users, groups, roles) and what each of them is allowed to do in your AWS account.
- Almost every other security control in AWS depends on IAM, so getting it right is fundamental.
- It is a global service. It’s not bound to any specific region.
- It allows you to control
- Identity: who can use your AWS resources (Authentication)
- Access: what resources they can use (Authorization)
- When you create an AWS account, the identity you first sign in with is called the root user (often just "the root account").
- Root credentials give unrestricted access to everything in the account, so they should never be used for day-to-day work. The root user can have access keys, but it does not need them: if root access keys exist, delete them, and do not create new ones.
- Protect the root user with MFA (Multi-Factor Authentication) and a strong, unique password.
AWS IAM Features :
- IAM gives you centralized control of your AWS account.
- Shared access to your AWS account.
- You can grant other people (or applications) access to the account without ever sharing the root credentials.
- Granular permissions.
- You can grant a specific identity exactly the permissions it needs and nothing more. For example, a user might be allowed read-only access to a single S3 bucket and no other service at all.
- Identity Federation (with corporate directories such as Active Directory, or web identity providers such as Facebook)
- Users sign in with their existing company or social credentials and receive temporary AWS credentials; no IAM user has to be created for them.
- Multi-Factor Authentication
- A second factor on top of the password or access key: a time-based code from a virtual MFA app on an Android or iOS phone, a hardware token, or a FIDO security key. MFA protects console sign-in directly and can be required for API calls through a policy condition.
- Support for PCI DSS compliance.
- IAM has been validated as PCI DSS compliant, so it can be used in environments that process, store, or transmit cardholder data.
- Access to AWS resources for applications running on EC2.
- Instead of placing access keys on the instance, you attach an IAM role to it (via an instance profile); the application obtains short-lived credentials from the instance metadata service, so there is nothing long-lived to leak.
- IAM integrates with almost every AWS service.
- Since it’s a fundamental or core service that provides security, IAM integrates with almost all AWS services.
- Free to use.
- There is no charge for IAM itself; you pay only for the AWS services your identities use.
IAM Components :
- User is an IAM identity with long-term credentials.
- It usually represents one person, but it can also represent an application that needs programmatic access.
- A user can be given a console password, access keys (for the CLI and API), or both.
- New users have no permissions when first created; every permission must be granted explicitly.
- Group is a collection of IAM users.
- Groups are usually defined by job function, for example Developers or Admins.
- Instead of attaching the same permissions to every user individually, you attach them to the group and add the users to it.
- Every user in the group inherits the group's permissions. A group is not itself an identity: it cannot be nested inside another group and cannot be named as a principal in a resource-based policy.
- Role is an IAM identity with a specific set of permissions.
- It is similar to a user in that policies are attached to it.
- But it is not tied to one person; a role is assumed by whoever (or whatever) needs it and is trusted to do so.
- It has no long-term credentials such as a password or access keys; assuming a role returns temporary security credentials from AWS STS that expire at the end of the session.
- Who may assume a role is defined by its trust policy. It can be:
- An IAM user in the same account as the role.
- An IAM user in a different account than the role.
- An AWS service such as EC2 (Elastic Compute Cloud).
- A federated identity from an external identity provider.
- Policies are JSON documents.
- Each statement in a policy says whether an Effect of Allow or Deny applies to a set of Actions on a set of Resources, optionally only under a Condition.
- Permissions are governed entirely by policies: a request is allowed only if some policy explicitly allows it and no policy explicitly denies it.
- AWS provides many built-in policies covering common use cases. These are the AWS managed policies.
- You can also write your own policies (customer managed or inline).
- IAM Federation is mostly used by larger enterprises.
- Such enterprises already have their own directory of users.
- With federation, that directory becomes the identity provider for AWS; federated users are mapped to IAM roles rather than given IAM users of their own.
- This way users of such enterprises sign in to AWS with their company credentials.
- Enterprise federation uses the SAML 2.0 standard; federation with web identity providers uses OpenID Connect.
How IAM works diagrammatic explanation :
- As you can see in the diagram above (I hope you liked it), there are two IAM users, User A and User B, who need permission to access S3.
- We did not attach that permission (policy) to either user individually.
- Instead we placed both users in a group (the grey cube) named S3DeveloperGroup and attached the S3 access policy to the group, so both users automatically inherit the group's permissions.
- That is how these IAM users are able to access S3.
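The following is an added example, not code from this article or from AWS, that turns the policy description above and the S3DeveloperGroup diagram into something you can run. It models the subset of the policy language covered here (Effect, Action, Resource, plus a Bool Condition on the aws:MultiFactorAuthPresent key of the kind used to enforce the MFA best practice) and AWS's documented evaluation order within one account: a matching explicit Deny always wins, otherwise a matching Allow grants access, otherwise the request is implicitly denied. Group policies are inherited by the group's users. All users, groups, policies and bucket ARNs are constructed sample data; the evaluator ignores NotAction, NotResource, resource-based policies and permission boundaries.

```python
"""Toy evaluator for IAM identity-based policies (added example, not AWS code)."""
import fnmatch

# Constructed sample data. The S3DeveloperGroup from the diagram: read/write
# on one bucket only.
S3_DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-dev-bucket",
                     "arn:aws:s3:::example-dev-bucket/*"],
    }],
}
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# Guardrail: explicit deny of bucket deletion unless MFA was used.
# BoolIfExists treats a missing aws:MultiFactorAuthPresent key as "no MFA".
DENY_DELETE_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:DeleteBucket",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

GROUPS = {"S3DeveloperGroup": [S3_DEV_POLICY], "Admins": [ADMIN_POLICY]}
USERS = {
    "UserA":   {"groups": ["S3DeveloperGroup"], "policies": []},
    "UserB":   {"groups": ["S3DeveloperGroup"], "policies": []},
    "Ops":     {"groups": ["Admins"], "policies": [DENY_DELETE_WITHOUT_MFA]},
    "NewHire": {"groups": [], "policies": []},  # freshly created: nothing allowed
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate Bool / BoolIfExists conditions against the request context."""
    for operator, pairs in condition.items():
        if operator.replace("IfExists", "") != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue        # IfExists: a missing key counts as a match
                return False        # plain Bool on a missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    # Action names are case-insensitive, ARNs are case-sensitive. Both accept
    # the IAM wildcards * and ?, which fnmatch implements.
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    resources = _as_list(stmt["Resource"])
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def effective_policies(user):
    """Policies attached directly to the user plus those inherited from groups."""
    entry = USERS[user]
    policies = list(entry["policies"])
    for group in entry["groups"]:
        policies.extend(GROUPS[group])
    return policies


def evaluate(user, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"       # default when nothing matches
    for policy in effective_policies(user):
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # a matching Deny ends evaluation
            decision = "Allow"
    return decision
```

Calling `evaluate("UserA", "s3:GetObject", "arn:aws:s3:::example-dev-bucket/report.csv")` returns "Allow" purely through group membership, while the same call for "NewHire" returns "ImplicitDeny", and "Ops" is denied `s3:DeleteBucket` despite holding an admin policy until the request context carries `aws:MultiFactorAuthPresent` set to true. The order in which policies are attached never matters, which is the property that makes explicit-deny guardrails safe to add on top of broad allows.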
IAM security best practices :
- Lock away the root user's credentials
- The root user has complete access to your AWS account. Delete any root access keys, enable MFA on the root user, and do not use it again after the initial setup unless a task genuinely requires root.
- Create individual IAM users
- If you have 5 employees who need to work in AWS, create 5 individual IAM users instead of having them all share one. Individual users make every action attributable in CloudTrail and let you revoke one person's access without affecting the others.
- Use groups to assign permissions to users.
- Do not attach permissions to individual users. Instead create a group, attach the permissions that match a job function to that group, and then add users to it.
- All the users in the group inherit its permissions, and changing the job function means editing one group rather than every user.
- Grant least privilege
- Give each identity only the permissions it needs to do its job, and start from nothing rather than from an administrator policy that you intend to trim later.
- Configure a strong password policy for your users
- The account password policy can enforce minimum length, required character classes, expiration and reuse prevention for IAM user passwords.
- Enable MFA
- With MFA enabled, a compromised password or access key is not enough on its own; the attacker still lacks the second factor. Note that MFA protects console sign-in directly; to protect API calls, add a policy condition on aws:MultiFactorAuthPresent to the sensitive permissions.
- Use roles when you want a user from another AWS account to access resources in your account.
- Instead of giving away credentials, create a role in your account whose trust policy allows the other account to assume it, and let their users call AssumeRole to get temporary credentials.
- Never share your access keys.
- Access keys provide programmatic access to AWS; anyone holding a key acts as that user, and shared keys cannot be attributed to a single person.
- Rotate credentials regularly.
- Make sure your IAM users change their passwords and access keys regularly, and remove keys that are no longer used.
- Never write IAM credentials into code or commit them to a repository. Use roles (on EC2, Lambda and other services) and credential profiles or environment variables on developer machines instead.
IAM is one of the most basic and fundamental services in AWS. This chapter covers an overview of IAM.
I hope you guys liked the article. We will be posting more blog posts with a deep dive into IAM. Stay tuned.