Identity and Access Management (IAM)

What is IAM

  • A web service that allows you to securely control access to your AWS resources.

    • Manage permissions that control which resources Users can access.

Features

  • IAM is eventually consistent

    • Meaning that it achieves high availability by replicating data across multiple servers around the world.

    • However, these changes may take some time to replicate.

    • AWS recommends that IAM changes should not be included in critical, high-availability code paths of the application, and that you verify the changes have propagated before production workflows depend on them.

  • Shared access to your AWS account.

  • Granular permissions.

  • Secure access to AWS resources for applications that run on Amazon EC2.

  • Identity Federation to grant permissions for users outside of AWS.

  • Access log auditing using CloudTrail.

  • Payment Card Industry (PCI) Data Security Standard (DSS) Compliance.

  • IAM is integrated with many AWS services.

  • Free to use.

How it Works

Initial Steps

  1. When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources.

    • This identity is called the AWS account root user.

    • You can access it by the email and password provided when the account was created.

    • AWS strongly recommends that you don't use the root user for everyday tasks. (Use it only to perform tasks that only the root user can perform.)

  2. Use IAM to set up IAM Users in addition to the root user, and grant them access to the resources they need for their tasks.

    • These new users will use their sign-in credentials to authenticate.

Cycle

  1. A human or application uses their sign-in credentials to authenticate with AWS.

    • Authentication is provided by matching the sign-in credentials to a principal (IAM User, Federated User, IAM Role, or application).

  2. Next, a request is made to grant the principal access to resources.

    • E.g.: When you first sign in and are on the console Home page, you aren't accessing a specific service.

    • When you select a service, the request for authorization is sent to that service to see:

      • if you are in the list of authorized users,

      • what policies are being enforced to control the level of access granted,

      • and any other policies that might be in effect.

IAM Common Terms

Principals

  • A person or application that uses the AWS account root user, an IAM User, or an IAM Role to sign in and make requests to AWS.

    • Can be granted either permanent or temporary credentials.

      • Typically, IAM Users and the root user are granted permanent credentials.

      • IAM Roles are granted temporary credentials.

  • Principals include Federated Users and assumed roles.

IAM Entity

  • Are IAM Resources that AWS uses for authentication.

  • Entities can be specified as a Principal in a resource-based policy.

  • Includes:

    • IAM Users

    • IAM Roles

IAM Identity

  • Are IAM Resources that can be authorized in policies to perform actions and to access resources.

  • Includes:

    • IAM Users

    • IAM Groups

    • IAM Roles

IAM Resource

  • Are stored in IAM; you can add, edit, and remove them from IAM.

  • The number and size of IAM Resources in AWS are limited.

IAM User

  • Represent the person or application accessing your account to interact with AWS.

  • Consist of a name and credentials.

    • Are identified by:

      • A friendly name;

      • Amazon Resource Name (ARN);

        • arn:aws:iam::account-ID-without-hyphens:user/Bill

      • Unique identifier, which is returned only when you use the API, SDK, Tools for Windows PowerShell, or AWS CLI to create the user.

  • Credentials that can be associated with a user:

    • Console password.

    • Access keys. (access key ID and a secret access key)

    • SSH keys. (for use with CodeCommit)

  • It is associated with one and only one AWS account.

IAM Group

  • Are collections of IAM users.

  • Groups let you specify permissions for multiple users.

    • Users assume the permissions of the group.

  • Users can belong to multiple groups.

  • Groups cannot be nested, can only contain Users.

IAM Role

  • It is an IAM Identity that you can create that has specific permissions.

  • Roles are intended to be assumed by one or more Users or Applications.

  • Does not have standard long-term credentials.

    • When you assume a Role, it provides you with temporary security credentials for your Role session.

  • You can use Roles to delegate access to Users, applications, or services that don't normally have access to your AWS resources.

    • E.g.: Allow EC2 instances to access other AWS resources.

    • Identity federation using:

      • AWS Cognito.

      • OAuth.

      • Enterprise Single Sign On with LDAP or Active Directory.

Identity Providers and Federation

  • If you already manage users outside of AWS, you can use Identity Providers instead of creating IAM Users.

    • They can use OpenID Connect (OIDC), or SAML 2.0.

  • An IAM Role can be used to specify permissions for externally identified (federated) users.

  • Max 5000 IAM users per account; Identity Federation enables an unlimited number of temporary credentials.

  • Can be identified by your organization or a third-party identity provider like:

Access Management

  • You manage access in AWS by creating Policies and attaching them to IAM Identities or AWS Resources.

  • AWS checks each Policy that applies to the context of the request.

    • If a single Policy denies the request, AWS denies the entire request and stops evaluating policies. (Explicit Deny)

    • By default, all requests are implicitly DENIED.

Policy

  • Are JSON documents in AWS that, when attached to an Identity or Resource, define their Permissions.

    • A Policy may have one or more Permissions.

  • AWS evaluates these Policies when an IAM Principal makes a request.

Permission

  • What, within a Policy, determines whether the request is allowed or denied.

AWS Organizations

  • Allows multiple AWS accounts used by an organization to be part of an Organizational Unit (OU).

  • Service Control Policies (SCPs) allow the whitelisting or blacklisting of services within an Organizational Unit.

    • A blacklisted service will not be available even if the IAM user or group policy allows it.
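The evaluation rules described above (explicit Deny wins and stops evaluation, everything is implicitly denied unless some policy allows it, and a service an SCP does not allow stays unavailable whatever the IAM policies say) as a small Python model. This is an added example, not code from the original notes or from AWS; the policies, bucket name and the MFA condition are constructed for illustration, and only the Bool/BoolIfExists condition operators are modelled.

```python
import fnmatch
import json

POLICIES = [  # constructed sample policies, assumed for this example only
    # Identity-based policy: read objects in one bucket.
    json.loads("""{"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::example-bucket/*"}]}"""),
    # Guardrail policy: explicit Deny of all S3 actions unless MFA was used.
    json.loads("""{"Version": "2012-10-17", "Statement": [
      {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
       "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}"""),
]

def condition_met(cond, ctx):
    """Only Bool/BoolIfExists are modelled; other operators never match here."""
    for op, pairs in (cond or {}).items():
        if op not in ("Bool", "BoolIfExists"):
            return False
        for key, want in pairs.items():
            if key not in ctx:
                if op == "Bool":
                    return False  # Bool on an absent key does not match
                continue          # ...IfExists treats an absent key as matching
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True

def statement_matches(stmt, action, resource, ctx):
    lst = lambda v: v if isinstance(v, list) else [v]  # Action/Resource: str or list
    return (any(fnmatch.fnmatchcase(action, a) for a in lst(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in lst(stmt["Resource"]))
            and condition_met(stmt.get("Condition"), ctx))

def evaluate(policies, action, resource, ctx=None, scps=()):
    """Explicit Deny wins, any Allow grants, otherwise implicit Deny. SCPs, if
    given, are checked first with the same rules and override the IAM policies."""
    ctx = ctx or {}
    if scps and evaluate(scps, action, resource, ctx) == "Deny":
        return "Deny"  # service not allowed in this OU, IAM policies never consulted
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny: stop evaluating immediately
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit Deny
```

Note the BoolIfExists operator in the Deny statement: a plain Bool condition does not match when the MFA key is absent from the request context, so the Deny would silently not apply to such requests.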

Benefits

  • Centrally manage policies across multiple AWS accounts.

  • Control access to AWS services.

  • Automate AWS account creation and management programmatically with APIs.

  • Consolidate billing across multiple AWS accounts.

IAM Best Practices

  • Grant Least Privilege access.

    • Give people access only to the minimum that they need.

  • Lock away your AWS account Root User Access Keys.

  • Require human users and workloads to use temporary credentials.

    • Rotate Credentials regularly.

  • Require Multi-Factor Authentication (MFA).

  • Regularly review and remove unused users, roles, permission, policies and credentials.

  • Monitor activity in your AWS Account. (eg. CloudTrail)

  • Use conditions in IAM Policies to further restrict access.

  • Use IAM Access Analyzer to validate your IAM Policies and ensure functional permissions.

  • Delegate by using Roles instead of by sharing credentials.
