With AWS Identity and Access Management (IAM), you can specify who or what can access services and resources in AWS, centrally manage fine-grained permissions, and analyze access to refine those permissions across your AWS account.
That definition covers it well; the rest of this article goes through what each part means in practice.
Now that we know what IAM is, the next question is:
Why IAM?
IAM lets you manage and scale access for both workloads (applications and services) and your workforce (people) securely, so that teams can move quickly without being handed more access than they need.
IAM has three kinds of identities:
1) IAM users
2) IAM user groups
3) IAM roles
IAM USER: An IAM user represents a single person or application in your organization and has its own long-term credentials (a console password and/or access keys). Users can be placed in groups.
IAM USER GROUPS: A group is a collection of IAM users. Groups contain only users, not other groups, as shown in the image below. Permissions attached to a group apply to every user in it.
IAM ROLES: An IAM role is an IAM identity that you can create in your account with specific permissions.
Instead of being uniquely associated with one person, a role is intended to be assumed by whoever (or whatever) needs it: an EC2 instance, a Lambda function, a user in another account, or a federated user.
When you assume a role, you receive temporary security credentials for the role session, so there is no long-term secret to leak or rotate.
IAM PERMISSIONS
Permissions are granted through policies: JSON documents that can be attached to users, groups and roles. For example:
In the image above, the policy attached to the user contains a statement like (see the image):
"Effect":"Allow"
"Action":"elasticloadbalancing:Describe*"
"Effect" says whether the statement allows or denies, and "Action" names the API operations it applies to. The trailing * is a wildcard, so this statement allows every Elastic Load Balancing Describe operation (read-only access) and nothing else. Anything not explicitly allowed is denied by default, and an explicit "Deny" always overrides an "Allow".
Note: Principle of least privilege: do not grant more permissions than a user (or role) actually needs.
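To see how these rules combine, here is a simplified policy evaluator, added as an example here and not AWS's own evaluation engine. It runs the page's Describe* policy plus a few constructed policies (the bucket name and the other statements are hypothetical) through the three rules IAM applies to identity-based policies: an explicit Deny wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied. Conditions, NotAction/NotResource, resource-based policies, permission boundaries and SCPs are deliberately left out.

```python
"""Simplified IAM policy evaluation over constructed identity-based policies.
Added example, not AWS code. Actions are matched with IAM wildcards (* and ?)
case-insensitively; resources are matched case-sensitively."""
import re

# The page's own example: read-only access to Elastic Load Balancing.
READ_ONLY_ELB = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"}
    ],
}
# Constructed: full ELB access, and a guard-rail policy that denies destructive calls.
ELB_FULL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"}],
}
DENY_DESTRUCTIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["elasticloadbalancing:Delete*", "elasticloadbalancing:Deregister*"],
            "Resource": "*",
        }
    ],
}
# Constructed: least-privilege read access to one bucket (hypothetical name).
REPORTS_BUCKET_READ = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        }
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: * is any run of characters, ? is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policies, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource."""
    decision = "ImplicitDeny"  # default: nothing matched
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            actions = _as_list(statement.get("Action", []))
            if not any(_matches(a, action, ignore_case=True) for a in actions):
                continue
            resources = _as_list(statement.get("Resource", []))
            if not any(_matches(r, resource) for r in resources):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides every allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for policies, action, resource in [
        ([READ_ONLY_ELB], "elasticloadbalancing:DescribeLoadBalancers", "*"),
        ([READ_ONLY_ELB], "elasticloadbalancing:DeleteLoadBalancer", "*"),
        ([ELB_FULL, DENY_DESTRUCTIVE], "elasticloadbalancing:DeleteLoadBalancer", "*"),
        ([REPORTS_BUCKET_READ], "s3:GetObject", "arn:aws:s3:::example-reports/2024/q1.csv"),
        ([REPORTS_BUCKET_READ], "s3:GetObject", "arn:aws:s3:::example-reports-archive/q1.csv"),
    ]:
        print(f"{action:45} {resource:45} -> {evaluate(policies, action, resource)}")
```

The guard-rail case is the one worth remembering: attaching DENY_DESTRUCTIVE next to ELB_FULL blocks the Delete call no matter which order the policies are attached in, which is why an explicit Deny is the right tool for "never, regardless of what else is granted".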
IAM Password Policy
In AWS, you can set up an account-wide password policy for IAM users:
• Set a minimum password length
• Require specific character types:
• uppercase letters
• lowercase letters
• numbers
• non-alphanumeric characters
• Allow all IAM users to change their own passwords
• Require users to change their password after some time (password expiration)
• Prevent password re-use
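The following is an added example, not AWS code, that models the password policy locally. The setting names are those of the IAM UpdateAccountPasswordPolicy API (AWS enforces them server-side; this checker just mirrors the rules), and the two policies, the candidate passwords and the password history are constructed. Passwords are compared as plain strings purely for illustration; a real history stores salted hashes.

```python
"""Local model of an IAM account password policy. Added example, not AWS code."""
import string
from datetime import date

# Characters IAM counts as "non-alphanumeric" for the RequireSymbols setting.
SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

# A minimal policy: six characters (the API default), no complexity, no expiry,
# no reuse limit.
WEAK_POLICY = {"MinimumPasswordLength": 6}

# A hardened policy. The values are an assumption; use what your standard requires.
HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,           # days; 0 or absent means passwords never expire
    "PasswordReusePrevention": 24,  # remember the last 24 passwords (the IAM maximum)
}


def check_password(policy, candidate, previous_passwords=()):
    """Return the names of the settings a new password violates ([] means accepted)."""
    violations = []
    if len(candidate) < policy.get("MinimumPasswordLength", 6):
        violations.append("MinimumPasswordLength")
    character_rules = [
        ("RequireUppercaseCharacters", set(string.ascii_uppercase)),
        ("RequireLowercaseCharacters", set(string.ascii_lowercase)),
        ("RequireNumbers", set(string.digits)),
        ("RequireSymbols", SYMBOLS),
    ]
    for setting, allowed in character_rules:
        if policy.get(setting) and not (allowed & set(candidate)):
            violations.append(setting)
    window = policy.get("PasswordReusePrevention", 0)
    # previous_passwords is oldest-first; only the most recent `window` entries count.
    if window and candidate in list(previous_passwords)[-window:]:
        violations.append("PasswordReusePrevention")
    return violations


def password_expired(policy, last_changed, today):
    """True once a password is MaxPasswordAge days old (0 = never expires)."""
    max_age = policy.get("MaxPasswordAge", 0)
    return bool(max_age) and (today - last_changed).days >= max_age


if __name__ == "__main__":
    history = [f"Old-Password-{i}" for i in range(30)]  # constructed history
    print(check_password(WEAK_POLICY, "password"))
    print(check_password(HARDENED_POLICY, "password"))
    print(check_password(HARDENED_POLICY, "Old-Password-29", history))
    print(password_expired(HARDENED_POLICY, date(2024, 1, 1), date(2024, 4, 1)))
```

The reuse check shows the limit of PasswordReusePrevention: with a history of 30 and a window of 24, the 25th-oldest password is accepted again, so the setting should be paired with expiry rather than relied on alone.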
Multi-factor authentication (MFA)
The next IAM feature is MFA, which protects both the root account and IAM users.
The root account has unrestricted access to everything in the account, so it must be protected: enable MFA on it, do not use it for day-to-day work, and do not create access keys for it. MFA is the single most effective control against stolen passwords.
BEST ADVANTAGE OF MFA
If a password is stolen or phished, the attacker still cannot sign in without the second factor, so the password alone does not compromise the account.
MFA device options in AWS
The MFA device types AWS supports (virtual authenticator apps, FIDO security keys and hardware TOTP tokens) are listed here: https://aws.amazon.com/iam/features/mfa/
The next question is:
How can users access AWS?
There are three options:
• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys
• AWS Software Development Kit (SDK), for code: protected by access keys
• Access keys are generated through the AWS console (or the IAM API)
• Users manage their own access keys: they create, rotate and deactivate them
• Access keys are secrets, just like a password. Don't share them, and never commit them to source code
• Access Key ID ~= username
• Secret Access Key ~= password
Where possible, prefer temporary credentials obtained through a role over long-lived access keys, and rotate any keys you do keep.
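The "ID ~= username, secret ~= password" analogy is close but not exact: the secret access key is never transmitted at all. The CLI and SDKs use it as an HMAC key to sign every request (AWS Signature Version 4), and only the key ID and the signature travel with the request. The block below, added here as an example and not AWS or botocore code, shows both sides: the client derives the signing key and builds the Authorization header, and a stand-in for the server looks the secret up by key ID, recomputes the signature and compares. The canonical request and dates are constructed; the key pair is the placeholder pair from the AWS documentation, not a live credential.

```python
"""Client-side SigV4 signing and server-side verification with an access key pair.
Added example, not AWS or botocore code."""
import hashlib
import hmac

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                          # sent in clear (~ username)
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # never sent (~ password)

# Constructed canonical request for GET https://iam.amazonaws.com/?Action=ListUsers
CANONICAL_REQUEST = "\n".join([
    "GET",                                                   # method
    "/",                                                     # canonical URI
    "Action=ListUsers&Version=2010-05-08",                   # canonical query string
    "host:iam.amazonaws.com\nx-amz-date:20150830T123600Z\n", # canonical headers
    "host;x-amz-date",                                       # signed headers
    hashlib.sha256(b"").hexdigest(),                         # hash of the (empty) body
])
AMZ_DATE = "20150830T123600Z"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 chain: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(key_id, secret, amz_date, region, service, canonical_request,
                 signed_headers="host;x-amz-date"):
    """Build the Authorization header value the client sends."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(derive_signing_key(secret, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


# Server side (stand-in for AWS): secrets are looked up by key ID, never received.
KEY_STORE = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}
PREFIX = "AWS4-HMAC-SHA256 "


def verify_request(authorization, amz_date, canonical_request, key_store=KEY_STORE):
    """Recompute the signature from the stored secret; reject unknown keys or tampering."""
    try:
        if not authorization.startswith(PREFIX):
            return False
        fields = dict(part.strip().split("=", 1)
                      for part in authorization[len(PREFIX):].split(","))
        key_id, date_stamp, region, service, _ = fields["Credential"].split("/")
    except (KeyError, ValueError):
        return False
    secret = key_store.get(key_id)
    if secret is None or date_stamp != amz_date[:8]:
        return False  # deactivated/deleted key, or credential scope does not match the request
    expected = sign_request(key_id, secret, amz_date, region, service,
                            canonical_request, fields["SignedHeaders"])
    return hmac.compare_digest(expected, authorization)


if __name__ == "__main__":
    header = sign_request(ACCESS_KEY_ID, SECRET_ACCESS_KEY, AMZ_DATE, "us-east-1", "iam", CANONICAL_REQUEST)
    print(header)
    print("valid:", verify_request(header, AMZ_DATE, CANONICAL_REQUEST))
    tampered = CANONICAL_REQUEST.replace("ListUsers", "CreateUser")
    print("tampered:", verify_request(header, AMZ_DATE, tampered))
```

Two consequences follow from this design: deactivating or deleting a key ID makes every request signed with it fail immediately (the lookup fails), and because the signature covers the canonical request, a captured request cannot be replayed as a different action.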
AWS CLI
A tool that lets you interact with AWS services using commands in your command-line shell. It is an alternative to the AWS Management Console.
AWS SDK
The AWS Software Development Kit (SDK).
• Provides language-specific APIs (sets of libraries).
• Lets you access and manage AWS services programmatically.
• Is embedded within your application.
• Available for JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js and C++, plus mobile SDKs (Android, iOS, ...) and IoT device SDKs (Embedded C, Arduino, ...).
• Example: the AWS CLI itself is built on the AWS SDK for Python.
IAM Security Tools
• IAM Credentials Report (account-level): a CSV report listing all of the account's users and the status of their credentials (password, access keys, MFA, signing certificates). Use it to find users without MFA and keys that are old or unused.
• IAM Access Advisor (per user, group, role or policy): shows the service permissions granted to an identity and when each service was last accessed. Use this information to remove permissions that are never used.
SUMMARY
• Users: mapped to a physical user (or an application); has a password for the AWS console and/or access keys
• Groups: contain users only
• Policies: JSON documents that define permissions for users, groups or roles
• Roles: for EC2 instances, other AWS services, and cross-account or federated access
• Security: MFA + password policy
• AWS CLI: manage your AWS services from the command line
• AWS SDK: manage your AWS services from a programming language
• Audit: IAM Credential Report & IAM Access Advisor