AWS IAM:
AWS IAM (Identity and Access Management) lets you control access to AWS resources securely. It is the set of policies that ensures the right users have the permissions they need to access AWS resources.
With AWS IAM, you specify who or what can access which resources and services on AWS.
Basically, AWS IAM sets out who can access what resources on AWS.
IAM is the one central place from which you manage all permissions and control access to the AWS cloud platform.
AWS IAM Users and Groups:
On AWS, the root account, created by default, shouldn't be used for day-to-day work or shared. Users are the people in an organization, and they can be grouped. We can create user groups such as Developers, Operations, etc.
Groups only contain users, not other groups. A user doesn't have to belong to a group, and a user can be a member of multiple groups.
Users and groups can be assigned JSON documents called policies, e.g. (the "Version" field is the policy language version, "2012-10-17", not the date the policy was written):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "Second",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "Third",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
These policies define the permissions of the user. In AWS, you apply the least privilege principle, i.e. don't give a user more permissions than the user needs. Create only the required permissions and assign them to that user.
IAM Policy Structure:
Effect: Allow or Deny.
Action: what kind of action is allowed or denied.
Resource: target resource, written as an ARN (Amazon Resource Name).
Condition: optional circumstances under which the statement applies (e.g. the aws:MultiFactorAuthPresent check in the policy above, which only grants the access when the request was made with MFA).
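To make the structure concrete, here is an added example (not code from the page's author, and not AWS's own evaluator) that decides a request against the sample policy above the way IAM's core rules do: Action and Resource are matched with "*" wildcards, the Condition block is checked against the request context, an explicit Deny beats any Allow, and a request that no statement matches is implicitly denied. The DENY_DELETE_POLICY, the object ARNs and the context values are constructed for the example; only the Bool and StringEquals condition operators are modelled, and anything else raises rather than silently matching.

```python
import fnmatch

# The page's sample policy, embedded here as the input.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "First", "Effect": "Allow",
         "Action": ["iam:ChangePassword"], "Resource": "*"},
        {"Sid": "Second", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "Third", "Effect": "Allow",
         "Action": ["s3:List*", "s3:Get*"],
         "Resource": ["arn:aws:s3:::confidential-data",
                      "arn:aws:s3:::confidential-data/*"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Constructed policy (not from the page) showing that an explicit Deny beats an Allow.
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::confidential-data/*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """IAM wildcard match: '*' matches any run of characters, '?' one character.
    Action names are case-insensitive; resource ARNs are compared as written."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_met(condition, context):
    """Evaluate the Condition block against the request context keys.
    Only the operators this example needs are modelled; any other operator raises
    instead of matching, so an unknown operator can never widen access."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # a missing key fails the condition
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator!r} not modelled")
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one request against all attached identity policies.
    Returns 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (no statement matched):
    an explicit Deny anywhere wins, and the default is to deny."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(p, action, True) for p in _as_list(stmt["Action"])):
                continue
            if not any(_matches(p, resource, False) for p in _as_list(stmt["Resource"])):
                continue
            if "Condition" in stmt and not _condition_met(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::confidential-data/report.csv"
    print(evaluate([SAMPLE_POLICY], "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "true"}))
    print(evaluate([SAMPLE_POLICY], "s3:GetObject", obj))  # no MFA in the context
    print(evaluate([DENY_DELETE_POLICY], "s3:DeleteObject", obj))
```

The point worth noticing is the second call: the same user, action and object are denied simply because the request context lacks the MFA key, which is exactly what the Condition block is for. Real IAM also folds in resource-based policies, permission boundaries and SCPs, none of which this example models.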
AWS IAM BEST PRACTICES
- Lock away the access keys of the root user and do not use them unnecessarily.
- Use IAM groups to assign permissions to IAM users.
- Always apply least privilege to users and groups.
- Instead of creating new policies, use the existing ones provided by AWS.
- Use customer managed policies, not inline policies.
- Use access levels to manage IAM permissions.
- Set a strong password policy for your users.
- Enable MFA (Multi-Factor Authentication).
- Use IAM roles for applications running on EC2 instances.
- Don't share access keys with others.
- Change or update authentication information on a regular basis.
- Always monitor the activity of your AWS account.
- Use IAM Access Analyzer to generate least-access policies.
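Several of these practices (root keys locked away, MFA enabled, credentials rotated, activity monitored) can be checked mechanically from the account's credential report, the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns. The following is an added example, not the page's or AWS's code: it audits a constructed report that uses a subset of the real report's columns (the account id, user names and dates are made up), and the `audit_sample` helper pins "now" so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed report (subset of the IAM credential report columns); not real account data.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-04-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2022-06-01T00:00:00+00:00,false,N/A
carol,arn:aws:iam::123456789012:user/carol,false,false,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"  # how the credential report names the root account


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs for three of the best practices above:
    root must hold no access keys, console users (and root) must have MFA,
    and every active access key must have been rotated within max_key_age_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        # API-only users (password_enabled false) are not flagged for MFA here;
        # root always is, because root console login is always possible.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "NO_MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive or absent key; its date fields read N/A
            if is_root:
                findings.append((user, "ROOT_ACCESS_KEY"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if (now - rotated).days > max_key_age_days:
                findings.append((user, "STALE_ACCESS_KEY"))
    return findings


def audit_sample(now_iso="2024-06-01T00:00:00+00:00", max_key_age_days=90):
    """Run the audit over the constructed report at a fixed point in time."""
    return audit_credential_report(SAMPLE_REPORT, datetime.fromisoformat(now_iso), max_key_age_days)


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(f"{user}: {finding}")
```

Note the edge case carol illustrates: an API-only user with no console password is not an MFA finding, whereas root is flagged even though its password_enabled column reads not_supported. The 90-day rotation threshold is a parameter rather than a constant because it is a policy decision, not something AWS mandates.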
IAM is used for user management in AWS. By default, the only account is the root account. IAM policies are applied to IAM users and roles to give them permissions to use AWS resources.
Key Features of AWS IAM at a Glance
- User Management
IAM allows you to easily create and manage users, assign them unique access credentials (including access keys and secret access keys) for AWS resources, and specify which actions these users can perform on those resources.
- Group Management
IAM allows you to easily create and manage groups, assign policies that determine what actions members of these groups can perform on AWS resources, and maintain group membership without impacting individual user accounts.
- Role Management
IAM allows you to define and administer roles, which specify permissions for specific job functions. These roles may be assumed by users, applications or AWS services in order to gain access to AWS resources.
- Policy Management
IAM allows you to easily create and administer policies, which outline permissions for users, groups, and roles. Policies can then be attached to individual users so you can control what actions they can perform on AWS resources.
Q. What is AWS IAM used for?
AWS IAM is used to manage and control the resources securely.
Q. Can AWS IAM be used to manage access to resources outside of AWS?
No. AWS IAM can only be used to manage access to AWS resources.
Q. Can IAM be used to control access to individual files or objects within a resource?
No. IAM can only be used to manage access for entire AWS resources such as an S3 bucket or an EC2 instance.
Q. Is AWS IAM free?
AWS IAM is available as a free service.