Skip to main content

Amazon Web Services

AWS Identity and Access Management (IAM) Fundamentals

Abstract colorful grid surrounded by glowing particles

AWS Identity and Access Management (IAM) provides safe access control techniques for all of your AWS services. The core of AWS security is AWS IAM since it gives you the ability to manage access by setting up multi-factor authentication for greater security, creating users and groups, giving specific permissions and policies to desired users, and so much more. The icing on the cake is that IAM is free to use!

Let’s get going!

 

AWS IAM Explained:

One of the Major Challenges to adopting the cloud is Security. Given the scrutiny and media attention that major Cloud platforms are receiving, it is commendable that AWS IAM takes such a meticulous approach to granting rights and controlling access to your environments. IAM enables you to manage Who can access your resources (authentication) and How (authorization). Because of this, AWS may be used to build incredibly secure environments.

There are many kinds of security services available, however AWS frequently uses certain of them, including:

  • IAM
  • Key Management System (KMS)
  • Cognito
  • Web Access Firewall (WAF)

 

The Key Features of AWS IAM

IAM should be viewed as the initial step in Safeguarding all your AWS Resources and Services. Let’s examine some of the primary characteristics:

Authentication:

AWS IAM enables you to issue and activate authentication for resources, people, services, and apps within your AWS account. It also allows you to create and manage identities, such as users, groups, and roles.

Permissions:

If the developer team needs full access to the EC2 service and the marketing team needs access to certain S3 buckets. You can set up and fine-tune these permissions using IAM in accordance with the requirements of your users.

Authorization:

IAM’s access management or authorization is made up of two main parts: permissions and policies.

Shared access to AWS accounts:

Most businesses have multiple AWS accounts and sharing access between them is occasionally necessary. You can accomplish this without disclosing your login information using IAM.

Identity Federation:

Your company may frequently have to federate access from different identity providers like Okta, G Suite, or Active Directory. You may achieve this thanks to IAM’s Identity Federation capability.

 

IAM Authentication

The following identities are used for authentication or identity management in AWS IAM:

Users: IAM users are those who require access to your AWS resources or services, either through the AWS Console or the AWS CLI.

Groups: IAM groups are collections of users with rights attached to them. By classifying users according to their job function/role, department, or any other necessity, groups offer an easy approach to manage permissions for users with comparable demands. Then, the group may be used to handle all those users’ permissions at once.

Roles: IAM roles are entities within AWS that provide the permissions that a role may exercise and the types of entities that may assume that role. A role can be used by any resource that it allows authorization to, rather than being directly associated with a specific person or service. Roles enable you to provide users, services, and applications outside of your company access to multiple accounts for your AWS resources.

 

IAM Authorization

In IAM, Policies that give Permissions govern authorization or access management.

Permissions: A policy must be added to a newly established user or group to grant it the permissions necessary to perform operations on AWS resources.

To any AWS identities, you can provide permissions (users, groups, and roles). Assigning permissions can be done in one of Two Ways:

Identity-Based: Policies that are affixed to specific individuals, groups, or positions

Resource-Based: Rules that are connected to AWS resources like S3 buckets, ECR repositories, and more

 

 

Drafting New Policies:

Manage IAM Permissions: This page provides quick links to assist you in assigning and managing IAM permission.

Actions, Resources, and Condition Keys for AWS Services: Keys for actions, resources, and circumstances A complete list of all activities that may be performed on different AWS services. To learn more, you can click here.

Policy Simulator on AWS: Create access simulations to verify that freshly defined policies are functional from beginning to end. To learn more, you can click here.

In general, rules should adhere to the concept of least privilege.

Policies can be rather Detailed for instance, have a look at the following code block:

{

  "Statement": [

    {

      "Action": [

        "iam:ChangePassword",

        "iam:CreateLoginProfile",

        "iam:DeleteLoginProfile",

        "iam:GetLoginProfile",

        "iam:GetUser",

        "iam:UpdateLoginProfile"

      ],

      "Effect": "Allow",

      "Resource": "*",

      "Sid": "AllowManageOwnPasswords"

    }

  ],

  "Version": "2012-10-17"

}

 

Using IAM, set up a password policy for your AWS Account

We’ll assist you in setting up your AWS account password policy in this section.

  1. Click on “Account settings” in the AWS IAM console, as shown here:

 

  1. Next, select the button labelled “Set password policy”.

 

  1. You can now Create Your Password Policy by specifying a set of guidelines and choosing the minimum level of complexity for a password that an IAM user may create. The following illustration satisfies the criteria advised by the Centre for Internet Security (CIS):

Conclusion:

IAM is the most important of all the security measures established by AWS, the largest cloud platform and provider, to improve security. AWS created the Shared Duty Model to establish and divide the responsibility for security and compliance between customers and AWS.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Sanket Dudhe

Sanket Dudhe is a Technical Consultant at Perficient. He has an experience of 4+ years as SDET. He loves technology and hence is curious to learn about new emerging technologies #lovefortechnology.

More from this Author

Follow Us