What is IAM?
- AWS Identity and Access Management (IAM) enables us to manage access to AWS services and resources securely.
- Using IAM, we can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
As an added layer of security for AWS management, what should you do?
Ans:- Stop using the root account for day-to-day work: create individual IAM users with least-privilege policies, and enable MFA on the root account and on every user that has console access.
Your team is planning on using the AWS IoT Rules service to allow IoT-enabled devices to write information to DynamoDB. What action must be done to ensure that the rules will work as intended?
Ans:- Create an IAM role that the IoT rule assumes, and attach a policy granting it the required DynamoDB permissions (for example dynamodb:PutItem on the target table).
IAM user – An IAM user is an identity within your AWS account that has specific custom permissions (for example, permission to create a table in DynamoDB).
What are IAM components?
Ans:- Users, Roles, Policies and Groups
I have created one EC2 instance and it does not have the permissions to perform the API call PutObject on S3. What should I do?
Ans:- I should ask an admin to attach a policy to the IAM role on my EC2 instance that allows the s3:PutObject action on the target bucket. Do not work around it by placing a user's access keys on the instance; the role is the correct source of credentials.
Are IAM users defined on a per-region basis?
Ans:- No. IAM is a global service; a user exists once for the whole account and is the same in every region.
Your team lead wants to test whether my EC2 machine is able to perform the termination of EC2 instances. There is an IAM role attached to my EC2 instance. What should I do?
Ans:- Use the IAM Policy Simulator, or run the call with the --dry-run CLI option (aws ec2 terminate-instances --dry-run ...), which checks the permission without actually terminating anything: a DryRunOperation error means the call would be allowed, an UnauthorizedOperation error means it would not.
John is an AWS solutions architect at Medium Corp and one person has recently joined his team. He needs to give access to the new joiner so that he can manage the AWS infrastructure along with John. How will John give him access?
Ans:- Create a new IAM user for the new joiner (adding him to the appropriate group) and hand over that user's own sign-in credentials, with a password change required at first login. John must never share his own credentials or the root account.
Can an EC2 instance retrieve the IAM role policy JSON document that is attached to it using the CLI without any role attached?
Ans:- No. Without a role the instance has no credentials at all, so it cannot call any IAM API. Even with a role attached, the instance metadata service only hands out temporary credentials for the role; reading the policy document itself requires the role to be allowed iam:GetRolePolicy (inline policies) or iam:GetPolicyVersion (managed policies).
As a solution architect, what will you do to keep the system secure with respect to users, so that our engineers do not have to reinvent permissions every time a new person joins?
Ans:- I'll create IAM groups, attach the policies to the groups, and add each new user to the right group. Permissions are then maintained once per group instead of once per user.
Can an IAM user belong to multiple groups?
Ans:- Yes. A user can be a member of several groups at once (the default quota is 10 groups per user) and receives the permissions of all of them.
Why is IAM used?
- The purpose of AWS IAM is to help AWS admins manage user identities and their varying levels of access to AWS resources. For example, we can create multiple AWS users and give each of them individual security credentials to reach the resources they need.
- Doing so, organizations gain granular control over who has permission to access their AWS resources.
- IAM allows you to manage users and their level of access to the AWS Console and APIs. Its key features are as below:
- Centralized control of your AWS account
- Shared Access to your AWS account
- Granular Permissions
- Identity Federation (including Active Directory, Facebook etc)
- Multifactor Authentication
- Provide temporary access for users/devices and services where necessary
- Allows you to set up your own password rotation policy
- Integrates with many different AWS services
- Supports PCI DSS Compliance
What is the Key Terminology For IAM?
- Users: End Users such as people, employees of an organization etc.
- Groups: A collection of users. Each user in the group will get the permissions of the group.
- Policies: Policies are JSON documents (policy documents) that state which actions a User/Group/Role may, or may not, perform on which resources.
- Roles: An IAM role is an identity with its own policies but no long-term credentials. It is assumed by an AWS service (for example an EC2 instance), by a user, or by a federated identity, which then receives temporary credentials for the role.
How will you create an IAM role and perform its actions?
- Step 1: Log in to the AWS Console and navigate to the IAM service.
- The dashboard shows the IAM user sign-in link. To change it, click Customize and enter an account alias; the sign-in URL is then changed accordingly.
- Step 2: Activate MFA on your root account. Click Manage MFA, then "Continue to Security Credentials", and Activate MFA.
- Select Virtual MFA device and continue.
- Scan the QR code with the authenticator app. Keep the QR code or its secret key in a safe place: it is what you need to re-enroll the virtual device if the phone is lost.
- Enter two consecutive codes from the app and click Assign MFA. MFA is now successfully assigned.
- Step 3: Navigate to the dashboard and check the security status. "Activate MFA on your account" is now complete, so two of the five security status items are done. Now we will try to get the third.
- Click "Create individual IAM users" and create a user: enter the username, tick the access type checkbox(es) (programmatic and/or console access) and go to the permissions step.
- Step 4: Create a group: provide a group name, select the AdministratorAccess policy and click Create Group. The group is created. (For anyone who is not an administrator, attach a narrower policy instead.)
- Step 5: Click Next and the user is created.
- Here we can see the Access Key ID and Secret Access Key; download the CSV file now, because the secret is shown only once. The IAM dashboard now shows four security status items in green; we will try to get the last one.
- Navigate to Policies and look at AdministratorAccess: it allows every action on every resource.
- Step 6: Navigate to "Apply an IAM password policy" and click Manage Password Policy.
- Select conditions (minimum length, required character classes, expiry, reuse prevention) as per your business need and apply the password policy.
- Back on the dashboard, all five conditions are completed and the security status is green.
- If we open the CSV file, we can see the password and other details.
- Now we have seen users and groups. Let's create a role.
- Navigate to the Roles section and click Create Role. Choose the trusted entity (for example EC2) and attach a policy, for example an S3-related policy.
- The role is created.
- In this way we can create IAM users, groups and roles, and assign permissions.
Do we use IAM only for one region?
- IAM is a global service. Users, groups, roles and policies are not tied to any region; they apply to the whole account.
- The "root account" is the identity created when the AWS account is first set up. It has complete admin access and cannot be restricted by IAM policies, so it should be used only for the few tasks that require it.
- New users have NO permissions when first created (everything is implicitly denied).
- A new user can be issued an Access Key ID and Secret Access Key. These are not the same as a password: they cannot be used to log in to the console, only to access AWS via the APIs and the command line. The secret is shown only once; if it is lost, a new key pair must be generated and the old one deactivated. Keep them in a secure location and never put them in source code.
- It is recommended always to set up multifactor authentication on the root account.
- We can define and customize a password policy, including rotation (expiry) rules.
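As an added example (not part of the original notes), the following script checks the points above, MFA on every identity that can sign in to the console, no access keys on the root user, and access keys rotated within 90 days, against an IAM credential report. The CSV layout follows the report returned by `aws iam get-credential-report` (a subset of its columns is used); the rows are constructed sample data for a fictitious account, and the 90-day threshold and the as-of date are assumptions.

```python
"""Audit IAM credential hygiene from a credential report (added example).

Checks the points from the notes: MFA on every identity that can sign in to
the console (root included), no access keys on the root user, and access keys
rotated within MAX_KEY_AGE_DAYS. The CSV layout follows the report returned by
`aws iam get-credential-report` (a subset of its columns); the rows are
constructed sample data for a fictitious account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90                                # assumption: common rotation policy
NOW = datetime(2024, 5, 21, tzinfo=timezone.utc)     # assumed as-of date for the sample

# Constructed sample report: root with an old key and no MFA, a console user
# in good shape, and a CI service user whose key was never rotated.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-01T08:12:00+00:00,false,true,2021-03-01T09:00:00+00:00,N/A,false,N/A,N/A
john,arn:aws:iam::123456789012:user/john,2022-01-10T10:00:00+00:00,true,2024-05-20T07:30:00+00:00,true,true,2024-04-15T10:00:00+00:00,2024-05-19T06:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-01T10:00:00+00:00,false,N/A,false,true,2022-06-01T10:00:00+00:00,2024-05-20T01:00:00+00:00,false,N/A,N/A
"""


def _parse_ts(value):
    """Timestamps are ISO 8601; N/A, not_supported and no_information mean none."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return {user: [finding, ...]} for every identity with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        issues = []
        # Root can always use the console, so it needs MFA even though its
        # password_enabled column reads 'not_supported'.
        console_login = is_root or row["password_enabled"] == "true"
        if console_login and row["mfa_active"] != "true":
            issues.append("no MFA on console login")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                issues.append(f"root user has an active access key {slot}")
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                issues.append(f"access key {slot} older than {max_key_age_days} days")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_REPORT).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Against a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text | base64 -d`, and pass the decoded text to `audit()`. Service users such as `ci-deploy` have no console password, so they are not flagged for missing MFA, only for stale keys.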
How Does IAM Work?
IAM processes a request as per the steps below:
- Principal: a user, a role, or an application acting as one of them, that wants to perform an action on an AWS resource.
- Authentication: the principal signs the request with its credentials (a console password, an access key pair, or the temporary credentials obtained from a role) so that AWS can establish who is making the request.
- Request: the signed request specifies the action, the resource it applies to, and context such as the source IP address and time.
- Authorization: every request is implicitly denied by default. IAM allows the request only if a matching policy statement explicitly allows every part of it, and an explicit Deny in any applicable policy overrides any Allow. After authenticating and authorizing the request, AWS carries out the action.
- Actions: the operations used to view, create, edit or delete a resource, named as service:Operation (for example s3:PutObject).
- Resources: the objects in your AWS account (buckets, tables, instances, and so on), identified by ARNs, on which a set of actions can be performed.
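The authorization rules above (implicit deny, explicit Allow, explicit Deny wins, `*` wildcards in Action and Resource) as a small policy evaluator, added here as an example and not AWS code. It also works through two of the earlier questions: the EC2 instance role that lacks s3:PutObject until an extra policy is attached, and checking whether an instance role permits ec2:TerminateInstances (a local stand-in for the Policy Simulator, not the real service). The policy documents, the bucket name `app-uploads` and the account ID are constructed; Condition, NotAction, principals, resource-based policies, permission boundaries and SCPs are out of scope.

```python
"""Minimal model of IAM identity-policy evaluation (added example, not AWS code).

Rules implemented, as described in the notes:
  * every request is implicitly denied;
  * an explicit Allow whose Action and Resource match permits the request;
  * an explicit Deny overrides any Allow.
'*' and '?' wildcards in Action and Resource behave as in IAM.
Out of scope (assumption): Condition, NotAction/NotResource, principals,
resource-based policies, permission boundaries and SCPs.
"""
import fnmatch
import json


def _as_list(value):
    """Policy elements may be a single string/dict or a list of them."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource elements cover the request."""
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource", "*"))
    # Action names are case-insensitive in IAM; resource ARNs are not.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
    resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in resources)
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against identity-based policies.

    `policies` is the list of policy documents (parsed JSON) attached to the
    principal directly, via its groups, or via the role it has assumed.
    """
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"                 # explicit deny wins, whatever else allows
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"     # no matching Allow -> implicit deny


# --- constructed sample policies (not AWS managed policies) ------------------

# Policy already on the EC2 instance role: read-only EC2 describe calls.
EC2_READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]
}""")

# Policy an admin would attach so the instance can upload to one bucket,
# while an explicit Deny keeps it out of the bucket's secrets/ prefix.
S3_UPLOAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-uploads/secrets/*"}
  ]
}""")

INSTANCE_ROLE_BEFORE = [EC2_READ_ONLY]
INSTANCE_ROLE_AFTER = [EC2_READ_ONLY, S3_UPLOAD]


def can_terminate(policies, instance_arn):
    """Local stand-in for the Policy Simulator / --dry-run check."""
    return evaluate(policies, "ec2:TerminateInstances", instance_arn) == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-uploads/report.csv"
    secret = "arn:aws:s3:::app-uploads/secrets/key.pem"
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc12345def67890"
    print("PutObject before fix:", evaluate(INSTANCE_ROLE_BEFORE, "s3:PutObject", obj))
    print("PutObject after fix: ", evaluate(INSTANCE_ROLE_AFTER, "s3:PutObject", obj))
    print("PutObject to secrets:", evaluate(INSTANCE_ROLE_AFTER, "s3:PutObject", secret))
    print("Can terminate?      ", can_terminate(INSTANCE_ROLE_AFTER, inst))
```

Note that the Deny statement returns immediately even though the Allow statement before it also matched: that is the "explicit deny overrides" rule, and it is why a blanket Deny on a sensitive prefix is a safe guard rail regardless of what other policies grant. The read-only policy never mentions TerminateInstances, so that request falls through to the implicit deny, which is exactly what the real Policy Simulator or a `--dry-run` call would report for this role.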