Identity and Access Management
What is IAM?
AWS Identity and Access Management (IAM) enables us to manage access to AWS services and resources securely. Using IAM, we can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
Why is IAM used?
The purpose of AWS IAM is to help AWS admins manage AWS user identities and their varying levels of access to AWS resources. For example, we can create multiple AWS users and give each of them individual security credentials for accessing AWS resources. In doing so, organizations gain granular control over who has permission to access their AWS resources.
IAM allows you to manage users and their level of access to the AWS Console. Its key features are as follows:
- Centralized control of your AWS account
- Shared Access to your AWS account
- Granular Permissions
- Identity Federation (including Active Directory, Facebook, etc.)
- Multifactor Authentication
- Provide temporary access for users/devices and services where necessary
- Allows you to set up your own password rotation policy
- Integrates with many different AWS services
- Supports PCI DSS Compliance
What Is the Key Terminology for IAM?
1. Users: end users such as people, employees of an organization, etc.
2. Groups: a collection of users. Each user in the group gets the permissions of the group.
3. Policies: policies are made up of documents, called policy documents. These documents are written in JSON and they specify what a user, group or role is permitted to do.
4. Roles: you create roles and then assign them to AWS resources.
Let’s do a hands-on IAM lab. After the practice, we will go through the theory of IAM.
Step 1: Log in to the AWS Console and navigate to the IAM service.
Here we can see the IAM user sign-in link. If you want to change it, click the Customize link and follow the steps.
After this, the URL is changed.
Step 2: Next, activate MFA on your root account. Click on Manage MFA. After that click, we get another page:
Click on “Continue to Security Credentials”. Now activate MFA.
Select Virtual MFA device and continue.
If you forget your credentials, then you can use the QR code to reset them.
Enter the details as per the QR code:
And click on Assign MFA.
Now it is successfully assigned.
Step 3: Navigate to the home page and check the security status:
The “Activate MFA on your account” item is now complete. So far two of the security status items are green. Now we will try to complete the third.
Now click on Create individual IAM users and create a user:
Enter the username, tick the checkbox and proceed to the next step, permissions.
Step 4: Create a group: provide a group name and select AdministratorAccess. Click on Create Group.
Group is created.
Step 5: Click on Next and the user is created.
Here we can find the Access Key ID and Secret Access Key; please download the CSV file. Now we can see the IAM status:
Now four security status items are green. We will try to complete the last one.
Navigate to Policies and view AdministratorAccess:
Step 6: Now navigate to Apply an IAM password policy and click on Manage Password Policy.
And select the conditions as per your business need:
Apply the password policy.
And navigate to the Dashboard:
We can see that all 5 conditions are completed. Now the security status is green.
If we open the CSV file, we can see the password and other details.
Now we have seen IAM users and groups. We also have roles. Let’s create a role.
Navigate to the Roles section and click on Create Role.
Select any policy name, for example an S3-related policy.
Role is created.
In this way we can create IAM users and groups and assign permissions.
- IAM is universal: it does not apply to regions currently.
- The “root account” is simply the account created when we first set up our AWS account. It has complete admin access.
- New users have NO permissions when first created.
- New users are assigned an Access Key ID and Secret Access Key when first created. These are not the same as a password. We cannot use the Access Key ID and Secret Access Key to log in to the console; we use them to access AWS via the APIs and the command line. We only get to view them once. If we lose them, we must regenerate them, so we should keep them in a secure location.
- It is always recommended to set up Multifactor Authentication on our root account.
- We can create and customize our own password rotation policies.
How Does IAM Work?
IAM works according to the process below:
- We have entities such as a user, a role or an application that can perform actions on an AWS resource.
- To perform an action on a resource, the entity must first be authenticated, i.e. recognized by AWS.
- For authentication, the entity must present its credentials or keys.
- Then a request is sent to AWS specifying the action and the resource it applies to.
- Authorization: by default, all requests are denied. IAM authorizes a request only if all parts of the request are allowed by a matching policy. After authenticating and authorizing the request, AWS approves the action.
- Actions are used to view, create, edit or delete a resource.
- Resources: a set of actions can be performed on a resource belonging to your AWS account.
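The authorization rule above (everything denied by default, allowed only by a matching policy statement, and an explicit Deny winning over any Allow) and the JSON policy documents introduced under Key Terminology can be seen working in a small evaluator. This is an added example, not code from the page or from AWS: the two policy documents are constructed samples, ADMIN_POLICY merely has the shape of the AdministratorAccess policy chosen in Step 4, and evaluate() deliberately omits NotAction, NotResource, Principal and Condition handling.

```python
import fnmatch
import json

# Constructed sample policies (not from the page). ADMIN_POLICY has the shape of the
# AdministratorAccess managed policy; BUCKET_POLICY allows listing and reading one
# bucket but explicitly denies deleting objects in it.
ADMIN_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:Get*"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
   {"Effect": "Deny", "Action": "s3:Delete*",
    "Resource": "arn:aws:s3:::example-bucket/*"}
 ]}
""")

def _as_list(value):
    # A policy element may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # Action and Resource accept '*' and '?' wildcards. Action names are matched
    # case-insensitively, resource ARNs case-sensitively.
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Decide one request the way the page describes IAM authorization: denied by
    default, allowed only if a matching Allow statement exists, and an explicit Deny
    overrides any Allow. (NotAction, NotResource, Principal and Condition are omitted.)"""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not (_matches(_as_list(stmt["Action"]), action, fold_case=True)
                and _matches(_as_list(stmt["Resource"]), resource, fold_case=False)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # an explicit Deny wins immediately
        allowed = True         # remember the Allow but keep looking for a Deny
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(act, evaluate(ADMIN_POLICY, act, obj), evaluate(BUCKET_POLICY, act, obj))
```

Running it shows why the lab's AdministratorAccess group is a convenience rather than a least-privilege setup: every action on every resource comes back Allow, whereas the scoped policy returns Deny for anything it does not name.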
What is an AWS IAM role?
An IAM role is a set of permissions that define what actions an entity is allowed or denied in the AWS console. Role permissions are granted through temporary credentials.
Q: How do I get started with IAM?
We must subscribe to at least one of the AWS services that is integrated with IAM. Then we can create and manage users, groups and permissions via the IAM APIs or the AWS CLI. We can also use the visual editor to create policies.
Q: What problems does IAM solve?
IAM makes it easy to provide multiple users secure access to your AWS resources. IAM enables you to:
Manage IAM users and their access: You can create users in AWS’s identity management system, assign users individual security credentials (such as access keys, passwords, multi-factor authentication devices), or request temporary security credentials to provide users access to AWS services and resources. You can specify permissions to control which operations a user can perform.
Q: Who can use IAM?
Any AWS customer can use IAM. This service is offered at no additional charge. You will be charged only for the use of other AWS services by your users.
Q: What is a user?
A user is a unique identity recognized by AWS services and applications. Like a login user in an operating system like Windows, a user has a unique name and can identify itself using familiar security credentials such as a password or access key. A user can be an individual, system, or application requiring access to AWS services.
Q: What can a user do?
A user can send requests to web services such as Amazon S3. A user’s ability to access web service APIs is under the control and responsibility of the AWS account under which it is defined. You can permit a user to access any or all of the services that have been integrated with IAM. In addition, if the AWS account has access to resources from a different AWS account, its users may be able to access data under those AWS accounts.
Q: How do users call AWS services?
Users can make requests to AWS services using security credentials.