Understanding AWS Identity and Access Management (IAM): A Comprehensive Guide"

Understanding AWS Identity and Access Management (IAM): A Comprehensive Guide"

Learn how to manage access to AWS services and how to manage access to AWS services and resources securely with IAM and best practices for IAM in AWS.

What is IAM (Identity Access Management)?

AWS IAM is a web service that allows you to securely manage access to AWS resources. With IAM, you can create and manage AWS users and groups, and assign permissions to them to access your AWS resources. IAM also enables you to set up permissions boundaries and easily grant or revoke access to your AWS resources as needed.

Let's understand IAM with a real-time example

Let's say you are an organization that uses AWS to host your website and application. You have multiple teams working on different aspects of the website and application, such as the front-end team, the back-end team, and the DevOps team. Each team has specific tasks that they need to perform on the AWS resources, such as launching EC2 instances, creating S3 buckets, and managing CloudFront distributions.

With IAM, you can create IAM users for each team and permit them to access only the AWS resources they need for their specific tasks.

For example, you can create an IAM user for the front-end team and permit them to access only the S3 bucket that contains the static files for the website.

Similarly, you can create an IAM user for the back-end team and permit them to access only the EC2 instances that run the application servers.

You can also create IAM groups to manage permissions for multiple users at once. For example, you can create an IAM group for the DevOps team and permit them to manage all the AWS resources related to deployment and infrastructure.

Overall, IAM allows you to manage access to your AWS resources securely, by ensuring that only authorized users and groups have access to your resources and that they have access only to the resources they need to perform their specific tasks.

What are the limitations of IAM?

  • The IAM user limit is 5000 per AWS account. You can add up to 10 users at one time.

  • You are also limited to 300 groups per AWS account.

  • The default limit of managed policies attached to an IAM role and IAM user is 10.

  • The IAM users can be a member of a maximum of 10 groups.

  • We can assign a maximum of two access keys to an IAM user.

What are the features of IAM?

1) Shared access to your AWS account:

You can grant other people permission to administer and use resources in your AWS account without having to share your access credentials.

2) Granular permission:

  • You can grant different permission to different people for different resources.

  • For instance, you can allow some users complete access to EC2, S3, Dynamo DB, and Redshift while for others, you can allow read-only access to just some S3 buckets, or permission to administer just some EC2 instances or to access your billing information but nothing else.

3) Multifactor Authentication (MFA):

You can add two-factor authentication to your account and individual users for extra security. You can use physical hardware or virtual MFA (e.g.: Google Authenticator).

4) Secure access to AWS resources for applications that run on Amazon EC2:

You can use IAM features to securely give applications that run on EC2 instances the credentials that they need to access other AWS resources. For example, include S3 buckets and RDS or Dynamo DB databases.

5) Identity federation:

You can allow users who already have passwords elsewhere. E.g.: in your corporate network with an internet identity provider get temporary access to your AWS account.

6) Identity information for assurance:

If you use AWS Cloud Trail, you receive log records that include information about those who made requests for resources in your account. That information is based on IAM Identities.

7) PCI-DSS compliance:

IAM supports the processing, storage, and transmission of credit cards by a merchant or service provider, and has been validated as being compliant with payment card industries (PCI) data security standards (DSS).

8) Eventually consistent:

  • If a request to change some data is successful, the change is committed and safely stored. However, the change must be replicated across IAM which could take some time.

  • IAM achieves high availability by replicating data across multiple servers within AWS data center around the world.

NOTE: - IAM service is free to use

AWS IAM is a feature of the AWS account offered at no additional charge. You will be charged only for the use of other AWS products by your IAM users.


Let's start with IAM

First login as a root user in your AWS account.

Click on Services

Then go to Security, Identity, and Compliance

Here you will see the IAM service click on that

Then the screen looks like below

Let's get some understanding of User groups, Users, Roles, and Policies that are in Access management.

User's groups: -

In AWS Identity and Access Management (IAM), user groups are a way to manage permissions for multiple users at once. Instead of assigning permissions to each user individually, you can create a group and assign permissions to the group. Users can then be added to the group, inheriting the permissions assigned to the group.

For example, if you have a team of developers who need access to your AWS resources, you can create a developer group and assign permissions to that group. Then, you can add all of your developers to the group, allowing them to access the resources they need without having to individually assign permissions to each one.

User groups in IAM can be managed using the AWS Management Console, AWS CLI, or AWS SDKs. You can create new groups, add or remove users from existing groups, and assign or revoke permissions from groups. This makes it easy to manage access to your AWS resources, especially as your organization grows and you have more users and resources to manage.

User's: -

In AWS Identity and Access Management (IAM), users have identities that represent individual people or applications that need access to AWS resources. Users can be assigned unique security credentials (such as a password or access key) and specific permissions to access the resources they need.

For example, if you have a developer named John who needs access to your AWS resources, you can create an IAM user for him and assign him specific permissions to access only the resources he needs for his job.

IAM users can also be organized into groups to simplify permission management. By assigning permissions to groups, you can grant permissions to multiple users at once, rather than having to assign permissions to each user individually.

IAM Roles: -

IAM Roles are a feature in AWS IAM that allows you to define a set of permissions that can be assumed by an entity, without the need for access keys or credentials. IAM Roles are used to granting permissions to AWS services, such as EC2 instances or Lambda functions, or to external accounts, such as those belonging to your partners or customers.

There are two types of IAM Roles: AWS-managed roles and customer-managed roles.

AWS-managed roles are predefined roles that provide specific sets of permissions for specific AWS services. For example, the AmazonEC2RoleforSSM managed role allows EC2 instances to execute commands against other instances using the AWS Systems Manager service.

Customer-managed roles, on the other hand, are roles that you create and manage yourself, and can be used to define custom sets of permissions for specific use cases. For example, you might create a customer-managed role that grants read-only access to a specific S3 bucket for a third-party application that needs to retrieve data from that bucket.

To create an IAM Role, you first define a set of permissions that you want the entity to have access to. This can be done using an IAM policy, which is a document that specifies the permissions and resources that the role can access.

Next, you create the role itself, which is simply a container for the permissions that you defined in the policy. You can assign one or more policies to the role, and you can also specify which entities are allowed to assume the role.

Finally, you can associate the role with the entity that needs to assume it, such as an EC2 instance or an external account. When the entity needs to access AWS resources, it can assume the role to obtain temporary security credentials that permit it to access those resources. These credentials are automatically rotated regularly to improve security.

Overall, IAM Roles are a powerful feature in AWS IAM that allows you to grant permissions to entities that you define in your account without the need for access keys or credentials, and provide an additional layer of security for accessing your AWS resources.

Policies: -

In AWS Identity and Access Management (IAM), policies are documents that define permissions and access control rules for AWS resources. Policies can be attached to IAM users, groups, or roles to grant or restrict access to AWS resources.

Policies can be either AWS-managed policies or customer-managed policies. AWS-managed policies are pre-defined policies that are created and maintained by AWS, while customer-managed policies are created and managed by the customer.

AWS-managed policies include policies that define permissions for specific AWS services, such as Amazon S3 or AWS Lambda, as well as policies that define common permissions scenarios, such as read-only access to resources or full administrative access to an AWS account.

Customer-managed policies are created and managed by the customer and can be used to define permissions that are specific to their needs. These policies can be created from scratch or based on existing AWS-managed policies.

Policies are written in JSON format and consist of a set of statements that define permissions, conditions, and resources. Each statement can specify the action, effect, resource, and condition elements, allowing you to define granular permissions and access control rules.

Overall, policies in IAM allow you to define fine-grained access control rules for your AWS resources, ensuring that only authorized users and services can access them.

What are the best practices for IAM?

  1. Create individual IAM users: Instead of sharing access keys and passwords among multiple users, create individual IAM users for each person who needs access to your AWS account. This helps you to enforce individual accountability and better control over who has access to your AWS resources.

  2. Grant least privilege access: Use the principle of least privilege to grant only the minimum permissions necessary to perform a specific task. This helps to reduce the risk of accidental or intentional access to sensitive resources.

  3. Use IAM Roles for EC2 instances: When possible, use IAM Roles for EC2 instances instead of storing access keys and secrets on the instances themselves. This helps to improve security by reducing the exposure of credentials and simplifying credential management.

  4. Rotate credentials regularly: Regularly rotate your access keys and secrets, as well as temporary security credentials obtained through IAM Roles. This helps to reduce the risk of unauthorized access and maintain control over who has access to your AWS resources.

  5. Enable CloudTrail logging for IAM activity: Enable AWS CloudTrail to log all API calls to your AWS account, including IAM activity. This helps you to track changes to your IAM policies and user activity and to detect potential security issues.

  6. Use Multi-Factor Authentication (MFA): Enable Multi-Factor Authentication (MFA) for your IAM users to provide an additional layer of security. MFA requires a second form of authentication, such as a mobile app or physical token, in addition to a password, to access AWS resources.

  7. Regularly review IAM permissions: Regularly review and audit your IAM policies and user permissions to ensure that they are still necessary and appropriate. This helps you to maintain control over who has access to your AWS resources and reduce the risk of unauthorized access.

By following these best practices, you can help to ensure the security and integrity of your AWS resources and maintain control over who has access to them.

IAM in AWS provides a wide range of use cases

  1. Delegating permissions to third-party users: With IAM, you can create and manage temporary credentials for third-party users, such as contractors or consultants, to access your AWS resources. You can set specific permissions and expiration dates for these temporary credentials to ensure that they have the access they need only for a limited period.

  2. Controlling access to resources for different teams: IAM allows you to create different groups and roles for different teams or departments within your organization, and to assign permissions to these groups and roles based on the specific needs of each team. This helps to ensure that users only have access to the resources they need to perform their job functions.

  3. Securing cross-account access: If you have multiple AWS accounts, you can use IAM to securely grant users in one account access to resources in another account. This allows you to control and monitor access to resources across multiple accounts and maintain a centralized view of user activity.

  4. Enforcing security policies: You can use IAM to enforce security policies, such as requiring Multi-Factor Authentication (MFA) or setting password policies for IAM users. This helps to ensure that users are following best practices for security and reduces the risk of unauthorized access.

  5. Federating access: IAM allows you to federate access to AWS resources using external identity providers, such as Microsoft Active Directory or Google. This allows users to sign in using their existing credentials and provides a more seamless and integrated experience across multiple systems.

  6. Managing access to specific resources: IAM allows you to create fine-grained permissions for specific AWS resources, such as S3 buckets or DynamoDB tables. This helps to ensure that users only have access to the specific resources they need to perform their job functions.

Conclusion

IAM plays a critical role in securing your AWS resources and managing user access to them. By following best practices such as creating individual IAM users, granting least privilege access, using IAM Roles for EC2 instances, rotating credentials regularly, and enabling CloudTrail logging for IAM activity, you can ensure that your AWS resources remain secure and protected.

IAM provides a wide range of use cases, such as delegating permissions to third-party users, controlling access to resources for different teams, securing cross-account access, enforcing security policies, federating access, and managing access to specific resources. By leveraging IAM in your AWS environment, you can achieve a more secure, efficient, and centralized management of your AWS resources.

In today's fast-paced and rapidly evolving digital landscape, it's more important than ever to prioritize security and safeguard your organization's sensitive data and resources. With IAM, you can take control of user access to your AWS environment and reduce the risk of unauthorized access, data breaches, and other security threats.

Summary

IAM is a vital component of any organization's security strategy when it comes to managing AWS resources. By implementing the best practices discussed in this blog and leveraging IAM's capabilities, you can ensure that your AWS resources remain secure and protected, giving you peace of mind and allowing you to focus on your core business objectives.