Day 3: Introduction to AWS Identity and Access Management (IAM) | #100DaysOfCode

Guransh DeolGuransh Deol
3 min read

Introduction: On Day 3 of my #100DaysOfCode challenge, I explored AWS Identity and Access Management (IAM), a core component of securing AWS resources. IAM provides fine-grained control over who can access and perform specific actions on AWS resources. This post will delve into IAM's basic concepts, users, groups, policies, and some essential security best practices.

What is IAM?

AWS Identity and Access Management (IAM) is a web service that allows you to manage access to your AWS account and its resources. It enables both authentication (verifying identities) and authorization (granting permissions). IAM eliminates the need to share your root account’s credentials by allowing you to create individual users or roles with specific permissions for different AWS services.

Key IAM Features

  1. Global Access: IAM configurations are not restricted to a specific region, so they can be managed globally.

  2. Password Policies: You can enforce password strength and rotation requirements.

  3. Multi-Factor Authentication (MFA): Additional security by requiring a second authentication factor.

  4. Federation: Allows users to access AWS using credentials from external identity providers.

  5. Cost: IAM is free of charge and available to all AWS customers.

IAM Users and Their Credentials

An IAM user represents a person or service needing access to your AWS account. These users can be assigned:

  • Console Access: Login via username and password.

  • Programmatic Access: AWS CLI and API access through generated access keys.

As organizations grow, managing permissions for each user individually can be time-consuming. Instead, it’s recommended to organize users into IAM groups.

IAM Groups

IAM groups simplify permission management by allowing you to assign permissions at the group level. For instance, developers and security engineers can be part of their respective groups, each with permissions relevant to their roles. Changes to a user's job role can be reflected simply by switching their group, ensuring a more scalable and manageable system.

Key features of IAM Groups:

  • Groups can have many users, and users can belong to multiple groups.

  • Permissions are inherited by users from their group.

  • IAM groups do not allow group nesting (i.e., one group cannot belong to another group).

IAM Policies

IAM policies are documents written in JSON that define the permissions assigned to IAM users, groups, and roles. AWS evaluates these policies every time a request is made to determine if an action is allowed or denied.

Example: Administrator Access Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

In this example, the policy allows all actions (*) on all resources (*), granting full administrative access.

Example: More Granular Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:ChangePassword", "iam:GetUser"],
      "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
    }
  ]
}

This policy allows users to change their own passwords and retrieve information about their IAM profile, but only for their own identity.

IAM Best Practices

1. Lock Down the AWS Root User

  • Avoid using the root user for daily tasks and secure it with MFA.

  • Consider deleting root user access keys.

2. Follow the Principle of Least Privilege

  • Always grant only the permissions necessary for users to perform their tasks.

3. Use IAM Roles

  • Assign roles to services and applications instead of using IAM users for better security. IAM roles provide temporary credentials that expire, unlike permanent credentials tied to users.

4. Use an Identity Provider (IdP)

  • As your organization grows, managing identities using a third-party IdP (like AWS IAM Identity Center) is a more scalable and secure approach than manually managing individual IAM users.

Conclusion

Understanding IAM is crucial for managing and securing your AWS environment. By using IAM's robust features like users, groups, and policies, and following best practices, you can protect your AWS resources and control access efficiently.

Stay tuned for Day 4, where I’ll dive deeper into role-based access and other key AWS security features!

0
Subscribe to my newsletter

Read articles from Guransh Deol directly inside your inbox. Subscribe to the newsletter, and don't miss out.

100DaysOfCode100DaysOfCloudCloudCloud ComputingAWSIAMIAM,MFA,Access key ID,Secret access keyiam role in aws

Written by

Guransh Deol
Guransh Deol