AWS IAM for beginners

Aman Shaikh
3 min read
  1. IAM is a core AWS service that lets us grant and control access to AWS resources.

  2. Resources are the entities you create in AWS, e.g. an S3 bucket, a Lambda function, etc.

  3. Users attempt to perform actions on these resources, e.g. create an S3 bucket.

  4. Whether the user is authorized to perform that action on that resource is determined by a policy.

  5. A policy is basically a JSON document whose entries state which resources the user has access to (and which actions are allowed on them).

  6. Each user has their own policies attached.

  7. How many ways can you log in to AWS, and how does AWS know which policies you have?

    1. When we log in using the console, AWS prompts us to log in as an IAM user:

      1. This way AWS knows which policies are attached to the user who is logging in.

    2. Using the AWS CLI

    3. Using an AWS SDK

  8. In each of the 3 cases AWS needs to know who you are and which policies are attached to you (i.e. which resources you can access). So how does AWS do that?

  9. This is fairly clear for case #1, the console: you provide a user name and password, so AWS knows who you are and what your policies are.

  10. But if you access AWS programmatically (using the AWS CLI or an AWS SDK), how can AWS know it's you?

  11. Here comes the concept of access keys and secret access keys.

  12. When you create your IAM user, AWS gives you 2 strings: i) an access key and ii) a secret access key.

  13. When you want to use AWS from the CLI, you first configure it with the "aws configure" command.

  14. It asks you for your access key and secret access key; from these keys AWS knows who you are and what your policies are / which resources you can access.

  15. If you want to access AWS from a programming language such as Python or Java, you can use the AWS SDK for that language.

  16. This is similar to the AWS CLI: you need to provide the access key and secret access key so that AWS knows who you are and what your policies are.

    1. E.g. in Python you can use the boto3 library, which is the AWS SDK for Python.

  17. Apart from this, you can also attach a policy to a group; anyone you add to that group automatically gets that policy.

    1. Groups cannot contain groups, but a single user can be in multiple groups.
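To make items 4 to 6 concrete, here is an added example (my own code, not from the original post): a policy document in the JSON shape IAM uses, plus a small evaluator that applies the three rules IAM applies to identity policies: an explicit Deny always wins, otherwise at least one matching Allow is required, otherwise the request is denied by default. The bucket name and the account id are constructed placeholders, and the evaluator ignores Condition and NotAction, which real IAM also handles.

```python
import fnmatch
import json

# Constructed least-privilege policy: read one bucket, never delete anything.
MINIMAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:Delete*",
      "Resource": "*"
    }
  ]
}
""")

# Deliberately broad policy (every action on every resource) to contrast with the one above.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    # '*' and '?' are wildcards in IAM patterns; fnmatchcase is close enough for ARNs.
    # Action names are matched case-insensitively, resource ARNs case-sensitively.
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation for one identity policy.

    Explicit Deny wins over everything, a matching Allow is needed to permit,
    and with no matching statement at all the default is Deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, case_sensitive=False)
                and _matches(stmt["Resource"], resource, case_sensitive=True)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("lambda:InvokeFunction", "arn:aws:lambda:us-east-1:111122223333:function:report"),
    ]
    for action, resource in checks:
        print(f"{action:22} {resource:60} minimal={is_allowed(MINIMAL_POLICY, action, resource)} admin={is_allowed(ADMIN_POLICY, action, resource)}")
```

Run it and compare the two columns: the minimal policy only permits the reads it was written for, while the admin policy permits the delete as well. That difference is the whole point of the "minimal policies" tip at the end of the post.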
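Items 10 to 16 ask how AWS knows it is you when you use the CLI or an SDK with an access key and a secret access key. The added example below (my own code, not from the post, the CLI or boto3) goes one step beyond the text and shows the mechanism the CLI and SDKs use under the hood, Signature Version 4: the secret access key is never sent to AWS; the client derives a signing key from it and sends the access key ID (who) plus an HMAC signature (proof of possessing the secret). The access key and secret used here are the placeholder values from the AWS documentation, not real credentials, and the string-to-sign is a constructed stand-in for the one built from a real canonical request.

```python
import hashlib
import hmac

# Placeholder credentials from the AWS documentation (not real keys)
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 signing-key derivation: a chain of HMAC-SHA256 calls that starts from the
    secret access key and is scoped to one day, one region and one service, so a leaked
    derived key is far less useful than the secret itself."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign(secret_access_key: str, date_stamp: str, region: str, service: str, string_to_sign: str) -> str:
    """Hex signature the client puts in the Authorization header."""
    key = derive_signing_key(secret_access_key, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def authorization_header(access_key_id: str, signature: str, date_stamp: str, region: str, service: str) -> str:
    """Shape of the header: the access key ID identifies the caller, the signature proves
    possession of the secret. The SignedHeaders value is a constructed example."""
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    return (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders=host;x-amz-date, Signature={signature}")


def server_side_check(secret_on_file: str, date_stamp: str, region: str, service: str,
                      string_to_sign: str, presented_signature: str) -> bool:
    """What AWS does conceptually: look up the secret stored for the access key ID,
    recompute the signature over the same request, and compare in constant time."""
    expected = sign(secret_on_file, date_stamp, region, service, string_to_sign)
    return hmac.compare_digest(expected, presented_signature)


if __name__ == "__main__":
    # Constructed string-to-sign; the real one embeds the hash of the canonical request
    sts = ("AWS4-HMAC-SHA256\n20240101T000000Z\n20240101/us-east-1/s3/aws4_request\n"
           + hashlib.sha256(b"").hexdigest())
    sig = sign(SECRET_ACCESS_KEY, "20240101", "us-east-1", "s3", sts)
    print(authorization_header(ACCESS_KEY_ID, sig, "20240101", "us-east-1", "s3"))
    print("valid with the right secret:", server_side_check(SECRET_ACCESS_KEY, "20240101", "us-east-1", "s3", sts, sig))
    print("valid with a wrong secret:  ", server_side_check("not-the-secret", "20240101", "us-east-1", "s3", sts, sig))
```

This is why "aws configure" stores the secret locally and why the secret must be protected like a password: anyone holding it can produce valid signatures as that user until the key is rotated or deactivated.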

Roles:

    1. With roles we can give temporary access to either a person or a service.

      1. A role can be given to a person to access something temporarily.

      2. A role can also be given to a Lambda function or to other services.

      3. Roles also have policies attached to them.

Trust Relationships:

    1. Suppose your company has 2 AWS accounts.

      1. In Acc1 there is a DynamoDB table; you are in Acc2 and want to access that table in Acc1 programmatically.

      2. In this case we create a role in Acc1 that gives us temporary access to Acc1 and has a policy attached that allows access to that specific table.

      3. Then our user assumes this role (AssumeRole). The role's trust relationship is what lists our user (or Acc2) as a principal allowed to assume it; without that entry the AssumeRole call is refused.
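The two-account scenario above involves two separate JSON documents on the role in Acc1, and an added example (my own code, not from the post) makes the distinction visible: the trust policy says who may call AssumeRole, the permissions policy says what the assumed session may then do. The account ids, user name and table name are constructed placeholders. Beyond the scenario itself, the example includes a small audit that lists the principals a trust policy admits and flags the two grants a defender most wants to notice: a wildcard principal, and an account root principal, which delegates the decision to everyone in that account who is allowed to call sts:AssumeRole.

```python
import json

# Constructed scenario: the user in Acc2 (222222222222) reads one table in Acc1 (111111111111)
ACC1_TABLE_ARN = "arn:aws:dynamodb:us-east-1:111111111111:table/orders"

# Trust policy on the role in Acc1: who may assume the role
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::222222222222:user/reporting-user"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# Permissions policy on the same role: what the assumed session may do
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": ACC1_TABLE_ARN,
    }],
}

# Deliberately over-broad trust policy, used only to show what the audit flags
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assume_role_principals(trust_policy):
    """Principals that some Allow statement lets call sts:AssumeRole."""
    principals = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.append("*")
        else:
            # Principal is a map such as {"AWS": [...]} or {"Service": "lambda.amazonaws.com"}
            for values in principal.values():
                principals.extend(_as_list(values))
    return principals


def trust_findings(trust_policy):
    """Flag trust grants wider than a specific user, role or service."""
    findings = []
    for p in assume_role_principals(trust_policy):
        if p == "*":
            findings.append("any AWS principal may assume this role")
        elif p.endswith(":root"):
            account = p.split(":")[4]
            findings.append(f"every identity in account {account} that has sts:AssumeRole may assume this role")
    return findings


if __name__ == "__main__":
    for name, policy in (("scenario role", TRUST_POLICY), ("open role", OPEN_TRUST_POLICY)):
        print(name, "trusts:", assume_role_principals(policy))
        print(name, "findings:", trust_findings(policy) or "none")
```

In the scenario, the user in Acc2 also needs an identity policy in Acc2 that allows sts:AssumeRole on the Acc1 role's ARN; both sides must agree before STS hands out the temporary credentials.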

Tips I learnt:

  1. Protect your root account; whatever you want to do, create a user and do it with that user.

  2. Grant only the minimal policies needed to do the task.
