AWS Identity and Access Management (IAM): A Beginner's Guide
Introduction to IAM
AWS Identity and Access Management (IAM) is a service that allows you to manage access to AWS resources securely. With IAM, you can control who is authenticated (signed in) and authorized (has permissions) to use resources in AWS. It plays a crucial role in ensuring that the right people and services have the right level of access to your AWS environment.
IAM works on a principle called least privilege, meaning users or services should only have the permissions they need to perform their tasks, nothing more. This minimizes the risk of security breaches and helps maintain control over your AWS resources.
Key Concepts in IAM:
Users: Individual identities with specific permissions.
Groups: A collection of users managed together.
Policies: Documents defining what actions are allowed or denied.
Roles: Identities that AWS services (or other principals) assume to obtain temporary permissions.
Let's dive deeper into each concept.
1. Users, Groups, and Policies in IAM
IAM Users
An IAM user is an entity that represents a person or application interacting with AWS. A user can have:
A username and password for AWS Management Console access.
Access keys for programmatic access through CLI or SDK.
Each IAM user can be assigned specific permissions using policies to control what they can and cannot do within your AWS account.
How to Create an IAM User:
Go to the IAM dashboard in the AWS Console.
In the left navigation pane, click Users and then Add User.
Enter a username.
Choose AWS Management Console access (for UI access) or Programmatic access (for CLI/SDK).
Set permissions:
Add the user to an existing group, or
choose Attach policies directly to assign specific permissions to the user.
Review and click Create User.
The user will be created, and you will receive access credentials (password for console, access key/secret key for programmatic access).
IAM Groups
An IAM group is a collection of IAM users. Groups allow you to manage permissions for multiple users simultaneously. For example, you can create a group called "Developers" and assign it specific permissions, such as access to EC2 or S3. Any user in this group automatically inherits the permissions attached to the group.
How to Create an IAM Group:
Go to the IAM dashboard.
In the left navigation pane, click Groups and then Create Group.
Enter a Group Name.
Attach policies to the group (e.g., S3 read-only access, EC2 administrator access).
Add users to the group, or do it later.
Review the settings and click Create Group.
IAM Policies
IAM policies are JSON documents that define which actions are allowed or denied on which AWS resources, for the users, groups, or roles the policy is attached to.
How to Create a Custom IAM Policy:
In the IAM dashboard, click Policies.
Click Create Policy.
You can use the Visual editor or JSON editor to define the policy:
In the visual editor, choose a service (e.g., S3), select the actions (e.g., List, Get, Put), and specify resources (e.g., all S3 buckets or specific ones).
Alternatively, in JSON, define the policy like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
Review the policy and click Create Policy.
This example policy grants full access to all S3 resources. Policies can be highly granular, allowing you to control actions like reading from or writing to a specific S3 bucket.
You can now attach this policy to a user, group, or role.
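To make the difference between the broad s3:* policy above and a least-privilege policy concrete, here is an added example (not code from the original post) that evaluates requests against both policies with a simplified model of IAM's evaluation logic: an explicit Deny in any matching statement wins, otherwise a matching Allow grants, otherwise the request is implicitly denied. The bucket name reports-bucket and the scoped policy are constructed for the demonstration; Condition blocks, NotAction/NotResource, resource policies, permission boundaries and SCPs are deliberately left out of the model.

```python
import fnmatch
import json

# The page's example policy, loaded from the same JSON it shows.
FULL_S3_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }
""")

# Constructed least-privilege alternative: list one bucket, read and write its
# objects, and explicitly deny object deletion everywhere. Bucket name is made up.
BUCKET_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::reports-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::reports-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # Resource ARNs accept the same wildcards but are matched case-sensitively;
    # IAM's * also spans '/', so "bucket/*" covers nested object keys.
    return fnmatch.fnmatchcase(arn, pattern)


def evaluate(policy, action, resource):
    """Decide one request against one identity policy.

    Simplified model of IAM's evaluation logic: an explicit Deny in any
    matching statement wins, otherwise any matching Allow grants, otherwise
    the request is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins
        decision = "Allow"
    return decision


def compare(requests):
    """Per request, what the broad policy and the scoped policy each decide."""
    return {
        (action, resource): (evaluate(FULL_S3_POLICY, action, resource),
                             evaluate(BUCKET_SCOPED_POLICY, action, resource))
        for action, resource in requests
    }


if __name__ == "__main__":
    sample = [
        ("s3:GetObject", "arn:aws:s3:::reports-bucket/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::payroll/salaries.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::reports-bucket/q1.csv"),
        ("s3:DeleteBucket", "arn:aws:s3:::reports-bucket"),
    ]
    for req, (broad, scoped) in compare(sample).items():
        print(f"{req[0]:16} {req[1]:40} s3:* -> {broad:12} scoped -> {scoped}")
```

Running the block shows that s3:* allows every request, including deleting a bucket that has nothing to do with the workload, while the scoped policy allows only the reads and writes on reports-bucket and refuses everything else. The explicit Deny on s3:DeleteObject is the part worth noticing: it would still win even if a second, broader Allow were attached to the same user later.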
2. IAM Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring not only a username and password but also a one-time security code (typically generated by a device like a mobile phone app). Enabling MFA for users increases security by preventing unauthorized access even if the user's password is compromised.
How to Enable MFA for an IAM User:
Go to the IAM dashboard.
In the left navigation pane, click Users.
Select the user you want to enable MFA for.
Click the Security credentials tab, scroll to Assigned MFA device, and click Manage.
Choose a virtual MFA device (like Google Authenticator) or a hardware MFA device.
Use the app to scan the QR code provided, then enter two consecutive OTPs to verify.
Click Activate MFA.
Types of MFA devices:
Virtual MFA (e.g., Google Authenticator, Authy).
Hardware MFA (physical token).
SMS-based MFA (via a phone number).
3. AWS Access Keys
Access keys allow programmatic access to AWS services using the AWS CLI, SDKs, or APIs. They consist of:
Access Key ID: Public identifier.
Secret Access Key: Private key used to sign API requests.
Access keys are important for automated tasks and applications interacting with AWS, but they must be handled securely:
Rotate keys regularly.
Never share access keys.
Disable unused keys.
How to Create Access Keys for an IAM User:
Go to the IAM dashboard.
In the left navigation pane, click Users.
Select the user for whom you want to generate access keys.
Click the Security credentials tab, scroll to Access keys, and click Create access key.
The access key and secret key will be generated. Make sure to download or copy them, as the secret key cannot be retrieved later.
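"Rotate keys regularly" and "disable unused keys" are only useful if something actually checks for stale keys. The following is an added example (not code from the original post) of that check: a pure function that audits a list of access keys for age and idleness, run here over constructed sample data in the shape IAM's ListAccessKeys and GetAccessKeyLastUsed calls return. The user names, key IDs and dates are made up; the optional fetch_live_keys helper shows how the same function would be fed from boto3, and is not executed in the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of ListAccessKeys metadata plus the
# LastUsedDate field from GetAccessKeyLastUsed (None means never used).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=20), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": NOW - timedelta(days=2)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=40), "LastUsedDate": None},
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": None},
]


def audit_access_keys(keys, now, max_age_days=90, max_idle_days=30):
    """Return (AccessKeyId, UserName, finding) for every active key that is
    older than max_age_days (rotate it) or has not been used for more than
    max_idle_days (disable it). A key that was never used counts as idle
    since its creation."""
    findings = []
    for key in keys:
        if key["Status"] != "Active":
            continue                      # already disabled; nothing to do
        age = (now - key["CreateDate"]).days
        last_used = key["LastUsedDate"]
        idle = (now - last_used).days if last_used else age
        if age > max_age_days:
            findings.append((key["AccessKeyId"], key["UserName"],
                             f"rotate: key is {age} days old"))
        if idle > max_idle_days:
            findings.append((key["AccessKeyId"], key["UserName"],
                             f"disable: unused for {idle} days"))
    return findings


def fetch_live_keys(user_name):
    """Optional live collector (assumes boto3 and credentials are available;
    not run in this example). Produces the same dict shape as SAMPLE_KEYS."""
    import boto3
    iam = boto3.client("iam")
    keys = []
    for meta in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        last = iam.get_access_key_last_used(
            AccessKeyId=meta["AccessKeyId"])["AccessKeyLastUsed"].get("LastUsedDate")
        keys.append({**meta, "LastUsedDate": last})
    return keys


if __name__ == "__main__":
    for key_id, user, finding in audit_access_keys(SAMPLE_KEYS, NOW):
        print(f"{user:8} {key_id}  {finding}")
```

On the sample data the audit flags bob's key for rotation (200 days old) and carol's for disabling (created 40 days ago, never used); alice's recent, in-use key and dave's already inactive key produce nothing. The thresholds are parameters so the same function can enforce whatever rotation policy your account has settled on.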
4. AWS CLI and SDK
The AWS CLI (Command Line Interface) and AWS SDK (Software Development Kit) are tools that allow you to interact with AWS services programmatically.
AWS CLI
The CLI allows you to perform AWS tasks directly from your terminal or command prompt, making it easier to automate tasks or interact with AWS resources without using the AWS Management Console.
Install it from the AWS website.
Configure it by running aws configure to set your access keys and default region.
How to Configure AWS CLI:
Install the AWS CLI from the AWS CLI download page.
Open a terminal and run the command:
aws configure
Enter your Access Key ID, Secret Access Key, default region, and output format.
Example CLI command:
aws s3 ls
This lists all the S3 buckets in your account.
AWS SDK
The AWS SDKs are available in multiple programming languages (e.g., Python, Java, JavaScript) and allow developers to integrate AWS services into their applications. They simplify tasks like uploading files to S3 or interacting with databases hosted on AWS.
How to Use the AWS SDK:
Install the SDK in your programming environment.
Configure it with your AWS credentials.
Call AWS services from your application, for example, uploading a file to S3 using Python:
import boto3
s3 = boto3.client('s3')
s3.upload_file('local_file.txt', 'my-bucket', 'file.txt')
5. AWS CloudShell
AWS CloudShell is a browser-based shell that provides access to AWS services using the AWS CLI. You don't need to install or configure anything; simply open CloudShell in the AWS console, and you're ready to run CLI commands. It comes pre-installed with popular developer tools and provides 1GB of storage for files.
How to Use AWS CloudShell:
Open the AWS Console and click on CloudShell in the top-right corner.
A terminal will open in your browser with the AWS CLI ready for use.
Run any AWS CLI command, such as:
aws ec2 describe-instances
6. IAM Roles for AWS Services
IAM roles are similar to users but intended for services rather than individuals. Roles are used to grant AWS services (like EC2 or Lambda) permissions to perform actions on your behalf.
For example, an EC2 instance needs to read from S3. Rather than using access keys, you assign an IAM role to the instance with the necessary permissions. This method is more secure because it avoids embedding credentials directly into your application code.
How to Create an IAM Role for an EC2 Instance:
Go to the IAM dashboard.
In the left navigation pane, click Roles and then Create Role.
Choose the AWS service that will use the role (e.g., EC2).
Attach a policy that grants the required permissions (e.g., S3 read access).
Name the role and click Create Role.
After creating the role, you can assign it to an EC2 instance:
Go to the EC2 Dashboard.
Select an instance, click Actions > Security > Modify IAM role.
Assign the newly created role to the instance.
7. IAM Security Tools
IAM Access Analyzer
IAM Access Analyzer helps you identify policies that grant public or cross-account access to resources. It continuously monitors your environment to detect any policy changes that could pose a security risk.
How to Use IAM Access Analyzer:
Go to IAM > Access Analyzer.
Click Create Analyzer to start monitoring your account.
The analyzer will review your policies and flag any that grant external or public access.
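A role is only as safe as the trust policy that says who may assume it, and "who may assume it" is exactly the kind of external or public access Access Analyzer flags. The following is an added example (not code from the original post, and not how Access Analyzer itself works): it builds the trust policy an EC2 role like the one in section 6 would carry, alongside two constructed policies that are overly broad, and runs a local check that reports public, cross-account, federated or unexpected-service principals. The account IDs 111111111111 and 222222222222 are placeholders.

```python
# Trust policy for the EC2 role from section 6: only the EC2 service may
# assume it. This is the standard shape of an EC2 service-role trust policy.
EC2_S3_READER_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed examples of what a trust-policy review should catch.
OVERLY_BROAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},            # anyone with AWS credentials
        "Action": "sts:AssumeRole",
    }],
}
CROSS_ACCOUNT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},  # placeholder account
        "Action": "sts:AssumeRole",
    }],
}


def _principals(stmt):
    """Yield (kind, value) pairs from a Principal element, which may be the
    string "*" or a dict of AWS / Service / Federated entries (string or list)."""
    principal = stmt.get("Principal")
    if principal == "*":
        yield ("*", "*")
    elif isinstance(principal, dict):
        for kind, values in principal.items():
            for value in (values if isinstance(values, list) else [values]):
                yield (kind, value)


def _account_of(arn):
    """arn:aws:iam::123456789012:root -> '123456789012' (field 4 of the ARN)."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 5 else None


def find_external_trust(trust_policy, own_account, allowed_services):
    """Report Allow statements whose principals reach outside the account or
    outside the set of services the role is meant for."""
    findings = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for kind, value in _principals(stmt):
            if kind == "*" or value == "*":
                findings.append(f"public: principal {kind}={value}")
            elif kind == "Service" and value not in allowed_services:
                findings.append(f"unexpected service: {value}")
            elif kind == "AWS":
                account = value if value.isdigit() else _account_of(value)
                if account != own_account:
                    findings.append(f"cross-account: {value}")
            elif kind == "Federated":
                findings.append(f"federated principal, review: {value}")
    return findings


if __name__ == "__main__":
    own = "111111111111"                       # placeholder account id
    for name, policy in [("ec2-s3-reader", EC2_S3_READER_TRUST),
                         ("overly-broad", OVERLY_BROAD_TRUST),
                         ("cross-account", CROSS_ACCOUNT_TRUST)]:
        print(name, find_external_trust(policy, own, {"ec2.amazonaws.com"}) or ["ok"])
```

Cross-account trust is not automatically wrong (that is how delegated access between your own accounts works), which is why the check reports it rather than rejecting it; the point is that every principal outside the account, and every principal of "*", should be a deliberate, documented decision rather than something discovered after the fact.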
AWS Trusted Advisor
AWS Trusted Advisor provides real-time guidance to help you optimize your AWS environment, including security checks like ensuring you don’t have unused or overly permissive IAM users or policies.
AWS Identity Center (formerly SSO)
AWS Identity Center allows centralized access management across multiple AWS accounts. It simplifies managing user permissions across different accounts and makes it easier to enforce security policies consistently.
8. IAM Best Practices
To ensure your AWS environment remains secure, follow these IAM best practices:
Follow the Principle of Least Privilege: Only grant users the permissions they absolutely need.
Use Groups to Assign Permissions: Instead of assigning permissions directly to individual users, create groups and assign permissions at the group level.
Enable MFA for All Users: Add an extra layer of security by requiring MFA for all users, especially those with administrative privileges.
Rotate Access Keys Regularly: Regularly update access keys and disable any that are no longer in use.
Use IAM Roles for AWS Services: Avoid embedding access keys in your applications. Use IAM roles for EC2 instances or Lambda functions to access AWS resources securely.
Audit and Monitor IAM Permissions: Use tools like AWS CloudTrail to track API activity and AWS Config to monitor changes to your IAM policies and roles.
Conclusion
AWS IAM is a critical service that helps you control who has access to your AWS resources. By understanding users, groups, policies, roles, and security tools, you can ensure that your environment remains secure and manageable. Always follow best practices to safeguard your AWS infrastructure from potential security breaches.
Written by
Siddhartha Gaurav