How to Use AWS Identity and Access Management
Introduction
Welcome to our AWS journey! Today we'll dive into AWS Identity and Access Management (IAM), a critical service for managing access and permissions securely in AWS. Understanding IAM is essential for protecting your AWS resources and ensuring that the right individuals have appropriate access. This blog will cover the basics of IAM, including setting up users and groups, creating roles and managing policies for secure access control. We'll also provide examples to illustrate these concepts in practice.
What is AWS IAM?
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM you can manage users and their permissions to ensure that only authorized users can access specific resources. IAM allows you to create and manage AWS users and groups, use permissions to allow and deny their access to AWS resources and securely manage credentials such as access keys and passwords.
Key Components of IAM
Users :- Individuals or services that interact with AWS resources.
Groups :- Collections of users that share common permissions.
Roles :- Identities with permissions that AWS services, applications or users can assume temporarily to perform actions on your behalf.
Policies :- Documents that define permissions and access controls.
Setting Up Users and Groups
Creating IAM Users
IAM users are entities that you create in AWS to represent individuals or services. Each user has unique credentials and permissions.
Step-by-Step Guide to Create an IAM User :-
Sign in to the AWS Management Console.
Navigate to the IAM Dashboard.
Click on "Users" in the left navigation pane.
Click the "Add user" button.
Enter the username for the new user.
Select the type of access :-
Programmatic access :- Allows the user to interact with AWS services using the AWS CLI, SDKs or APIs.
AWS Management Console access :- Allows the user to sign in to the AWS Management Console.
Click "Next : Permissions" to set permissions.
Assigning Permissions to IAM Users
Permissions determine what actions users can perform and what resources they can access. Permissions are granted using policies.
Step-by-Step Guide to Assign Permissions :-
Attach existing policies directly :- Choose from AWS managed policies or custom policies you have created.
- Example :- Attach the AmazonS3ReadOnlyAccess policy to allow read-only access to Amazon S3.
Add user to group :- Place the user in a group that has the necessary permissions.
- Example :- Create a group called S3ReadOnlyGroup and attach the AmazonS3ReadOnlyAccess policy to it. Add the user to this group.
Click "Next : Tags" to add optional metadata to the user.
Click "Next : Review" to review the user's details and permissions.
Click "Create user" to finalize the creation.
Example :- Creating a User with S3 Read-Only Access
Suppose you need to create a user JohnDoe who should have read-only access to Amazon S3.
Create the user :-
Username :- Nikunj
Access type :- Programmatic access and AWS Management Console access.
Attach the policy :-
- Use the AmazonS3ReadOnlyAccess AWS managed policy.
Review and create the user.
Creating IAM Groups
IAM groups are collections of users that share common permissions. Instead of managing permissions for each user individually, you can assign permissions to a group and add users to that group.
Step-by-Step Guide to Create an IAM Group :-
Navigate to the IAM Dashboard.
Click on "Groups" in the left navigation pane.
Click the "Create New Group" button.
Enter a name for the group (e.g. Developers ).
Attach policies to the group :-
- Example :- Attach the AmazonEC2FullAccess policy to allow full access to Amazon EC2.
Click "Create group" to finalize.
Example :- Creating a Group with EC2 Full Access
Suppose you need to create a group Developers with full access to Amazon EC2.
Create the group :-
- Group name :- Developers
Attach the policy :-
- Use the AmazonEC2FullAccess AWS managed policy.
Add users to the group :-
- Add existing users such as Nikunj to the Developers group to grant them EC2 full access.
Creating IAM Roles
IAM roles are similar to users in that they have permissions, but they are intended to be assumed by anyone who needs them, including AWS services. Roles are essential for granting AWS services permissions to interact with other AWS services.
Creating a Role for AWS Services
Step-by-Step Guide to Create an IAM Role :-
Navigate to the IAM Dashboard.
Click on "Roles" in the left navigation pane.
Click the "Create role" button.
Select the type of trusted entity :-
- AWS service :- Allows AWS services (e.g. EC2, Lambda) to assume this role.
Choose the service that will use this role :-
- Example :- Select EC2 to create a role that EC2 instances can assume.
Attach policies to the role :-
- Example :- Attach the AmazonS3FullAccess policy to allow full access to Amazon S3.
Add tags (optional) to add metadata to the role.
Review and create the role.
Example :- Creating a Role for EC2 to Access S3
Suppose you need to create a role that allows EC2 instances to access S3 with full permissions.
Create the role :-
Trusted entity :- AWS service
Service :- EC2
Attach the policy :-
- Use the AmazonS3FullAccess AWS managed policy.
Review and create the role.
Assigning the Role to an EC2 Instance
Launch or select an existing EC2 instance.
In the instance settings choose "Actions" > "Instance Settings" > "Attach/Replace IAM Role".
Select the role you created (e.g. EC2S3AccessRole ).
Attach the role.
Managing IAM Policies
IAM policies are JSON documents that define permissions. They specify who can do what to which resources under what conditions.
Types of IAM Policies
AWS Managed Policies :- Predefined policies managed by AWS.
Customer Managed Policies :- Policies created and managed by you.
Inline Policies :- Policies embedded directly in a user, group or role.
Writing a Customer Managed Policy
Example :- Creating a Policy for Read-Only S3 Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::nikks-bucket",
        "arn:aws:s3:::nikks-bucket/*"
      ]
    }
  ]
}
Step-by-Step Guide to Create a Customer Managed Policy :-
Navigate to the IAM Dashboard.
Click on "Policies" in the left navigation pane.
Click the "Create policy" button.
Select the JSON tab and enter the policy JSON :-
- Example policy for read-only S3 access (as shown above).
Click "Review policy".
Name and describe the policy :-
Name :- S3ReadOnlyPolicy
Description :- Read-only access to a specific S3 bucket.
Click "Create policy".
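To see what the policy above actually grants before attaching it, here is an added example (not part of the original post) that loads the same document, with the Version string IAM requires ("2012-10-17"), runs a few reviewer checks, and evaluates sample requests the way IAM decides identity-based policies: an explicit Deny wins, otherwise a matching Allow is required, otherwise the request is implicitly denied. NotAction, NotResource and Condition keys are deliberately not modelled.

```python
import fnmatch
import json

# The post's customer managed policy, with the Version string IAM actually
# requires ("2012-10-17"); the console rejects unknown version values.
S3_READ_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::nikks-bucket", "arn:aws:s3:::nikks-bucket/*"]
  }]
}
""")

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards: "*" matches any run of characters, "?" one character.
    # (fnmatch also treats [...] as a class, which IAM does not; ARNs here have none.)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def validate_policy(policy):
    """Problems a reviewer would flag before attaching the policy."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            problems.append(f"statement {i}: Action * on Resource * is full admin, not least privilege")
    return problems

def is_allowed(policy, action, resource):
    """IAM evaluation for identity-based policies: explicit Deny wins,
    otherwise a matching Allow is required, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # action names are case-insensitive
        if _matches(actions, action.lower()) and _matches(_as_list(stmt.get("Resource", [])), resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Note that s3:ListBucket is evaluated against the bucket ARN while s3:GetObject is evaluated against the object ARN, which is why the policy needs both resource entries.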
Attaching Policies to Users, Groups and Roles
Step-by-Step Guide to Attach a Policy :-
Navigate to the IAM Dashboard.
Select the user, group or role to which you want to attach the policy.
Click on "Add permissions".
Choose "Attach policies directly".
Select the policy you created (e.g. S3ReadOnlyPolicy ).
Click "Next : Review" and then "Add permissions".
Best Practices for IAM
Follow the Principle of Least Privilege :- Grant only the permissions needed to perform a task.
Use Groups to Assign Permissions :- Manage permissions for multiple users easily by assigning them to groups.
Enable Multi-Factor Authentication (MFA) :- Add an extra layer of security for users.
Rotate Credentials Regularly :- Regularly rotate access keys and passwords to reduce the risk of compromised credentials.
Monitor IAM Activity :- Use AWS CloudTrail to monitor and log IAM activities.
Use Roles for Applications and Services :- Instead of using long-term credentials, use IAM roles to grant permissions to applications and services.
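The "Monitor IAM Activity" practice only pays off if someone turns CloudTrail records into findings. This added example (not from the original post) parses a constructed CloudTrail log file and flags events that contradict the practices listed above: console sign-in without MFA, root credential use, AdministratorAccess being attached, and new long-term access keys. The field names follow the CloudTrail record format; the user names and values are made up.

```python
import json

ATTACH_EVENTS = {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy"}

# Constructed sample records (not real log data). Field names follow the
# CloudTrail record format; user names and values are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "Nikunj"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "Nikunj"},
     "requestParameters": {"userName": "tester1",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"userName": "tester1"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "Nikunj"},
     "requestParameters": {"groupName": "S3ReadOnlyGroup",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}},
]})

def load_records(trail_json):
    # CloudTrail log files are a JSON object with a top-level "Records" array.
    return json.loads(trail_json)["Records"]

def detect_iam_findings(records):
    """Return (severity, description) pairs for events that contradict the
    best practices above: no MFA, root usage, admin grants, new long-term keys."""
    findings = []
    for ev in records:
        name = ev.get("eventName")
        who = ev.get("userIdentity", {})
        actor = who.get("userName", who.get("type", "unknown"))
        params = ev.get("requestParameters", {})
        if who.get("type") == "Root":
            findings.append(("high", f"root credentials used for {name}"))
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("medium", f"{actor} signed in to the console without MFA"))
        if name in ATTACH_EVENTS and params.get("policyArn", "").endswith("/AdministratorAccess"):
            findings.append(("high", f"{actor} granted AdministratorAccess via {name}"))
        if name == "CreateAccessKey":
            findings.append(("low", f"new long-term access key for {params.get('userName', actor)}; schedule rotation"))
    return findings
```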
Real-World Examples and Case Studies
Example 1 :- Secure Access Control for a Development Team
A development team at a company uses AWS for hosting and development. The team needs different levels of access based on roles.
Setup :-
Create Groups :-
Admins with full access to all AWS services.
Developers with full access to EC2 and limited access to S3.
Testers with read-only access to S3.
Create Users :- Create individual users for each team member and add them to the appropriate group.
Create Policies :- Define and attach policies to groups to control access.
Outcome :- The team can securely access AWS resources based on their roles, minimizing the risk of unauthorized access.
Example 2 :- Using Roles for Cross-Account Access
A company has multiple AWS accounts for different departments. They need to allow the billing team in one account to access S3 buckets in another account.
Setup :-
Create a Role in the Target Account :-
- Define a role with S3 access and specify the source account as a trusted entity.
Create a Policy in the Source Account :-
- Define a policy that allows assuming the role in the target account.
Attach the Policy :-
- Attach the policy to the users or groups in the source account that need access.
Outcome :- The billing team can securely access S3 buckets in the target account using cross-account roles.
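The cross-account setup above is two documents that must agree with each other: the trust policy on the role in the target account and the sts:AssumeRole policy in the source account. This added example (not part of the original post) builds both from placeholder account IDs and a hypothetical role name, and cross-checks them; the role's own S3 permissions (for example the AmazonS3ReadOnlyAccess managed policy) are attached separately. The optional ExternalId condition is an extra hardening step the post does not mention.

```python
# Placeholder account IDs and role name (constructed, not real values).
SOURCE_ACCOUNT = "111111111111"  # account holding the billing team's users
TARGET_ACCOUNT = "222222222222"  # account that owns the S3 buckets
ROLE_NAME = "BillingS3ReadRole"

def trust_policy(source_account, external_id=None):
    """Trust policy on the role in the TARGET account: who may call sts:AssumeRole.
    Trusting the source account's root principal delegates the decision to that
    account's own IAM policies (the assume_role_policy below)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        # Optional hardening: require an ExternalId the caller must present.
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def assume_role_policy(target_account, role_name):
    """Identity policy attached to the billing users or group in the SOURCE account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{target_account}:role/{role_name}",
    }]}

def check_pair(trust, assume, source_account, target_account, role_name):
    """Confirm the two documents point at each other and the trust is not open."""
    problems = []
    principals = []
    for s in trust["Statement"]:
        p = s.get("Principal")
        principals.append(p.get("AWS") if isinstance(p, dict) else p)
    if f"arn:aws:iam::{source_account}:root" not in principals:
        problems.append("trust policy does not trust the source account")
    if "*" in principals:
        problems.append("trust policy allows any AWS account to assume the role")
    resources = [s.get("Resource") for s in assume["Statement"]]
    if f"arn:aws:iam::{target_account}:role/{role_name}" not in resources:
        problems.append("assume policy does not name the target role")
    return problems
```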
Conclusion
AWS Identity and Access Management (IAM) is a powerful tool for managing access to AWS resources securely. By understanding and implementing IAM's features you can ensure that only authorized individuals have the necessary access to perform their tasks. In this blog post we've covered the basics of IAM, including setting up users and groups, creating roles and managing policies. We've also provided real-world examples to illustrate these concepts.
Stay tuned for more insights and best practices in our upcoming blog posts.
Written by
Nikunj Vaishnav