🚀 Day 47: Securing the Cloud with AWS IAM, MFA, and Least Privilege 🔒

Ritesh SinghRitesh Singh
7 min read

Welcome to Day 47 of your Cloud/DevOps journey! Today, we dive into the heart of cloud security with AWS Identity and Access Management (IAM), Multi-Factor Authentication (MFA), and the Principle of Least Privilege (PoLP). This guide provides a hands-on tutorial to create IAM users and roles, apply MFA, and enforce secure access controls in AWS. Let’s build a secure cloud environment step-by-step! 🛡️

🌟 Why Cloud Security Matters

Security is the backbone of any cloud infrastructure. AWS IAM empowers you to control who can access what in your AWS environment, ensuring your resources, data, and applications stay protected. By combining IAM with MFA and PoLP, you create a robust, scalable, and compliant security framework—essential for any Cloud/DevOps engineer. 🔐

📚 Key Concepts

1. AWS IAM: The Foundation of Cloud Security

  • What: IAM manages access to AWS services and resources securely.

  • Core Components:

    | Component | Description | | --- | --- | | Users | Individuals or entities (e.g., developers) with credentials for AWS access. | | Groups | Collections of users sharing the same permissions. | | Roles | Temporary credentials for AWS services or users to assume specific permissions. | | Policies | JSON documents defining permissions (actions, resources, and effects). |

  • Use Case: Grant specific access (e.g., read-only S3 permissions) to users or services.

2. Multi-Factor Authentication (MFA)

  • What: Adds a second authentication factor (e.g., a mobile app code) beyond username/password.

  • Why: Protects against compromised credentials, critical for sensitive accounts.

  • Types in AWS:

    • Virtual MFA (e.g., Google Authenticator, Authy).

    • Hardware MFA (e.g., YubiKey).

  • Best Practice: Enable MFA for all IAM users and the root account.

3. Principle of Least Privilege (PoLP)

  • What: Grant only the minimum permissions needed to perform a task.

  • Why: Reduces the risk of accidental or malicious misuse.

  • Example: A developer needs s3:GetObject for one bucket, not full S3 access.

🛠️ Hands-On: Creating AWS IAM Users and Roles

Let’s get hands-on! We’ll create:

  • An IAM user (DevUser) with read-only access to a specific S3 bucket.

  • An IAM role for an EC2 instance to access the same bucket.

  • MFA for the IAM user to enhance security.

Note: Follow the Principle of Least Privilege by granting only necessary permissions.

🎒 Prerequisites

  • An AWS account with administrative access (use an IAM user, not root).

  • Access to the AWS Management Console via a web browser.

  • A virtual MFA app (e.g., Google Authenticator or Authy) on your smartphone.

  • Basic familiarity with AWS Console navigation.

🛠️ Step 1: Create an IAM User

We’ll create DevUser with console access and limited S3 permissions.

  1. Log In to AWS Console:

    • Navigate to AWS Management Console.

    • Sign in with an IAM user or role with administrative permissions (avoid root).

  2. Access IAM:

    • Search for IAM in the top search bar or go to Services > Security, Identity, & Compliance > IAM.

  3. Create the User:

    • Click Users in the left sidebar, then Create user.

    • User Details:

      • Name: DevUser.

      • Check Provide user access to the AWS Management Console.

      • Select I want to create an IAM user.

      • Set a Console password (custom or autogenerated).

      • Uncheck Users must create a new password at next sign-in (optional for simplicity).

    • Click Next.

  4. Set Permissions:

    • Choose Attach policies directly.

    • Click Create policy (opens a new tab).

      • In the Policy editor, select JSON and paste:

          {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetObject",
                  "s3:ListBucket"
              ],
              "Resource": [
                  "arn:aws:s3:::my-bucket-name",
                  "arn:aws:s3:::my-bucket-name/*"
              ]
          }
      ]
  }

        Replace: my-bucket-name with your actual S3 bucket name.

      • Click Next, name the policy DevUserS3ReadOnly, add a description (e.g., “Read-only access to my-bucket-name”), and click Create policy.

    • Back in the user creation tab, refresh the policy list, select DevUserS3ReadOnly, and click Next.

    • Review and click Create user.

  5. Save Credentials:

    • Download the .csv file with the user’s console URL, username, and password.

    • Share securely (e.g., via encrypted email or AWS Secrets Manager).

🔐 Step 2: Enable MFA for the IAM User

  1. Go to User Settings:

    • In IAM, click Users > DevUser > Security credentials tab.

  2. Set Up MFA:

    • Under Multi-factor authentication (MFA), click Assign MFA device.

    • Select Virtual MFA device.

    • Follow the prompts:

      • Open your MFA app (e.g., Google Authenticator).

      • Scan the QR code or enter the setup code manually.

      • Enter two consecutive MFA codes (generated every 30 seconds).

    • Click Assign MFA.

  3. Test MFA:

    • Log out and sign in as DevUser using the credentials from the .csv file.

    • Enter the MFA code from your app to access the console.

🖥️ Step 3: Create an IAM Role for EC2

We’ll create a role for an EC2 instance to access the same S3 bucket.

  1. Navigate to Roles:

    • In IAM, click Roles > Create role.

  2. Select Trusted Entity:

    • Choose AWS service > EC2 under Use case.

    • Click Next.

  3. Add Permissions:

    • Search for and select the DevUserS3ReadOnly policy.

    • Click Next.

  4. Name the Role:

    • Name: EC2S3ReadOnlyRole.

    • Description: “Allows EC2 instances to read from my-bucket-name”.

    • Click Create role.

  5. Attach Role to EC2:

    • Go to the EC2 dashboard.

    • For an existing instance:

      • Right-click the instance > Actions > Security > Modify IAM role.

      • Select EC2S3ReadOnlyRole > Update IAM role.

    • For a new instance, attach the role during launch.

  6. Test the Role:

    • SSH into the EC2 instance (assuming SSH is configured).

    • Run:

        aws s3 ls s3://my-bucket-name

    • The instance should list bucket contents without explicit credentials.

✅ Step 4: Apply Principle of Least Privilege

  • Policy Review:

    • The DevUserS3ReadOnly policy grants only s3:GetObject and s3:ListBucket for a specific bucket, adhering to PoLP.

    • The EC2S3ReadOnlyRole uses the same policy for minimal permissions.

  • Tip: Use IAM Access Analyzer to identify overly permissive policies.

🧹 Step 5: Verify and Clean Up

  1. Verify User Access:

    • Sign in as DevUser, go to S3, and confirm read-only access to my-bucket-name.

    • Test that other actions (e.g., delete) are denied.

  2. Verify EC2 Access:

    • From the EC2 instance, confirm S3 read access works and other actions fail.

  3. Clean Up (Optional):

    • Delete the user: Users > DevUser > Delete.

    • Delete the role: Roles > EC2S3ReadOnlyRole > Delete.

    • Delete the policy: Policies > DevUserS3ReadOnly > Delete.

🔍 How IAM Works

  1. Authentication:

    • Users: Authenticate via username/password (Console) or access keys (CLI/API).

    • Roles: Assumed by services/users for temporary credentials.

    • MFA: Adds a second factor for users.

  2. Authorization:

    • Policies (JSON) define permissions:

        {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket-name/*"
  }

  3. Evaluation:

    • AWS uses a deny-by-default model: only explicitly allowed actions are permitted.

🛡️ Security Best Practices

  • 🔐 Enable MFA: Mandatory for all IAM users and the root account.

  • 🎯 Follow PoLP: Grant minimal permissions; avoid broad policies like AmazonS3FullAccess.

  • 🤖 Use Roles for Services: Assign roles to EC2, Lambda, etc., instead of access keys.

  • 👥 Group Users: Assign policies to groups (e.g., “Developers”) for easier management.

  • 🔄 Rotate Credentials: Regularly update passwords and access keys.

  • 📊 Monitor with CloudTrail: Log IAM actions for auditing.

  • 🔎 Use Access Analyzer: Detect unused or overly permissive permissions.

🛠️ Troubleshooting

IssueSolution
Access DeniedCheck policy attachment, verify ARN, ensure bucket exists.
MFA Not WorkingSync MFA app time, re-register if codes fail.
EC2 Role FailureConfirm role is attached, AWS CLI is installed, and region is set.
Console Access IssuesVerify console access is enabled and MFA is configured correctly.

☁️ Cloud-Specific Tips

  • Multi-Account Strategy:

    • Use AWS Organizations with Service Control Policies (SCPs) for centralized IAM control.

  • Integration:

    • Combine IAM with Security Groups for network-level security.

    • Use roles with Lambda, ECS, or EKS for secure service access.

  • Auditing:

    • Enable AWS Config to track IAM changes.

    • Use AWS Trusted Advisor for security recommendations.

🎉 Conclusion

Mastering AWS IAM, MFA, and the Principle of Least Privilege is crucial for securing cloud environments. This hands-on exercise demonstrated how to create IAM users and roles, apply MFA, and enforce minimal permissions, preparing you for production-grade security. Keep practicing to build a secure and scalable cloud! 🚀

📚 Additional Resources

0
Subscribe to my newsletter

Read articles from Ritesh Singh directly inside your inbox. Subscribe to the newsletter, and don't miss out.

SecurityCloudAWSDevopsDevops articlesDevOps Journey

Written by

Ritesh Singh
Ritesh Singh

Hi, I’m Ritesh 👋 I’m on a mission to become a DevOps Engineer — and I’m learning in public every single day.With a full-time commitment of 8–10 hours daily, I’m building skills in: ✅ Linux✅ Git & GitHub✅ Docker & Kubernetes✅ AWS EC2, S3✅ Jenkins, GitHub Actions✅ Terraform, Prometheus, Grafana I post daily blogs on Hashnode, push projects to GitHub, and stay active on LinkedIn and Twitter/X. Let’s connect, collaborate, and grow together 🚀 #100DaysOfDevOps #LearningInPublic #DevOps