Amazon Web Services started in 2002 with a simple SQS service and has since expanded to 2000+ services. Every year AWS holds an event called AWS re:Invent, where AWS communities from around the world gather and AWS announces the new services coming in the upcoming year. By default, every new service is available in the us-east-1 region first, and it gradually expands its footprint to other regions.
IAM
In this article, we'll be talking about AWS IAM, i.e. the AWS Identity and Access Management service. With IAM you can securely control individual and group access to your AWS resources: you create and manage user identities ("IAM users") and grant those IAM users permissions to access your resources.
To use IAM you need access to at least one AWS service that is integrated with IAM. You can then manage users, groups and permissions via the AWS CLI or the AWS Console.
Users
Users created with IAM are called IAM users. You have one root user, the superuser of your AWS account, and then you have IAM users. Typically an organization creates an Administrator user who takes care of creating the other users and groups and their related policies. Groups are created for a set of users who share common permissions. You can create more than one group, and one user can be a member of more than one group, but a group can't be a member of another group.
Every IAM user created with programmatic access has an access key ID and a secret access key. These keys can be used to access all AWS services through the SDKs, the REST API or the AWS CLI. Make sure that you never share those keys with anyone or embed them directly in any code.
Policies
AWS provides a set of standard policies with which users can access AWS services. In the AWS console you can assign policies with the visual editor or write them directly in JSON format. Below is an example of such a JSON policy for EC2 resources: it allows attaching and detaching volumes, but only when the request comes from the instance named in the condition.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
            }
        }
    ]
}
Security
IAM is also used to define security policies and enforce them on users. These are mainly the account password policy (minimum password length, required strength and character combination, password rotation period) and MFA. MFA is multi-factor authentication, which can be set up with a virtual authenticator app such as Google Authenticator or Authy. Physical MFA devices are supported as well, but they are used much less often.
Security Tools
IAM provides two security tools to run reports on your AWS account.
- IAM Credentials Report - This report gives you an account-level list of all users and the status of their various credentials.
- IAM Access Advisor - This report gives you an overview of which permissions each user received and when each permission was last used. It usually takes 4 hours for the data to be populated for a user, and the data is retained for 365 days.
IAM Best Practices
- Don't use the root user for day-to-day work
- One physical user = one AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Enforce the use of MFA
- Create and use roles for giving permissions to AWS services
- Audit your AWS account permissions with the IAM Credentials Report and Access Advisor
- Never ever share your access key and secret key
- Never use them directly in your code
- ENV files containing keys should never be pushed to any Git repo
Summary
AWS IAM is the service that helps you govern your account and your users. With IAM, users, groups and policies are created to manage the users of your AWS account effectively. AWS IAM is also used to bring your account into PCI DSS compliance. In all cases, you have to follow the IAM best practices to keep your account safe.