AWS IAM: Taking a Deep Dive
AWS IAM is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users and applications can access. You can also use IAM to enable authentication and authorization for your AWS workloads.
In this blog post, we will dive deep into AWS IAM and explore its components, features, and best practices. We will also learn how to use IAM to manage users, groups, roles, policies, and more.
What is AWS IAM?
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
However, using the root user for your everyday tasks is not recommended. Instead, you should create individual IAM users for yourself and others who need access to your account, and enable MFA on them for extra security. You can also create IAM groups to organize your users and assign permissions to them, and IAM roles to delegate permissions to trusted entities, such as AWS services, applications, or external identities.
With IAM, you can also enable multi-factor authentication (MFA) for your account and users for extra security. MFA requires users to provide not only a password or access key but also a code from a specially configured device or app.
Additionally, you can use IAM to monitor and audit the activity in your account using features such as AWS CloudTrail, IAM Access Analyzer, and IAM Access Advisor.
How does AWS IAM work?
AWS IAM works by using the following components:
Identities: These are the entities that can be authenticated and authorized to access AWS resources. Identities include IAM users, groups, roles, and federated users.
Principals: These are the entities that perform actions on AWS resources. Principals can be authenticated by AWS or by a trusted external identity provider (IdP). Principals include IAM users, federated users, applications, or AWS services that assume an IAM role.
Authentication: This is the process of verifying the identity of a principal. Authentication can be done by using a password, an access key, a temporary security token, or an external IdP.
Authorization: This is the process of determining what actions a principal can perform on which resources. Authorization is done by using policies that specify the allowed or denied actions and resources.
Policies: These are JSON documents that define the permissions for principals. Policies can be attached to identities or resources. Policies can be managed by AWS or created by you.
Resources: These are the AWS entities that principals can access. Resources include EC2 instances, S3 buckets, DynamoDB tables, Lambda functions, etc. Resources have unique identifiers called Amazon Resource Names (ARNs).
What are the features of AWS IAM?
AWS IAM provides the following features:
Shared access to your AWS account: You can grant other people permission to administer and use resources in your AWS account without having to share your password or access key.
Granular permissions: You can grant different permissions to different people for different resources. For example, you might give certain teams access to the Billing dashboard only, while another user is granted full access to S3, EC2, and so on, according to what their role requires.
Secure access to AWS resources for applications that run on EC2: You can use IAM roles to securely provide credentials for applications that run on EC2 instances. These credentials give your application permission to access other AWS resources, such as S3 buckets, without embedding long-term access keys on the instance.
Multi-factor authentication (MFA): You can add two-factor authentication to your account and users for extra security. With MFA you or your users must provide not only a password or access key to work with your account but also a code from a specially configured device or app.
Identity federation: You can allow users who already have identities defined outside of AWS to access AWS resources. For example, you can allow users who sign in to your corporate network or your online application to access AWS resources without creating IAM users. You can use identity providers such as AWS Single Sign-On, AWS Directory Service, Amazon Cognito, or third-party providers such as Okta, Ping Identity, or Microsoft Active Directory.
Identity information for assurance: You can use IAM features to verify who made requests to access resources in your account. You can also use IAM to add conditions to control how a user can use AWS, such as time of day, their originating IP address, or whether they are using SSL.
Free to use: IAM is a feature of your AWS account offered at no additional charge. You will be charged only for the use of other AWS services by your users.
How to get started with AWS IAM?
To get started with AWS IAM, you can follow these steps:
Sign in to the AWS Management Console as the root user and open the IAM console at https://console.aws.amazon.com/iam/.
Create an IAM user for yourself and add it to an IAM group with administrative permissions. This way, you can avoid using the root user for your everyday tasks.
Enable MFA for your root user and your IAM user for extra security.
Create IAM users for other people who need access to your account and assign them to appropriate IAM groups or attach individual policies to them.
Create IAM roles for applications or AWS services that need to access your resources and specify the trusted entities that can assume them.
Use IAM policies to define the permissions for your users, groups, and roles. You can use AWS managed policies or create your own custom policies.
Use IAM features such as CloudTrail, Access Analyzer, and Access Advisor to monitor and audit the activity and permissions in your account.
For more information and detailed steps, refer to the official IAM User Guide.
Conclusion
In this blog post, we have learned about AWS IAM and its components, features, and best practices. We have also learned how to use IAM to manage users, groups, roles, policies, and more.
We hope that this blog post has helped you understand AWS IAM better and how to use it effectively. If you have any questions or feedback, please feel free to leave a comment below.