Cloud Notes: AWS IAM

published: 30th of June 2022

Overview

AWS Identity and Access Management (IAM) provides access control for AWS users/applications to the various AWS services and resources.

Features

  • Available only in the Global region
  • Globally resiliant service
  • Always free service

Account Types

There are a number of account types that can be configured in an AWS environment.

  • Root - The email address used to sign up for the AWS account. Full administrative access.
  • User - A single physical person.
  • Group - Collection of users based on job function (admin, developer, etc).
  • Role - Control access between AWS services (EG: EC2 -> S3).

Credential Types

Credentials are used to secure access to AWS user accounts.

  • Username/Password - The default login credentials for users.
  • MFA - Multi-Factor Auth adds an additional authenticaiton mechanism to Username/Password logins.
  • Access Key ID/Secret access key - Allows programatic access to AWS resources and services.

Policy Documents

  • IAM policy documents define access permissions and can be assigned to users, groups and roles.
  • Policy documents are written in JSON format. An example AWS built-in document PowerUserAccess is below.
PowerUserAccess 
{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "NotAction": [
            "iam:*",
            "organizations:*",
            "account:*"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "iam:CreateServiceLinkedRole",
            "iam:DeleteServiceLinkedRole",
            "iam:ListRoles",
            "organizations:DescribeOrganization",
            "account:ListRegions"
        ],
        "Resource": "*"
    }
]
}

Caveates

  • By default, new users have no permissions when created.
  • There is a limit of 5000 IAM users per/account.
  • IAM users can be a member of 10 groups maximum.

Best Practices

  • Secure the root account with Multi-Factor Authentication (MFA).
  • Do not use the root account for day to day management.
  • Folow the principle of least privilege when assigning permissions.
  • Create user groups with appropriate permissions and assign users to the appropriate group(s).
  • Assign IAM policy documents to groups and/or roles. Do not assign them to users.
  • Setup a password rotation policy.

https://aws.amazon.com/iam/

https://learn.acloud.guru/course/certified-solutions-architect-associate

https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c02

# aws
# iam
# cloud