Overview

AWS Identity and Access Management (IAM) provides access control for AWS users/applications to the various AWS services and resources.

Features

  • Available only in the Global region (IAM is not scoped to an individual AWS region)
  • Globally resilient service
  • Always free service

Account Types

There are a number of account types that can be configured in an AWS environment.

  • Root - The identity tied to the email address used to sign up for the AWS account. Full administrative access.
  • User - An identity for a single physical person.
  • Group - A collection of users based on job function (admin, developer, etc.).
  • Role - An identity that is assumed rather than owned, used to control access between AWS services (e.g. an EC2 instance accessing S3).

Credential Types

Credentials are used to secure access to AWS user accounts.

  • Username/Password - The default login credentials for users.
  • MFA - Multi-Factor Authentication adds an additional authentication factor to Username/Password logins.
  • Access Key ID/Secret Access Key - Allows programmatic access (CLI, SDK, API) to AWS resources and services.

Policy Documents

  • IAM policy documents define access permissions and can be assigned to users, groups and roles.
  • Policy documents are written in JSON format. An example AWS built-in (managed) policy, PowerUserAccess, is below. Its first statement uses NotAction to allow every action except those in the iam, organizations and account namespaces; the second statement then allows a small set of those excluded actions explicitly.
PowerUserAccess
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "NotAction": [
              "iam:*",
              "organizations:*",
              "account:*"
          ],
          "Resource": "*"
      },
      {
          "Effect": "Allow",
          "Action": [
              "iam:CreateServiceLinkedRole",
              "iam:DeleteServiceLinkedRole",
              "iam:ListRoles",
              "organizations:DescribeOrganization",
              "account:ListRegions"
          ],
          "Resource": "*"
      }
  ]
}
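To show how the two PowerUserAccess statements combine, the following script is an added example (it is not part of these notes and is not AWS's own evaluation code). It implements a simplified IAM decision procedure: an explicit Deny wins over everything, any matching Allow grants access, and anything else is the implicit deny that a newly created user starts with. Action names are matched case-insensitively with IAM-style wildcards; Condition blocks, principals and resource-based policies are deliberately not modelled. The DENY_S3 policy and the ARN values are constructed for the demonstration.

```python
import fnmatch

# The AWS managed PowerUserAccess policy, copied from the notes above.
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": ["iam:*", "organizations:*", "account:*"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions",
            ],
            "Resource": "*",
        },
    ],
}

# Constructed for this example: a customer policy that blocks all S3 actions.
DENY_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are case-insensitive; '*' and '?' are IAM wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, resource):
    """ARNs are matched case-sensitively with the same wildcard rules."""
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def statement_applies(statement, action, resource):
    """Return True if a statement covers this (action, resource) pair.

    NotAction inverts the action test: the statement applies to every action
    EXCEPT the ones listed. NotResource works the same way for resources.
    """
    if "Action" in statement:
        if not _action_matches(_as_list(statement["Action"]), action):
            return False
    elif "NotAction" in statement:
        if _action_matches(_as_list(statement["NotAction"]), action):
            return False
    else:
        return False  # a statement must name Action or NotAction

    if "Resource" in statement:
        if not _resource_matches(_as_list(statement["Resource"]), resource):
            return False
    elif "NotResource" in statement:
        if _resource_matches(_as_list(statement["NotResource"]), resource):
            return False
    else:
        return False
    return True


def evaluate(policies, action, resource="*"):
    """Simplified identity-based policy evaluation (assumption: no Conditions).

    Returns "explicit deny", "allow" or "implicit deny". With no policies at
    all the result is always "implicit deny", which is why a new IAM user can
    do nothing until a policy is attached via a group or role.
    """
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not statement_applies(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit deny"  # Deny is final, stop immediately
            if statement["Effect"] == "Allow":
                allowed = True
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    bucket_obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed ARN
    for pols, act, res in [
        ([POWER_USER_ACCESS], "s3:GetObject", bucket_obj),
        ([POWER_USER_ACCESS], "iam:CreateUser", "*"),
        ([POWER_USER_ACCESS], "iam:ListRoles", "*"),
        ([POWER_USER_ACCESS, DENY_S3], "s3:GetObject", bucket_obj),
        ([], "ec2:DescribeInstances", "*"),
    ]:
        print(f"{act:<30} -> {evaluate(pols, act, res)}")
```

Running the script shows that PowerUserAccess grants s3:GetObject and iam:ListRoles, silently withholds iam:CreateUser (the NotAction carve-out, with no second-statement entry to restore it), and that a single Deny policy attached alongside it overrides the broad Allow.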

Caveats

  • By default, new users have no permissions when created.
  • There is a limit of 5000 IAM users per account.
  • An IAM user can be a member of at most 10 groups.

Best Practices

  • Secure the root account with Multi-Factor Authentication (MFA).
  • Do not use the root account for day-to-day management.
  • Follow the principle of least privilege when assigning permissions.
  • Create user groups with appropriate permissions and assign users to the appropriate group(s).
  • Assign IAM policy documents to groups and/or roles. Do not assign them to users.
  • Set up a password rotation policy.
