IAM

Ultimate AWS

IAM stands for Identity and Access Management. It is a global service.

General considerations

  • The Root user is created by default when we create our account.

  • Groups only contain users; groups cannot contain other groups.

  • A user can be a member of multiple groups.

For security reasons, never use the root user account.

IAM: Permissions

Users or groups can be assigned JSON documents called policies. Policies are what allow them to access and use specific services.

Always apply the least privilege principle.

Creating a user and a group using AWS console

Creating a new user and assigning it to a group is straightforward in the AWS console via the IAM service. The GUI is quite explicit on how to create users and groups.

We can then create a group, assign a policy to the group and associate the user with the group. The user inherits the access that the policy grants through its group membership.

For each account, we can create a unique account alias that is used in the URL for signing in to the AWS console.

IAM Policies

Policies can be attached either to a group or to a user.

Inline policy: a policy that applies only to a specific user.

A JSON policy document consists of:

  • Version

  • Id (optional)

  • Statement (one or more)

Statements consist of:

  • Sid (optional): an identifier for the statement.

  • Effect: Allow or Deny access.

  • Principal: the account/user/role this policy applies to.

  • Action: list of actions this policy allows or denies.

  • Resource: list of resources the actions apply to.

  • Condition: conditions under which this policy is in effect (optional).

In the AWS console, we can create a policy either with the graphical editor or by writing our own JSON directly.
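The policy structure above, as an added example that is not part of the original notes: a small checker that walks a policy document, verifies the elements listed above, and flags an Allow statement with a wildcard Action and Resource as a least-privilege violation. The sample policy, its Sids, the bucket ARN and the check_policy function are constructed for this illustration; the Version value "2012-10-17" is the current IAM policy language version.

```python
import json

# Constructed sample policy (not from the notes): one tightly scoped statement
# that also requires MFA, plus a second statement that is far too broad.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "example-policy",
    "Statement": [
        {
            "Sid": "ListOneBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-bucket",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Elements the policy grammar permits inside a statement.
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def check_policy(document: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    policy = json.loads(document)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = policy.get("Statement")
    if statements is None:
        return findings + ["missing Statement"]
    for i, stmt in enumerate(_as_list(statements)):
        label = stmt.get("Sid", f"statement[{i}]")
        unknown = set(stmt) - STATEMENT_KEYS
        if unknown:
            findings.append(f"{label}: unknown keys {sorted(unknown)}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{label}: missing Action")
        # Least privilege: Allow on every action of every resource grants everything.
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            findings.append(f"{label}: Allow with Action '*' on Resource '*' violates least privilege")
    return findings
```

Running check_policy(SAMPLE_POLICY) reports only the TooBroad statement; the MFA-conditioned statement passes.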

IAM Password Policy

AWS allows setting a password policy for IAM users. Passwords of higher complexity increase security.

MFA

Implementing MFA is strongly recommended.

Virtual MFA device: supports multiple tokens on a single device.

  • Google Authenticator (phone only)

  • Authy (multi-device)

Physical devices provided by third parties:

  • Physical Universal 2nd Factor (U2F) Security Key

  • YubiKey (3rd party): supports multiple root and IAM users with a single security key.

  • Hardware Key Fob MFA Device

  • Hardware Key Fob MFA Device for AWS GovCloud (US).

How to access AWS?

  • AWS Management Console (password + MFA);

  • AWS CLI (access key);

  • AWS Software Development Kit (SDK): to make AWS API calls from our source code (requires an access key).

Access Key

Access keys are created from the AWS Management Console. To allow a user to use the AWS CLI, we need to create an access key for that user.

Keep access keys protected. The Access Key ID is similar to a username and the Secret Access Key is like the password.

AWS CLI

A good alternative to the AWS Management Console. It can be used to write scripts that automate tasks. The AWS CLI is open source and can be found in its GitHub repo here.

Easy to install on Windows, Linux and macOS. Here.

AWS SDK

Embedded in our application. Supports many programming languages. Allows us to manage AWS services and make API calls programmatically.
