AWS Identity and Access Management (IAM)
- AWS Identity and Access Management (IAM) is the AWS service that controls access to AWS resources. With IAM you manage users, groups, roles, and policies that determine who (or what) can perform which actions on which resources.
- IAM is central to securing an AWS environment: every API call and every Management Console action is checked against IAM before it runs, so the same policies govern access whether a request comes from the console, the CLI, or an SDK. IAM also determines how much of an account a given identity can reach, from a single read-only action on one service up to full administration.
How IAM Functions
IAM controls authentication and authorization for your AWS account.
- First, a user or application authenticates with AWS by presenting credentials (a console password, access keys, or temporary credentials). IAM matches those credentials to a principal (an IAM user, federated user, IAM role, or application). If the credentials are valid for a known principal, the request is authenticated; otherwise it is rejected. Authentication alone grants nothing: what the principal may do is decided in the next step.
- Next, IAM receives a request from the principal to perform an action on specific resources. Based on the principal's identity, the policies that apply to it, and the context of the request (such as source IP address or time), IAM allows or denies the request. For instance, when you open a service in the AWS Management Console, you are sending an authorization request to IAM for that service. IAM verifies your identity, collects the applicable policies, evaluates any other policies in effect (such as resource-based policies or service control policies), and only then grants access. Authorized principals can perform actions on resources in your AWS account, such as launching an EC2 instance, modifying IAM group membership, or deleting S3 buckets.
Six Steps of How IAM Works
- Principal: An entity that can make a request for an action on an AWS resource. An IAM user, a role, an AWS service, or an application can be a principal.
- Authentication: The process of verifying the identity of the principal attempting to access an AWS service. The principal must present credentials (a password, access keys, or temporary credentials) to be authenticated.
- Request: The principal sends a request to AWS that names the action and the resource it targets. The request also carries context such as the caller's identity, source IP address, and time, which policies can reference.
- Authorization: IAM allows a request only if a policy that applies to the principal explicitly allows every part of it. An explicit Deny in any applicable policy overrides every Allow, and anything that is not explicitly allowed is denied by default.
- Actions: The operations a principal may perform on a resource, such as viewing, creating, editing, or deleting it (for example, s3:GetObject or ec2:TerminateInstances).
- Resources: The objects those actions apply to, identified by Amazon Resource Name (ARN), such as an S3 bucket, an EC2 instance, or an IAM user in your AWS account.
IAM Components
IAM uses several components to manage access and permissions.
- Users: IAM identities that represent a person or application needing access to AWS resources. Each IAM user has its own credentials (a console password and/or access keys) and receives permissions only through the policies attached to it directly or inherited from its groups. An IAM user is distinct from the root user; it can be given administrator permissions, but it is still subject to IAM evaluation. For example, you can give a user read-only access to a single service by creating the user and attaching a read-only policy. Because IAM user access keys are long-term credentials, prefer roles or federated identities where possible.
- Groups: Collections of IAM users managed as a single entity. Every user in a group inherits the permissions attached to the group, which keeps permission management tractable for many users. For example, you can create one group for users who need to manage an Auto Scaling group and another for users who need to manage both Auto Scaling groups and EC2 instances.
- Roles: IAM identities that have policies attached but no long-term credentials. Instead of belonging to one person, a role is assumed by whoever its trust policy permits (an IAM user, an AWS service, or a federated identity), and the assumer receives short-lived temporary credentials from AWS STS. This is how access is delegated to users, services, or applications without sharing passwords or access keys. For example, you can create a role that lets Amazon EKS access and manage EC2 instances on your behalf.
- Policies: JSON documents that state which actions are allowed or denied on which resources. Identity-based policies attach to users, groups, or roles; resource-based policies attach to the resource itself (an S3 bucket policy, for instance) and name the principals they grant. On every request IAM evaluates all applicable policies to decide whether the request is allowed or denied.
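The authorization rule above (explicit Deny beats explicit Allow, and anything not allowed is implicitly denied) is easy to state and easy to get wrong when wildcards are involved. The following Python is an added example, not AWS's evaluation engine or any code from this page: a deliberately simplified evaluator for identity-based policies that supports Effect, Action/NotAction, Resource/NotResource and the IAM wildcards, run against two constructed policies (the account ID and bucket name are made up). Condition blocks, resource-based policies, permission boundaries and SCPs are out of scope.

```python
"""Simplified IAM policy evaluation: explicit Deny > explicit Allow > implicit deny.

Added example, not AWS code. It models identity-based policies with Effect,
Action/NotAction and Resource/NotResource and the IAM wildcards '*' and '?';
Condition blocks, resource-based policies, permission boundaries and SCPs are
out of scope.
"""
import fnmatch
import json


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, ignore_case=False):
    # '*' matches any run of characters and '?' a single character, as in IAM.
    # Action names are matched case-insensitively; resource ARNs are not.
    if ignore_case:
        target = target.lower()
    return any(fnmatch.fnmatchcase(target, p.lower() if ignore_case else p)
               for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    if "Action" in stmt:
        action_hit = _matches(stmt["Action"], action, ignore_case=True)
    else:  # NotAction: every action except the listed ones
        action_hit = not _matches(stmt["NotAction"], action, ignore_case=True)
    if "Resource" in stmt:
        resource_hit = _matches(stmt["Resource"], resource)
    else:  # NotResource: every resource except the listed ones
        resource_hit = not _matches(stmt["NotResource"], resource)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource) request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow, so stop here
            allowed = True
    # Nothing matched, or only Allow statements matched: the default is deny.
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample policies (account ID and bucket name are made up).
ALLOW_LOGS_BUCKET = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]},
    {"Effect": "Allow",
     "Action": "ec2:Describe*",
     "Resource": "*"}
  ]
}""")

DENY_DELETES = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}
}""")

POLICIES = [ALLOW_LOGS_BUCKET, DENY_DELETES]

if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-logs/2024/app.log"),
        ("s3:DeleteObject", "arn:aws:s3:::example-logs/2024/app.log"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
        ("ec2:DescribeInstances", "*"),
        ("iam:CreateUser", "arn:aws:iam::123456789012:user/mallory"),
    ]:
        print(f"{action:22} {resource:45} -> {evaluate(POLICIES, action, resource)}")
```

Note the order of outcomes: s3:DeleteObject on the logs bucket is covered by the broad s3:* Allow, yet the single Deny statement wins; s3:GetObject on any other bucket and iam:CreateUser match nothing and fall through to the implicit deny. That is the behaviour to keep in mind when a broad Allow is "fixed" by adding a Deny rather than by narrowing the Allow.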
Principles of IAM
IAM adheres to security best practices, including the following principles:
- Least Privilege: Grant only the permissions a principal needs for its task, and remove them when they are no longer needed.
- Fine-Grained Permissions: Access can be scoped to specific actions on specific resources, with conditions on request context, rather than granted per service.
- Temporary Credentials: Prefer short-lived credentials obtained by assuming a role or through federation over long-term access keys; a leaked temporary credential expires on its own, a leaked access key does not.
Key Features of IAM
- Authentication: IAM lets you create and manage identities such as users, groups, and roles, and the credentials with which people, services, and applications prove who they are to your AWS account.
- Authorization: Access management in IAM consists of policies and the permissions they grant or deny; these are the rules IAM enforces on every request.
- Fine-grained permissions: IAM gives you granular control over permissions, so you can tailor access to exactly what each identity needs.
- Cross-account access: IAM roles let you delegate access between AWS accounts without sharing credentials, so a principal in one account can be granted scoped, temporary access to resources in another. AWS Control Tower builds on this to set up and govern multi-account environments.
- AWS Organizations: You can use AWS Organizations to group accounts and apply service control policies (SCPs), which cap the permissions available to identities in member accounts regardless of their IAM policies.
- Identity Federation: IAM lets users from an external identity provider such as Okta, G Suite, or Active Directory access AWS through SAML 2.0 or OpenID Connect, without creating an IAM user for each of them.
Root User
The root user is created when you first create an AWS account and has unrestricted access to every service and resource in it; IAM policies cannot limit it. Protect its credentials, enable multi-factor authentication on it, do not create access keys for it, and do not use it for everyday work. Instead, create an administrative identity for day-to-day administration (preferably a role or an AWS IAM Identity Center user rather than an IAM user with long-term access keys) and reserve the root user for the few account-level tasks that require it.
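Whether the root user and long-term credentials are being handled as described here is something you can check rather than assume. The following Python is an added example, not code from this page or from AWS: it audits an IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded in the API response) for a root user without MFA, root access keys, console users without MFA, and access keys older than an assumed 90-day rotation limit. The report embedded below is constructed and keeps only the columns the check reads; the column names themselves are the real ones.

```python
"""Audit an IAM credential report for root-user and long-term-credential risks.

Added example, not AWS code. The input is the CSV that
`aws iam get-credential-report` returns (base64-encoded in the API response);
the report below is constructed and keeps only the columns this check reads.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; tune to your own standard
ROOT_USER = "<root_account>"  # how the report names the root user

# Constructed sample. The column names are the real ones; a real report has
# more columns (password_last_used, last-used service/region, cert fields, ...).
SAMPLE_REPORT = f"""user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
{ROOT_USER},arn:aws:iam::123456789012:root,2019-03-01T09:00:00+00:00,not_supported,false,true,2019-03-01T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-06-10T12:00:00+00:00,true,true,true,2024-05-01T08:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-01-05T00:00:00+00:00,false,false,true,2021-01-05T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-09-20T15:30:00+00:00,true,false,false,N/A,false,N/A
"""


def _age_days(stamp, now):
    # The report uses N/A or no_information where a value does not apply.
    if stamp in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_credential_report(report_csv, now=None, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of (user, finding) tuples; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        # Root always has a console password (password_enabled reads not_supported),
        # so it is checked for MFA unconditionally; IAM users only if they can log in.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "console login without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Root access keys cannot be scoped down by IAM policy; they should not exist.
                findings.append((user, f"root access key {slot} is active"))
            age = _age_days(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > max_key_age_days:
                findings.append((user, f"access key {slot} is {age} days old"))
    return findings


def audit_sample():
    # Fixed clock so the result is reproducible.
    return audit_credential_report(SAMPLE_REPORT, now=datetime(2024, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user:15} {finding}")
```

Against the sample, the root user is flagged three times (no MFA, an active access key, and that key never rotated), ci-deploy once for a stale key, bob once for console access without MFA, and alice not at all. In a real account you would feed the decoded report from the API into audit_credential_report and decide on the key-age threshold yourself.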