This blog is a part of my journey “Embarking on the AWS Solution Architect Associate SAA-CO3 Certification Journey”
Table of Content
- Introduction
- IAM permission
- IAM policy structure
- IAM Policy Consists of
- IAM Policy Statement Struture
- IAM Multi-Factor Authentication (MFA):
- Password Policy
- MultiFactor Authenticator App
- How can user access AWS?
- What is AWS CLI?
- What is AWS SDK?
- What is AWS Cloud Shell?
- How to create Access Key?
- IAM Roles for AWS Services
- IAM Security Tools
- IAM Access Advisor (User Level)
- IAM Best practices
- Conclusion
Introduction
Amazon Web Services (AWS) Identity and Access Management (IAM) plays a pivotal role in securing your AWS resources and ensuring that only authorized users and services can access them. This comprehensive guide will take you through the fundamentals of AWS IAM, its core components, best practices, and security tools.
Introductory Points
- AWS IAM is a global service, not bound by AWS Region.
- Multiple users can be created within an AWS organization, each corresponding to an AWS user.
- The root user is created by default and should not be shared due to its extensive privileges.
- IAM introduces the concept of groups for organizing users.
- Groups cannot contain other groups, simplifying management.
- Users can belong to no group, one group, or multiple groups.
IAM Permissions
- Users and groups can be assigned JSON policies defining their permissions.
- The principle of least privilege should be applied, granting only necessary permissions.
- Users belonging to multiple groups inherit policies from all groups.
IAM Policy Struture
1. IAM Policy Consists of
- Version: Policy Language Version
- Id: Identifier for the policy (optional)
- Statements: Defines the permissions and restrictions for specific AWS resources and actions
2. IAM Policy Statement Struture
- Policies consist of statements that define the permissions and restrictions for specific AWS resources and actions. Each statement within an IAM policy includes the following components
- Sid: An identifier for the statement (optional)
- Effect: This specifies whether the statement allows or denies access. There are two possible values: Allow: Grants permissions to perform specified actions. Deny: Explicitly denies permissions, which can override an “Allow” statement.
- Principal: Entity for which this policy is applied to, such as users, groups, roles, and AWS services.
- Actions: List of actions this policy allows or denies
- Resource: List of resource for which action applied to.
- Condition: Conditions for which this policy is in effect (optional)
Example
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::my-example-bucket",
"arn:aws:s3:::my-example-bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
},
"DateLessThan": {
"aws:CurrentTime": "2023-12-31T17:00:00Z"
},
"DateGreaterThan": {
"aws:CurrentTime": "2023-12-31T09:00:00Z"
}
}
}
]
}
IAM Multi-Factor Authentication (MFA):
IAM (Identity and Access Management) Multi-Factor Authentication (MFA) is required to enhance the security of AWS (Amazon Web Services) accounts and resources. MFA adds an extra layer of protection beyond just a username and password, which makes it significantly more challenging for unauthorized individuals to gain access to your AWS account
Password Policy
You can define the policy on how the password should be. Strong passwords higher security for your account. Policies that you can configure are
- You can configure minimum Password length
- Requires Specific Character Type
- Requires user to change password sometime
- Prevent password reuse
MultiFactor Authenticator App
- MFA = Password you know + security device you own
- If a password is stolen or hacked, account will not be compromised.
How can user access AWS?
1. To Access AWS, you have three options
- AWS Management Console (Protected by password + MFA)
- AWS command line interface (AWS CLI) (Protected by Access Keys)
- AWS Software developer Kit (SDK) for code. (Protected by Access Keys)
2. Access Keys are generated through AWS console.
3. Users manage their own key, Access key are like password and should be protected.
What is AWS CLI?
- A tool that enables you to interact with AWS service using commands in your command line shell
- You can access to the API provided by AWS
What is AWS SDK?
- They are Language specific libraries
- Allow us to access and manage AWS services programtically
- This is generally embeeded to your application
- Both AWS CLI and AWS SDK requires Access Key to access account’s resources.
What is AWS Cloud Shell?
- CloudShell is a free AWS service allow to us to execute commands on the resources.
- Credentails are automatically picked of the users who using the service.
- It has upload and download file feature.
How to create Access Key?
Access keys are created through the IAM console: Users → [Select User] → Security Credentials → Create Access Key.
IAM Roles for AWS Services
As we know AWS IAM Policies are for Users and Group, AWS services can be managed by IAM Roles.
- IAM roles are used to manage AWS services.
- Services can assume roles to perform actions on your behalf.
- Common roles include EC2 Instance Role, Lambda Function Role, and CloudFormation Role.
IAM Security Tools
To understand the pattern and user behaviour IAM provide 2 security tool, which can be used to take action on IAM policies or enhance security.
IAM Credential Report
- This is account level report
- This report as the list of all the users and their login and credential status. Example When password was changed, Last login, How many times user logged in etc.
IAM Access Advisor (User Level)
- Access Advisor shows the service permission granted to a user and when those service last accessed.
- You can use this information to revise policies.
IAM Best practices
- Don’t use the root account except for AWS account setup.
- Follow a one physical user to one AWS user principle.
- Organize users into groups and assign permissions to groups.
- Implement a strong password policy.
- Enforce MFA usage.
- Leverage roles for granting permissions to AWS services.
- Use access keys for programmatic access.
- Regularly audit your account permissions using IAM Credential Report and IAM Access Advisor.
- Never share passwords or access keys.
Conclusion
Understanding AWS IAM is crucial for securing your AWS resources effectively. By following best practices and leveraging the tools and features IAM provides, you can enhance the security of your AWS environment and ensure that only authorized users and services access your resources. Hands-on experience and regular aud