In this series of articles, we'll look into some of the basic concepts and purposes surrounding AWS Identity and Access Management (IAM).
IAM, or some of its components, may be used by different AWS users, by external applications, and by on-premises data centers in a hybrid environment; for example, an S3 bucket can be accessed through IAM components such as users, groups, roles, policies, and API keys.
IAM Essentials
IAM is where you manage your AWS users, groups, and roles, and their access to your AWS account and its services. It grants access and permissions to AWS resources such as EC2, S3, and DynamoDB.
IAM is global across all regions: creating a user applies to every region. With IAM you can manage the items listed below.
- Users
- Groups
- Roles
- IAM Access Policies
- API Keys
You can also specify a password policy and manage MFA requirements on a per-user basis.
Whenever you create a new IAM user in an AWS account, it is created with NO access to any AWS service. This default is known as the “Non-explicit deny role”.
Permissions must be granted to every user except the root user, and this is done through IAM policies.
Some of the best practices shown under “Security Status” in IAM that should be followed after the AWS root account is created are listed below:
- Delete Root access keys
- Activate MFA on your Root account.
- Create an individual IAM user
- Use groups to assign permissions
- Apply an IAM password policy
- Rotate your access keys
Activate MFA on your Root account
MFA can be set up with either of the two options below:
- A virtual MFA device
- A hardware MFA device
Create an individual IAM user
Create IAM users and give them only the permissions they need. Do not use your AWS root account for day-to-day interaction with AWS, because the root account provides unrestricted access to your AWS resources.
You can create IAM users with any of the options below:
- Creating IAM Users (Console)
- Creating IAM Users (AWS CLI)
- Creating IAM Users (AWS API)
While creating a user you need to specify:
- User name
- Access type:
  - Programmatic access, which issues an access key ID and a secret access key
  - AWS Management Console access, which uses a password to sign in to the console
- The permissions to assign to the user
Use groups to assign permissions
Use IAM groups to assign permissions to your IAM users to simplify managing and auditing permissions in your account. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need.
When creating a group you need to specify:
- Group Name
- Attach the policy to the group
Apply IAM password policy
Use a password policy to require your IAM users to create a strong password and to rotate their password regularly.
Rotate your access keys
Change your access keys regularly (at least once per year) and delete unused access keys to reduce your risk in case of accidental exposure.
The best practice is to sign in and do daily work as an IAM user rather than as the root user.
You must always apply the principle of least privilege when administering AWS accounts, user groups, and roles. For example, if a user needs to work inside one S3 bucket, grant access to that specific bucket rather than to the entire S3 service.
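As an added illustration (not code from the original article), the two policy documents below contrast service-wide S3 access with a policy scoped to a single bucket, and a simplified evaluator shows how IAM decides a request: an explicit Deny always wins, a matching Allow grants access, and anything else falls through to the implicit deny that a new user starts with. The bucket name `example-reports` is a constructed placeholder, and the evaluator ignores `Condition`, `NotAction` and `NotResource` for brevity.

```python
import fnmatch

# Constructed sample policies (placeholder bucket name, not from the article).
BROAD_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

BUCKET_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # default for a user with no matching statement
    for stmt in policy.get("Statement", []):
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print("broad  :", evaluate(BROAD_S3_POLICY, "s3:DeleteBucket", "arn:aws:s3:::other-bucket"))
    print("scoped :", evaluate(BUCKET_SCOPED_POLICY, "s3:GetObject", obj))
    print("scoped :", evaluate(BUCKET_SCOPED_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/q1.csv"))
```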
In the next part, we will be discussing IAM Policies.