AWS - IAM Service

Introduction 

 
As you all know, AWS is a cloud used for many purposes. We are not going to talk in detail about the cloud. Today, we are talking about security in the cloud. As the cloud is vastly used in IT projects for infrastructure, AWS is a pioneer in this area.
 
The way use of cloud getting increased many questions and challenges also getting arises. One of the most important questions is that of security. Almost every client meeting discusses the decision of choosing infrastructure, and the biggest discussion is security. Obviously, a decade ago everyone had their own infrastructure and everything was in their control. However, everyone agrees that this option is very costly as compared to today’s cloud infrastructure and services offered by the cloud providers.
 
So let’s see what AWS provides in terms of security. There are many types of AWS security services, but IAM is the most widely used service.
 

IAM 

 
Identity and Access Management.
 
We are going to find answers to few questions in this article:
  • What is IAM?
  • Why IAM?
  • How does IAM works?
Let’s address these one by one:
 
What is IAM?
 
Identity and Access Management (IAM) is a web service provided by AWS for securely controlling access to resources. IAM enables to create and control services for authenticating a user or limit access to a certain set of users who use resources. So if the admin wants to give access to a particular resource to a particular user, he can provide or restrict using IAM service.
 
Why IAM? 
 
When we use traditional or noncloud infrastructure only way to handle authentication and authorization is through
 
How does IAM works?
 
The IAM workflow basically consists of six elements as below,
  • Principal – Principal can be a User or Role or an application. A principal is an entity that will perform an action on Resource (AWS resource)
  • Request – Principal sends a request to AWS, which tells AWS clearly the action and which resource should perform that action
  • Authentication – basically authentication is the process to identify the user which is trying to access the actions of resources. Here, authentication is also the process of confirming the identity of the principal (it can be user, role or application) trying to access the AWS service or product. For successful authentication, principal must provide credentials or key sets that get used for authentication
  • Authorization – In AWS access to all resources is denied by default. IAM gives authorization to a request only if the request matches all the matching policies. After proper authentication and authorization of the request, AWS approve the action to execute and access the resources through that action to the principal.
  • Actions are used to create, edit, view, or delete resources.
  • Resources – resources are the services or products or set of activities that can be performed related to the AWS account.
Features of IAM
  • Free to Use – There is no separate charge for IAM security, which means you can create as many users, groups, policies as you want for free
  • Password Policy – This is a standard feature as any other application like user can reset the password, set the rule for attempt password before gets denied, etc
  • Shared Access – With this feature ONE resource can get accessed by any number of authorized users
  • Granular Permission – With this feature restriction can be applied to the request done by the user. User can have read access but cannot have update/delete access
  • Identity Federation – With this feature user can get authenticated by any trusted third party application like Google/Facebook, to maintain the one password
  • MFA (Multifactor Authentication) – IAM supports MFA, with this feature AWS creates one more layer of security to authenticate. In addition to Username and Password, AWS can ask for OTP which is a randomly generated number.
  • PCI DSS Compliance – PCI DSS stands for Payment Card Industry Data Security Standard. It is an information security standard that handles all details of Credit Cards. IAM complies with PCI DSS standards.

Components of IAM

 
There are other basic components of IAM. We are going to see them one-by-one, as shown below.
 
Users 
 
User is an AWS IAM user created by a Root user. It can also be an application that has permissions to access certain resources. This user is having credentials and required keys. Each user is associated with only one AWS account; it cannot have access to multiple accounts or even cannot have shared accounts and accesses. This facility or restriction has the advantage of one-to-one user specification due to which you can individually assign permission to each user.
 
Groups 
 
Groups are a collection of users. Generally, groups are created to apply specific rules or permissions, or conditions on multiple users in one go. In this case, it is the IAM group that has IAM users. Managing groups is an easier task than managing individual users. You can give the permissions to the group and those permissions get automatically applied to the users belonging to that group. Even new user also gets the same permission of the group as soon you add in the group.
 
Policies 
 
IAM policy sets the permission and controls AWS resource access. Policies are stored in JSON format. Permission states that who has access to which resources, for example, one IAM user can have One bucket of S3 but another user can not have it. Policies contain the below access information:
  • Which user can access the resource
  • What type of access user have for the particular resource (i.e. Read, Write, Delete)
There are 2 types of policies:
  • Inline Policy – This policy can be embedded directly in the entity
  • Managed Policy – This policy is default policy and can be attached to multiple entities
JSON format looks like:
 
 
This is the basic information about the AWS IAM feature very helpful to work with AWS Cloud. Without using or properly setting IAM, your resources can be at risk.