AWS - Identity Access Management


In this article, I would like to articulate Identity Access Management and its usage. 

Identity access management (IAM)

IAM is one of the services in the AWS platform which helps us access inline services in a more secure option through centralised approach, such as which user has what access and how to prevent and grant access.

In IAM, we can avail the option of two types of users

  • User
    • In IAM, we can create users and assign permission to them, however, it’s not the best practice.
    • Users can be available in multiple groups, so the same user can have multiple access based on the group to which he belongs to.
  • Groups (It contains multiple users)
    • A group is one which has a set of users, not by any group. It's good that we can give permission at the group level, so that we can map the user in the respective group and what kind of access the organization wants to avail them.

A few things which we need to note here while creating a user please use an IAM account instead of a root account due to security perspective. We have a Tag option in IAM, which is used to organize the control access. One physical user means one AWS user, so please don’t share your account with anyone. Instead of that you can create a new user and assign it to the respective permission group. This is mainly for security purposes. 

IAM Policies

The IAM policies are used to set what kind of policy we are going to define for the user or group. Again, here only two options play on here such as

Group of users applies single policies. To apply the policy to the user instead of the group, we named it as an Inline policy. A user can have multiple policies, since he may be in different groups. Policy structure notes follow as below

Sample IAM Policy Structure

Identity Access Management - AWS

IAM Policy

IAM policy is one used to protect users and groups using passwords and other external security devices.

  • We can protect passwords using conventional ways, such as changing passwords after some days or month
  • Since the password is getting stolen easily so we have a new method called MFA. The MFA is called multi-factor authentication which has a password + security code like OTP to give more in line with security.
  • In MFA we have few options in AWS
    • Virtual MFA device availability such as Google Authenticator (phone only) and Authy (muti-device)
    • Physical device (Universal 2nd factor security key) which suppose to be inserted in the computer
    • A hardware device such as Gemalto and SurePassID. Please note SurePassID is used for AWS GovCloud (US)

The user can be able to access AWS with different options, please follow the different options

  • Management console using password + MFA
  • Command Line Interface (CLI) using access key (AccessKey ID and Secret Access key)
  • Software Development Kit (SDK) for code using an access key.

Please note access key is generated through the AWS console. Each user has their own access key. Its as like as password, so please don’t share them. Also don’t use root user while creating access key, please use your IAM user.

Few CLI Commands Hands On example

aws configure (this command is used to setup accesskeyid, key, and region)

aws iam list-users (this command gets the list of available users in your IAM account)

AWS Cloud Shell

The AWS cloud shell is again another console that is available only for a specific region as of now. We can use this option instead of using CLI. It has few more facilities comparatively than CLI, however, both do the same. Happy to use whichever you like to use.

IAM Roles for Services

The Role is used to assign or enable permission to the user or group to access the AWS service(s). For e.g., the admin role can access more than the supervisor role.

IAM Security Tools

The security tool is used to keep eye on the access, which user or group has what access, also how they are accessing it, this is used to understand the current access and gives an idea to revise policy later accordingly.

  • Credential Report (account level)
    This feature is available at the account level and used to list all your accounts users and the status of their various credentials
  • Access Adviser
    This option is available at the user level which gives a view of granted service permissions and when those are accessed. Maybe this is used to understand and revise the policy later point in time.

Thanks, I hope this helps you, will meet on ec2 fundamental in the next session. 

Similar Articles