DEV Community

Nina Hwang

[AWS] 1. IAM

Once you create your AWS account, the first thing you should do is set up IAM. IAM (Identity and Access Management) controls who can access which AWS services and resources, and what they are allowed to do with them: you decide which users, applications and services may touch a given resource and which may not. Getting this right is essential for security, because the root user you sign up with has unrestricted access to the whole account and day-to-day work should be done with IAM identities instead. IAM is a global AWS service, so you do not select a region when configuring it.

1. IAM Identities

(1) Users

An IAM user is an entity you create in AWS to represent the person or application that uses it to interact with AWS. A user consists of a name and credentials: a password for console sign-in and/or an access key pair for the CLI, SDKs and APIs. Usually a user represents one physical person, and a few rules follow from that. First, create one IAM user per physical person so that credentials are never shared and every action can be traced to someone. Second, never share IAM credentials and never write them into source code; a key committed to a repository is found and abused quickly. Finally, give each user only the minimal permissions needed for their work.

MFA

To raise the level of security, enable MFA (Multi-Factor Authentication), which adds a second factor on top of the password. With MFA enabled, a user must enter a one-time code from their MFA device in addition to their user name and password when they sign in, so a stolen password alone is not enough. Enable it on the root user first, since the root user cannot be restricted by IAM policies.

(2) Groups

An IAM group is a collection of IAM users. Groups can be defined by function (e.g. admins, DevOps) or by team (e.g. engineering, design). Policies attached to a group apply to every user in it, and a user can belong to several groups, so managing permissions by group is much easier and less error-prone than attaching policies to users one by one. Groups cannot be nested and cannot contain roles.

(3) Roles

An IAM role is an IAM identity with specific permissions, like a user, but it has no long-term credentials of its own. Instead, a trusted entity (an AWS service such as EC2 or Lambda, a user in this or another account, or a federated identity) assumes the role and receives temporary credentials. That is what makes roles the secure way to grant permissions to entities you trust: an application running on EC2 should use an instance role rather than a copy of some user's access keys. As a rule of thumb, create one IAM role per application so that permissions stay scoped to what that application actually needs.

2. IAM Policies

Policies are JSON documents that define permissions. Each statement in a policy says whether an Effect (Allow or Deny) applies to a set of Actions on a set of Resources, optionally under Conditions. Identity-based policies are attached to users, groups or roles; resource-based policies are attached to the resource itself. Evaluation is deny by default: a request is allowed only if some policy explicitly allows it and no policy explicitly denies it. For example, an IAM user can open the Billing and Cost Management console only if a policy grants them the billing actions (and the root user has enabled IAM access to billing information in the account settings).
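As an added example (not from the original post or from AWS), the following Python script models how those evaluation rules play out for identity-based policies written in the same JSON shape as real IAM documents. The policies, users and group memberships are constructed for illustration; the first policy is the kind of full-admin policy attached to the group in the hands-on section below, and the second shows an explicit Deny overriding an Allow. Conditions, NotAction/NotResource, permission boundaries, SCPs and resource-based policies are deliberately left out.

```python
"""Simplified evaluation of IAM identity-based policies (added example, not AWS code).

Models three rules of IAM evaluation: everything is denied by default, an
explicit Allow grants access, and an explicit Deny in any applicable statement
overrides every Allow. Policies, users and groups below are constructed for
illustration. Not modelled: Condition, NotAction/NotResource, permission
boundaries, SCPs and resource-based policies.
"""
import json
import re
from typing import Iterable, List

# Constructed sample policies, in the same JSON shape as real IAM documents.
ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

LOG_READER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-logs/secrets/*"
    }
  ]
}
""")

# Constructed group memberships: a user's permissions are the union of the
# policies attached to every group they belong to (plus any attached directly).
GROUP_POLICIES = {"admins": [ADMIN_POLICY], "log-readers": [LOG_READER_POLICY]}
USER_GROUPS = {"alice": ["admins"], "bob": ["log-readers"], "carol": []}


def _as_list(value) -> list:
    """IAM accepts a single string or a list in Action and Resource fields."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard matching: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policies: Iterable[dict], action: str, resource: str) -> bool:
    """Decide one request against a set of identity-based policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive; ARNs are matched as written.
            action_hit = any(_glob_match(p, action, True) for p in _as_list(stmt.get("Action", [])))
            resource_hit = any(_glob_match(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny wins, stop immediately
            allowed = True    # remember the Allow, but keep looking for a Deny
    return allowed            # implicit deny if nothing allowed the request


def effective_policies(user: str) -> List[dict]:
    """Collect the policies a user inherits through group membership."""
    return [p for group in USER_GROUPS[user] for p in GROUP_POLICIES[group]]


def user_allowed(user: str, action: str, resource: str) -> bool:
    return is_allowed(effective_policies(user), action, resource)


if __name__ == "__main__":
    checks = [
        ("alice", "iam:CreateUser", "arn:aws:iam::123456789012:user/dave"),
        ("bob", "s3:GetObject", "arn:aws:s3:::example-logs/2024/app.log"),
        ("bob", "s3:PutObject", "arn:aws:s3:::example-logs/2024/app.log"),
        ("bob", "s3:GetObject", "arn:aws:s3:::example-logs/secrets/db.pem"),
        ("carol", "s3:GetObject", "arn:aws:s3:::example-logs/2024/app.log"),
    ]
    for user, action, resource in checks:
        verdict = "ALLOW" if user_allowed(user, action, resource) else "DENY"
        print(f"{verdict:5} {user:6} {action:16} {resource}")
```

Note the order of the checks inside `is_allowed`: a matching Deny returns immediately, while a matching Allow only records a provisional yes. That is exactly why the `admins` group in the hands-on section is so powerful (its single statement matches every action on every resource) and why an explicit Deny is the only thing that can carve exceptions out of it.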

3. IAM Hands-on

(1) Creating A User

In the IAM console, open Users and click the blue 'Add user' button.
Give the user a name and select the AWS access type: programmatic access (an access key ID and secret access key for the CLI, SDKs and APIs), AWS Management Console access (a password), or both. Grant only the kind of access the person actually needs.
Either add the user to a group or create a user that does not belong to any group. Adding the user to a group is the recommended way to give them permissions.
Optionally add tags. A tag is a key-value pair that helps you identify and organize your AWS resources.
Review the settings and create the user. Done! If you chose programmatic access, the secret access key is shown only at this step, so store it securely now and never paste it into code.

(2) Creating A Group

Open Groups and click the blue 'Create New Group' button.
Set the group name.
Attach appropriate policies to the group. Here I am giving the group full admin permission, which is appropriate for a small admins group; for other groups attach only the policies their function requires, following the least-privilege rule from the Users section.
Done! Any user added to this group now inherits its policies.
