Identity and Access Management (IAM)
- IAM is a
Core
AWS service that helps you control access to Resource - The
Resources
are the entities you create in AWS. Ex: S3 Bucket or Object, DynamoDB, Lambda, EC2, etc. - The Users & Roles attempt to perform
Actions on resources
, Ex:S3::CreateBucket
,S3::ListBucket
, etc. - The User and Role authorization to perform an
Action depends on a Policy
Example:
Suppose Jon
is a new IAM user
with no permission and he wants to create an S3 bucket
. If he tries to createBucket
by using an API or from the console. He will get Access Denied
. By default, everything is Deny
. You need to attach a policy to Jon
to allow this action.
This is an example of a Policy document:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStatement1",
"Effect": "Allow",
"Action": [
"s3:createBucket"
],
"Resource": [
"arn:aws:s3:::example-bucket"
]
},
{
"Sid": "AllowStatement2",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::example-bucket/*"
]
}
]
}
Go to the IAM console. Then from Policies
click create Policy
button:
Version: Version of the policy document.
-
Statement: Statement is an array. We can add multiple different statement on a single policy document. Every permission has been writen inside this Statement block.
- Sid: Just a name of your policy statement.
-
Effect: Could be
Allow/Deny
. If we want toallow something
then we need toAllow
. If we want toexplicit Deny something
we need toDeny
. By default everyting isDeny
. - Action: This is the place where we need to put our permissions. We can add multiple permissions and also we can add regular expression. Here we give S3 create bucket permission.
-
Resource: Resource is for reduce scope of the action.
*
means everyting. Here we give him access to create a specific bucket. The bucket name should beexample-bucket
. Otherwise he will getaccess denied
.
Effects of AllowStatement1: AllowStatement1
will allow the user to create the bucket. Bucket name should be 'example-bucket'.
Effects of AllowStatement2: AllowStatement2
will allow the user all action to that specific bucket. That means Jon
can do whatever he wants into that bucket.
How IAM policy Works
By default decision starts with
Deny
.Then it evaluate all applicable policies. (Only policies that match the action and conditions are evaluated.)
Then it is looking for an explicit Deny. If there is an
explicit Deny
for this action then the final decision isDeny
.If there is
no explicit Deny
then it will looking for anexplicit allow
. If it findany explicit allow
then the final decision isAllow
.If there is
no explicit allow
for the action then the final decision isDeny
.
Example of grant a user to a specific folder in the bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStatement1",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowStatement2",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::example-bucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"example-folder"
]
}
}
},
{
"Sid": "AllowStatement3",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::example-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"example-folder/*"
]
}
}
},
{
"Sid": "AllowStatement4",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::example-bucket/example-folder/*"
]
},
{
"Sid": "AllowStatement5",
"Effect": "Deny",
"Action": [
"s3:Delete*"
],
"Resource": [
"arn:aws:s3:::example-bucket/example-folder/*"
]
}
]
}
AllowStatement1 allows the user to list the buckets that belong to their AWS account. The user needs this permission to be able to navigate to the bucket using the console.
AllowStatement2 allows the user to list the folders within
example-bucket
, which the user needs to be able to navigate to the folder using the console. The statement also allows the user to search on the prefixexample-folder/
using the console.AllowStatement3 allows the user to list the contents within
example-bucket/example-folder
.AllowStatement4 allows the user to download objects (s3:GetObject) from the folder
Dexample-bucket/example-folder
.AllowStatement5 deny user to all action which is start with
Devele
from the folderDexample-bucket/example-folder
. That means he can't delete anything indite that folder.
Other Important Concepts
Groups: Allow the admin or Owner to grouping thier policy or permissions for the users. one Group can be attached with multiple users and also One User can be in multiple groups. User will get the access which is define inside this attached group(s).
To create Group go to the IAM console. From the User groups
tab click 'Create group`
You can select as many policies as you need for this group, You can add users to the group from here or you can add them from the Users
tab later. Search the policy to filter
Users: A person who will use this AWS account.
To create user go to the IAM console. From the Users
tab click 'Add users`
You can give only Programmatic access
or AWS console access
or both: select as per your requirements:
You can add user to group
or Copy permissions from existing user
or Attach existing policies directly
:
Roles: Roles are similar to the user which has a certain policy document attached. Roles are used for limited access privilege or temporary access for the user or services.
- Role could be used by a user by AssumeRole
& 'Trust relationships'.
- Role can be used by a Resource.
To create role go to the IAM console. From the Roles
tab click 'Create role`. It will asking for a policy select as many policies as you want for this role and create the role.
Trust Relationships: This can happen within Two AWS accounts, within two roles, within role and user.
Example of within two separate AWS accounts:
Suppose we have 2 AWS accounts:
Account_1
Account_2
Both accounts need to allow a Trust Relationship between them:
- Account_1 should have a role in the
trust relationship
with Account_2's user or role.
- Account_2 should give that user or role to
sts:AssumeRole
in theAccount_1 role
.
Note: trust relationship
could have been one user or role or a group or all users & roles.
Summary
In this post, I showed βWhat is IAM and how does it works. IAM core features.β. Try to understand the IAM very clearly. It will give you a better experience with cloud computing.
To learn more, read the AWS IAM documentation.
Thanks for reading! Happy Cloud Computing!
Connect with me: Linkedin
Top comments (0)