In the realm of cloud computing, Amazon Web Services (AWS) stands tall as a titan, offering an extensive range of services to cater to different business needs. However, with great power comes great responsibility, especially when managing access to these services.
This is where AWS IAM (Identity and Access Management) comes into play, acting as the gatekeeper to your AWS resources. Understanding IAM is not just advantageous; it is essential.
What is IAM?
AWS Identity & Access Management is a global web service that helps you control access to AWS resources. IAM in essence is a solution for securely managing access to services and resources within your AWS account. You can use IAM to create users, groups, roles, and policies. With IAM you have control to see who is authenticated and authorized to use resources. IAM offers granular control over access privileges.
What does IAM offer?
- Centralized Access Control: IAM allows you to centrally manage access to all your AWS services and resources. This means you can define access policies once and apply them across your entire AWS infrastructure.
- Granular Permissions: With IAM, you can define permissions for specific AWS resources. This granularity ensures that users have access only to the resources they need for their roles or tasks, reducing the risk of unauthorized actions.
- Multi-factor Authentication (MFA): AWS IAM supports MFA, adding an extra layer of security by requiring users to provide an additional piece of information apart from the password or access keys. There are different ways to set up MFA on AWS. You can read more about it here.
When you create a new AWS account, a root account is created by default. You shouldn’t share root account details with anyone. It is highly recommended that you do not use the root account for everyday work. Instead, you should create an IAM user to use AWS services.
What is an IAM user?
An IAM user is an entity within an AWS account that represents a person or a service needing access to AWS resources. IAM users are different from regular AWS accounts as they are created within an AWS account and can be assigned specific permissions to access AWS services and resources.
IAM users can be organized into groups and can also be allowed to assume roles, which makes managing permissions at scale easier. They can have policies attached to them, defining what actions they are allowed or denied to perform on AWS.
Let’s create an IAM user:
- Navigate to the IAM dashboard and click on “Users” in the left navigation pane. On the Users page, click on the “Create user” button.
- On the next page, specify user details such as the username and click “Next”.
- On the “Set permissions” page, we can assign permissions to the IAM user. There are different options such as adding the user to a group, copying permissions from an existing user, and attaching policies directly to the user. For now, select “Attach policies directly” and search for the “AmazonS3ReadOnlyAccess” policy. Select the permission policy and click “Next”.
- In the last step, you can review the user details and permission summary. If you want to make any changes, click the “Previous” button to go back to the previous step. Click on “Next” to finish creating the IAM user.
- Once the user is created, you will be redirected to the “Users” page on the IAM dashboard and you can see the newly created IAM user details.
What is an IAM group?
An IAM group is a collection of IAM users. IAM groups make it easier to apply and manage permissions for multiple users by allowing you to assign policies to the group rather than to individual users. This simplifies access management in large organizations where multiple users require similar levels of access to the resources.
A user can be a part of one or more groups.
In the image below, we have three groups:
- Developer - A, B, C
- Admin - C, X
- Tester - X, Y
Users C and X are part of multiple groups. A user who is a part of multiple groups inherits the policies of those groups. Hence, user C has both “developer” and “admin” group permissions. Similarly, user X has both “admin” and “tester” group permissions.
Let’s add the IAM user that we created to an IAM group:
- Navigate to the IAM dashboard and click on “User groups” in the left navigation pane. On the User groups page, click on the “Create group” button.
I already have an admin and a developers group created; we will now create a group for testers.
- Create a new group named “testers”, select the IAM user that we created, and attach a permission policy to the group. Then click on the “Create group” button to complete the process.
- Once the group is successfully created, you will be redirected to the IAM dashboard and you can see the newly created group details.
What is an IAM role?
An IAM role is a set of permissions that define what actions a specific entity can perform on AWS resources. Unlike IAM users, roles are not associated with a specific user or identity. Instead, they are intended for trusted identities such as AWS services, applications, or external users from an identity provider. IAM roles provide temporary credentials to the entities that assume them.
What is a policy?
An IAM policy is an object in AWS that defines permissions. There are different AWS-managed policies available, but you can create your own custom policy as well. Below is the basic structure of an IAM policy. Note that the “Principal” element appears only in resource-based policies (such as an S3 bucket policy); identity-based policies attached to users, groups, and roles omit it, because the principal is the identity the policy is attached to.
```json
{
  "Version": "2012-10-17",            // policy language version
  "Id": "S3-Account-Permissions",     // optional policy id
  "Statement": [
    {
      "Sid": "1",                     // statement id; multiple statements are possible
      "Effect": "Allow",              // whether the statement allows or denies access
      "Principal": {
        "AWS": ["account/user/role"]  // who the statement applies to (resource-based policies only)
      },
      "Action": [
        "allowed-action-1",           // what actions are allowed or denied
        "allowed-action-2"
      ],
      "Resource": ["resource-arn"]    // ARN(s) of the resources the actions apply to
    }
  ]
}
```
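To tie the policy structure above to the group inheritance described earlier (user C in “developer” and “admin”, user X in “admin” and “tester”), here is an added example that is not part of the original article: a small, simplified model of how IAM evaluates identity-based policies (an explicit Deny in any attached policy wins, otherwise any matching Allow grants, otherwise access is implicitly denied). The group memberships, policies, and bucket name are constructed sample data, not AWS managed policies.

```python
import re

# Constructed sample data for the three groups in the article (developer, admin,
# tester); the policies are illustrative, not AWS managed policies.
GROUP_MEMBERS = {"developer": ["A", "B", "C"], "admin": ["C", "X"], "tester": ["X", "Y"]}
GROUP_POLICIES = {
    "developer": {"Version": "2012-10-17", "Statement": [
        {"Sid": "1", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]},
    "admin": {"Version": "2012-10-17", "Statement": [
        {"Sid": "1", "Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "tester": {"Version": "2012-10-17", "Statement": [
        {"Sid": "1", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket/*"]},
        {"Sid": "2", "Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": "*"}]},
}


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def groups_of(user):
    """Groups the user belongs to; a user inherits every policy attached to them."""
    return [g for g, members in GROUP_MEMBERS.items() if user in members]


def is_allowed(user, action, resource):
    """Simplified evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for group in groups_of(user):
        for stmt in GROUP_POLICIES[group]["Statement"]:
            # Action names are case-insensitive in IAM; resource ARNs are not.
            action_hit = any(_match(a, action, True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for user in "ACXY":
        print(user, groups_of(user), "DeleteObject:", is_allowed(user, "s3:DeleteObject", obj))
```

Because user X inherits the tester group's explicit Deny on s3:DeleteObject, that action is refused even though the admin group allows everything; this is why group membership needs reviewing as carefully as the policies themselves.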
You can also set a password policy.
Conclusion
In conclusion, IAM plays a vital role in the AWS ecosystem. It empowers developers to implement the principle of least privilege, ensuring that users and services have only the permissions necessary for their tasks, which reduces the risk of unauthorized access.