First, let's discuss IAM (Identity and Access Management).
IAM adds security to your resources by letting you control who can access your AWS services and which resources they can access.
IAM plays a crucial role in securing your cloud resources, and it comes down to two decisions:
You define who has access.
You define what they can do.
Secondly, let's talk about identities and access.
This section covers identities and access within AWS IAM, focusing on who can access your resources and what resources they can access, and compares the different types of entities involved:
Identities:
- Root User:
The root user is the initial account owner created when signing up for AWS services.
This user has full administrative access to all resources in the AWS account.
It is recommended to avoid using the root user for routine tasks to minimize security risks: protect it with MFA, do not create access keys for it, and create IAM identities for everyday work instead.
- Individual Users:
These are IAM users created inside your AWS account (they are not separate AWS accounts).
Each IAM user has its own long-term credentials: a console password and/or an access key pair (access key ID and secret access key). People who sign in through an external identity provider (such as Active Directory) are usually not IAM users at all; they federate into the account by assuming a role, which is covered below.
You can grant specific permissions to individual users based on their roles or responsibilities within your organization.
- Groups:
Groups are collections of individual users who have similar roles or permissions requirements.
Instead of assigning permissions to each user individually, you can assign permissions to groups.
This simplifies management by allowing you to add or remove users from groups to automatically adjust their permissions.
- Roles:
Roles are used to delegate access to AWS services or resources to entities within or outside your AWS account.
They are not associated with a specific user or group but are assumed by users, applications, or AWS services as needed. Each role has a trust policy that states who is allowed to assume it, and assuming the role (via AWS STS) returns temporary credentials rather than long-term keys.
Roles are often used for cross-account access, allowing different AWS accounts to interact with resources in a controlled manner.
Access:
- Who Can Access Your Resources:
IAM allows you to control access based on identities (root user, individual users, groups, or roles) and define specific permissions for each identity.
By assigning permissions to identities, you determine who can perform actions on AWS resources.
- What Resources They Can Access:
Permissions in IAM are defined using policies that specify actions (e.g., ec2:StartInstances) and resources (e.g., arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0) that can be accessed.
Policies can be attached directly to individual users, groups, or roles to grant or restrict access to specific resources or services.
Comparison:
Root User: Has full administrative access to all resources by default. Should be used only for initial setup, for the few account-level tasks that require root, and for emergency situations.
Individual Users: Represent specific users within your AWS account, each with unique credentials and assigned permissions based on their roles or responsibilities.
Groups: Used to manage permissions collectively for a set of users who share similar access requirements. Permissions are assigned to groups, and users inherit these permissions by being members of the group.
Roles: Provide temporary access to AWS resources for users, applications, or services without the need to share long-term credentials. Roles are assumed by entities, allowing them to perform actions based on the assigned permissions.
Thirdly, let's talk about authentication and authorization.
Authentication:
Authentication is the process of verifying the identity of a user, application, or entity attempting to access a system or resource. In AWS IAM:
What it is: Authentication involves presenting your identity (e.g., username, AWS access key ID) and providing verification (e.g., password, AWS secret access key) to prove that you are who you claim to be.
Purpose: The goal of authentication is to ensure that the entity requesting access is a legitimate user or system with the proper credentials.
Authorization:
Authorization is the process of determining what actions and resources an authenticated identity is allowed to access within a system or service. In AWS IAM:
What it is: Authorization determines which AWS services and resources an authenticated identity (user, application, role) can interact with based on their assigned permissions.
Purpose: The purpose of authorization is to enforce security policies that control access to specific actions (e.g., read, write) on designated resources (e.g., S3 buckets, DynamoDB tables) within the AWS environment.
Key Points:
Authentication: Verifies the identity of users or systems trying to access AWS resources by presenting credentials (e.g., username/password, access keys).
Authorization: Controls what actions (e.g., read, write, delete) an authenticated identity can perform on specific AWS resources (e.g., S3 objects, DynamoDB tables) based on assigned permissions.
Example in AWS IAM:
In an IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "dynamodb:Scan"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/*",
        "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
      ]
    }
  ]
}
Authentication: Before this policy is ever evaluated, the caller must authenticate (e.g., sign in with IAM user credentials, or present temporary credentials obtained by assuming a role).
Authorization: If authentication succeeds, AWS evaluates the policy to determine whether the authenticated identity is authorized to perform s3:GetObject on objects within example-bucket and dynamodb:Scan on the MyTable DynamoDB table. Anything not listed here (for example s3:PutObject, or an object in a different bucket) is implicitly denied, and a matching explicit Deny in any other attached policy would override this Allow.
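To make the authorization step concrete, here is a small added example (not AWS code and not part of the original post) that models how IAM decides a single request against identity-based policies. It reuses the policy above, adds a constructed Deny policy and a constructed user/group directory, and implements the ordering explicit Deny > Allow > implicit deny together with the group inheritance described in the Groups section. It deliberately ignores Condition, NotAction/NotResource, resource-based policies, permission boundaries and SCPs, which the real evaluator also takes into account.

```python
"""Simplified model of IAM authorization for identity-based policies.

Added illustration, not AWS code: explicit Deny > Allow > implicit deny,
'*' / '?' wildcards in Action and Resource, and policy inheritance through
group membership. Condition keys, NotAction/NotResource, resource-based
policies, permission boundaries and SCPs are not modelled.
"""
import fnmatch

# Policy from the post: read objects in example-bucket and scan MyTable.
READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "dynamodb:Scan"],
            "Resource": [
                "arn:aws:s3:::example-bucket/*",
                "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable",
            ],
        }
    ],
}

# Constructed for this example: an explicit Deny on a "secret/" prefix.
DENY_SECRETS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/secret/*",
        }
    ],
}

# Constructed directory: policies attach to users directly and/or via groups.
GROUPS = {"readers": [READ_POLICY, DENY_SECRETS_POLICY]}
USERS = {
    "alice": {"groups": ["readers"], "policies": []},
    "bob": {"groups": [], "policies": []},  # authenticated, but no permissions
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, action, resource):
    """True if the statement covers this action and resource (wildcards allowed)."""
    # Action names are case-insensitive in IAM; ARNs are matched case-sensitively.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                    for pat in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, pat)
                      for pat in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    decision = "implicit deny"  # default when no statement matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # a matching Deny overrides any Allow
            decision = "allow"
    return decision


def policies_for(user_name):
    """Policies attached to the user plus those inherited from its groups."""
    user = USERS[user_name]
    inherited = [p for g in user["groups"] for p in GROUPS[g]]
    return user["policies"] + inherited


def authorize(user_name, action, resource):
    """Authorization step only: the identity is assumed to be authenticated."""
    return evaluate(policies_for(user_name), action, resource)


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket/"
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
    for user, action, res in [
        ("alice", "s3:GetObject", bucket + "reports/q1.csv"),  # allow
        ("alice", "s3:GetObject", bucket + "secret/key.pem"),  # explicit deny
        ("alice", "s3:PutObject", bucket + "reports/q1.csv"),  # implicit deny
        ("alice", "dynamodb:Scan", table),                     # allow
        ("bob", "dynamodb:Scan", table),                       # implicit deny
    ]:
        print(f"{user:5} {action:14} -> {authorize(user, action, res)}")
```

The three outcomes are the ones you will see in real IAM troubleshooting: "allow" only when some statement grants the exact action on a matching resource, "explicit deny" whenever any matching Deny exists regardless of Allows, and "implicit deny" for everything else, which is why a freshly created user like bob can authenticate and still do nothing.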
Please stay tuned for the next lesson.
Thank you!