IAM

Identity and Access Management
Author

Benedict Thekkel

Users

  • Specific individuals; each can receive a personal login.

Groups

  • Collection of users that share the same permissions.

Roles

  • An identity that is assumed for a session rather than logged into; carries a collection of policies (e.g., DB Read, DB Write).

Policy

  • A specific permission document (e.g., DB Read).

Comprehensive Guide to AWS IAM (Identity and Access Management)

1. Key Features of AWS IAM

  1. Users and Groups:
    • Define individual user accounts and group them for easier management.
  2. Policies:
    • Attach JSON-based permissions to users, groups, and roles.
  3. Roles:
    • Allow services, applications, or users to assume temporary access permissions.
  4. Multi-Factor Authentication (MFA):
    • Add an additional layer of security.
  5. IAM Access Analyzer:
    • Find resources shared with principals outside your account and validate policies against IAM grammar and best practices before they are attached.
  6. Fine-Grained Permissions:
    • Grant access to specific AWS services or resources.

2. IAM Components

Users

  • Represents a person or service needing access to AWS resources.
  • Example: Developers, admins, or applications.

Groups

  • A collection of IAM users sharing the same permissions.
  • Example: “Developers” group with AmazonEC2FullAccess.

Policies

  • JSON documents that define permissions.
  • Types:
    • Managed Policies: standalone policies that can be attached to many users, groups, or roles. Either AWS managed (e.g., AdministratorAccess) or customer managed (written by you, stored under your account ID).
    • Inline Policies: Embedded in a single user, group, or role and deleted with it; useful for one-off, entity-specific permissions.

Roles

  • An identity that is assumed for a limited session; assuming it returns temporary credentials instead of long-term keys.
  • Has two kinds of policy: a trust policy (who may assume the role) and permission policies (what the role may do).
  • Commonly used for applications or AWS services like Lambda or EC2, and for cross-account access.

Access Keys

  • Programmatic access for users via SDKs or CLI.
  • These are long-term credentials: rotate them regularly and prefer roles, which issue temporary credentials, wherever possible.

3. IAM Basics

Create an IAM User

  1. Open the IAM Console > Users > Add Users.
  2. Specify:
    • User name.
    • Access type: AWS Management Console access (a password) and/or programmatic access (an access key pair). Create access keys only if the user actually needs them.
  3. Attach permissions directly or via groups.

Example via AWS CLI:

aws iam create-user --user-name JohnDoe
aws iam attach-user-policy --user-name JohnDoe --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

4. Creating and Attaching Policies

Basic Policy Structure

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket"
    }
  ]
}

Attach a Custom Policy

  1. Create a policy via IAM Console or CLI (the command prints the new policy's ARN):

    aws iam create-policy --policy-name MyS3Policy --policy-document file://policy.json
  2. Attach it to a user or group. A customer managed policy lives under your own account ID, not under the "aws" namespace used by AWS managed policies:

    aws iam attach-user-policy --user-name JohnDoe --policy-arn arn:aws:iam::123456789012:policy/MyS3Policy

5. IAM Roles

Creating a Role for an EC2 Instance

  1. Open IAM Console > Roles > Create Role.
  2. Choose the service (e.g., EC2).
  3. Attach a policy (e.g., AmazonS3ReadOnlyAccess).

Example via CLI. Creating the role only defines who may assume it; it still needs a permissions policy, and an EC2 instance can only use it through an instance profile (aws iam create-instance-profile, then aws iam add-role-to-instance-profile):

aws iam create-role --role-name EC2S3AccessRole --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name EC2S3AccessRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Trust Policy Example (only the EC2 service may assume the role):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

6. Multi-Factor Authentication (MFA)

Enable MFA for a User

  1. Go to IAM Console > Users > select the user > Security credentials.
  2. Assign MFA device (authenticator app, FIDO security key, or hardware TOTP token).

Example via CLI. The first command writes the seed as a QR code image for the authenticator app to scan; the second binds the device to the user and needs two consecutive codes from that app:

aws iam create-virtual-mfa-device --virtual-mfa-device-name MyMFA --outfile QRCode.png --bootstrap-method QRCodePNG
aws iam enable-mfa-device --user-name JohnDoe --serial-number arn:aws:iam::123456789012:mfa/MyMFA --authentication-code1 <code1> --authentication-code2 <code2>

Assigning a device only makes MFA part of console sign-in. To require it for API and CLI calls as well, attach a policy that denies requests unless the aws:MultiFactorAuthPresent context key is true.

7. Access Control Best Practices

  1. Principle of Least Privilege:
    • Grant only the permissions required for the task.
  2. Use Groups:
    • Assign policies to groups instead of individual users.
  3. Use IAM Roles:
    • Avoid long-term credentials; use roles for temporary access.
  4. Enable MFA:
    • Protect all privileged accounts with MFA.
  5. Rotate Access Keys:
    • Regularly update programmatic access keys.
  6. Monitor and Audit:
    • Use CloudTrail and Access Analyzer for auditing.
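The least-privilege and Access Analyzer points above, and the permission and trust policy formats from sections 4 and 5, can be checked mechanically before a document is attached. The following is an added example written for this page, not the author's code and not an AWS tool: it lints permissions policies for wildcard grants and NotAction/NotResource, and trust policies for wildcard or cross-account principals without an sts:ExternalId condition. The SENSITIVE_ACTIONS list, the sample policies and the account IDs are constructed for illustration; the checks are a hand-written subset of what IAM Access Analyzer policy validation reports.

```python
"""Static pre-attachment checks for IAM policy documents (added example, not AWS code).
Policies are plain dicts; nothing here calls an AWS API."""
import re

# Assumption: a short illustrative list of actions that enable privilege escalation
# when allowed on Resource "*"; not an exhaustive AWS classification.
SENSITIVE_ACTIONS = (
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:PutUserPolicy", "sts:AssumeRole", "s3:PutBucketPolicy",
)

def _as_list(value):
    """Most IAM fields accept one string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' one character (case-insensitive)."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None

def _principal_accounts(principal):
    """Account IDs named by an 'AWS' principal; '*' stands for the wildcard principal."""
    if principal == "*":
        return {"*"}
    accounts = set()
    entries = principal.get("AWS") if isinstance(principal, dict) else None
    for entry in _as_list(entries):
        if entry == "*":
            accounts.add("*")
        elif entry.startswith("arn:"):
            accounts.add(entry.split(":")[4])  # arn:aws:iam::123456789012:root
        else:
            accounts.add(entry)                # bare 12-digit account ID
    return accounts

def lint_permissions_policy(policy):
    """Return (sid, severity, message) findings for a permissions policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement can only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((sid, "HIGH", "Allow with NotAction grants every action not listed"))
        if "NotResource" in stmt:
            findings.append((sid, "HIGH", "Allow with NotResource grants every resource not listed"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "CRITICAL", "Action * on Resource * is full administrator access"))
        elif "*" in resources and not stmt.get("Condition"):
            hits = sorted({s for a in actions for s in SENSITIVE_ACTIONS if _iam_match(a, s)})
            if hits:
                findings.append((sid, "HIGH", f"unscoped Resource * allows sensitive actions {hits}"))
    return findings

def lint_trust_policy(policy, own_account):
    """Findings for a role trust policy, i.e. who may call sts:AssumeRole on the role."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue
        condition = stmt.get("Condition", {})
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts and not condition:
            findings.append((sid, "CRITICAL", "any AWS principal may assume this role"))
        foreign = accounts - {"*", own_account}
        if foreign and not any("sts:ExternalId" in keys for keys in condition.values()):
            findings.append((sid, "MEDIUM", f"cross-account trust of {sorted(foreign)} without sts:ExternalId"))
    return findings

# Constructed samples; BUCKET_POLICY and EC2_TRUST mirror documents shown on this page.
BUCKET_POLICY = {"Statement": [{"Sid": "Bucket", "Effect": "Allow", "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
ADMIN_POLICY = {"Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEPLOYER_POLICY = {"Statement": [{"Sid": "Deploy", "Effect": "Allow",
                   "Action": ["ec2:RunInstances", "iam:*"], "Resource": "*"}]}
EC2_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
             "Action": "sts:AssumeRole"}]}
PARTNER_TRUST = {"Statement": [{"Sid": "Partner", "Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}

if __name__ == "__main__":
    for name, doc in [("bucket", BUCKET_POLICY), ("admin", ADMIN_POLICY), ("deployer", DEPLOYER_POLICY)]:
        print(name, lint_permissions_policy(doc) or "clean")
    for name, doc in [("ec2-trust", EC2_TRUST), ("partner-trust", PARTNER_TRUST)]:
        print(name, lint_trust_policy(doc, own_account="123456789012") or "clean")
```

The "deployer" sample is the typical least-privilege failure: ec2:RunInstances on its own is harmless, but iam:* on Resource * lets the holder pass any role or mint keys for any user. Run a check like this in CI on every policy document, then confirm with Access Analyzer's policy validation, which covers far more cases than the handful above.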

8. Programmatic Access Examples

Assume a Role

import boto3

# Assume the role; the caller's own credentials must be permitted by the role's trust policy
sts_client = boto3.client('sts')
assumed_role = sts_client.assume_role(
    RoleArn="arn:aws:iam::123456789012:role/ExampleRole",
    RoleSessionName="ExampleSession"  # recorded in CloudTrail, so make it identify the caller
)

# Temporary credentials: they expire after the role's session duration (1 hour by default)
credentials = assumed_role['Credentials']
access_key = credentials['AccessKeyId']
secret_key = credentials['SecretAccessKey']
session_token = credentials['SessionToken']

# Use the assumed credentials; the session token must accompany the temporary key pair
s3_client = boto3.client(
    's3',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    aws_session_token=session_token
)

# List the S3 buckets visible with the role's permissions
for bucket in s3_client.list_buckets()['Buckets']:
    print(bucket['Name'])

9. Monitoring and Logging

  • CloudTrail: Log all API calls (which principal did what, from where, with which credentials).
  • IAM Access Analyzer: Detect resources shared externally and overly permissive policies.
  • Service Quotas: Monitor IAM resource limits.

10. Common Scenarios

Restrict Access to a Specific Bucket

Policy Example. Bucket-level actions such as s3:ListBucket match the bucket ARN, while object-level actions such as s3:GetObject match the "/*" ARN, so both must be listed:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

Deny Access Explicitly

An explicit Deny overrides any Allow from any other policy attached to the principal. This statement blocks every EC2 action unless the request targets us-east-1:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
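To see why the two policies above combine the way they do, here is an added example (written for this page, not the author's code and not the AWS evaluation engine) that replays IAM's evaluation order on constructed requests: an explicit Deny wins, otherwise any matching Allow wins, otherwise the request is implicitly denied. It also covers the MFA-enforcement policy from section 6, where the choice between Bool and BoolIfExists decides whether long-term access keys, which carry no aws:MultiFactorAuthPresent key at all, are caught. Only Action/Resource statements and the four condition operators shown are modelled; that is a simplification, and the sample policies, ARNs and account IDs are placeholders.

```python
"""Replay IAM's evaluation order for identity-based policies (added example, not AWS code).
Assumption: statements use Action/Resource only (no NotAction/NotResource) and only the
condition operators handled in _condition_holds."""
import re

def _as_list(value):
    """Most IAM fields accept one string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value):
    """IAM wildcard match ('*' any run, '?' one character), case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None

def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context keys.
    Negated (StringNotEquals) and ...IfExists operators are true when the key is
    absent; that detail decides whether an MFA policy catches long-term keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v).lower() for v in _as_list(expected)]
            present = key in context
            actual = str(context.get(key, "")).lower()
            if operator in ("StringEquals", "Bool"):
                if not present or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if present and actual in expected:
                    return False
            elif operator == "BoolIfExists":
                if present and actual not in expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True

def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not any(_iam_match(a, action) for a in _as_list(stmt.get("Action"))):
                continue
            if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource"))):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit deny ends evaluation immediately
            decision = "Allow"     # keep going: a later Deny still overrides
    return decision

def _policy(effect, action, resource, condition=None):
    """Build a one-statement policy document (constructed sample data)."""
    stmt = {"Effect": effect, "Action": action, "Resource": resource}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed samples; the first two are the documents shown in this section.
BUCKET_ALLOW = _policy("Allow", "s3:*", ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"])
REGION_DENY = _policy("Deny", "ec2:*", "*", {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}})
EC2_ALLOW = _policy("Allow", "ec2:*", "*")
# MFA enforcement: BoolIfExists also denies when the key is absent (long-term access keys);
# the same rule written with Bool silently lets those requests through.
MFA_DENY = _policy("Deny", "*", "*", {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}})
MFA_DENY_WEAK = _policy("Deny", "*", "*", {"Bool": {"aws:MultiFactorAuthPresent": "false"}})

OBJECT = "arn:aws:s3:::example-bucket/report.csv"
INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/*"

if __name__ == "__main__":
    print(evaluate([BUCKET_ALLOW], "s3:GetObject", OBJECT))                          # Allow
    print(evaluate([BUCKET_ALLOW], "s3:GetObject", "arn:aws:s3:::other-bucket/x"))   # ImplicitDeny
    print(evaluate([EC2_ALLOW, REGION_DENY], "ec2:RunInstances", INSTANCE,
                   {"aws:RequestedRegion": "eu-west-1"}))                             # Deny
    print(evaluate([BUCKET_ALLOW, MFA_DENY], "s3:GetObject", OBJECT, {}))             # Deny
    print(evaluate([BUCKET_ALLOW, MFA_DENY_WEAK], "s3:GetObject", OBJECT, {}))        # Allow
```

The last two calls are the practical caveat: with an empty context (what a request signed with a long-term access key looks like) the BoolIfExists version denies, while the Bool version never matches and the Allow from the bucket policy wins. For real policies, use the IAM policy simulator rather than a model like this one.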

11. Pricing

IAM is free, but costs may arise from the services accessed via IAM policies (e.g., S3, EC2).


12. Tools for IAM Management

  1. AWS CLI: Command-line tool for managing IAM.
  2. AWS SDKs: Programmatic access to IAM.
  3. AWS Console: Web-based interface for managing IAM.
  4. CloudFormation: Automate IAM setup using templates.