DEV Community

Anja
Anja

Posted on • Edited on

AWS IAM / Identity Access Management - Basics

Let's learn about AWS IAM - Identity Access management basics.

With IAM you can define who or what can access services and resources in AWS. For each person you should create a separate user. Users can be grouped, but groups can't contain other groups.

You can create policies which define permissions for users or groups in a JSON document. Always keep in mind the principle of least privilege. The user should only get as many rights as needed. Inline policy is a policy that only applies to one user.

Here is an example of a policy from the AWS website:


{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::account-id:root"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ]
  }]
}

Enter fullscreen mode Exit fullscreen mode

Version is the version of the policy language that you want to use. Sid is an optional identifier, the effect can be Allow or Deny. The principal is the user, role or account that the policy shall apply to. Action lists the actions that are allowed or denied. Resource lists the resources and there can also be conditions that specify when the policy is applied. In the example above we don`t have a condition.

MFA

There is the possibility to use Multi-Factor-Authentication which is strongly recommended. Apply it for the root account and all IAM users. You can use a virtual MFA device, like e.g. the app Authy or a physical MFA device. One possible physical MFA device is a universal 2nd factor(U2F) security key, e.g. the YubiKey.

Access AWS

There are three ways to access AWS:

  1. AWS Management Console
  2. AWS CLI/ Command Line Interface
  3. AWS Software Development Kit (SDk)

For the options 2 and 3 you need to generate an access key, which you can do in the AWS Console.

IAM role

An IAM role is a permission that you can assign to an AWS service to enable the service to perform an action. An example is the Lambda Function role.

Security tools

With the IAM credentials report you can list all the users of your account and check the status of their credentials.
To check the service permissions of your users and when the services were last accessed, use the IAM access advisor.

Learn more: AWS IAM documentation

Top comments (0)