Overview: AWS Identity and Access Management (IAM) offers comprehensive management of permissions within your AWS account, allowing precise regulation of user access to specific services and resources. With IAM policies, you can tailor permissions for users or applications, ensuring they only have access to the resources necessary for their tasks, and defining conditions for how and when access is granted.
Key Components of IAM:
Users: Users are entities that represent individual people, applications, or services that interact with AWS. Each user has a unique name and credentials (username and password or access keys) for accessing AWS resources.
Groups: Groups are collections of users. Instead of attaching policies directly to individual users, you can create groups, assign policies to them, and then add users to those groups. This simplifies permission management, especially in larger organizations with multiple users.
Policies: Policies are JSON documents that define permissions. You can attach policies to users, groups, or roles to grant or restrict access to AWS resources. Policies specify what actions are allowed or denied on which resources. AWS provides managed policies with predefined permissions, or you can create custom policies tailored to your specific needs.
Roles: Roles are similar to users, but they are not associated with a specific person or identity. Instead, roles are meant to be assumed by entities such as AWS services, applications, or users from another AWS account. Roles define a set of permissions, and when an entity assumes a role, it temporarily takes on those permissions.
Core Concepts:
Authentication: The process of verifying the identity of a user, application, or service. IAM supports various authentication methods, including username/password authentication for users, and access keys for programmatic access by applications or scripts.
Authorization: Determining what actions a user, group, or role is allowed to perform on AWS resources. This is controlled through IAM policies, which define the permissions associated with each entity.
Least Privilege: Following the principle of least privilege means granting users, groups, and roles only the permissions they need to perform their intended tasks, and no more. This reduces the risk of unauthorized access and potential security breaches.
Project Objective
In this project, the following tasks will be accomplished.
- Create a user,
- โ Create a group and add the user to the group,
- โ Attach 3 policies to that group: the user must have the ability to create IAM user, vpc, and s3 policies,
- โ Create a customized customer-managed policy to deny a user access to creating an RDS instance snapshot and allow the user to create an EC2 instance,
- โ Create an organization: add two accounts to the organization 1: Developer account and 2: An operations account and switch roles between the accounts.
A step-by-step pictorial approach will be used for better guidance and understanding.
To start with, Open your web browser and go to the AWS Management Console at https://aws.amazon.com/console/.
Sign in using your AWS account credentials.
Once you're logged in, navigate to the IAM dashboard.
In the top-left corner, search for "IAM" in the services search bar, and select "IAM" from the results.
IAM allows you to manage access to AWS services and resources securely.
Task 1:
Click on users in the left-hand corner to create a user. Then click on create a user.
Input your desired user name, then click next.
Task 2:
Next, our task is to create a user group and add the user into the group.
To achieve this, click on create user group. Input the group user name and click on create user group.
We then need to add the user to the group we created. To get this done, click on the group name and then click on add users.
Then input the user name in the search bar and add user to the group.
We have successfully created a user and added the user to a group.
Task 3:
The next step is to attach policies to the user group we created.
To attach policies click on permissions by the right of users tab.
then click on the add permission arrow on the right-hand side, and click on attach policies.
On the permission policies screen, to add IAM policy, search for IAMfullacess.
check on IAMfullacess and click attach policies
IAMfullacess policy has been successfully attached to the group.
Repeat the above steps to attach vpc and s3 policies to the group.
All three policies have been attached to the group.
Task 4:
*Now, we have to customize a customer-managed policy to deny a user from creating an RDS instance snapshot, while allowing the user to create an EC2 instance. *
To create a customized policy, we will click on the permission policy arrow by the right hand, then click on create an inline policy.
On services, choose RDS
Select All RDS and all resources, then select deny, and click next.
Then create policy.
To allow the user to create an EC2 instance, go to inline policy, and click on services, then click on EC2.
All policies have been applied.
Task 5:
The last task of this project is to create two accounts and be able to switch between roles.
Creating accounts under the AWS organization to switch roles.
First, go to AWS organization and click on create an account, fill in the details, and create an account.
After creating an account, we will need to create roles for each account. To do this, navigate to role in IAM features, then create roles.
Under trusted entity type, select AWS account and under an AWS account choose this account, then next.
Attach administrator access to the role, click next.
Put in the role name and create role.
Do this for any more roles you want to create.
To switch roles, navigate to IAM dashboard and click on the top right corner arrow, then click on switch role.
Put in the account ID and the ARN characters from the account role then switch.
Thanks for reading through to this point. I'm assured you have gotten insightful steps to guide you on exploring the AWS IAM feature.
Feel free to comment and ask questions where necessary, I'll be glad to respond.
Cheers.
Top comments (0)