This is the Practical guide to understand and revise AWS IAM service. This can also be looked as quick review cheat sheet.
IAM: Users & Groups
- IAM = Identity and Access Management, Global service
- Root account created by default, shouldnβt be used or shared
- Users are people within your organization, and can be grouped
- Groups only contain users, not other groups
- Users donβt have to belong to a group, and user can belong to multiple groups
IAM: Permissions
- Users or Groups can be assigned JSON documents called policies.
- These policies define the permissions of the users.
- In AWS you apply the least privilege principle: donβt give more permissions than a user needs.
IAM Policies Structure
- Version: policy language version, always include β2012-10-17β
- Id: an identifier for the policy (optional)
- Statement: one or more individual statements (required).
2. Statements consists of
- Sid: an identifier for the statement (optional)
- Effect: whether the statement allows or denies access (Allow, Deny)
- Principal: account/user/role to which this policy applied to
- Action: list of actions this policy allows or denies
- Resource:list of resources to which the actions applied to
- Condition: conditions for when this policy is in effect (optional). Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FirstStatement",
"Effect": "Allow",
"Action": ["iam:ChangePassword"],
"Resource": "*"
},
{
"Sid": "SecondStatement",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "ThirdStatement",
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::confidential-data",
"arn:aws:s3:::confidential-data/*"
],
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
]
}
IAM β Password Policy
- Strong passwords = higher security for your account
- In AWS, you can setup a password policy:
- Set a minimum password length
- Require specific character types:
- including uppercase letters
- lowercase letters
- numbers
- non-alphanumeric characters
- Allow all IAM users to change their own passwords
- Require users to change their password after some time (password expiration)
- Prevent password re-use.
Multi Factor Authentication - MFA
- Users have access to your account and can possibly change configurations or delete resources in your AWS account
- You want to protect your Root Accounts and IAM users
- MFA = password you know + security device you own
MFA devices options in AWS
- Virtual MFA device: Google authenticator, Authy.
- Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party)
How can users access AWS ?
- To access AWS, you have three options:
- AWS Management Console (protected by password + MFA)
- AWS Command Line Interface (CLI): protected by access keys
- AWS Software Developer Kit (SDK) - for code: protected by access keys
- Access Keys are generated through the AWS Console
- Users manage their own access keys
- Access Keys are secret, just like a password. Donβt share them
- Access Key ID ~= username
- Secret Access Key ~= password
IAM Roles for Services
- Some AWS service will need to perform actions on your behalf
- To do so, we will assign permissions to AWS services with IAM Roles
- Common roles:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation
IAM Guidelines & Best Practices
β’ Donβt use the root account except for AWS account setup
β’ One physical user = One AWS user
β’ Assign users to groups and assign permissions to groups
β’ Create a strong password policy
β’ Use and enforce the use of Multi Factor Authentication (MFA)
β’ Create and use Roles for giving permissions to AWS services
β’ Use Access Keys for Programmatic Access (CLI / SDK)
β’ Audit permissions of your account with the IAM Credentials Report
β’ Never share IAM users & Access Keys
IAM β Summary
β’ Users: mapped to a physical user, has a password for AWS Console
β’ Groups: contains users only
β’ Policies: JSON document that outlines permissions for users or groups
β’ Roles: for EC2 instances or AWS services
β’ Security: MFA + Password Policy
β’ Access Keys: access AWS using the CLI or SDK
β’ Audit: IAM Credential Reports & IAM Access Advisor
Top comments (0)