Identity and Access Management (IAM)
Controls who (users, roles, federated identities) may perform which actions on which AWS resources, and under what conditions. IAM is a global service: identities and policies are not tied to a region.
Core Components
IAM has two kinds of objects: identities (users, groups, roles), which represent who is making a request, and policies, which state what that identity is allowed or denied.
IAM Identities
- IAM Users: a person or application with long-term credentials (a console password and/or access keys) that signs in to the console or calls AWS APIs programmatically.
- IAM Groups: collections of users that share the policies attached to the group, eg. Administrators, Developers, Auditors. Groups cannot be nested, and a group cannot be named as a Principal in a policy.
- IAM Roles: an identity with permissions but no long-term credentials. A role is not assigned to a user; it is assumed (through AWS STS) by whatever the role's trust policy permits: an IAM user, an AWS service such as EC2 or Lambda, or a federated identity. The caller receives short-lived temporary credentials.
- IAM Policies: JSON documents that allow or deny actions on resources. Identity-based policies are attached to users, groups, or roles; resource-based policies (S3 bucket policies, KMS key policies, role trust policies) are attached to the resource itself and name the Principal they apply to.
A user can belong to several groups (the quota is 10 per user) and inherits the policies of each.
Roles cannot be attached to groups. To add or remove permissions for many users at once, attach policies to a group and move users in and out of it.
A user does not have a role attached. The user assumes the role with sts:AssumeRole, which both the role's trust policy and the user's own permissions must allow.
A policy can be attached directly to a user, either as a managed policy or as an inline policy embedded in that user. Prefer groups: per-user permissions are hard to audit.
Roles, like users and groups, can have many policies attached (the default quota is 10 managed policies per identity).
Many AWS resources run with a role attached, eg. an EC2 instance profile, a Lambda execution role, or an ECS task role. The service fetches temporary credentials for the role, so no access keys need to be stored on the resource.
AWS Managed vs Customer Managed vs Inline Policies
- AWS Managed Policies: created and maintained by AWS (eg. AmazonS3ReadOnlyAccess, AdministratorAccess). You cannot edit them, and AWS may change them over time. Shown in the console with an orange AWS badge.
- Customer Managed Policies: standalone policies you create in your account; editable, versioned, and reusable across many identities. No symbol beside them in the console.
- Inline Policies: embedded in exactly one user, group, or role and deleted with it. Useful when a policy must never be attached to anything else; otherwise prefer managed policies, which are easier to review and reuse.
Policies Example
An identity-based policy with two statements: the first denies every S3 action on a bucket and on the objects in it, the second allows creating service-linked roles only for the RDS services named in the condition.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBarclayS3Access",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": [
            "rds.amazonaws.com",
            "rds.application-autoscaling.amazonaws.com"
          ]
        }
      }
    }
  ]
}
- Version: policy language version. Always use "2012-10-17"; the older "2008-10-17" does not support policy variables such as ${aws:username}.
- Statement: container for one or more statements. Each statement is evaluated independently: an explicit Deny in any statement overrides an Allow anywhere else, and anything not explicitly allowed is implicitly denied.
- Sid: (optional) statement identifier, unique within the policy. In IAM policies it may contain only letters and numbers.
- Effect: "Allow" or "Deny".
- Principal: the account, user, role, service, or federated user the statement applies to. It appears only in resource-based policies (S3 bucket policies, KMS key policies, role trust policies); it is not valid in an identity-based policy like the example above, where the principal is whoever the policy is attached to. A user principal is written as its ARN, eg. arn:aws:iam::123456789012:user/barclay.
- Action: the API actions the statement allows or denies, with * wildcards (s3:Get*, s3:*). NotAction inverts the match.
- Resource: the ARN(s) the actions apply to. For S3 the bucket ARN (arn:aws:s3:::my-bucket) covers bucket-level actions only; object-level actions need arn:aws:s3:::my-bucket/*.
- Condition: (optional) conditions under which the statement applies, using keys such as aws:SourceIp, aws:MultiFactorAuthPresent, or aws:PrincipalOrgID.
Password Policy
In IAM you can set one account-wide password policy for IAM users' console passwords.
It sets the minimum length, required character classes, whether users may change their own password, how many previous passwords cannot be reused, and an expiry after which users must rotate their password. It applies to IAM users only, not to the root user or to federated identities.
Access Keys
Access keys (an access key ID plus a secret access key) are long-term credentials that let a user call AWS APIs programmatically via the AWS CLI or SDKs. They are the weakest credential type: they never expire unless rotated or deactivated, they are routinely leaked through source repositories, and a request signed with them carries no MFA. A user can hold at most two keys, which is how you rotate one while the other stays live. Prefer roles with temporary credentials wherever possible, and never create access keys for the root user.
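Reviewing existing keys is part of managing them. The Python below is an added example (not code from these notes or from AWS): it reads the CSV that `aws iam get-credential-report` returns (the real command delivers it base64-encoded in the `Content` field, decode it first) and flags active keys that have not been rotated, have never been used or gone stale, or belong to the root user. The report text, user names and dates are constructed for the example, and the header is a trimmed subset of the real report's columns.

```python
"""Audit IAM access keys from a credential report.

Added example for these notes, not AWS code. The CSV layout follows the
credential report produced by `aws iam get-credential-report`; the rows
below (users, dates, account ID) are constructed and only use a subset of
the real report's columns. Unknown dates appear as N/A, no_information or
not_supported, exactly as in a real report.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T09:00:00+00:00,not_supported,2024-05-02T08:00:00+00:00,not_supported,true,true,2019-03-01T09:05:00+00:00,N/A,N/A,false,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T12:00:00+00:00,true,2024-05-30T07:10:00+00:00,2024-04-01T10:00:00+00:00,true,true,2024-04-01T10:05:00+00:00,2024-05-30T07:12:00+00:00,s3,false,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-15T08:00:00+00:00,false,no_information,N/A,false,true,2021-06-15T08:01:00+00:00,2024-05-29T23:59:00+00:00,ec2,true,2024-02-01T00:00:00+00:00,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-09-01T00:00:00+00:00,false,no_information,N/A,false,true,2023-11-01T00:00:00+00:00,2023-12-20T14:00:00+00:00,ecr,false,N/A,N/A,N/A
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_date(value):
    """Report dates are ISO 8601 with offset; any placeholder string means unknown."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_access_keys(report_csv, now=NOW, max_age_days=90, unused_days=45):
    """Return (user, key slot, finding) tuples for every active key that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            key = f"access_key_{slot}"
            if row.get(f"{key}_active") != "true":
                continue  # inactive or absent keys are not exploitable
            rotated = _parse_date(row.get(f"{key}_last_rotated", "N/A"))
            last_used = _parse_date(row.get(f"{key}_last_used_date", "N/A"))
            if row["user"] == "<root_account>":
                # Root keys bypass every IAM policy; they should not exist at all.
                findings.append((row["user"], key, "root account has an active access key"))
            if rotated and now - rotated > timedelta(days=max_age_days):
                findings.append((row["user"], key, f"not rotated for {(now - rotated).days} days"))
            if last_used is None:
                # Created long ago and never used: nobody will notice if it is stolen.
                if rotated and now - rotated > timedelta(days=unused_days):
                    findings.append((row["user"], key, "active but never used"))
            elif now - last_used > timedelta(days=unused_days):
                findings.append((row["user"], key, f"unused for {(now - last_used).days} days"))
    return findings


if __name__ == "__main__":
    for user, key, finding in audit_access_keys(SAMPLE_REPORT):
        print(f"{user:16} {key}  {finding}")
```

Only alice comes out clean: her one key was rotated two months ago and used two days ago. The root key and bob's second key show the two worst patterns together (old and never used), and the ci-deploy key is the typical forgotten automation credential.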
MFA
Multi-factor authentication (MFA) is enabled per user, with a virtual TOTP app, a FIDO security key, or a hardware TOTP token.
Users normally enrol their own device, and there is no account-wide switch that forces every IAM user to have MFA the way a password policy forces password rules.
What an administrator can do is attach a policy that denies every action except MFA self-enrolment unless the aws:MultiFactorAuthPresent condition key is true, so that a user without MFA can do nothing but set it up. Write that condition with BoolIfExists rather than Bool: a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, and a plain Bool test would simply not match it, leaving key-based access unrestricted.
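To make the policy elements listed under Policies Example concrete, and to show the MFA-enforcing policy just described actually deciding requests, here is an added example written for these notes (not AWS code): a small offline evaluator implementing the documented decision order for identity-based policies (an explicit Deny beats an Allow, which beats the implicit Deny), run over two constructed policies, a Developers-style s3:* allow and the AWS-documented pattern "deny everything except MFA self-enrolment unless aws:MultiFactorAuthPresent is true". The user name alice, the account ID and the bucket are made up. The last case shows why BoolIfExists matters: with plain Bool the deny never fires for a request signed with access keys.

```python
"""Offline evaluator for a subset of the IAM policy language (added example for
these notes, not AWS code). Decision order as documented for identity-based
policies: explicit Deny > Allow > implicit Deny. Supports Action/NotAction,
'*'/'?' wildcards, ${aws:username}, StringLike, Bool and BoolIfExists. SCPs,
permission boundaries, session and resource-based policies are not modelled."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(patterns, value, context, fold_case=False):
    # IAM wildcards: '*' any run of characters, '?' exactly one. Action names
    # are case-insensitive, ARNs are not. ${aws:username} is the only variable here.
    if fold_case:
        value = value.lower()
    for pattern in _as_list(patterns):
        pattern = pattern.replace("${aws:username}", context.get("aws:username", ""))
        if fnmatch.fnmatchcase(value, pattern.lower() if fold_case else pattern):
            return True
    return False


def _condition_holds(condition, context):
    # Operators are ANDed, keys within an operator are ANDed, values are ORed.
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            if key not in context:
                # A missing key satisfies ...IfExists and fails a plain operator.
                # Requests signed with access keys carry no
                # aws:MultiFactorAuthPresent key at all, hence BoolIfExists.
                if if_exists:
                    continue
                return False
            actual = str(context[key])
            if base == "Bool":
                ok = actual.lower() == expected[0].lower()
            elif base == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, e) for e in expected)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    if "Action" in stmt:
        if not _glob(stmt["Action"], action, context, fold_case=True):
            return False
    elif _glob(stmt["NotAction"], action, context, fold_case=True):
        return False  # NotAction: the statement covers every action except these
    if not _glob(stmt["Resource"], resource, context):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny overrides every Allow
                allowed = True
    return "Allow" if allowed else "Deny"  # nothing allowed it: implicit deny


# Constructed sample policies: DEVELOPER_S3 stands in for a Developers group
# policy; mfa_enforcement_policy follows the AWS documentation pattern "deny
# everything except MFA self-enrolment until the session has MFA".
DEVELOPER_S3 = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
MFA_SELF_SERVICE = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                    "iam:ListMFADevices", "iam:ResyncMFADevice"]


def mfa_enforcement_policy(operator="BoolIfExists"):
    """'operator' is parameterised only to show why plain Bool is not enough."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowManageOwnMFA", "Effect": "Allow", "Action": MFA_SELF_SERVICE,
         "Resource": ["arn:aws:iam::*:mfa/${aws:username}",
                      "arn:aws:iam::*:user/${aws:username}"]},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": MFA_SELF_SERVICE, "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}


def demo():
    """Requests by the made-up IAM user 'alice'; returns {label: decision}."""
    attached = [DEVELOPER_S3, mfa_enforcement_policy()]
    no_mfa = {"aws:username": "alice"}  # e.g. a CLI call signed with access keys
    with_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    bucket, own, other = ("arn:aws:s3:::my-bucket", "arn:aws:iam::123456789012:mfa/alice",
                          "arn:aws:iam::123456789012:mfa/bob")
    return {
        "s3 without mfa": evaluate(attached, "s3:ListBucket", bucket, no_mfa),
        "s3 with mfa": evaluate(attached, "s3:ListBucket", bucket, with_mfa),
        "enrol own mfa": evaluate(attached, "iam:EnableMFADevice", own, no_mfa),
        "enrol bob's mfa": evaluate(attached, "iam:EnableMFADevice", other, no_mfa),
        "s3 without mfa, plain Bool": evaluate(
            [DEVELOPER_S3, mfa_enforcement_policy("Bool")], "s3:ListBucket", bucket, no_mfa),
    }
```

Running demo() gives Deny, Allow, Allow, Deny, Allow in that order: the group's s3:* is overridden by the explicit deny until MFA is present, alice may enrol her own device but not bob's (nothing allows it, so the implicit deny applies), and the plain-Bool variant lets the key-signed S3 call through because the deny condition never matches a request with no MFA key.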