Graduate Program KB

IAM: Identity and Access Management

Users and Groups

  • A root account has control over the users and groups, which are managed with this service.
  • Users are people within the organization and can be grouped.
  • Groups only contain users, not other groups.
  • A user doesn't have to be in a group and can also be in multiple groups.
  • Creating a user is simple:
    • Go to users in the IAM console.
    • Create user and press create IAM user.
    • Auto-generate a password and require it to be changed at next sign-in (when the user is for someone else).
    • Give the user permissions (usually done by adding them to a group).

Permissions

  • Users or groups can be assigned JSON documents called policies.
  • These policies define permissions for the users.
  • Apply the least privilege principle! Don't give a user more than they need.

Policies

  • Can assign a policy to a group, where every user in that group will inherit said policy.
  • Or you can assign a policy inline to a specific user.
  • IAM Policy Structure:
    • Consists of:
      • Version: policy language version, always include "2024-10-17".
      • Id: an identifier for the policy, optional.
      • Statement: one or more individual statements, required.
    • Statement consists of:
      • Sid: an identifier for the statement, optional.
      • Effect: whether the statement allows or denies access (Allow, Deny).
      • Principal: the account, user or role to which this policy applies.
      • Action: list of actions this policy allows or denies.
      • Resource: list of resources to which the actions apply.
      • Condition: conditions for when the statement should be applied or not, optional.
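The policy structure above, as an added worked example (my code, not from these notes or from AWS): a small Python helper that assembles an identity-based policy document from the elements listed and a linter that flags Allow statements granting more than least privilege. The version string "2012-10-17" is the policy language version IAM accepts; the bucket name, Sid values and policy Id are constructed for the example.

```python
import json

# Policy language version IAM accepts for current policies (a known IAM value).
POLICY_VERSION = "2012-10-17"


def build_policy(sid, effect, actions, resources, condition=None, policy_id=None):
    """Assemble a policy document from the elements in the notes.

    Principal is omitted on purpose: an identity-based policy attached to a
    user or group applies to that identity, so IAM takes no Principal element
    there (Principal appears in resource-based and role trust policies).
    """
    statement = {
        "Sid": sid,
        "Effect": effect,                 # "Allow" or "Deny"
        "Action": list(actions),
        "Resource": list(resources),
    }
    if condition:
        statement["Condition"] = condition   # optional
    doc = {"Version": POLICY_VERSION, "Statement": [statement]}
    if policy_id:
        doc["Id"] = policy_id                # optional
    return doc


def lint_least_privilege(doc):
    """Return review findings for statements that grant more than they should.

    Findings are prompts for review, not hard errors: a few actions (for
    example listing all buckets) legitimately need Resource "*".
    """
    findings = []
    if doc.get("Version") != POLICY_VERSION:
        findings.append("Version must be %r" % POLICY_VERSION)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # IAM also accepts a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        label = st.get("Sid") or "statement %d" % i
        if st.get("Effect") != "Allow":
            continue                      # a broad Deny only narrows access
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = [resources] if isinstance(resources, str) else list(resources)
        if any(a == "*" for a in actions):
            findings.append(label + ": allows every action (Action '*')")
        if any(a.endswith(":*") for a in actions):
            findings.append(label + ": allows every action of a service")
        if "*" in resources:
            findings.append(label + ": applies to every resource (Resource '*')")
    return findings


# Constructed examples (bucket name and identifiers are made up).
# Scoped: read one bucket, and only from an MFA-authenticated session
# (aws:MultiFactorAuthPresent is a real IAM condition key).
SCOPED = build_policy(
    "ReadReportsBucket", "Allow",
    ["s3:GetObject", "s3:ListBucket"],
    ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    condition={"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    policy_id="example-reports-readonly",
)
# Over-broad: every S3 action on every resource.
BROAD = build_policy("Everything", "Allow", ["s3:*"], ["*"])

if __name__ == "__main__":
    print(json.dumps(SCOPED, indent=2))
    print("scoped findings:", lint_least_privilege(SCOPED))
    print("broad findings:", lint_least_privilege(BROAD))
```

Run it as a script to print the scoped policy as the JSON you would paste into the console; the linter reports nothing for it and two findings for the broad one.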

Security

  • Found under Account Settings.
  • You can set up a password policy in AWS:
    • Set a min password length.
    • Require specific character types.
    • Allow all IAM users to change their own passwords.
    • Require users to change their password after some time (password expiration).
    • Prevent password re-use.
  • Multi-Factor Authentication (MFA) is essential for security.
    • It protects users who have access to your account and could change configurations or delete resources in your AWS account.
    • MFA = password you know + security device you own.
    • MFA device options in AWS:
      • Virtual MFA device: Google Authenticator (phone only), Authy (multi-device).
      • Universal 2nd Factor (U2F) Security Key: YubiKey (supports multiple root users and IAM users using a single security key).
      • Hardware Key Fob MFA Device.
      • Hardware Key Fob MFA Device for AWS GovCloud.

How Can Users Access AWS?

  • Three Options:
    • AWS Management Console: protected by password + MFA.
    • AWS Command Line Interface (CLI): protected by access keys.
      • Interact with AWS services using commands in command-line shell.
      • Direct access to the public APIs of AWS services.
      • You can develop scripts to manage your resources.
      • It's open-source.
    • AWS Software Development Kit (SDK): for code and is protected by access keys.
      • Language-specific APIs.
      • Enables you to access and manage AWS services programmatically.
      • Embedded within your application.
      • Supports SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++), Mobile SDKs (Android and iOS) and IoT Device SDKs (Embedded C, Arduino).
  • Access Keys are generated through the AWS console.
  • Users manage their own keys.
  • Don't Share your access keys!!
    • Access Key ID ~= username
    • Secret Access Key ~= password

Roles for Services

  • Some AWS services will need to perform actions on your behalf.
  • To do so, we will assign permissions to AWS services with IAM Roles.
  • Common Roles:
    • EC2 instance roles.
    • Lambda Function Roles.
    • CloudFormation roles.
  • Roles essentially allow certain services to have permissions in order to do a task.
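An added example for the roles section (my code, not from these notes or from AWS) showing what makes a service role different from a user policy: a role carries two documents, a trust policy that names WHICH service principal may assume it (this is where the Principal element appears) and a permissions policy that says WHAT it may do once assumed. The service principal names are real AWS values; the bucket name, account id and Sid values are constructed, and the check at the end flags trust policies that let more than the intended service assume the role.

```python
import json

# Policy language version IAM accepts (a known IAM value).
POLICY_VERSION = "2012-10-17"

# Service principals for the common role types listed above (known AWS values).
SERVICE_PRINCIPALS = {
    "ec2": "ec2.amazonaws.com",
    "lambda": "lambda.amazonaws.com",
    "cloudformation": "cloudformation.amazonaws.com",
}


def trust_policy(service_principal):
    """Trust policy: WHO may assume the role (Principal + sts:AssumeRole, no Resource)."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Sid": "AllowServiceToAssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(sid, actions, resources):
    """Permissions policy attached to the role: WHAT the role may do once assumed."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{"Sid": sid, "Effect": "Allow",
                       "Action": list(actions), "Resource": list(resources)}],
    }


def check_trust_policy(doc, expected_service):
    """Findings when anything other than the intended service could assume the role."""
    findings = []
    statements = doc["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        # "*" or {"AWS": "*"} means every AWS principal, in every account.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("any principal may assume this role")
            continue
        if not isinstance(principal, dict):
            findings.append("unexpected Principal: %r" % (principal,))
            continue
        services = principal.get("Service", [])
        services = [services] if isinstance(services, str) else list(services)
        if services != [expected_service]:
            findings.append("Service principals %r, expected only %r" % (services, expected_service))
        # A role meant for a service should not also be assumable by users or other accounts.
        for key in principal:
            if key != "Service":
                findings.append("trust policy also grants %s principals %r" % (key, principal[key]))
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for a in actions:
            if a != "sts:AssumeRole":
                findings.append("trust policy allows %r, expected only sts:AssumeRole" % a)
    return findings


# Constructed example: an EC2 instance role that may only read one bucket.
EC2_TRUST = trust_policy(SERVICE_PRINCIPALS["ec2"])
EC2_PERMISSIONS = permissions_policy(
    "ReadArtifacts", ["s3:GetObject"], ["arn:aws:s3:::example-artifacts/*"])

# Constructed over-broad trust policy: an extra (made-up) account and a wildcard action.
OPEN_TRUST = {
    "Version": POLICY_VERSION,
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com",
                      "AWS": "arn:aws:iam::999988887777:root"},
        "Action": "sts:*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(EC2_TRUST, indent=2))
    print(json.dumps(EC2_PERMISSIONS, indent=2))
    print("open trust findings:", check_trust_policy(OPEN_TRUST, SERVICE_PRINCIPALS["ec2"]))
```

The same check applies to Lambda and CloudFormation roles by passing their service principal as `expected_service`.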

Security Tools

  • Credentials Report (account-level).
    • A report that lists all your account's users and the status of their various credentials.
  • Access Advisor (user-level).
    • Shows the service permissions granted to a user and when those services were last accessed.
    • You can use this info to revise your policies.
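An added example for the credentials report (my code, not from these notes or from AWS): the report downloads as CSV, and the audit below reads a constructed sample in that layout and flags the conditions the notes care about, a root account with access keys or without MFA, console users without MFA, access keys older than a rotation window, and active keys that are not being used. Only the columns the check reads are included; the account id, user names, timestamps and the 90/60-day thresholds are all constructed or chosen for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample (not a real report) using the credential report's column
# names; only the columns this audit reads are included.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2023-01-10T09:05:00+00:00,2024-04-30T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-04-15T08:00:00+00:00,2024-05-20T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2023-03-01T09:10:00+00:00,2023-09-01T08:00:00+00:00,true,2023-03-01T09:11:00+00:00,N/A
svc-build,arn:aws:iam::111122223333:user/svc-build,false,false,true,2024-05-01T08:00:00+00:00,2024-05-21T08:00:00+00:00,false,N/A,N/A
"""

# Fixed "now" so the results are reproducible; thresholds are example values.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)    # rotate keys at least this often
MAX_KEY_IDLE = timedelta(days=60)   # an active key nobody uses should be removed


def _ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported mean no date."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(text, now=NOW):
    """Return (user, finding) pairs for every credential that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no access keys at all and must have MFA.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue
            rotated = _ts(row["access_key_%s_last_rotated" % n])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, "access key %s older than %d days" % (n, MAX_KEY_AGE.days)))
            used = _ts(row["access_key_%s_last_used_date" % n])
            if used is None or now - used > MAX_KEY_IDLE:
                findings.append((user, "access key %s unused for %d+ days" % (n, MAX_KEY_IDLE.days)))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print("%-15s %s" % (user, finding))
```

With the sample, alice (MFA on, fresh and recently used key) and svc-build (no console password, fresh key) produce nothing; root and bob produce every finding. Access Advisor covers the other half of the audit, which services each user's permissions actually reach.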

Best Practices

  • Don't use root account except for AWS account setup.
  • Assign users to groups and assign permissions to groups.
  • Create a strong password policy.
  • Use and enforce the use of MFA.
  • Create and use roles for giving permissions to AWS services.
  • Use Access Keys for programmatic access (CLI/SDK).
  • Audit permissions with IAM credentials report & IAM access advisor.

IAM Shared Responsibility Model

  • AWS is Responsible for:
    • Infrastructure (global network security).
    • Configuration and vulnerability analysis.
    • Compliance validation.
  • You are Responsible for:
    • Users, Groups, Roles, Policies management and monitoring.
    • Enabling MFA on all accounts.
    • Rotating all of your keys often.
    • Using IAM tools to apply appropriate permissions.
    • Analyzing access patterns & reviewing permissions.