IAM (Identity and Access Management)
- IAM is a Global service, allowing the creation and grouping of users in an organisation by roles and responsibilities
- Groups only contain users, not other groups
- Users don't have to belong to a group, and users can also belong to multiple groups
- Users or Groups can be assigned permissions through policies specified in a JSON document
  - Wildcards such as * can be used to group multiple policies
- Apply the least privilege principle: Don't give more permissions than a user needs
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" },
      { "Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*" },
      {
        "Effect": "Allow",
        "Action": [
          "cloudwatch:ListMetrics",
          "cloudwatch:GetMetricStatistics",
          "cloudwatch:Describe*"
        ],
        "Resource": "*"
      }
    ]
  }
IAM Policies Structure
- "Version": Policy language version. Always set to "2012-10-17"
- "Id": An identifier for the policy (optional)
- "Statement": One or more individual statements (required), each consisting of:
  - "Sid": An identifier for the statement (optional)
  - "Effect": Whether the statement allows or denies access (Allow, Deny)
  - "Principal": Account/user/role to which this policy is applied
  - "Action": List of actions this policy allows or denies
  - "Resource": List of resources to which the actions apply
  - "Condition": Conditions for when this policy is in effect (optional)
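As an added illustration (not part of the original notes), a small Python check that parses a policy document with the structure listed above and flags Allow statements that break least privilege. The sample policy is the one from the notes plus a constructed over-broad statement; the wildcard rules are this check's own heuristics, not an AWS API.

```python
import json

# Constructed sample: the read-only policy from the notes above, plus one
# deliberately over-broad statement so the check has something to flag.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" },
    { "Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*" },
    { "Effect": "Allow", "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"], "Resource": "*" },
    { "Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*" }
  ]
}
"""

# Fields every statement of an identity-based policy needs (the NotAction /
# NotResource variants exist in IAM but are not handled by this check).
REQUIRED_STATEMENT_KEYS = ("Effect", "Action", "Resource")

def _as_list(value):
    """Action and Resource may be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_policy(policy_json):
    """Return a list of findings for a policy document (empty means clean)."""
    # Structure checks follow the field list in the notes; least-privilege
    # checks flag Allow statements pairing a wildcard Action with Resource "*".
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append("Statement is required")
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")   # Sid is optional
        for key in REQUIRED_STATEMENT_KEYS:
            if key not in stmt:
                findings.append(f"{sid}: missing {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if stmt.get("Effect") == "Allow":
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if "*" in actions and "*" in resources:
                findings.append(f"{sid}: Allow * on * grants full access")
            elif "*" in resources and any(a.endswith(":*") for a in actions):
                findings.append(f"{sid}: Allow service-wide wildcard on every resource")
    return findings
```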
IAM Password Policy
- Set a minimum password length
- Require specific character types:
  - Uppercase letters
  - Lowercase letters
  - Numbers
  - Non-alphanumeric characters
- Allow all IAM users to change their own passwords
- Require users to change their password after some time (password expiration)
- Prevent password re-use
Multi Factor Authentication (MFA)
- Protect your Root accounts and IAM users
- Users have access to your account, possibly changing configurations or deleting resources in your AWS account
- MFA = Your password + Security device you own
- Main benefit: If a password is stolen or hacked, the account is not compromised
- The hacker will need possession of your physical device, which is highly unlikely
- MFA device options in AWS:
  - Virtual MFA devices: Support for multiple tokens on a single device
    - Google Authenticator (phone)
    - Authy (multi-device)
  - Universal 2nd Factor (U2F) Security Key: Support for multiple Root and IAM users using a single security key
    - YubiKey by Yubico (3rd party)
  - Hardware Key Fob MFA device:
    - Provided by Gemalto (3rd party)
  - Hardware Key Fob MFA device for AWS GovCloud (US):
    - Provided by SurePassID (3rd party)
Accessing AWS
- Three options for users accessing AWS:
  - AWS Management Console (protected by password + MFA)
  - AWS Command Line Interface (CLI) (protected by access keys)
  - AWS Software Developer Kit (SDK) for code (protected by access keys)
- Access Keys are generated through the AWS Console
  - Users manage their own access keys
  - Treat them like passwords, don't share them
  - Access Key ID is similar to a username
  - Secret Access Key is similar to a password
- AWS CLI is a tool that enables you to interact with AWS services using commands in your command-line shell
  - Command format: aws [options] <command> <subcommand> [parameters]
  - Configure profile:
    aws configure
    AWS Access Key ID [None]: {Access Key ID}
    AWS Secret Access Key [None]: {Secret Access Key}
    Default region name [None]: {Region}
    Default output format [None]: {Leave blank / json}
- AWS SDK enables you to access and manage AWS services programmatically
  - Language-specific APIs, different set of libraries
  - Embedded within your application
  - Supports:
    - SDKs: JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++
    - Mobile SDKs: Android, iOS
    - IoT Device SDKs: Embedded C, Arduino
- AWS CloudShell is an alternative to using AWS CLI (check region availability)
  - Provides a Linux environment in the browser
  - Access through the terminal icon located in the top navigation bar
  - No need to configure a profile: API calls are made using the credentials of the currently signed-in account
IAM Roles for Services
- Assign permissions to AWS services with IAM roles
- Enables some AWS services to perform actions on your behalf
- Common roles:
  - EC2 Instance Roles
  - Lambda Function Roles
  - Roles for CloudFormation
IAM Security Tools
- IAM Credentials Report (account-level)
  - A report that lists all your account's users and the status of their various credentials
- IAM Access Advisor (user-level)
  - Access advisor shows the service permissions granted to a user and when those services were last accessed
  - Useful for revising policies
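Added example (not from the original notes): an offline audit of a credential report for two of the guidelines below, MFA on every console login and regular key rotation. The sample follows the column layout of an IAM credential report but is constructed with made-up values (123456789012 is a placeholder account id), and the 90-day rotation threshold is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report; only
# the columns this audit reads are included, and every value is made up.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-01-10T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2023-06-01T00:00:00+00:00,false,N/A
"""

MAX_KEY_AGE = timedelta(days=90)                          # rotation threshold (assumption)
AUDIT_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)    # fixed "now" for the sample

def audit_credential_report(report_csv, now):
    """Return (user, finding) tuples for console logins without MFA and for
    active access keys older than MAX_KEY_AGE at time `now`."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # MFA = password + device you own: a console password (or the root
        # account) with mfa_active false is exactly the case the notes warn about.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        # Both access-key slots are checked; inactive keys are skipped.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = now - rotated
            if age > MAX_KEY_AGE:
                findings.append((user, f"access key {slot} not rotated for {age.days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, AUDIT_TIME):
        print(f"{user}: {finding}")
```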
IAM Guidelines & Best Practices
- Don't use the Root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce the use of MFA
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic Access (CLI/SDK)
- Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
- Never share IAM users & Access Keys
Shared Responsibility Model for IAM
- AWS responsibilities:
  - Infrastructure (global network security)
  - Configuration and vulnerability analysis
  - Compliance validation
- User responsibilities:
  - Users, Groups, Roles, Policies management and monitoring
  - Enable MFA on all accounts
  - Rotate all your keys often
  - Use IAM tools to apply appropriate permissions
  - Analyse access patterns and review permissions