Identity and Access Management (IAM)

  • The purpose of IAM is to:
    • Manage access to AWS itself
      • It does not manage access inside the guest OS, services or applications you run
    • Control what principals can do in AWS
      • Can they launch an instance?
      • Can they put/delete objects in S3 buckets?
    • Support users, groups, and roles
    • IAM itself is free to use
    • The AWS services that those users launch do incur charges
      • If you give someone admin permissions and they launch an instance, your account is billed for that instance.
    • Train users before granting them any permission
  • IAM Concepts
    • Resources – the things on which actions are taken
      • For example, EC2 instances are resources; someone with permission to start/stop instances is acting on the resource.
    • Principals – the things that can take actions
      • Users
      • Groups
      • Roles
    • Policies – all rights/permissions are granted through policies
  • IAM principals
    • Also called identities
    • An entity that can perform an action:
      • Users
        • User credentials
          • A console password and up to two access keys (each an access key ID plus a secret access key)
        • Users can be members of groups
        • Policies are attached to the group rather than to each user
      • Groups
        • A collection of IAM users
        • Place multiple users in a group and attach policies to the group
        • Permissions should be managed at the group level
        • Users can be added and removed at any time
        • Groups are not used to log in and cannot be a principal in a policy
      • Roles
        • An identity with permissions but no long-term credentials
        • Roles are not permanently assigned to one person or service
          • They are assumed when needed and hand out temporary credentials
        • Compatible with federated users
          • Users that exist in an external identity system (a corporate directory, a SAML or OIDC provider) are mapped to a role and assume it to act in AWS
          • This is what enables single sign-on (SSO) into AWS
    • IAM users are entities created in AWS
    • People or services that access AWS through:
      • AWS Management Console
      • AWS API/CLI

Users vs Roles

  • Use IAM users when:
    • One person works with the account
    • Multiple people need permanent access
    • One or more users need CLI access
  • Use IAM roles when:
    • Applications need access to AWS
    • Mobile apps request AWS resources
    • Existing company users need federated access

Pro Tip: By default, all requests are denied during policy evaluation. An explicit allow overrides that default, but it is only effective if nothing else blocks it: when the user has a permissions boundary, the request must also be allowed by the boundary (an allow in the identity policy for something outside the boundary has no effect), and an explicit deny anywhere overrides every allow. For example, a policy that allows access to all S3 buckets together with a statement that denies one particular bucket results in no access to that bucket.
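The evaluation order in the tip above, as a small simulator. This is an added example, not code from the original post; the two policy documents (a developer identity policy and a read-only permissions boundary) are constructed for it, and resource-based policies, SCPs, session policies and Condition blocks are left out.

```python
"""Simplified IAM policy evaluation for one account (added example).

Order, following the evaluation logic described above:
  1. start from implicit deny;
  2. an explicit Deny in any applicable policy wins;
  3. otherwise the request is allowed only if an identity policy allows it
     AND, when a permissions boundary is attached, the boundary allows it too.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    return fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are case-sensitive.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(_matches(a, action.lower()) for a in actions)
            and any(_matches(r, resource) for r in resources))


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow', or None when no statement matches (implicit deny)."""
    outcome = None
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit deny: stop immediately
            if stmt.get("Effect") == "Allow":
                outcome = "Allow"      # keep looking, a Deny may still follow
    return outcome


def is_allowed(identity_policies, action, resource, permissions_boundary=None):
    """Decide a request for a user/role with the given identity policies."""
    if evaluate(identity_policies, action, resource) != "Allow":
        return False                   # explicit deny or no matching allow
    if permissions_boundary is not None:
        # The boundary caps the maximum permissions: an identity allow that
        # falls outside it is not effective, and a deny inside it still denies.
        if evaluate([permissions_boundary], action, resource) != "Allow":
            return False
    return True


# Constructed sample policies (not taken from any real account).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::finance-reports",
                      "arn:aws:s3:::finance-reports/*"]},
    ],
}

READ_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for action, resource, boundary in [
        ("s3:GetObject", "arn:aws:s3:::public-assets/logo.png", None),
        ("s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv", None),
        ("ec2:RunInstances", "*", None),
        ("s3:PutObject", "arn:aws:s3:::public-assets/logo.png", READ_ONLY_BOUNDARY),
        ("s3:GetObject", "arn:aws:s3:::public-assets/logo.png", READ_ONLY_BOUNDARY),
    ]:
        verdict = is_allowed([DEVELOPER_POLICY], action, resource, boundary)
        bounded = "yes" if boundary else "no"
        print(f"{action:18} {resource:42} boundary={bounded:3} -> {verdict}")
```

The second request is refused by the explicit deny even though `s3:*` on `*` allows it, the third by implicit deny (no statement mentions EC2), and the fourth by the boundary: the developer policy allows `s3:PutObject`, but the boundary does not, so the allow has no effect.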

  • Root user
    • The identity created with the AWS account; it signs in with the account's email address
    • It has unlimited permissions that IAM policies cannot restrict
    • Not recommended for day-to-day work; enable MFA on it and keep its credentials locked away
    • Tasks that require the root user include:
      • Changing the root user's own details (email address, password)
      • Changing the AWS Support plan (an IAM administrator cannot do that)
      • Closing an AWS account
      • Creating a CloudFront key pair
      • Enabling MFA Delete on an S3 bucket
      • Restoring IAM user permissions (for example when the only administrator has removed their own access)
  • Key Rotation in AWS
    • Rotating credentials limits how long a leaked key stays useful
    • Best practice is to rotate access keys regularly
      • Access key ID
      • Secret access key
    • Access keys, and therefore key rotation, exist only for IAM users; roles get temporary credentials that expire on their own
    • Key rotation process
      • Create a second access key in addition to the one in use (a user can have at most two)
      • Update all your applications to use the new access key and validate that they are working
      • Change the state of the previous access key to Inactive
      • Validate that your applications are still working as expected
      • Delete the inactive key
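The five rotation steps as one script, with a rollback on each failure path. This is an added example rather than the page's own code: in real use `iam` is `boto3.client("iam")` and `validate` is whatever check proves your applications work with the key they were handed; the `FakeIAM` class, the user name `deploy-bot` and the key IDs are stand-ins so the script runs offline.

```python
"""Two-key overlap rotation of an IAM user's access key (added example).

`iam` is a boto3 IAM client in real use (import boto3; iam = boto3.client("iam")).
FakeIAM below mimics the four calls used so the script runs offline.
`validate(access_key_id, secret)` is a caller-supplied check that returns True
once the applications work with the key passed in (for example after updating
the secret store and making a test API call).
"""
import secrets


class FakeIAM:
    """In-memory stand-in for the boto3 IAM client (constructed for this example)."""

    def __init__(self, user, keys):
        self._keys = {user: list(keys)}   # user -> [(AccessKeyId, Status)]

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": key_id, "Status": status}
            for key_id, status in self._keys[UserName]]}

    def create_access_key(self, UserName):
        if len(self._keys[UserName]) >= 2:       # same quota IAM enforces
            raise RuntimeError("LimitExceeded: AccessKeysPerUser is 2")
        key_id = "AKIA" + secrets.token_hex(8).upper()
        self._keys[UserName].append((key_id, "Active"))
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": secrets.token_urlsafe(30),
                              "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._keys[UserName] = [(k, Status if k == AccessKeyId else s)
                                for k, s in self._keys[UserName]]

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName] = [(k, s) for k, s in self._keys[UserName]
                                if k != AccessKeyId]


def rotate_access_key(iam, user, validate):
    """Rotate `user`'s single key; returns the new AccessKeyId.

    Every failure path leaves the user with a working key: the old key is
    only deactivated after the new one validates, and only deleted after the
    applications validate again with the old key inactive.
    """
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) != 1:
        raise RuntimeError(f"{user} has {len(keys)} keys; expected exactly one "
                           "(delete stale keys before rotating, the quota is two)")
    old_id = keys[0]["AccessKeyId"]

    # Step 1: create the second key alongside the one in use.
    new = iam.create_access_key(UserName=user)["AccessKey"]
    new_id, new_secret = new["AccessKeyId"], new["SecretAccessKey"]

    # Step 2: roll the new key out to the applications and validate.
    if not validate(new_id, new_secret):
        iam.delete_access_key(UserName=user, AccessKeyId=new_id)
        raise RuntimeError("new key failed validation; old key left active")

    # Step 3: deactivate (do not delete) the previous key.
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")

    # Step 4: confirm nothing was still using the old key.
    if not validate(new_id, new_secret):
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Active")
        raise RuntimeError("something still depended on the old key; reactivated it")

    # Step 5: delete the inactive key.
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)
    return new_id


if __name__ == "__main__":
    iam = FakeIAM("deploy-bot", [("AKIAOLDKEY0000000000", "Active")])
    print("rotated to", rotate_access_key(iam, "deploy-bot", lambda k, s: True))
    print(iam.list_access_keys(UserName="deploy-bot")["AccessKeyMetadata"])
```

The pre-check matters in practice: a user who already has two keys cannot get a third, so a half-finished earlier rotation must be cleaned up first. Deactivating before deleting (step 3) is what makes step 4 reversible; a deleted key cannot be brought back.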
  • AWS Security Hub
    • It runs automated checks against security standards (for example the CIS AWS Foundations Benchmark) and aggregates findings from other AWS security services
    • Pricing is usage-based (per check and per finding ingested); new accounts get a 30-day free trial
  • Shared Responsibility Model in AWS
    • AWS provides security of the cloud
      • Physical – the data centers, server rooms, and servers
      • Network – the physical switches, routers, and gateways, not the EIPs, security groups or route tables that admins/users configure
      • Hypervisor – runs on a physical server and allows launching instances (virtual machines)
      • Managed services – DynamoDB, Redshift, Aurora, etc.
    • You provide security in the cloud
      • Guest OS – the operating systems that run on the hypervisor, including their patching
      • Application – the applications that run on the guest OS
      • User Data – the data in the application
  • IAM Best Practices
    • User account
      • Create user accounts through IAM instead of sharing the root credentials
      • Users sign in through the account's IAM sign-in link (of the form https://<account-id-or-alias>.signin.aws.amazon.com/console), not the root sign-in page
      • An access key ID and secret access key can be generated after creating the user, and only if the user needs programmatic access
    • Default Password Policy
      • Minimum 8 characters
      • Maximum 128 characters
      • Must contain at least 3 of these 4 character types:
        • Uppercase letters
        • Lowercase letters
        • Numbers
        • Special characters
      • Cannot be the same as the AWS account name or email address
    • IAM Roles
      • Created in the IAM console (or through the CLI/API)
      • A secure way to grant permissions to entities you trust, because they hand out temporary credentials instead of long-term keys
  • CloudTrail
    • It is a logging service that records the API calls made in the account, which supports:
      • Governance – defining what we should do
      • Compliance – proving what we should do
      • Auditing – evaluating whether or not we are doing what we should do
    • It gives an event history (the console keeps 90 days without a trail)
    • Create the S3 bucket first, then create the trail pointing at it, so logs are stored permanently; the bucket policy must allow cloudtrail.amazonaws.com to write to it
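The bucket policy CloudTrail needs before it can deliver logs to a bucket, plus a checker for the mistakes that usually break delivery or expose the logs, as an added example that is not from the original post. The bucket name, account ID, region and trail name are invented; the actions and conditions follow the CloudTrail documentation for S3 log delivery.

```python
"""Bucket policy that lets CloudTrail deliver logs to an S3 bucket (added example).

The service principal may read the bucket ACL and put objects under
AWSLogs/<account-id>/, must set the bucket-owner-full-control ACL on each
object, and is limited to one trail via aws:SourceArn.
"""
import json

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket, account_id, region, trail_name, prefix=""):
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    key_prefix = prefix.strip("/") + "/" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": trail_arn,
                }},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_log_bucket_policy(policy):
    """Return a list of findings for a log-bucket policy; empty means it looks sound."""
    findings = []
    has_acl_check = has_write = False
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow":
            continue
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: grants {actions} to everyone; a log bucket must not be public")
            continue
        if principal != {"Service": CLOUDTRAIL}:
            continue                      # other grants are out of scope here
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "s3:GetBucketAcl" in actions:
            has_acl_check = True
        if "s3:PutObject" in actions:
            has_write = True
            if conditions.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject must require s3:x-amz-acl = bucket-owner-full-control")
            if not any("/AWSLogs/" in r for r in _as_list(stmt.get("Resource", []))):
                findings.append(f"{sid}: PutObject resource should be limited to the AWSLogs/<account-id>/ prefix")
        if "aws:SourceArn" not in conditions:
            findings.append(f"{sid}: add an aws:SourceArn condition so only your trail can use this grant")
    if not has_acl_check:
        findings.append(f"missing: Allow s3:GetBucketAcl for {CLOUDTRAIL}")
    if not has_write:
        findings.append(f"missing: Allow s3:PutObject for {CLOUDTRAIL}")
    return findings


if __name__ == "__main__":
    good = cloudtrail_bucket_policy("example-audit-logs", "123456789012", "us-east-1", "org-trail")
    print(json.dumps(good, indent=2))
    print("findings:", check_log_bucket_policy(good))
```

Without the `s3:x-amz-acl` condition CloudTrail can still write, but the bucket owner may not own the objects; without `aws:SourceArn` any trail in any account that knows the bucket name can deliver into it. Both are worth checking on buckets created by hand before the trail is pointed at them.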
Categories: AWS
