What is AWS IAM?


Overview

AWS is one of the world's leading cloud service providers. Anybody can easily create an AWS account. The email address and password used to create the AWS account will be used as root account credentials (the account owner). After creating an AWS account, we can log in using the root user or IAM user credentials. However, AWS strongly advises against using the root account credentials for daily tasks. The person/user must be successfully authenticated and authorised by the AWS Identity and Access Management service to use any AWS service.

What is AWS IAM?

IAM stands for Identity and Access Management.

The AWS IAM service is used to create the users and roles that work with AWS services.

AWS IAM is the first level of authentication that occurs when a user attempts to log in to their AWS account or access AWS services through the AWS management console or CLI.

If the credentials are incorrect or the user does not have the required permission, it will show an Unauthorized error. 

In layman's terms, AWS IAM is responsible for who (IAM user) can access (policies) what (AWS services).

IAM is a free service. There are no charges incurred for using the IAM service.

Components of AWS IAM

There are many components associated with AWS IAM for managing the AWS account. Some of the important ones are:

User

  • To give a person access to our AWS account, we create an individual IAM user for them.
  • Each user will have their own access and credentials to the account.
  • While creating the IAM user, we can grant any of the following levels of access.
    1. AWS Management Console access (log in via a browser).
    2. Programmatic access (via the CLI or SDKs).
    3. Both Management Console and programmatic access.
  • The maximum number of users per account is 5000.

User groups

  • We can create a group and add the users to it.
  • The maximum number of users per group equals the account's current user quota.
  • Policies attached to the group are inherited by its users by default.
  • We can attach a maximum of 20 policies to a group.
  • A user can belong to multiple groups, up to a maximum of 10.

Roles

  • Roles are similar to IAM users, but they can be assumed by anyone (AWS service, IAM user, or external entity) who requires them within the same or another account.
  • Roles can be assigned to specific AWS services to grant that service access to another service.

Examples:

  1. An EC2 instance uploads or downloads files from S3.
  2. A Lambda function writes files to an S3 bucket.

In both cases, we create a role with the appropriate permissions and assign it to the EC2 instance or the Lambda function.
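The two role pieces that the EC2/Lambda examples above require are a trust policy (who may assume the role) and a permissions policy (what the role may do). The Python below is an added example, not AWS SDK or CLI code; the function names, the bucket name and the account id are constructed for illustration. It also includes the check a reviewer would run before creating a role: flagging a trust policy whose principal is a wildcard, since such a role can be assumed by anyone.

```python
import json

# Added illustration of the role pattern described above; these helpers are not
# AWS SDK or CLI code. Names (service_trust_policy, s3_bucket_permissions,
# overly_broad_trust) and the bucket/account values are assumptions.
POLICY_VERSION = "2012-10-17"
ASSUME_ROLE = "sts:AssumeRole"


def service_trust_policy(service: str) -> dict:
    """Trust policy letting one AWS service principal (e.g. ec2.amazonaws.com) assume the role."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Effect": "Allow", "Principal": {"Service": service}, "Action": ASSUME_ROLE}
        ],
    }


def account_trust_policy(account_id: str) -> dict:
    """Trust policy for cross-account use: only principals in the named account may assume it."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": ASSUME_ROLE,
            }
        ],
    }


def s3_bucket_permissions(bucket: str, write: bool = False) -> dict:
    """Permissions policy for the role: scoped to one bucket, read-only unless write=True."""
    actions = ["s3:ListBucket", "s3:GetObject"]
    if write:
        actions.append("s3:PutObject")
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Effect": "Allow",
                "Action": actions,
                # Bucket ARN is needed for ListBucket, the object pattern for Get/PutObject.
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def overly_broad_trust(trust_policy: dict) -> list:
    """Return principal entries that would let any caller assume the role (wildcards)."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("*")
            continue
        if isinstance(principal, dict):
            for kind, value in principal.items():
                for entry in (value if isinstance(value, list) else [value]):
                    if entry == "*":
                        findings.append(f"{kind}:*")
    return findings


if __name__ == "__main__":
    # Role for the EC2 example: trusted by EC2, allowed to upload/download one bucket.
    ec2_trust = service_trust_policy("ec2.amazonaws.com")
    ec2_perms = s3_bucket_permissions("example-upload-bucket", write=True)
    print(json.dumps(ec2_trust, indent=2))
    print(json.dumps(ec2_perms, indent=2))
    print("findings:", overly_broad_trust(ec2_trust))
```

The JSON that `json.dumps` prints is what you would pass to the role's trust and permissions policy documents when creating the role; `overly_broad_trust` returns an empty list for the EC2 role and a non-empty list for any trust policy whose principal is `*`.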

Policy

  • Policies are JSON documents that contain a list of actions organized into five access levels: list, read, write, tagging, and permissions management.
  • In AWS IAM, there are two types of policies:
    • AWS managed policy
      • Created and maintained by AWS and available in every account by default.
    • Customer managed policy
      • Using either the JSON editor or the AWS policy generator, we create a custom policy by choosing the list, read, tagging, write, and permissions management actions it should allow.
  • Policies can be attached to IAM users, groups, or roles.
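To make the five access levels concrete, here is an added Python example (not AWS's own classifier) that groups the actions a custom policy allows by level and lists the points a reviewer would raise before attaching it. AWS derives the real level of each action from the service's action table; the prefix heuristic below is an assumption that approximates it for common actions, and the policy, bucket and role names are constructed.

```python
# Added illustration for the policy section; this is not AWS's own classifier.
# Assumption: AWS assigns each action's access level from the service's action
# table. The prefix heuristic below approximates that table for common actions
# and is only for review purposes; function and policy names are assumptions.


def access_level(action: str) -> str:
    """Classify one IAM action such as 's3:GetObject'; wildcards get their own bucket."""
    if "*" in action or "?" in action:
        return "wildcard"
    name = action.split(":", 1)[1] if ":" in action else action
    if name.startswith(("Tag", "Untag")):
        return "tagging"
    if name.startswith("List"):
        return "list"
    if name.startswith(("Get", "Describe", "Head", "Select", "BatchGet")):
        return "read"
    if name.endswith(("Policy", "Acl")) or name.startswith(("Attach", "Detach")):
        return "permissions management"
    return "write"


def summarize_policy(policy: dict) -> dict:
    """Group the actions granted by Allow statements by access level."""
    summary = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in (actions if isinstance(actions, list) else [actions]):
            summary.setdefault(access_level(action), []).append(action)
    return summary


def least_privilege_findings(policy: dict) -> list:
    """Points a reviewer would raise before attaching the policy to a user, group or role."""
    findings = []
    summary = summarize_policy(policy)
    for action in summary.get("wildcard", []):
        findings.append(f"wildcard action {action!r}: enumerate the exact actions needed")
    for action in summary.get("permissions management", []):
        findings.append(f"{action!r} can change who has access: confirm it is required")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and stmt.get("Resource") in ("*", ["*"]):
            findings.append("Resource '*': scope the statement to specific ARNs")
    return findings


# Constructed example of a customer managed policy submitted for review.
REPORT_UPLOADER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["iam:TagRole", "iam:ListRoleTags"],
            "Resource": "arn:aws:iam::111122223333:role/report-uploader",
        },
        # The statement a reviewer should question: permissions management on every bucket.
        {"Effect": "Allow", "Action": "s3:PutBucketPolicy", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for level, actions in summarize_policy(REPORT_UPLOADER_POLICY).items():
        print(f"{level:>22}: {', '.join(actions)}")
    for finding in least_privilege_findings(REPORT_UPLOADER_POLICY):
        print("finding:", finding)
```

Running it on the constructed policy reports one action per level for the first two statements and two findings for the third: the permissions-management action and the unscoped `Resource: "*"`.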

Identity providers

  • If the customer already has a user management system in their corporate network, such as ADFS, we can federate it with AWS by registering it as an identity provider (IdP) using either of the following protocols:
    • SAML
    • OpenID Connect

Features of IAM

Fine-grained access control 

Using policies, we grant permission to IAM entities such as IAM users, IAM roles, or IAM groups. In the policy, we can specify a set of access to be allowed or denied.

Delegate access by using IAM roles 

IAM roles can be assumed by federated identities (via identity providers) or by AWS services to access the AWS account. Assuming a role issues temporary security credentials, so no long-term keys need to be shared.

IAM Roles Anywhere

Workloads running outside AWS can obtain temporary credentials for an IAM role by presenting an X.509 certificate issued by a trusted CA.

IAM Access Analyzer

Using this feature, we can verify the existing access granted to an IAM entity. In addition, we can set and refine the permissions of an IAM user or role so that it holds least-privilege access.

Permission guardrails

For all the accounts in the AWS organization, we can use SCP (service control policy) to provide permissions guardrails for IAM roles and users.

Attribute-based access control

ABAC grants access based on tags attached to principals and resources, restricting IAM users to the AWS resources they are permitted to use and thereby minimising the number of IAM roles we need for our use case in the AWS account.

Use Cases for AWS IAM

Restrict Access to AWS Resources via the Corporate Network

Assume you have an AWS account with multiple EC2 and S3 resources. You want your employees to view these resources only from the corporate network. How will you achieve this?

Answer: we can create one policy that states that IAM users accessing from the corporate network (10.11.12.0/24) can access the resources in the AWS account, while requests from any other address receive an error.

  • Similarly, we can create policies and delegate access to IAM users.
  • For more business use cases, refer to the reference link below.

AWS IAM business use cases

Accessing IAM

By default, every request to the AWS account is denied, with the exception of the root user, who has full access to the account. We must either attach an existing policy to the IAM entity or create a new policy that explicitly allows the actions to be executed. The AWS enforcement code examines the request context (IAM policies and permissions) for each IAM entity (user or role) to determine whether the request should be allowed or denied.
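The following Python is an added example, not AWS's enforcement code, that models the decision just described (implicit deny by default, explicit Allow needed, explicit Deny always wins) and applies it to the corporate-network use case from the previous section. It supports wildcard matching on Action and Resource and the IpAddress, NotIpAddress and StringEquals condition operators only; the function names and the sample policy are constructed, and the 10.11.12.0/24 range is the one from the use case.

```python
import fnmatch
import ipaddress

# Added example: a simplified version of the IAM evaluation described above, not
# AWS's enforcement code. It implements explicit deny > allow > implicit deny for
# identity-based policies, wildcard matching on Action/Resource, and three
# condition operators. Function names and the sample policy are assumptions;
# the 10.11.12.0/24 range is the one from the use case above.
CORPORATE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # What employees may do at all: a read-only view of EC2 and S3.
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"], "Resource": "*"},
        # Standard AWS pattern for "corporate network only": deny everything when
        # the request's source address is outside the permitted range.
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "10.11.12.0/24"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') for Action and Resource fields."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _ip_in(ranges, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in _as_list(ranges))


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate the condition block; every operator/key pair must be satisfied."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None:
                # Simplification: a key missing from the request context never
                # satisfies the condition, so a Deny guarded by it does not fire.
                return False
            if operator == "IpAddress":
                ok = _ip_in(expected, actual)
            elif operator == "NotIpAddress":
                ok = not _ip_in(expected, actual)
            elif operator == "StringEquals":
                ok = actual in _as_list(expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action: str, resource: str, context: dict) -> str:
    """Decide one request: 'explicit deny', 'allow', or 'implicit deny' (the default)."""
    decision = "implicit deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # an explicit deny always wins
            decision = "allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::corp-data/report.csv"  # constructed object ARN
    for ip in ("10.11.12.57", "203.0.113.9"):
        ctx = {"aws:SourceIp": ip}
        print(ip, "s3:GetObject ->", evaluate([CORPORATE_ONLY_POLICY], "s3:GetObject", obj, ctx))
        print(ip, "s3:PutObject ->", evaluate([CORPORATE_ONLY_POLICY], "s3:PutObject", obj, ctx))
```

From the corporate range, `s3:GetObject` is allowed and `s3:PutObject` falls through to the implicit deny because no statement allows it; from any other address every action hits the explicit deny. Note that a request whose context carries no `aws:SourceIp` at all (for example one arriving through a VPC endpoint, or made by an AWS service on the user's behalf) is not caught by the Deny in this model, which is why AWS's own documentation pairs this pattern with additional condition keys such as `aws:ViaAWSService` or `aws:SourceVpce`.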

How Does IAM Work?

Before we create users or roles in IAM, we need to understand how IAM works. IAM provides the infrastructure required to govern authentication and authorization for the AWS account. The following table lists the elements of that infrastructure.

Element               | Description
Principal             | AWS account root user or IAM entity (user or role)
Request               | Actions, resources, principal, environment data, resource data
Authentication        | Sign-in credentials used to log in to the AWS account via the console or the AWS CLI
Authorization         | Permission check that evaluates the JSON documents (IAM policies)
Actions or operations | Once the IAM entity is authenticated and authorized, it can perform the actions allowed in the policy
Resources             | AWS service resources and IAM entities

For more details, refer to the link below.

IAM Infrastructure essentials

What is AWS IAM CLI?

Using AWS CLI, we can perform the same actions that are available in the Management Console via commands.

Before we use commands in CLI, we must configure our AWS IAM credentials so that AWS can validate the permissions.

The link to the available commands to execute via AWS CLI is mentioned below 

AWS CLI IAM API reference

Conclusion

  • The AWS IAM service provides IAM users and roles to manage secure access to our AWS account.

  • To protect our AWS account, we should delegate permissions to individual IAM users instead of working with the root account credentials.

  • If not configured properly, the AWS IAM service becomes the weak point in our AWS account's security.