All about the AWS IAM service
AWS Identity and Access Management (IAM) is one of the most basic and most important AWS services. IAM lets you control who can access which AWS services and resources. If you are starting to learn AWS, IAM is the very first service you should study. In this article we cover IAM from its most basic features to the more advanced ones, so that you are ready for hands-on work.
First of all, IAM is a global service: you do not have to select a region to use it. Let us get introduced to IAM through its primary entities, i.e. users, groups and policies.
Users are IAM identities that represent a person or an application that uses AWS services.
A group is a collection of users; permissions attached to the group apply to every user in it.
Policies are JSON documents that define permissions. A policy can be attached to a group, to an individual user, or to a role.
When you create an AWS account you get a root user. The root user should be used to create individual IAM users, each of which is granted only the specific permissions it needs to use other AWS services. A key point to remember: the root user should never be used for day-to-day access to AWS services. Why this is not recommended becomes clear once we see how policies are created and used.
Once an IAM user exists, you attach policies to it. You can choose from the policies AWS already provides (AWS managed policies) or create a custom policy when none of the existing ones has the right set of permissions.
The AWS managed policy IAMReadOnlyAccess is a good example of what a policy looks like. A policy document has a Version and one or more Statement blocks, and each statement contains the following elements:
- Version: the version of the policy language, not an identifier of the policy itself. Always use "2012-10-17", the current version.
- Effect: either "Allow" or "Deny". Anything not explicitly allowed is denied by default (implicit deny), and an explicit "Deny" overrides any "Allow".
- Action: the list of API actions the statement applies to, for example iam:ListUsers. Wildcards such as iam:Get* are allowed.
- Resource: the resources (identified by ARN) on which those actions are allowed or denied; "*" means all resources.
This policy can be attached to a user or to a group.
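To make the evaluation rules concrete, here is an added example (not code from the original article) of a small evaluator for identity-based policies. The IAM_READ_ONLY policy is modelled on the managed policy IAMReadOnlyAccess and the DENY_LIST_USERS policy is a hypothetical second policy; both are constructed here, so check the live managed policy in your own account for the authoritative text. The evaluator models only the basics: implicit deny, Allow, explicit Deny, and wildcards in Action and Resource.

```python
import fnmatch

# Constructed here, modelled on the AWS managed policy IAMReadOnlyAccess.
IAM_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
            ],
            "Resource": "*",
        }
    ],
}

# Hypothetical second policy attached to the same user: an explicit Deny on one action.
DENY_LIST_USERS = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "iam:ListUsers", "Resource": "*"},
}


def _as_list(value):
    # Statement, Action and Resource may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any sequence, '?' a single character.
    # Action names are case-insensitive; resource ARNs are compared as written.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Simplified identity-based policy evaluation.

    Everything is implicitly denied; an Allow in any matching statement grants
    access; an explicit Deny in any matching statement overrides every Allow.
    Condition, NotAction, NotResource, permission boundaries, SCPs and
    resource-based policies are deliberately left out of this model.
    """
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not any(_matches(a, action, ignore_case=True) for a in _as_list(st.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(st.get("Resource", []))):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # explicit deny wins, whatever other statements say
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed it


if __name__ == "__main__":
    user_arn = "arn:aws:iam::123456789012:user/alice"
    for action in ("iam:GetUser", "iam:CreateUser", "s3:ListBucket"):
        print(action, evaluate([IAM_READ_ONLY], action, user_arn))
    # Attaching the Deny policy removes one action but leaves the rest of the read access intact.
    print("iam:ListUsers", evaluate([IAM_READ_ONLY, DENY_LIST_USERS], "iam:ListUsers", "*"))
    print("iam:ListRoles", evaluate([IAM_READ_ONLY, DENY_LIST_USERS], "iam:ListRoles", "*"))
```

The real service applies further layers on top of this (conditions, permission boundaries, organisation SCPs, resource-based policies), but the three rules shown here are the ones every IAM beginner should internalise: nothing is allowed until a policy says so, and an explicit Deny can never be overridden by an Allow.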
Groups can be created per department in an organisation, so that the permissions of a whole department are managed in one place. It is also possible to embed an inline policy directly in a single user, group or role, but managed policies are easier to reuse and audit.
Every user should be granted the smallest set of permissions needed for their job (least privilege), so that a compromised credential does as little damage as possible. The root user should never be used for routine access: it has unrestricted access to every resource in the account and cannot be restricted by IAM policies.
What are roles?
A role is an IAM identity with policies attached, just like a user, but it has no long-term credentials of its own: it is assumed, which yields temporary credentials. When an AWS service such as EC2 or Lambda needs to call other services, you create a role, attach the permissions policies it needs in the same way as for a user, and let the service assume it. The role's trust policy defines who is allowed to assume it.
Advanced features of IAM
So far we have looked at the basic features of IAM, but IAM also provides ways to protect user accounts from unauthorized access.
- IAM password policy: you can require users to set strong passwords (minimum length, character classes, no reuse) and force them to change their password after a set period.
- Multi-factor authentication (MFA): MFA adds a second factor, a code from a virtual or hardware device or a security key, on top of the password. If the password is compromised, the account is still protected, because a login is impossible without the code that only the configured device can produce.
AWS Access Keys
Access keys are used for programmatic access: the AWS CLI, the SDKs and direct API calls. Each IAM user can have its own keys (at most two at a time), and they must not be shared with anyone, just like passwords.
Access keys can be generated in the AWS Management Console. A key pair consists of an access key ID and a secret access key. The secret is shown only once, at creation time, so you must download it and store it in a safe place; if it is lost it cannot be retrieved. Fortunately a new pair can be generated at any time and the old one deactivated and then deleted, which is also how keys should be rotated regularly.
AWS Security Tools
AWS provides the following security tools:
1. IAM credentials report: an account-level report. It lists every user in the account together with the status of their credentials: password, access keys and MFA, including when each was last used and last rotated.
2. IAM access advisor: a user-level view (also available for groups and roles). It shows the services a user's policies grant access to and when each service was last accessed, which makes unused permissions easy to spot and remove.
That covers the main features of IAM and should help you get started with one of the most powerful services of AWS.