AWS Identity & Access Management [IAM]

Identity & Access Management

AWS Identity and Access Management (IAM) is a web service that helps you securely control authentication and authorization for AWS resources: who can sign in, and what they are allowed to do.

The common use of IAM is to manage:

  • Users
  • Groups
  • IAM access policies
  • Roles

IAM Initial setup and Configuration

When a new AWS root account is created, it is best practice to complete the tasks listed in the IAM console under “Security Status”.
The tasks include:

[Screenshot: IAM Security Status checklist; the tasks are listed under Good Practice below]

  • What is MFA?
    • MFA is Multi-Factor Authentication: signing in requires a one-time code in addition to the password.
  • Ways to get the code:

VIRTUAL MFA DEVICE

  • Using a smartphone or tablet
  • Commonly used apps such as Google Authenticator

HARDWARE KEY FOB:

  • A small physical device, like an RSA token
  • Can be ordered from Amazon

Below is the screenshot depicting how MFA works:

[Screenshot: how MFA works]

Good Practice using MFA:

  • AWS best practice is to never use the root account for day-to-day work; if a user needs full admin access, create an IAM user and attach the AdministratorAccess policy to it instead.
  • It is more convenient and efficient to set up groups and assign permissions to the group rather than assigning permissions to each user individually.
  • When a new AWS root account is created, it is best practice to complete the tasks below under Security Status:
    • Delete your root access keys
    • Activate MFA on your root account
    • Create individual IAM users
    • Use groups to assign permissions
    • Apply an IAM password policy

USERS & POLICIES

Take the reference case below:

  • We have three users: Kunal, Matt and Donna. Currently only Matt has access to the S3 bucket, because the S3 policy has been assigned to Matt alone and not to Kunal or Donna.
  • To give Kunal and Donna the S3 bucket access they currently lack, we go to each user's profile and attach the S3 policy there. After doing this, S3 is accessible to all three users, i.e. Kunal, Matt and Donna.

GROUPS AND POLICIES

To remove a policy, use the Detach Policy option.

Above is a scenario where we have a group named Dev; the users assigned to the group are Kunal, Matt and Donna. Currently no policy has been assigned to the group Dev, so none of them can access the S3 bucket. Once we assign the S3 policy to the group Dev, all the users inside this group have access to the S3 bucket.

After assigning the S3 policy to the group, all of them have access to the S3 bucket, as depicted in the screenshot below:

In between, we can always remove a user from the group and add them back as required, so groups help manage users well by gathering multiple users under one group.

[Screenshots: group Dev before and after the S3 policy is attached]

ROLES:

Suppose we have an EC2 user and software running on an EC2 instance that needs to access information present in an S3 bucket, but one service cannot simply connect to another service to get that information on its own.

For this we can create a role and assign it to the EC2 service. The role lets that service (EC2) act as a user and access the S3 bucket, and under the role we attach policies the same way we attach them to groups.

So we can think of a role as a group that is assigned to other AWS services rather than to users, so that those services can access other AWS services.
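As an added example (not code from the original post), here is a simplified model in Python of the two scenarios above: the three users and the group Dev with the S3 policy, and the role assumed by the EC2 service. The user names, bucket ARN and policy documents are constructed for the example, and it implements only the core evaluation rule, that an explicit Deny beats any Allow and that nothing matching means an implicit deny.

```python
# Added example, not from the original post: a simplified model of how IAM combines
# identity-based policies (a user's own plus its groups', or a role's). Core rule: an
# explicit Deny always wins, then a matching Allow wins, else implicit deny. Real IAM
# also evaluates resource policies, permission boundaries, SCPs and conditions.
from fnmatch import fnmatchcase

# Constructed sample policy documents in the shape of real IAM JSON (EC2_TRUST is a role trust policy).
S3_READ = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket*"}]}
S3_FULL = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_DELETE = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
EC2_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    # IAM actions and resources may use "*" wildcards; fnmatch gives the same effect here.
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def is_allowed(policies, action, resource):
    effects = {s["Effect"] for p in policies for s in p["Statement"] if _matches(s, action, resource)}
    return "Deny" not in effects and "Allow" in effects

def effective_policies(user, users, groups):
    """Policies attached directly to the user plus those of every group the user belongs to."""
    return list(users[user]["policies"]) + [p for g in users[user]["groups"] for p in groups[g]["policies"]]

def can_assume(trust_policy, service):
    """A service may assume a role only if the role's trust policy names it as a principal."""
    return any(s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
               and service in _as_list(s["Principal"].get("Service", []))
               for s in trust_policy["Statement"])

def scenario():
    obj = "arn:aws:s3:::example-bucket/report.csv"
    users = {"Kunal": {"policies": [], "groups": []}, "Matt": {"policies": [S3_FULL], "groups": []},
             "Donna": {"policies": [], "groups": []}}
    groups = {"Dev": {"policies": []}}
    def check(action):
        return {u: is_allowed(effective_policies(u, users, groups), action, obj) for u in users}
    before = check("s3:GetObject")            # only Matt, via his directly attached policy
    groups["Dev"]["policies"].append(S3_READ)
    for u in users:
        users[u]["groups"].append("Dev")      # putting all three in Dev gives them all read access
    after = check("s3:GetObject")
    matt_delete_before = check("s3:DeleteObject")["Matt"]   # True: Matt's own s3:* allows it
    groups["Dev"]["policies"].append(DENY_DELETE)           # explicit Deny on the group beats that Allow
    ec2 = can_assume(EC2_TRUST, "ec2.amazonaws.com") and is_allowed([S3_READ], "s3:GetObject", obj)
    return {"before": before, "after": after, "matt_delete_before": matt_delete_before,
            "matt_delete_after": check("s3:DeleteObject")["Matt"], "ec2_via_role": ec2}
```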

Below is the screenshot depicting the scenario:

[Screenshot: EC2 instance using a role to access S3]
