AWS IAM Core Concepts and Best Practices
Feb 13, 2022
What is IAM?
- IAM stands for Identity and Access Management.
- It is one of the core foundations of AWS, so a good understanding of it is important for using AWS services effectively.
- IAM provides the tools to create users and to manage the authentication and authorization needed to access AWS resources, which is why its core concepts are worth understanding.
source: aws.amazon.com
Concepts and features
Identities of IAM
- Username: a human-readable name that identifies the user
- Access ID: an identifier returned when working with AWS programmatically
- ARN: Amazon Resource Name
Principal
- A principal is an entity such as a user, role, federated user or application.
- A principal can make requests to perform an action on AWS resources.
Request
- A principal performs requests on AWS resources.
- When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS.
- A request includes the following information:
- Actions or operations: the actions or operations that the principal wants to perform.
- Environment data: information such as the IP address, user agent, SSL enabled status, or the time of day.
- Resource data: data related to the resource that is being requested.
Authentication
- A user needs to provide a unique username and a password to authenticate to the AWS Management Console.
- API or AWS CLI authentication requires an access key ID and a secret access key.
- Multi-factor authentication (MFA) is optional and increases security.
Authorization
- AWS uses values from the request context to check for policies that apply to the request. It then uses the policies to determine whether to “allow” or “deny” the request.
- We can categorize policies as “permissions policies” or “permissions boundaries”.
- Permissions policies define the permissions for the object to which they’re attached. These include identity-based policies, resource-based policies, and ACLs.
- A permissions boundary is an advanced feature that allows you to use policies to limit the maximum permissions that a principal can have.
- To provide your users with permissions to access the AWS resources in their own account, we need identity-based policies.
- Identity-based policies are attached to users or groups.
- Resource-based policies are for granting cross-account access.
- Evaluation logic rules for policies:
- By default, all requests are denied.
- An explicit allow in a permissions policy overrides this default.
- A permissions boundary can override the allow: if a permissions boundary applies, that boundary must also allow the request; otherwise the request is implicitly denied.
- An explicit deny in any policy overrides any allow.
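The four evaluation rules above, as an added illustration that is not part of the original post: a deliberately simplified, constructed model of IAM evaluation covering identity-based policies, a permissions boundary and the aws:MultiFactorAuthPresent condition (real IAM also evaluates SCPs, session policies and resource-based policies, which this model leaves out).

```python
import fnmatch

# Constructed example policies (not from the post). The account and bucket
# names are placeholders.
READ_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
IAM_ADMIN_WITH_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
DENY_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _matches(patterns, value):
    """Case-insensitive glob match, as IAM does for Action and Resource."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _condition_ok(cond, ctx):
    """Only the Bool operator is modelled; a missing context key compares as false."""
    for key, expected in cond.get("Bool", {}).items():
        if str(ctx.get(key, False)).lower() != str(expected).lower():
            return False
    return True

def evaluate_policy(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' or None when no statement matches the request."""
    decision = None
    for st in policy["Statement"]:
        if not (_matches(st.get("Action", []), action)
                and _matches(st.get("Resource", []), resource)
                and _condition_ok(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # rule 4: explicit deny wins over any allow
        decision = "Allow"         # rule 2: explicit allow overrides default deny
    return decision

def is_allowed(policies, action, resource, ctx=None, boundary=None):
    """Apply the rules in order: explicit deny, implicit deny, then boundary."""
    ctx = ctx or {}
    results = [evaluate_policy(p, action, resource, ctx) for p in policies]
    if "Deny" in results or "Allow" not in results:
        return False               # rule 1: default deny unless explicitly allowed
    if boundary is not None and evaluate_policy(boundary, action, resource, ctx) != "Allow":
        return False               # rule 3: the boundary must also allow the request
    return True
```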
Actions or Operations
- Operations are defined by a service, and include things that you can do to a resource, such as viewing, creating, editing, and deleting that resource.
Resource
- An object that exists within a service. The service defines a set of actions that can be performed on each resource.
IAM Users
- Instead of sharing your root user credentials with others, you can create individual IAM users within your account that correspond to users in your organization. IAM users are not separate accounts; they are users within your account.
- Each user can have its own password for access to the AWS Management Console. You can also create an individual access key for each user so that the user can make programmatic requests to work with resources in your account.
- By default, a brand new IAM user has NO permissions to do anything.
- Users are global entities.
Federated Users
- If the users in your organization already have a way to be authenticated, you can federate those user identities into AWS.
IAM Groups
- An IAM group is a collection of IAM users.
- You can organize IAM users into IAM groups and attach access control policies to a group.
- A user can belong to multiple groups.
- Groups cannot belong to other groups.
- Groups do not have security credentials and cannot access AWS services directly.
IAM Role
- A role does not have long-term credentials associated with it.
- Roles are one of the trickier subjects in IAM.
- An IAM user can assume a role to temporarily take on different permissions for a specific task. A role can be assigned to a federated user who signs in by using an external identity provider instead of IAM.
- AWS service role is a role that a service assumes to perform actions in your account on your behalf. This service role must include all the permissions required for the service to access the AWS resources that it needs.
- AWS service role for an EC2 instance is a special type of service role that a service assumes to launch an EC2 instance that runs your application. This role is assigned to the EC2 instance when it is launched.
- AWS service-linked role is a unique type of service role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
- An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
- Users or groups can have multiple policies attached to them that grant different permissions.
Policies
- Most permission policies are JSON policy documents.
- The IAM console includes policy summary tables that describe the access level, resources, and conditions that are allowed or denied for each service in a policy.
- The policy summary table includes a list of services. Choose a service there to see the service summary.
- This summary table includes a list of the actions and associated permissions for the chosen service. You can choose an action from that table to view the action summary.
- To assign permissions to federated users, you can create an entity referred to as a role and define permissions for the role.
Identity-Based Policies
- Permissions policies that you attach to a principal or identity.
- Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account.
- Inline policies are policies that you create and manage and that are embedded directly into a single user, group, or role.
Resource-based Policies
- Permissions policies that you attach to a resource such as an Amazon S3 bucket.
- Resource-based policies are only inline policies.
- Trust policies — resource-based policies that are attached to a role and define which principals can assume the role.
AWS Security Token Service (STS)
- Provides trusted users with temporary security credentials to control access to your AWS resources.
- Temporary security credentials are short-term and are not stored with the user but are generated dynamically and provided to the user when requested.
- By default, AWS STS is a global service with a single endpoint at https://sts.amazonaws.com.
Assume Role Options
- AssumeRole — Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access.
- You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an AWS MFA device.
- AssumeRoleWithSAML — Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This allows you to link your enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.
- AssumeRoleWithWebIdentity — Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
STS Get Tokens
- GetFederationToken — Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
- GetSessionToken — Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. You must call the GetSessionToken operation using the long-term security credentials of an IAM user. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations.
IAM Access Analyzer
- Provides policy checks that help you proactively validate policies when creating them. These checks analyze your policy and report errors, warnings, and suggestions with actionable recommendations that help you set secure and functional permissions.
- IAM Access Analyzer continuously monitors for new or updated resource policies and permissions granted for S3 buckets, KMS keys, SQS queues, IAM roles, Lambda functions, and Secrets Manager secrets.
Best Practices
- Don’t use the root account for production work
- Enable multi-factor authentication (MFA)
- Use IAM users instead of the root user
- Use groups and assign permissions
- To assign permissions to IAM users, use groups
- Use AWS defined policies to assign permissions whenever possible
- Use access levels to review IAM permissions
- Use roles for applications that run on Amazon EC2 instances
- Use roles to delegate permissions
- Do not share your access keys
- Remove unnecessary credentials
- Use policy conditions for extra security
- Monitor activity in your AWS account
- Rotate credentials regularly
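As an added example that is not part of the original post, the following turns three of the practices above (no root usage, MFA everywhere, monitor activity) into a small check over CloudTrail records. The records are constructed sample data with placeholder account IDs and addresses, not real log output; the field names (userIdentity.type, eventName, additionalEventData.MFAUsed) are the ones CloudTrail uses.

```python
import json

# Constructed CloudTrail-style records in the {"Records": [...]} file layout.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "GetObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"}},
    {"eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]})

# IAM write operations worth reviewing because they change who can do what.
PRIVILEGE_CHANGE_EVENTS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy",
                           "PutUserPolicy", "AddUserToGroup", "CreateLoginProfile"}

def load_records(trail_text):
    """Parse one CloudTrail JSON file body into its list of records."""
    return json.loads(trail_text)["Records"]

def find_findings(records):
    """Return (finding, eventName, actor ARN, source IP) tuples for review."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        name = rec.get("eventName")
        actor = ident.get("arn")
        ip = rec.get("sourceIPAddress")
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", name, actor, ip))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", name, actor, ip))
        if name in PRIVILEGE_CHANGE_EVENTS:
            findings.append(("IAM_PRIVILEGE_CHANGE", name, actor, ip))
    return findings

if __name__ == "__main__":
    for finding in find_findings(load_records(SAMPLE_TRAIL)):
        print(*finding)
```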