DEV Community

Mohamad Lawand

What is AWS IAM?

Identity and Access Management (IAM)

This is the second article in a series of articles that help prepare for the AWS Solutions Architect certification. In this article we cover the IAM part of the exam.

You can watch the full video on YouTube

Learning Objectives

  1. What is IAM
  2. What is a root account
  3. What is a policy
  4. What is a policy document
  5. IAM building blocks
  6. The Least privilege principle
  7. Identity Provider

What is IAM

IAM stands for Identity and Access Management; it is the service that lets us manage who (users, groups, roles) can do what (permissions) in an AWS account

  1. Free service, included in every AWS account
  2. Manage user accounts
  3. Manage users' access level
  4. Create permissions (policies)
  5. Create groups and roles
  6. Grant access to AWS resources

IAM is a global service: it does not belong to any specific region, so users, groups, roles and policies apply across all regions of the account

What is a root account

The root user is the identity that signs in with the email address and password used to create the AWS account

  • It has full admin access to everything in the account, and no IAM policy can restrict it
  • It needs to be secured, and should not be used for day-to-day work

To secure the root user we need to:

  • Enable MFA ⇒ with a virtual authenticator app on a smartphone (or a hardware security key)
  • Create an IAM group with admin permissions, put an IAM user for ourselves in it, and use that user instead of root from then on
  • Never create access keys for the root user; if any exist, delete them

What is a policy

A policy is the set of rules we attach to an identity to grant (or deny) permissions on AWS resources. There are two types of policies:

  • AWS managed policies, created and maintained by AWS (shown with an AWS icon next to them)
  • Customer managed policies, which we write ourselves

Policies can be created with the visual editor or with the text editor (JSON)

AWS also ships managed policies for common job functions (for example Billing, DataScientist or SecurityAudit), which makes life much easier when a job maps onto one of them.

Inline policies are embedded directly in one user, group or role and cannot be reused. They keep a strict one-to-one relationship between the policy and that identity, which is useful when a policy must never be attached to anything else; for anything shared, managed policies are easier to maintain and audit.

What is a policy document

It is a JSON document that describes which actions are allowed or denied on which resources; with policy documents we assign permissions and remove permissions. The sample below grants full administrator access to whichever user, group or role it is attached to (it is the same document as the AWS managed AdministratorAccess policy). Note that Version must be the literal string "2012-10-17", the current policy language version, not an arbitrary date.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Reading it element by element:

  • Statement: an array of one or more permission statements
  • Effect: Allow or Deny. Everything is implicitly denied until an Allow matches, and an explicit Deny always wins over any Allow
  • Action: what the principal can do ("*" here means every action of every service)
  • Resource: which resources the action applies to, written as ARNs ("*" here means every resource)

It is really important to learn how to read policy documents: the console shows the same JSON for AWS managed policies, so you can check exactly what a policy grants before attaching it.

Attach policy documents to groups rather than to individual users: a user then receives permissions by being added to the right group, and removing a person from the group revokes them in one step, which makes everything easier to manage.
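To make the reading rules concrete, here is a small offline evaluator that applies them to the two policy documents on this page. It is an added example written for this article, not code from the original post or from AWS; it models only identity-based policies (no Condition, NotAction, NotResource, resource-based policies, permission boundaries or SCPs), and the object keys and account ID used in the checks are made up.

```python
"""Offline evaluator for IAM identity-based policy documents.

Added example, not code from the original article.  It implements the core
of IAM's evaluation logic for identity-based policies: everything is denied
by default, a matching Allow grants access, and an explicit Deny overrides
any Allow.  Action and Resource patterns use IAM's '*' and '?' wildcards.
Condition, NotAction, NotResource, resource-based policies, permission
boundaries and SCPs are deliberately not modelled, so the real AWS decision
can differ when those are involved.
"""
import json
import re
from typing import Iterable

# The two policy documents shown in the article, plus one constructed
# policy that contains an explicit Deny.  The bucket name is the article's;
# the object keys and account ID used below are made up.
ADMIN_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

S3_READ_SHARED_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": ["arn:aws:s3:::mohamad-bucket/shared/*"]
    }]
}""")

DENY_DELETE_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny",  "Action": "s3:Delete*", "Resource": "*"}
    ]
}""")


def _as_list(value) -> list:
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, candidate: str, ignore_case: bool) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one.  Action names are compared
    case-insensitively, resource ARNs case-sensitively."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern]
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch("".join(parts), candidate, flags) is not None


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True when both the Action and the Resource of a statement match."""
    for element in ("NotAction", "NotResource", "Condition"):
        if element in stmt:
            raise NotImplementedError(f"{element} is not modelled here")
    action_ok = any(_wildcard_match(p, action, True)
                    for p in _as_list(stmt.get("Action")))
    resource_ok = any(_wildcard_match(p, resource, False)
                      for p in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Decide one request against all identity-based policies attached to
    a principal.  Returns 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"            # an explicit Deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    shared = "arn:aws:s3:::mohamad-bucket/shared/report.csv"
    checks = [
        ([ADMIN_POLICY], "iam:CreateUser", "arn:aws:iam::123456789012:user/bob"),
        ([S3_READ_SHARED_POLICY], "s3:GetObject", shared),
        ([S3_READ_SHARED_POLICY], "s3:PutObject", shared),
        ([S3_READ_SHARED_POLICY], "s3:GetObject", "arn:aws:s3:::mohamad-bucket/private/x"),
        # s3:ListBucket is evaluated against the bucket ARN, which the
        # "shared/*" resource pattern does not cover, so listing is denied.
        ([S3_READ_SHARED_POLICY], "s3:ListBucket", "arn:aws:s3:::mohamad-bucket"),
        ([DENY_DELETE_POLICY], "s3:DeleteObject", shared),
    ]
    for policies, action, resource in checks:
        print(f"{action:16} {resource:48} -> {evaluate(policies, action, resource)}")
```

The last two checks are the ones worth remembering: the S3 policy from this page lets a user read objects under shared/ but does not let them list the bucket, because s3:ListBucket is authorised against the bucket ARN rather than an object ARN, and a Deny statement beats an Allow even when the Allow is broader.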

What are the building blocks of IAM


User

  • belongs to one person; every person must have their own IAM user
  • account sharing is not allowed
  • enforce a password policy with rotation, and enable MFA for console users
  • a newly created user has no permissions at all until a policy is attached (directly, through a group, or by assuming a role)
  • When creating a user we get 2 options, which can be combined:
    • Console: access to the AWS web portal with a password
    • Programmatic: access through the CLI and SDKs using an access key ID and a secret access key. The secret is shown only once, at creation time, so store it securely and rotate it regularly

Group

  • based on job function: we group users together by what they do (QA, Devs, HR) and attach the policies for that job to the group
  • a group contains a list of users; a user may belong to several groups, but groups cannot contain other groups

Roles

A role is an identity with permissions that a user, application or AWS service assumes temporarily instead of holding long-term credentials

  • internal within AWS: assuming a role returns short-lived credentials from STS, so nothing needs to be stored permanently
  • extra layer of security: who may assume the role is controlled by the role's trust policy, separately from what the role may do
  • grants permissions to both users and services
  • it is the way for one AWS service to access another, e.g. an EC2 instance or Lambda function reading from S3 without an access key embedded in its code

The least privilege principle

We assign groups, users and roles only the minimum permissions they need to do their jobs, and nothing more: start from no access, grant specific actions on specific resources, and keep "*" in Action or Resource for break-glass administrator policies only.

Identity Provider

Allows SSO (Single Sign On): a user who has logged in to their corporate directory is signed in to AWS without a separate IAM user or password. We need to set up a trust between AWS and the identity provider for this to work: the provider is registered in IAM, and a role whose trust policy allows sts:AssumeRoleWithSAML from that provider is assumed at login.

Usually the identity provider is Microsoft Active Directory (through AD FS) using SAML 2.0
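The roles and identity provider sections both come down to the role's trust policy, the document that says who may assume the role. The following added example (written for this article, not code from the original post or from AWS) shows a service-role trust policy, a SAML federation trust policy, and a small checker for the mistakes practitioners most often make in them. All policies are constructed samples: the account IDs 123456789012 and 999999999999, the provider name corp-adfs and the role names are placeholders.

```python
"""Checks on IAM role trust policies, the documents that say who may assume
a role.  Added example, not code from the original article.  All policies
below are constructed samples: the account IDs 123456789012 and
999999999999 and the SAML provider name corp-adfs are placeholders.
"""
import re
from typing import Optional

# Trust policy of a role for an EC2 instance profile: the trusted principal
# is the EC2 service, so the instance gets temporary credentials from STS
# and no access key needs to be stored on it.
EC2_INSTANCE_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Trust policy of a role reached through SAML SSO from a corporate IdP such
# as AD FS.  The SAML:aud condition ties the assertion to the AWS sign-in
# endpoint, as in the AWS documentation's standard example.
SAML_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/corp-adfs"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# Two constructed bad examples: anyone in AWS may assume the first; the
# second trusts another account with no sts:ExternalId condition.
ANYONE_MAY_ASSUME = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}
THIRD_PARTY_NO_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                   "Action": "sts:AssumeRole"}],
}

_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value) -> list:
    """IAM accepts a single string or a list for most elements."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt: dict) -> set:
    """Flatten {"StringEquals": {"sts:ExternalId": ...}} into {"sts:externalid"}."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def _account_of(principal: str) -> Optional[str]:
    """Account ID from an IAM ARN or a bare 12-digit account principal."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = _ACCOUNT_IN_ARN.match(principal)
    return m.group(1) if m else None


def trust_policy_findings(doc: dict, own_account: str) -> list:
    """Return human-readable findings for risky Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":            # bare "*" is shorthand for {"AWS": "*"}
            principal = {"AWS": "*"}
        aws_principals = _as_list(principal.get("AWS"))
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        keys = _condition_keys(stmt)

        if "*" in aws_principals:
            findings.append(f"statement {i}: Principal '*' lets any AWS principal assume the role")
        for p in aws_principals:
            acct = _account_of(p)
            if acct and acct != own_account and "sts:externalid" not in keys:
                findings.append(f"statement {i}: cross-account trust of {acct} without an "
                                "sts:ExternalId condition (confused-deputy risk with third parties)")
        if principal.get("Federated") and "sts:assumerolewithsaml" in actions and "saml:aud" not in keys:
            findings.append(f"statement {i}: SAML trust without a SAML:aud condition")
    return findings


if __name__ == "__main__":
    samples = [("ec2", EC2_INSTANCE_ROLE_TRUST), ("saml", SAML_ROLE_TRUST),
               ("anyone", ANYONE_MAY_ASSUME), ("third-party", THIRD_PARTY_NO_EXTERNAL_ID)]
    for name, doc in samples:
        print(name, trust_policy_findings(doc, "123456789012") or "OK")
```

The trust policy and the permissions policy are separate documents: the checker above looks only at the former, and a role with a tight trust policy can still carry the full-admin permissions policy shown earlier, so review both when auditing a role.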

AWS CLI commands

Configure the CLI with an access key. There is no interactive login for an IAM user; the access key ID and secret access key are stored in plain text in ~/.aws/credentials, so protect that file and rotate the key

aws configure

Create a user with the AWS CLI

aws iam create-user --user-name mohamad_test

Create a policy from a policy document stored in a file named policy in the current directory

aws iam create-policy --policy-name custom-policy --policy-document file://policy

The file contains a least-privilege policy that allows only read and list actions on the shared/ prefix of one bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::mohamad-bucket/shared/*"
            ]
        }
    ]
}

Creating the policy only registers it in the account; it grants nothing until it is attached to a user, group or role (for example with aws iam attach-group-policy and the policy ARN returned by create-policy).
