Identity and Access Management (IAM)
This is the second article in a series of articles that help you prepare for the AWS Solutions Architect certification. In this article we are going to cover the AWS IAM part of the AWS Solutions Architect certification.
You can watch the full video on YouTube
Learning Objectives
- What is IAM
- What is a root account
- What is a policy
- What is a policy document
- IAM building blocks
- The Least privilege principle
- Identity Provider
What is IAM
IAM stands for Identity and Access Management; it allows us to manage users and their permissions on AWS.
- Free service, included in every AWS account
- Manage user accounts
- Manage users' access levels
- Create permissions
- Create groups and roles
- Grant access to AWS resources
IAM does not belong to any specific region at present; it is a global service.
What is a root account
It is the account identified by the email address we used to create our AWS account.
- It has full admin access
- It needs to be secured
To secure the root account we need to enable MFA:
- Enable MFA ⇒ with a virtual authenticator (smartphone)
- Create a group with admin permissions
What is a policy
It is the set of rules we assign to grant permissions to AWS resources. There are 2 types of policies:
- Default AWS-managed policies (they have an icon next to them)
- Custom policies
Policies can be created with the visual editor or the text editor (JSON).
Amazon's pre-populated policies are based on job title, which makes life much easier.
Inline policies are given to 1 user or 1 group at a time, which provides more granular access.
What is a policy document
It is a JSON file which we can use to control user actions; with policy documents we can assign and remove permissions.
This sample policy gives full admin access to the IAM user. "Version" is the policy language version (always "2012-10-17" for current policies), "Statement" is an array of permission statements, "Effect" says whether the statement allows or denies, "Action" says what the user can do and "Resource" says which resource the user can access. JSON does not allow comments, so the explanations stay outside the document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
It is really important to learn how to read policy documents.
The best way is to attach a policy document to a group instead of a user, as it makes permissions easier to manage.
What are the building blocks of IAM
User
- it belongs to a person; every person must have their own account
- account sharing is not allowed
- always enable password rotation
- when creating a user, by default they don't have any permissions
- When creating a user we get 2 options:
- Console: access to the AWS web portal
- Programmatic: access to AWS through the CLI; it also generates an Access ID, Access Key and Password
Group
- it is based on job function; we group users together based on their jobs (QA, Devs, HR).
- A group will have a list of users.
Roles
They allow us to grant access to a user or a service.
- Internal within AWS
- An extra layer of security
- Grant permissions to both users and services
- They provide a way for one AWS functionality to access another AWS functionality
The least privilege principle
We assign groups and users only the minimum privileges they need to do their jobs.
Identity Provider
Allows SSO (Single Sign-On), so when a user logs in to their machine they are automatically logged in to AWS. We need to set up trust between AWS and the identity provider for this to work.
Usually the identity provider is Microsoft Active Directory, using SAML.
AWS CLI commands
Log in to AWS with the CLI (configures credentials)
aws configure
Create a user with the AWS CLI
aws iam create-user --user-name mohamad_test
Create a policy
aws iam create-policy --policy-name custom-policy --policy-document file://policy
The contents of the policy file referenced by file://policy (read-only access to one prefix of one bucket):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::mohamad-bucket/shared/*"
      ]
    }
  ]
}
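To practise reading policy documents, here is an added example (not code from the article or from AWS) that evaluates the two policies above the way IAM does: the admin policy, the scoped S3 read policy, and a group-to-user mapping so policies are attached to groups rather than users, as the article recommends. It goes one step beyond the article by also modelling an explicit "Deny" statement, which in IAM always overrides an "Allow", and by showing that a freshly created user with no policies is implicitly denied everything (least privilege). The users, groups, the DENY_DELETE_POLICY and the request examples are constructed for this example; Condition, NotAction and NotResource are not modelled.

```python
import re
from typing import Dict, List

# Policy documents taken from the article.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

S3_SHARED_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": ["arn:aws:s3:::mohamad-bucket/shared/*"],
        }
    ],
}

# Constructed for this example: an explicit Deny, which the article does not show.
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}],
}

# Hypothetical in-memory directory: groups carry policies, users belong to groups.
GROUPS: Dict[str, List[dict]] = {
    "admins": [ADMIN_POLICY],
    "s3-readers": [S3_SHARED_READ_POLICY],
    "no-delete": [DENY_DELETE_POLICY],
}
USERS: Dict[str, List[str]] = {
    "alice": ["admins"],
    "mohamad_test": ["s3-readers"],
    "bob": ["admins", "no-delete"],
    "newcomer": [],  # freshly created user: no groups, hence no permissions
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters (including '/'), '?' one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.fullmatch(regex, value) is not None


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource both cover the request.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    action_hit = any(_wildcard_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
    resource_hit = any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policies: List[dict], action: str, resource: str) -> str:
    """IAM decision order: an explicit Deny beats any Allow, and a request that no
    statement allows is implicitly denied. Returns "Allow", "Deny" or "ImplicitDeny"."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation immediately
            decision = "Allow"
    return decision


def effective_policies(user: str) -> List[dict]:
    """Policies a user inherits through group membership (policies live on groups)."""
    return [p for group in USERS.get(user, []) for p in GROUPS[group]]


def is_allowed(user: str, action: str, resource: str) -> bool:
    return evaluate(effective_policies(user), action, resource) == "Allow"


if __name__ == "__main__":
    shared = "arn:aws:s3:::mohamad-bucket/shared/report.csv"
    for user, action, res in [
        ("alice", "ec2:RunInstances", "*"),
        ("mohamad_test", "s3:GetObject", shared),
        ("mohamad_test", "s3:PutObject", shared),
        ("mohamad_test", "s3:GetObject", "arn:aws:s3:::mohamad-bucket/private/secret.txt"),
        ("bob", "s3:DeleteBucket", "arn:aws:s3:::mohamad-bucket"),
        ("newcomer", "s3:ListBucket", "arn:aws:s3:::mohamad-bucket"),
    ]:
        print(f"{user:13} {action:17} -> {evaluate(effective_policies(user), action, res)}")
```

Run it and compare each line with the policy that produced it: mohamad_test can read under shared/ but cannot write there or read private/, bob keeps full admin rights except for the s3:Delete* actions that the Deny statement takes away, and newcomer gets nothing until a group is attached.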