AWS IAM - My Short Notes

This is my short notes on AWS Identity Acess Management.

What is IAM

Key service for security and manage access to AWS resources.
"You can use AWS IAM to securely control individual and group access to your AWS resources. You can create and manage user identities ("IAM users") and grant permissions for those IAM users to access your resources. You can also grant permissions for users outside of AWS " - AWS

The common use of IAM is to manage

  • Users
  • Groups
  • Roles
  • IAM Acess policies
  • API keys
  • Multifactor Authentication
- By default, any new IAM user you create an AWS account you created with NO access to any AWS services. This is an implicit deny rule set on all new IAM user.
- For all users (except the root user) permissions must be given that grant access to AWS services which is done through IAM policy.

Best practices for IAM

  • Delete your root access keys.
  • Activate MFA on your root account.
  • Create and use an IAM user with admin privileges instead of the root account.
  • Create individual IAM users.
  • Use groups to assign permissions.
  • Follow the principle of least privileges.
  • Apply an IAM password policy.

 IAM Policies

- Grant and deny access to AWS users, groups & roles.
- A policy is a document written in JSON format.
- Permissions in the policies determine whether the request is allowed or denied.
- An explicit deny always overrides an explicit allow.

Policy Templates

  • Administrator access: Full access to all AWS  
  • Power user access: admin access except it does not allow user/group management.
  • Read-only access: Only view AWS resources.

IAM User

- By default, an IAM user has implicitly "deny" for all AWS services and don't have access to use them until a policy granting allow access has been applied to the user or the group user belong to.
- IAM users receive unique access credentials so you don't have to share with others
- Users can have groups and regular user policies apply to them - meaning a user can have multiple IAM policies applied to them at any given time. 

IAM groups

- Allow assigning IAM permission policies to more than one user at a time.

IAM Roles

- Role work with temporary credentials.
- Roles must be used because policies cannit be directly attached to AWS services.
- A role has permission policy and a trust policy.
Eg: When you create an EC2 instance you assume that this role is going to use the instance and grant permission accordingly.
- You can attach only one IAM role to an EC2 instance.

IAM API keys

- Programmatic Access to AWS, for CLI, Windows PowerShell, AWS sdk's, direct http calls using the API's for individual AWS services.
- Thes keys are permanent.

STS - Security Token Service

- API endpoint to receive temporary security credentials.
- Short term, with configurable session duration between 15 minutes and 12/36 hours
- Once expired, they can no longer use to access your AWS resources.
  STS API call return
  • Session Token 
  • An Access key ID
  • A secret Access key
  • Expiration timestamp

Advantages of STS 

- Avoid distribution or embedded long-term AWS security credentials.
- Grant access to AWS resources without having to create an IAM user.
- You don't need to explicitly revoke them.

Identity Federation

- Authenticating users or applications outside of AWS AMI users & groups.
- Custom identity providers using STS
- LDAP / Active directory (SAML)
- Web identify (Social logins, google/facebook)

Better to refer: