Unlocking the Power of AWS IAM: Navigating the Access Management Menu - PART ONE


Welcome, fellow cloud enthusiasts, to our journey through the vast world of Amazon Web Services (AWS). Today, we embark on a quest to explore the hidden gems within the AWS Identity and Access Management (IAM) menu. Just like the key to a secret door, IAM holds the power to unleash the true potential of your AWS infrastructure. So, fasten your seatbelts, for we are about to dive into the realm of access management like never before!

For those like me who are always seeking the shortest path to growth, here is a general summary of all that will be discussed in this 3-part edition:

IAM (Identity and Access Management) is the AWS service responsible for controlling who, and what, can access your AWS resources. It comes with the following features:

  • [Users]: These are mapped to real people in your account and are given access to your account through a user interface. There are two kinds, Root Users & IAM Users (I know, rhetorical right?). To access the management console, a password is recommended for both kinds of user, and MFA (Multi-Factor Authentication) is recommended as well to protect your account.

  • [User Group]: These are logical groups used to manage and categorize users that share permissions. It is best practice to create groups based on your business needs, add users to them, and attach permissions (aka Policies) to the group so that they apply to every user in it.

  • [Policies]: This is what makes it possible to apply what is known as the "Principle of Least Privilege". A policy is a JSON (JavaScript Object Notation) document that outlines permissions for users or groups. It looks like this:

IAM policy example. A policy is a JSON (JavaScript Object Notation) document; JSON itself does not allow comments, so the fields are explained below the document.

{
    "Version": "2012-10-17",
    "Id": "S3-Account-Permissions",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::123456789012:root"]
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": ["arn:aws:s3:::mybucket/*"]
        }
    ]
}

  Version: the policy language version. "2012-10-17" is the current version and is what you should use; it is not the date on which you wrote the policy.
  Id: optional identifier for the policy as a whole.
  Sid: optional statement identifier.
  Effect: "Allow" or "Deny".
  Principal: which account, user or role the statement applies to. This element appears only in resource-based policies such as S3 bucket policies; identity-based policies attached to users or groups omit it. Note the IAM ARN format arn:aws:iam::ACCOUNT-ID:root, with an empty region field between the two colons.
  Action: list of API calls the statement covers.
  Resource: the resources the actions apply to (the key is "Resource", not "Resources").
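To make the Allow/Deny semantics of a policy document concrete, here is an added example (not code from the original post or from AWS) that evaluates a request against a policy the way IAM's core rule works: everything is implicitly denied, a matching Allow grants, and a matching Deny always wins. It also includes a least-privilege lint that flags Allow statements granting a bare "*" action or resource. The sample policies, bucket names and Sids are constructed for the example; conditions, NotAction/NotResource, permission boundaries and SCPs are deliberately out of scope.

```python
import fnmatch
import json

# Added example, not from the original post: a minimal IAM policy evaluator.
# Models only the core precedence rule: implicit Deny < Allow < explicit Deny.

# Constructed sample policy (bucket name is a placeholder).
SAMPLE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadWriteObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::mybucket/*"]
        },
        {
            "Sid": "DenySecretsPrefix",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket/secrets/*"
        }
    ]
}
""")

# Constructed over-broad policy used to demonstrate the least-privilege lint.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one.
    Action names match case-insensitively; resource ARNs are compared as written."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy.get("Statement", []):
        action_hit = any(_matches(p, action, ignore_case=True) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def find_overbroad_statements(policy):
    """Least-privilege check: Sids of Allow statements with a bare '*' Action or Resource."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) or "*" in _as_list(stmt.get("Resource")):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    for req in [("s3:GetObject", "arn:aws:s3:::mybucket/report.csv"),
                ("s3:GetObject", "arn:aws:s3:::mybucket/secrets/key.pem"),
                ("s3:DeleteObject", "arn:aws:s3:::mybucket/report.csv")]:
        print(req, "->", evaluate(SAMPLE_POLICY, *req))
    print("over-broad statements:", find_overbroad_statements(OVERBROAD_POLICY))
```

Running the block shows the three outcomes a policy author should be able to predict: a plain read is allowed, a read under the denied prefix is refused even though the first statement allowed it, and an action the policy never mentions falls through to the implicit deny.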
  • [Roles]: Think of roles as temporary permissions you give to certain resources or identities so that they can access your resources, e.g. creating a role for EC2 instances or for an AWS service.

  • [Security]: AWS recommends as standard practice that you use MFA, which adds another layer of security to your account, together with a strong password policy. These two tools are vital to tightening your AWS environment.

  • [AWS Access Channels]: There are primarily 3 major ways users can access your AWS environment. The AWS Management Console requires a username and password. The AWS CLI (Command Line Interface) lets users reach your account from a terminal (Command Prompt on Windows, or Terminal/Bash on Linux/macOS); access keys are required to authenticate through the AWS CLI. The AWS SDK (Software Development Kit) supports multiple languages for developers to access AWS resources programmatically; languages like .NET, Python, Ruby and Java are available.

  • [Audit]: There are two major security tools that I recommend using to monitor your IAM account. One is the IAM Credential Report (account-level), which generates a report of all your IAM users and the status of their credentials. The other is IAM Access Advisor (user-level), which shows you the service permissions granted to a user and when those services were last accessed.
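The credential report is delivered as CSV, one row per user, which makes it easy to turn the Security and Audit points above into an automated check. The following is an added example (not from the original post) that parses a constructed credential report and flags the conditions a reviewer looks for first: a root account without MFA or with an active access key, console users without MFA, and active access keys that are older than 90 days or have never been used. The sample rows are constructed and use only a subset of the real report's columns (the column names themselves match the report's); the 90-day threshold and the `now` timestamp are assumptions passed in as parameters.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Added example, not from the original post: audit an IAM credential report.
# Constructed sample report. Column names follow the IAM credential report,
# but only a subset of its columns is included; values here are not real data.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-05T10:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,false,true,2021-01-05T10:01:00+00:00,2024-04-30T08:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,2022-03-10T12:00:00+00:00,true,2024-06-01T07:45:00+00:00,true,true,2024-05-20T11:00:00+00:00,2024-06-01T07:50:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2022-03-10T12:00:00+00:00,true,2024-06-01T07:45:00+00:00,false,true,2023-01-15T11:00:00+00:00,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-08-01T00:00:00+00:00,false,no_information,false,true,2024-05-28T00:00:00+00:00,2024-06-02T03:00:00+00:00
"""


def _parse_ts(value):
    """Report timestamps are ISO 8601; placeholders such as N/A, no_information
    or not_supported are returned as None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_text, now, max_key_age_days=90):
    """Return a list of (user, finding) tuples for the hygiene problems below."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        key_active = row["access_key_1_active"] == "true"

        if user == "<root_account>":
            # The root user should be protected by MFA and should not hold access keys at all.
            if not mfa:
                findings.append((user, "root account has no MFA"))
            if key_active:
                findings.append((user, "root account has an active access key"))
        elif row["password_enabled"] == "true" and not mfa:
            # Anyone who can sign in to the console needs a second factor.
            findings.append((user, "console password enabled without MFA"))

        if key_active:
            rotated = _parse_ts(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key 1 older than {max_key_age_days} days"))
            if _parse_ts(row["access_key_1_last_used_date"]) is None:
                # An active key that has never been used is pure exposure; remove it.
                findings.append((user, "access key 1 active but never used"))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives stable results.
    for user, finding in audit_credential_report(SAMPLE_REPORT, datetime(2024, 6, 3, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```

With the sample rows, the root account and bob each produce three findings while alice and ci-deploy produce none; ci-deploy has no MFA but also no console password, which is the normal shape for a key-only automation user and is why the MFA rule is tied to `password_enabled`.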

OK, let's keep it short and sweet. In part 2, we shall go a little deeper into each module/feature. Till then, stay in the cloud and be safe.