Identity Access Management (IAM)

  1. IAM is an AWS service that allows humans and programs to securely access AWS services and infrastructure.
  2. IAM provides very granular control over resources. You can specify under what conditions a resource can be accessed. Five conditions are supported; you can remember them with the acronym WWW-RA:
    1. Who can access (the IAM principal)
    2. From where? A specific IP address or CIDR range
    3. When? Within a specific time range
    4. The Resource that can be accessed
    5. The Action that can be performed on that resource
  3. What is IAM not used for?
    1. IAM is not an OS-level user management tool. For OS-level user management use LDAP or Active Directory Services.
    2. IAM is not an application-level user management tool. For application-level user management, such as the users who registered on your eCommerce website, use an application user repository such as the ASP.NET Identity Framework on Windows, or, in the case of mobile apps, AWS Cognito.
  4. At the heart of IAM lies the entity called the principal. What is IAM principal? IAM principal is an IAM entity (human or application) that can access AWS resources. Three types of principals:
    1. Root user
      1. use email/password to access
      2. can use root user keys to access AWS services from applications but strongly NOT recommended
      3. Should enable MFA (Multi Factor Authentication) for better security
    2. IAM users
      1. Can be person or application
      2. Can have userid/password
      3. Can have Security Access Key ID/Secret Access Key combination (ID is 20 char and Secret Access Key is 40 char)
      4. Access Key Rotation for security purposes
        1. Every principal can have two sets of access keys.
        2. You start with one key set
        3. After some time you create a new key set
        4. Keep both the old and new key sets active for some time while you update your programs to use the new keys.
        5. Later, delete the old key set.
      5. Can be associated with policies containing permissions to ALLOW/DENY access to specific AWS resources
    3. IAM roles/temporary security tokens
      1. Roles are used to provide specific privileges to specific IAM principals for a set duration (time window) of min 15 min to 36 hours
      2. Following use cases of Roles are important to remember
        1. EC2 roles can be assigned to give access to processes on the EC2 to access AWS resources.
          1. In fact it is a best practice to use EC2 roles as opposed to placing the Access Key (Access Key ID/Secret Access Key combo) inside config files or hard coding it inside the program code.
          2. With this practice there is also no need to handle access key rotation, which is otherwise highly recommended.
          3. Roles can be changed and policies can be modified without stopping the EC2 instances. New privileges become effective immediately.
          4. An IAM role automatically deploys AWS credentials to resources that assume it. Select the EC2 instance profile that contains the required IAM role. If you created your IAM role using the console, the instance profile has the same name as your IAM role.
        2. Cross Account Access: Provide access to IAM principals from another account. This is better practice than distributing Access Keys.
        3. Federation:
          1. Users of trusted external identity providers such as Google or Facebook can be granted access to AWS resources through roles and temporary security tokens. The OpenID Connect (OIDC) protocol is used.
          2. Users of LDAP/Active Directory are federated through Security Assertion Markup Language (SAML).

IAM Policy

Following list of points is all you need to know about IAM policies to pass the AWS certified solutions architect Associate exam.

  1. IAM Policy is a JSON document that defines one or more permissions.
  2. Policy is used by an IAM principal such as a human being or application or an EC2 instance to access an AWS service such as an S3 bucket.
  3. Two types of policies are available to choose and assign to IAM principals, based on who manages them:
    1. Customer managed (created by you)
    2. AWS managed (predefined and managed by AWS)
  4. Two types of policies based on what they are attached to:
    1. User based (identity based) policies are attached to an IAM principal such as yourself or an EC2 instance role.
      1. They contain one or more permissions.
    2. Resource based policies are attached to AWS resources such as a queue or an S3 bucket.
      1. They contain permissions. These permissions contain all the normal elements (ACERS) along with one extra element, "Principal", which indicates to whom the permission is granted.
  5. A policy contains one or more permissions. A permission contains 5 components. You can remember the components of a permission with the acronym ACERS: Action-Condition-Effect-Resource-Service (as in the Acer laptop).
  6. The five components: 1) Action (e.g. Read/Write/List), 2) Condition (if the IP is x.y.z or the time is less than T, etc.), 3) Effect (ALLOW/DENY), 4) Resource (/MyFiles/MyResume.doc), 5) Service (e.g. MyBucket on S3). Of these five, only the Condition is optional.
  7. You can also remember a Permission as a Do loop with a while. A DO loop contains

IAM Policy is like a Do-While loop
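Added here as a worked example (not part of the original notes): the two policy shapes the list above describes, an identity based policy whose Condition covers the "from where" and "when" cases, and a resource based bucket policy carrying the extra Principal element, plus a small checker that enforces the required ACERS elements and treats Condition as the one optional element. The bucket name, ARNs and the account ID are constructed values.

```python
import ipaddress

# Identity-based policy (attached to a user, group or role). Each statement has
# Action, Effect, Resource and an optional Condition; the "Service" of ACERS is
# the prefix inside Action and Resource ("s3:").
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::MyBucket", "arn:aws:s3:::MyBucket/MyFiles/*"],
        "Condition": {
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},             # from where
            "DateLessThan": {"aws:CurrentTime": "2016-12-31T23:59:59Z"}  # when
        }
    }]
}

# Resource-based policy (attached to the bucket itself): same elements plus
# "Principal", which names who the permission is granted to (constructed account id).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::MyBucket/MyFiles/*"
    }]
}

REQUIRED = {"Effect", "Action", "Resource"}

def check_policy(policy, resource_based=False):
    # Returns a list of problems; an empty list means every required element is present.
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        missing = REQUIRED - set(stmt)
        if resource_based and "Principal" not in stmt:
            missing.add("Principal")
        if missing:
            problems.append(f"statement {i}: missing {sorted(missing)}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        # Condition is optional; when an IP condition is present its value must be a valid CIDR.
        cidr = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cidr is not None:
            try:
                ipaddress.ip_network(cidr)
            except ValueError:
                problems.append(f"statement {i}: bad aws:SourceIp {cidr!r}")
    return problems
```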

Copyright 2005-2016 KnowledgeHills.