
Sangam Biradar for collabnixcommunity


Nitty-Gritty of AWS IAM

Identity and Access Management (IAM)

● The key features of IAM:

  • Shared Access to your Account
  • Granular Permissions
  • Secure Access to AWS Resources
  • Identity Federation
  • Identity Information for Assurance
  • Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
  • Password Policy
  • Multi Factor Authentication (MFA)

● Shared access to your AWS account

  • Grant permission to users to access and use resources in your AWS account without sharing your password.

● Granular Permissions

Granular permissions allow different permissions to various users to manage their access to AWS, such as:

• User access to specific services

• Specific permissions for actions

• Specific access to resources

Secure Access

Securely allocate credentials that applications on EC2 instances require to access other AWS resources.

Identity Federation

● Allows users with external accounts to get temporary access to AWS resources

Identity Information

● Log, monitor, and track what users are doing with your AWS resources.

PCI DSS Compliance

● Payment Card Industry (PCI) and Data Security Standard (DSS) compliant

Multi-Factor Authentication

● Two-factor authentication for users and resources, using MFA devices, to ensure absolute security

Password Policy

● IAM allows you to define password strength and rotation policies.

IAM Policies

● A document that defines one or more permissions

● Attached to users, groups, and roles

● Written in JavaScript Object Notation (JSON)

● Selected from a pre-defined AWS list of policies, or you can create your own policy

## AWS Policies
● AWS has many predefined policies which allow you to define granular access to AWS resources.

● There are around 200 predefined policies available for you to choose from.

AdministratorAccess Policy

● AdministratorAccess policy provides full access to AWS services and resources.

AmazonEC2FullAccess Policy

● AmazonEC2FullAccess policy provides AWS Directory Service users or groups full access to the Amazon EC2 services and resources

AmazonS3ReadOnlyAccess Policy

● AmazonS3ReadOnlyAccess policy provides read-only access to all buckets using the AWS Management Console

● AWS policies are written using JavaScript Object Notation (JSON). The example below allows listing one S3 bucket and nothing else:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_s3_bucket"
  }
}
```

Policy-wide information:

Version – Date this policy was created

One or more individual statements:

Effect – Allow permission

Action – s3:ListBucket, the permission to list the contents of a bucket

Resource – ARN of the S3 bucket the statement applies to

## IAM Users
Users are defined as the people or systems that use your AWS resources.

## Security Credentials
AWS provides numerous ways to provide secure user access to your AWS resources:

Key pairs:

• They consist of a public and private key

• A private key is used to create a digital signature

• AWS uses the corresponding public key to validate the signature

Email address and password

• They are created when you sign up to use AWS

• They are used to sign in to AWS web pages

IAM user name and password

• They allow multiple individuals or applications access to your AWS account

• Individuals use their user names and passwords to sign in

Multi-Factor Authentication (MFA)

• With AWS MFA enabled, users are prompted for a user name and password and for an authentication code from an MFA device

Access keys

• They consist of an access key and a secret access key

• They use access keys to sign programmatic requests

## IAM Groups
● AWS defines a group as a collection of users that inherit the same set of permissions.

## IAM Roles

IAM Roles are:

• Very similar to users

• Not password protected and do not require access keys

• AWS identities with permission policies that determine the access available to the identities

• Assumed by anyone who requires them

Create Individual IAM Users

• The benefits of creating individual IAM users:

• Control permissions at an individual level

• No shared accounts

• Unique credentials for everyone

• Easier to rotate credentials

• Easier to identify security breaches

Grant Least Privilege

When creating IAM policies, granting "least privilege" means that:

• You only grant required permissions

• It's more secure to start with minimum permissions

• It’s easier to grant permissions than revoke them

• You protect your assets

## Manage Permissions with Groups
Assign permissions to groups rather than to individual users to minimize the administrative workload.

Easy to assign new permissions

• It is easier to assign a new permission to a group than to assign it to many individual users.

Simple to reassign permissions

• It is simpler to reassign permissions if a user has a change in responsibilities.

Restrict Access with Further Conditions

• Use additional conditions such as MFA and Security Groups to ensure only the intended users get access.

## Monitor Activity in your AWS Account
AWS has several features to log user actions.

• Logs

• AWS CloudTrail
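CloudTrail records are only useful if something reads them. As an added example (not from the original post), this detector runs over constructed CloudTrail-style JSON lines and flags root-account activity, console sign-ins without MFA, and failed sign-ins; the records are made up but use CloudTrail's real field names (`userIdentity.type`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`).

```python
import json

# Constructed CloudTrail records in JSON-lines form (not real logs).
SAMPLE_LOG = """\
{"eventTime":"2024-01-10T08:01:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-01-10T08:05:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"},"sourceIPAddress":"203.0.113.11"}
{"eventTime":"2024-01-10T09:00:00Z","eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","userIdentity":{"type":"Root"},"sourceIPAddress":"198.51.100.5"}
{"eventTime":"2024-01-10T09:30:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"},"sourceIPAddress":"203.0.113.11"}
"""


def detect(log_text: str):
    """Return (rule, eventName, principal) tuples for events worth review."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        # IAM users carry userName; the root account only has type "Root".
        who = ident.get("userName", ident.get("type"))
        if ident.get("type") == "Root":
            alerts.append(("root-activity", ev["eventName"], who))
        if ev.get("eventName") == "ConsoleLogin":
            success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if success and not mfa:
                alerts.append(("console-login-without-mfa", "ConsoleLogin", who))
            elif not success:
                alerts.append(("console-login-failure", "ConsoleLogin", who))
    return alerts


if __name__ == "__main__":
    for rule, event, who in detect(SAMPLE_LOG):
        print(f"{rule:28} {event:16} {who}")
```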

Create a Strong Password Policy

• Ensure that all your users have strong passwords and they rotate their passwords regularly.

Use Roles for Applications that run on EC2

• IAM Roles remove the need for your developers to store or pass credentials to AWS EC2.

## Reduce or Remove Unnecessary Credentials
• To reduce the potential for misuse, run a credential report to identify users that are no longer in use and can be removed.
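The credential report is a CSV, so the "no longer in use" check can be scripted. As an added example (not from the original post), the following parses a constructed report using the real column names that `aws iam get-credential-report` returns (trimmed to the ones needed) and lists passwords and access keys that are active but unused for more than 90 days, plus console passwords without MFA; the 90-day threshold and the fixed "now" are assumptions.

```python
import csv
import io
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed credential report (not a real account); same column names as
# the CSV that `aws iam get-credential-report` returns, trimmed to those used.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,true,2024-01-09T12:00:00+00:00,true,true,2024-01-08T07:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-06-01T12:00:00+00:00,false,true,N/A,false,N/A
svc-build,arn:aws:iam::111122223333:user/svc-build,false,no_information,false,true,2023-08-15T07:00:00+00:00,true,2024-01-09T07:00:00+00:00
"""

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # fixed so the run is deterministic
MAX_IDLE_DAYS = 90  # assumed threshold for "no longer in use"


def _age_days(value: str) -> Optional[int]:
    """Days since an ISO timestamp; None when the report has no date."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return (NOW - datetime.fromisoformat(value)).days


def stale_credentials(report_csv: str) -> List[Tuple[str, str]]:
    """Return (user, reason) pairs for credentials to disable or remove."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            age = _age_days(row["password_last_used"])
            if age is None or age > MAX_IDLE_DAYS:
                findings.append((user, "password unused"))
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
        for k in ("1", "2"):  # each user can hold two access keys
            if row[f"access_key_{k}_active"] == "true":
                age = _age_days(row[f"access_key_{k}_last_used_date"])
                if age is None or age > MAX_IDLE_DAYS:
                    findings.append((user, f"access key {k} unused"))
    return findings


if __name__ == "__main__":
    for user, reason in stale_credentials(SAMPLE_REPORT):
        print(f"{user:12} {reason}")
```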

AWS Security Token Service (STS)

• It is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management users that you authenticate.

STS: Things To Remember

• Develop an Identity Broker to communicate with LDAP and AWS STS

• Identity Broker always authenticates with LDAP first and then AWS STS

• Application gets temporary access to AWS resources
