Identity and Access Management (IAM)
● The key features of IAM:
- Shared Access to your Account
- Granular Permissions
- Secure Access to AWS Resources
- Identity Federation
- Identity Information for Assurance
- Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
- Password Policy
- Multi Factor Authentication (MFA)
● Shared access to your AWS account
- Grant permission to users to access and use resources in your AWS account without sharing your password.
● Granular Permissions
Granular permissions allow different permissions to various users to manage their access to AWS, such as:
• User access to specific services
• Specific permissions for actions
• Specific access to resources
Secure Access
Securely allocate credentials that applications on EC2 instances require to access other AWS resources.
Identity Federation
● Allows users with external accounts to get temporary access to AWS resources
Identity Information
● Log, monitor, and track what users are doing with your AWS resources.
PCI DSS Compliance
● Payment Card Industry (PCI) and Data Security Standard (DSS) compliant
Multi-Factor Authentication
● Two-Factor Authorization for users and resources to ensure absolute security using MFA devices
Password Policy
● IAM allows you to define password strength and rotation policies.
IAM Policies
● A document that defines one or more permissions
● Attached to users, groups, and roles
● Written in JavaScript Object Notation (JSON)
● Selected from a pre-defined AWS list of policies, or you can create your own policy
## AWS Policies
● AWS has many predefined policies which allow you to define granular access to AWS resources.
● There are around 200 predefined policies available for you to choose from.
AdministratorAccess Policy
● AdministratorAccess policy provides full access to AWS services and resources.
AmazonEC2FullAccess Policy
● AmazonEC2FullAccess policy provides AWS Directory Service user or groups full access to the Amazon EC2 services and resources
AmazonS3ReadOnlyAccess Policy
● AmazonS3ReadOnlyAccess policy provides read-only access to all buckets using the AWS Management Console
JSON
● AWS policies are written using JavaScript Object Notation (JSON).
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:listbucket",
"Resource": "arn:aws:s3:::example_s3_bucket"
}
}
Policy-wide information:
Version–Date this policy was created
One or more individual statements:
Effect–Allow permission
Action– 3 list bucket
Resource–Name of the S3 bucket
## IAM Users
Users are defined as the people or systems that use your AWS resources.
## Security Credentials
AWS provides numerous ways to provide secure user access to your AWS resources:
Key pairs:
• They consist of a public and private key
• A private key is used to create a digital signature
• AWS uses the corresponding public key to validate the signature
Email address and password
• They are created when you sign up to use AWS
• They are used to sign in to AWS web pages
IAM user name and password
• They allow multiple individuals or applications access to your AWS account
• Individuals use their user names and passwords to sign in
Multi-Factor Authentication (MFA)
• With AWS MFA enabled, users are prompted for a user name and password and for an authentication code from an MFA device
Access keys
• They consist of an access key and a secret access key
• They use access keys to sign programmatic requests
## IAM Groups
● AWS defines a group as a collection of users that inherit the same set of permissions.
## IAM Roles
IAM Roles are:
• Very similar to users
• Not password protected and do not require access keys
• AWS identities with permission policies that determine the access available to the identities
• Assumed by anyone who requires them
Create Individual IAM Users
• The benefits of creating individual IAM users:
• Control permissions at an individual level
• No shared accounts
• Unique credentials for everyone
• Easier to rotate credentials
• Easier to identify security breaches
Grant Least Privilege
When creating IAM policies, granting ”least privilege,” means that:
• You only grant required permissions
• It's more secure to start with minimum permissions
• It’s easier to grant permissions than revoke them
• You protect your assets
## Manage Permissions with Groups
Use permissions with groups to minimize the workload
Easy to assign new permissions
• It is easier to assign a new permission to a group than to assign it to many individual users.
Simple to reassign permissions
• It is simpler to reassign permissions if a user has a change in responsibilities.
Restrict Access with Further Conditions
• Use additional conditions such as MFA and Security Groups to ensure only the intended users get access.
## Monitor Activity in your AWS Account
AWS has several features to log user actions.
• Logs
• AWS Cloudtrail
Create a Strong Password Policy
• Ensure that all your users have strong passwords and they rotate their passwords regularly.
Use Roles for Applications that run on EC2
• IAM Roles remove the need for your developers to store or pass credentials to AWS EC2.
## Reduce or Remove Unnecessary Credentials
• To reduce the potential for misuse, run a credential report to identify users that are no longer in use and can be removed.
AWS Security Token Service (STS)
• It is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management users that you authenticate.
STS: Things To Remember
• Develop an Identity Broker to communicate with LDAP and AWS STS
• Identity Broker always authenticates with LDAP first and then AWS STS
• Application gets temporary access to AWS resources
Top comments (0)