DEV Community: Ayesha Arshad

All you need to know about writing Least Privilege IAM Policies

Ayesha Arshad — Fri, 22 Apr 2022 17:00:20 +0000

The system of AWS IAM Policies provides a granular structure of permission sets. The reason behind this system is Least Privilege Model. The least privileged principle allows IAM identities to have the least required access level to complete their tasks. And this is an important unit of Well Architectured best practices.

In AWS all operations are Implicitly denied until Explicitly Allowed using these policies. However, if an operation is Explicit Denied then this rule has the highest precedence.

Read about the Main principles of AWS Cloud Security and what role IAM plays in securing the AWS Resources.

Structure of IAM Policies

{
    "Version" : "2012-10-17",
    "Statement" : 
    [
        {
            "Sid" : "Human Readable Description",
            "Effect" : "Allow/Deny",
            "Action" : 
                [
                    "Service:api/call"
                ],
            "Resource" :
                ["arn"],
            "Condition" : 
            {
                "Stringequals" : 
                    {
                        "part of string" : "value to match"
                    }
            }
        }
    ]
}

Read Explanation here

Ways to create IAM Policies

You can use three main ways to create your desired IAM Policies:

JSON Editor: You can write the policy manually using the aforementioned structure.
Visual Editor: You can use the visual editor, which is found in IAM Console, to spin the policy.
Import: You can import an existing policy from your account to customize it as per your requirements. You can import both AWS and Customer managed Policies
AWS CLI: Use AWS CLI commands to generate IAM Policies.

All you need to know about AWS Identity and Access Management (IAM)

Ayesha Arshad — Fri, 22 Apr 2022 16:43:53 +0000

Identity and Access Management is one of the major components of the Triads of AWS Cloud Security. AWS is a vast collection of over 200 Web Services. And these Web Services are interacted with using API calls. Identity and Access Management provides the means to Authenticate, Secure and Authorize these API calls.

These API calls are either made by Users or other Digital Entities (other Applications or AWS Resources themselves). And Identity and Access Management help authenticate and authorize them all.

Morphology

Identity and Access Management (IAM) consists of two sections:

I(Identity)-Authentication: Authenticates the requester either a Human entity (User) or Digital Entity (other Applications or AWS Resources).
AM(Access Management)-Authorization: Helps you secure access to AWS Cloud Resources.

IAM Identities

IAM identities are a way to authenticate the API caller. These identities include:

Users
Groups
Roles

API calls are made via three main mediums:

AWS Console
AWS Command Line Interface (CLI)
AWS Language-based Tools and SDKs (like BOTO3, Terraform or Node-Red)

Types of IAM Policies

IAM Policies can be categorized into two types based on Actors:

Identity-based Policies: Describes what an identity (users, groups and roles) has access to.
Permission Boundary: Describes the maximum amount of access an Identity-based Policy can provide to an identity. Access of an entity to a resource is decided if allowed by both Identity-based Policy and Permission boundary.
Resource-based Policies: Describes who has access to a specific resource.

A further classification of Identity-based Policies include two types:

AWS Managed Policies: These policies are pre-designed by AWS and just need to be attached to users.
Customer Managed Policies: Customer Managed Policies are a customer-specific combination of permission sets and they can be attached to any entity(users, groups and roles).
Inline Policies: Inline Policies are also a kind of customer-managed policy but they are limited to the scope of a specific user or role.

Main Principles of Security in AWS Cloud

Ayesha Arshad — Fri, 22 Apr 2022 16:34:25 +0000

While discussing the Security of Amazon Web Services which is a collection of over 200 fully managed services. The first thing that needs to be established in this case is that it is a formidable task to secure all of the resources offered by AWS at the moment. Services that are totally different in nature from each other yet overlapping in terms of communication.

Yet it is crucial for AWS Cloud users to understand the fundamental structure of Cloud Security provided by AWS. Only then they can hope to secure their resources.

Rule of Thumb of Security in AWS

Security is not one person's responsibility it is a collective obligation for all. Hence AWS has introduced its Shared Responsibility Model for Security and Compliance. The model states that responsibility to secure AWS Resources must be shared between the following:

Customer Responsibility
AWS Responsibility

The Triad of AWS Cloud Security

There is no way AWS is going to stop growing its services. And in fact, AWS is also providing a great collection of Security tools as well. Which makes it feel like a great task to secure AWS resources.

Though the three hell hounds of Security for Amazon Web Services are strong enough to guard your AWS resources. These include:

Identity Access Management (IAM)
Virtual Private Cloud (VPC)
Key Management Service (KMS)

IAM

As the first step is to guard the castle itself. Identity and Management System (IAM) plays a vital role as a permission management tool in controlling access to the AWS Infrastructure.

You can devise a perfect authentication system for both Users and AWS Resources (acting as API calling entities). Every single resource in AWS is accessible via API. IAM provides you with the ability to secure and authorize these API calls. IAM provides the following features that provide a complete security infrastructure required to secure every API call that can be made to or from AWS Resources:

Users
Groups
Roles
Policies

For a further deep dive into Identity Access Management: Read this Article

VPC

Network is the most important part to secure your AWS Resources. The data transit needs to be made secure in order to make sure that your resources and your data is secure. Virtual Private Cloud is the Virtual Network that holds your AWS resources.

The network part of VPCs is a separate discussion hence in this article you will only find the security part of the VPC Networking.

For a further deep dive into VPC: Read this Article

KMS

AWS Key Management Service (KMS) helps you encrypt your data at rest. And it provides integration with all of the AWS resources that are going to hold your data.

KMS is capable if encrypting any data unless the service has its own encryption system like S3 which houses its own separate system of encryption specific to its own structure and functionality.

KMS has two main functions:

To Encrypt and Decrypt your data
To guard your Encryption Key

AWS for Beginners: A Quick Zero to Hero Guide

Ayesha Arshad — Sun, 10 Apr 2022 11:27:00 +0000

If your starting your journey with AWS then a clear sense of direction and destination is necessary in order for you to succeed in this venture. Amazon Web Services include a far-reaching set of services that translate into million possibilities. And this characteristic makes AWS a fun skill to learn.

This guide includes methodologies and strategies I have discovered during my journey from being a beginner to a person who has a better understanding of AWS. The key principle is to design a strategy specific to your learning style. And I’ll leave enough material for you to design your strategy.

I will be including a Resource Glossary for you to refer on my website (which I will be updating from time to time). Some video tutorials are also included in the complete version of this article on my website. Enjoy Learning AWS!

Getting Started

There is only one way to get started with AWS and that is:

Getting your hands dirty! Just create a free tier account and get started.

Choosing your Field of Expertise

Choosing your field of expertise is important in order to define your direction. If you will start arbitrarily without choosing a specific field you will be lost in the sea of services AWS provides. Choose the area you are interested in after briefly researching various options available. And then you should systematically build your concepts. Some of the options include:

SysOps Engineer
DevOps Engineer
Developer
Security Engineer
Solutions Architect
Data Engineer

What should be the Grey Structure of your Learning Strategy?

Start with familiarizing yourself with the basic services like IAM (Identity Access Management), EC2 (Elastic Compute Cloud), S3 (Simple Storage Service) and VPC (Virtual Private Cloud).
For each service, you learn to start using the service to get hands-on experience.
Use that service in a small-scale project so that you can understand the usage and also challenges associated with the service. You can also publish this project to build your portfolio.
By the end learn best practices and security precautions to complete your learning cycle.

How to research a Field of Expertise?

In order to research an area of expertise such as Data Engineer or Solutions Architect, you can study the syllabus of that specific certification. Because the certification guide provided by AWS, clearly defines the knowledge associated with that role.

For instance, if you want to be Solutions Architect read the syllabus for Solutions Architect Associate and Professional Certification.

Resource Glossary for Beginners