
Nandan K

Deep dive into the IAM concepts and understand them with practical hands-on.

🎯 In my recent interviews, I encountered a lot of IAM-related questions, including scenario-based questions in AWS.

For example: "An IAM user has FullAdmin access to the AWS account, yet he/she is not able to access the S3 buckets. What could be the reason?"

So I took a deep dive into the IAM concepts and worked through them with practical hands-on exercises.

📌 IAM User:

  1. Represents a person, service or app that needs access.
  2. To access any service in AWS >> grant the user permissions >> to provide that permission, first assign "IAM Policies" to the specific user or group.

📌 IAM Groups:

  1. A collection of users with common permissions and roles.

📌 IAM Roles:

  1. Temporary access given to users, apps, or services.
  2. Increases security.
  3. Permissions for IAM roles come from IAM policies (attached to roles, AWS services, users or groups).

✅ Implement the "Principle of Least Privilege":

  1. If users need access to do their jobs, give them that access, but take away the access that they don't need.

📌 IAM Policies and Permissions:

  1. Permissions provide fine-grained control over the actions performed on AWS resources or services.
  2. Policies manage actions and permissions in AWS >> rules that define what resources an entity can access and what actions they can perform.

✅ AWS Identity-Based Policy:

  1. A policy attached to roles, groups or users.

✅ AWS Resource-Based Policy:

  1. A policy attached directly to an AWS resource such as S3, RDS etc. >> this policy defines which user or service has permission to access the resource.

Here, the group called "accounting" is denied from deleting the S3 bucket and the objects within it.

📌 IAM Permission Boundaries:

  1. If new interns are hired >> they don't have proper experience yet >> the group's permissions are too wide for them >> so how can we limit the interns' access while still adding them to the proper group?

Solution: IAM Permission Boundaries.
If Developers have full access to the logs group, then I can assign list access to the new interns as the maximum level of permission.

  1. Even though the new intern has the full-control permission from the group, the "Permission Boundary" limits their effective access to what the boundary allows.
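To make the identity-based policy, explicit deny and permission boundary sections above concrete, here is an added example (my own code, not from the original post or from AWS) that models a simplified version of how IAM evaluates a same-account request: an explicit Deny in any applicable policy wins, then the permission boundary must allow the action, and only then does an Allow in an identity-based policy grant access. The policy documents, the bucket name `finance-reports` and the group names are constructed for the demo; Principal matching, resource-based policies, conditions and SCPs are left out of the model.

```python
"""Simplified model of AWS IAM policy evaluation for same-account requests.

Evaluation order modelled here (a subset of the real AWS logic):
  1. an explicit Deny in any applicable identity-based policy wins,
  2. if a permission boundary is attached, the action must be allowed by it,
  3. otherwise an Allow in an identity-based policy grants access,
  4. anything else is an implicit deny.
Conditions, Principal matching, resource-based policies and SCPs are omitted.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a single string or a list for Action / Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    """IAM wildcards: '*' matches any run of characters, '?' a single one."""
    return any(fnmatchcase(target, p) for p in _as_list(patterns))


def statement_applies(stmt, action, resource):
    """True when the statement's Action and Resource both cover the request."""
    return _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no statement applies) for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def decide(action, resource, identity_policies, boundary=None):
    """Return (decision, reason) for one request against the attached policies."""
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in decisions:
        return ("Deny", "explicit deny in an identity-based policy")
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        return ("Deny", "not allowed by the permission boundary")
    if "Allow" in decisions:
        return ("Allow", "allowed by an identity-based policy")
    return ("Deny", "implicit deny: no policy allows the action")


# --- constructed sample policies -------------------------------------------

# Identity-based policy attached to the (constructed) "developers" group: full S3 access.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Identity-based policy attached to the "accounting" group: explicit deny on deletes.
ACCOUNTING_DENY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::finance-reports", "arn:aws:s3:::finance-reports/*"],
    }],
}

# Permission boundary for interns: listing is the maximum they can ever do,
# no matter how wide the policies of the group they are added to are.
INTERN_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
        "Resource": "*",
    }],
}

OBJECT = "arn:aws:s3:::finance-reports/q1.csv"
BUCKET = "arn:aws:s3:::finance-reports"


def developer_deletes_object():
    return decide("s3:DeleteObject", OBJECT, [DEVELOPER_POLICY])


def accounting_deletes_object():
    # Allowed by the developer policy, but the accounting group's Deny wins.
    return decide("s3:DeleteObject", OBJECT, [DEVELOPER_POLICY, ACCOUNTING_DENY])


def intern_deletes_object():
    # Same wide group policy, but the boundary caps the intern at listing.
    return decide("s3:DeleteObject", OBJECT, [DEVELOPER_POLICY], boundary=INTERN_BOUNDARY)


def intern_lists_bucket():
    return decide("s3:ListBucket", BUCKET, [DEVELOPER_POLICY], boundary=INTERN_BOUNDARY)


if __name__ == "__main__":
    for label, fn in [("developer delete", developer_deletes_object),
                      ("accounting delete", accounting_deletes_object),
                      ("intern delete", intern_deletes_object),
                      ("intern list", intern_lists_bucket)]:
        print(f"{label:18s} -> {fn()}")
```

Running the script prints one decision per scenario; the interesting rows are the accounting delete (allowed by one policy, still denied because an explicit Deny anywhere overrides it) and the intern delete (no Deny at all, yet refused because the boundary never granted it). That second row is also the shape of the interview question at the top of the post: a principal with wide permissions can still be refused by a layer other than the policy you are looking at.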

📌 IAM Session Policy:

  1. It allows temporary access for users to AWS resources.

📌 Inline Policy:

  1. Attached directly to a user, group or role.
  2. Cannot be used by any other user, group or role. E.g.: provide temporary S3 access to a DevOps Engineer (only valid for a certain time period).

📌 Managed Policy:

  1. Created and managed by AWS.
  2. It can be reused with other entities in different accounts.

Policy with Conditions:

To be continued...
