Nishath J P

🔐 Mastering IAM for the AWS Solutions Architect – Associate (SAA-C03) Exam

If you’re preparing for the AWS Solutions Architect – Associate (SAA-C03) exam, then Identity and Access Management (IAM) is one topic you can’t afford to skip.

Every single AWS service relies on IAM for authentication and authorization, making it a core part of almost every exam question.

In this post, I’ll break down IAM concepts, best practices, and common exam scenarios so you can confidently answer any IAM-related question that appears on your SAA-C03 exam. This post covers only the theory; you also need to practice. 🚀

IAM: Users & Groups

  • IAM = Identity and Access Management; it's a global service
  • The root account is created by default and shouldn’t be used or shared
  • Users are people within your organization, and they can be grouped
  • Note: groups only contain users, not other groups
  • Users don’t have to belong to a group, and a user can belong to multiple groups

IAM: Permissions

  • The permissions of users are defined in policies
  • A policy is a JSON document
  • Policies can be attached to users or groups
  • In AWS you apply the least privilege principle: don’t give more permissions than a user needs
  • A user inherits the policies of the groups they belong to
  • We can also set a password policy that defines the requirements user passwords must meet

Example policy (read-only access to EC2, ELB and CloudWatch metadata):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

IAM Policies Structure

A policy consists of:

  • Version: policy language version, always include “2012-10-17”
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required)

Each statement consists of:

  • Sid: an identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow, Deny)
  • Principal: account/user/role to which this policy applies
  • Action: list of actions this policy allows or denies
  • Resource: list of resources to which the actions apply
  • Condition: conditions for when this policy is in effect (optional)
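To make the Effect / Action / Resource elements concrete, here is an added example (my own code, not from the original post) that evaluates requests against the read-only policy shown above, plus one Deny statement I added to show that an explicit Deny always beats an Allow. It is a simplified model: Principal and Condition are not evaluated, and anything not matched by an Allow is an implicit deny, which is exactly how the exam expects you to reason about identity-based policies.

```python
import fnmatch
import json

# Constructed example: the page's read-only policy plus one explicit Deny
# statement added here to demonstrate Deny-overrides-Allow.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DescribeVolumes", "Resource": "*"}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, target):
    # '*' and '?' are wildcards; action names are compared case-insensitively.
    return any(fnmatch.fnmatchcase(target.lower(), p.lower()) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Simplified identity-policy logic: an explicit Deny wins over everything,
    an Allow is required to grant access, and no matching statement at all
    means implicit deny. Principal and Condition are not modelled here.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(_as_list(stmt["Action"]), action)
                and _matches(_as_list(stmt["Resource"]), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits the evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for act in ("ec2:DescribeInstances", "ec2:TerminateInstances", "ec2:DescribeVolumes"):
        print(f"{act:26} -> {evaluate(POLICY, act, '*')}")
```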

Multi Factor Authentication - MFA

  • Users have access to your account and can possibly change configurations or delete resources in your AWS account
  • You want to protect your Root Accounts and IAM users
  • MFA = password you know + security device you own
  • Main benefit of MFA: if a password is stolen or hacked, the account is not compromised

MFA devices options in AWS

  1. Virtual MFA device
  2. Universal 2nd Factor (U2F) Security Key
  3. Hardware Key Fob MFA Device
  4. Hardware Key Fob MFA Device for AWS GovCloud (US)

How can users access AWS?

  • To access AWS, you have three options:
      • AWS Management Console (protected by password + MFA)
      • AWS Command Line Interface (CLI): protected by access keys
      • AWS Software Development Kit (SDK), for code: protected by access keys
  • Access Keys are generated through the AWS Console
  • Users manage their own access keys
  • Access Keys are secret, just like a password. Don’t share them
  • Access Key ID ~= username
  • Secret Access Key ~= password

What’s the AWS CLI?

  • A tool that enables you to interact with AWS services using commands in your command-line shell
  • Direct access to the public APIs of AWS services
  • You can develop scripts to manage your resources
  • It’s open-source: https://github.com/aws/aws-cli
  • Alternative to using AWS Management Console

What’s the AWS SDK?

  • AWS Software Development Kit (AWS SDK)
  • Language-specific APIs (set of libraries)
  • Enables you to access and manage AWS services programmatically
  • Embedded within your application
  • Supports:
      • SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
      • Mobile SDKs (Android, iOS, …)
      • IoT Device SDKs (Embedded C, Arduino, …)
  • Example: the AWS CLI is built on the AWS SDK for Python

IAM Roles for Services

  • Some AWS services will need to perform actions on your behalf
  • To do so, we assign permissions to AWS services with IAM Roles

Common roles:

  • EC2 Instance Roles
  • Lambda Function Roles
  • Roles for CloudFormation

IAM Security Tools

IAM Credentials Report (account-level)

  • A report that lists all your account's users and the status of their various credentials

IAM Access Advisor (user-level)

  • Access Advisor shows the service permissions granted to a user and when those services were last accessed
  • You can use this information to revise your policies

IAM Guidelines & Best Practices

  • Don’t use the root account except for AWS account setup
  • One physical user = One AWS user
  • Assign users to groups and assign permissions to groups
  • Create a strong password policy
  • Use and enforce the use of Multi Factor Authentication (MFA)
  • Create and use Roles for giving permissions to AWS services
  • Use Access Keys for Programmatic Access (CLI / SDK)
  • Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
  • Never share IAM users & Access Keys
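The IAM Credentials Report described earlier is what you use to check several of these guidelines in practice. The following is an added example (my own code, not from the original post) that audits a constructed report for the findings this post cares about: console users without MFA, an access key on the root account, keys older than 90 days, and active keys that have never been used. The column names follow the real report's layout (only the columns the check needs are included); the sample rows and the 90-day threshold are my own assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the column layout of an IAM credentials report
# (a real report has more columns; only the ones used below are kept).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2023-01-10T09:00:00+00:00,2024-05-01T12:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,true,true,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2023-11-02T08:30:00+00:00,2024-06-20T10:15:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2024-06-01T00:00:00+00:00,N/A
"""

MAX_KEY_AGE = timedelta(days=90)            # assumed rotation policy
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def _parse(ts):
    """The report uses ISO 8601 timestamps, or N/A / no_information when unset."""
    return None if ts in ("N/A", "no_information", "") else datetime.fromisoformat(ts)


def audit(report_csv, now):
    """Return {user: [findings]} for rows that violate the guidelines above."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        is_root = row["user"] == "<root_account>"
        # Root always has a console password; the report marks it not_supported.
        has_password = is_root or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        if row["access_key_1_active"] == "true":
            if is_root:
                issues.append("root account has an active access key")
            rotated = _parse(row["access_key_1_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                issues.append(f"access key older than {MAX_KEY_AGE.days} days")
            if _parse(row["access_key_1_last_used_date"]) is None:
                issues.append("active access key never used")
        if issues:
            findings[row["user"]] = issues
    return findings


def run_sample():
    return audit(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, issues in run_sample().items():
        print(user, "->", "; ".join(issues))
```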

Would you like me to make a Part 2 version — something like “Advanced IAM Concepts for SAA-C03 (Permission Boundaries, SCPs & Federation)” — to continue this as a blog series?
