Tanmay Shukla

AWS Identity and Access Management - Practical Guide 🚀🚀 (Cheat sheet)

This is a practical guide for understanding and revising the AWS IAM service. It can also be used as a quick-review cheat sheet.

IAM: Users & Groups

  • IAM = Identity and Access Management, Global service
  • Root account created by default, shouldn’t be used or shared
  • Users are people within your organization, and can be grouped
  • Groups only contain users, not other groups
  • Users don’t have to belong to a group, and a user can belong to multiple groups

IAM: Permissions

  • Users or Groups can be assigned JSON documents called policies.
  • These policies define the permissions of the users.
  • In AWS you apply the least privilege principle: don’t give more permissions than a user needs.

IAM Policies Structure

1. IAM policies consist of

  • Version: policy language version, always include "2012-10-17"
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required).

2. Statements consist of

  • Sid: an identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow, Deny)
  • Principal: account/user/role to which this policy applies
  • Action: list of actions this policy allows or denies
  • Resource: list of resources to which the actions apply
  • Condition: conditions for when this policy is in effect (optional)

Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
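
How the three statements above combine at request time, as an added example that is not part of the original post. It is a simplified model (one identity-based policy, `*`/`?` wildcards, only the `Bool` condition operator); the function names and the request-context dictionary are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# The example policy from this page, reproduced compactly.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FirstStatement", "Effect": "Allow",
     "Action": ["iam:ChangePassword"], "Resource": "*"},
    {"Sid": "SecondStatement", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Sid": "ThirdStatement", "Effect": "Allow",
     "Action": ["s3:List*", "s3:Get*"],
     "Resource": ["arn:aws:s3:::confidential-data",
                  "arn:aws:s3:::confidential-data/*"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def condition_ok(condition, context):
    """Model only the Bool operator; a key absent from the request never matches."""
    if set(condition) - {"Bool"}:
        raise NotImplementedError("only the Bool operator is modelled here")
    return all(str(context.get(key)).lower() == str(expected).lower()
               for key, expected in condition.get("Bool", {}).items())

def evaluate(policy, action, resource, context=None):
    """Return (decision, sid): 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    context = context or {}
    allowed_by = None
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
            continue
        if not condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt.get("Sid")  # an explicit Deny always wins
        allowed_by = allowed_by or stmt.get("Sid")
    # No matching Allow means the request is denied by default.
    return ("Allow", allowed_by) if allowed_by else ("ImplicitDeny", None)

if __name__ == "__main__":
    obj = "arn:aws:s3:::confidential-data/report.csv"  # constructed object key
    print(evaluate(POLICY, "s3:GetObject", obj))
    print(evaluate(POLICY, "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": True}))
```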

IAM – Password Policy

  • Strong passwords = higher security for your account
  • In AWS, you can set up a password policy:
    • Set a minimum password length
    • Require specific character types, including:
      • uppercase letters
      • lowercase letters
      • numbers
      • non-alphanumeric characters
    • Allow all IAM users to change their own passwords
    • Require users to change their password after some time (password expiration)
    • Prevent password re-use.

Multi Factor Authentication - MFA

  • Users have access to your account and can possibly change configurations or delete resources in your AWS account
  • You want to protect your Root Accounts and IAM users
  • MFA = password you know + security device you own

MFA device options in AWS

  • Virtual MFA device: Google Authenticator, Authy.
  • Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party)

How can users access AWS?

  • To access AWS, you have three options:
    1. AWS Management Console (protected by password + MFA)
    2. AWS Command Line Interface (CLI): protected by access keys
    3. AWS Software Development Kit (SDK) - for code: protected by access keys
  • Access Keys are generated through the AWS Console
  • Users manage their own access keys
  • Access Keys are secret, just like a password. Don’t share them
  • Access Key ID ~= username
  • Secret Access Key ~= password

IAM Roles for Services

  • Some AWS services will need to perform actions on your behalf
  • To do so, we will assign permissions to AWS services with IAM Roles
  • Common roles:
    • EC2 Instance Roles
    • Lambda Function Roles
    • Roles for CloudFormation

IAM Guidelines & Best Practices

  • Don’t use the root account except for AWS account setup
  • One physical user = One AWS user
  • Assign users to groups and assign permissions to groups
  • Create a strong password policy
  • Use and enforce the use of Multi Factor Authentication (MFA)
  • Create and use Roles for giving permissions to AWS services
  • Use Access Keys for Programmatic Access (CLI / SDK)
  • Audit permissions of your account with the IAM Credentials Report
  • Never share IAM users & Access Keys


IAM – Summary

  • Users: mapped to a physical user, has a password for AWS Console
  • Groups: contains users only
  • Policies: JSON document that outlines permissions for users or groups
  • Roles: for EC2 instances or AWS services
  • Security: MFA + Password Policy
  • Access Keys: access AWS using the CLI or SDK
  • Audit: IAM Credential Reports & IAM Access Advisor
