I have undertaken the journey to achieve the AWS Solutions Architect certification as the first step to learning about Cloud Computing. The ability to automate the rollout of production systems and have those systems scale up or out based on nothing more than utilization is a powerful attraction, as long as you can control the costs.
In the first part of the journey, after learning about Elastic Computing and Storage, we started down the path of learning about Identity and Access Management (IAM). IAM Users are used when you need long-term AWS access for humans, applications or services. There is a limit of 5,000 users per account, and each user can be a member of at most 10 groups, which limits their use in large organizations (though there are other options, such as IAM Roles or Identity Federation); they still have their place.
IAM users are principals (humans, applications, etc.) that authenticate either with a username and password or with an access key pair (an access key ID and a secret access key). Humans can use either method depending on whether they are accessing AWS via the Web Console or the Command Line Interface. The principal becomes authenticated once it proves its identity.
AWS identities can have IAM policies attached to them. A policy is a set of security statements that allow or deny access to AWS resources. A policy is a JSON document whose statements consist of:
- SID (Statement ID, optional)
- Effect (Allow or Deny)
- Resource (can list multiple resources and can use the wildcard character *)
- Principal (IAM User/Role)
- Action (the format is Service:Action; wildcards are allowed. The ARN (Amazon Resource Name) format can also be used)
- Condition (optional conditions for when the policy is in effect)
IAM policy documents are written in JSON, which makes it possible to automate the application of policies to multiple users and groups. Armed with templates for various levels of permissions, a Cloud Administrator can apply policies to IAM Users rapidly and consistently.
Human IAM Users should have MFA enabled as a best practice, especially those IAM users who have administrative roles. The type of MFA you use is up to your own policy: a physical device, an app on a mobile device, or even biometric information.
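As an added example that is not part of the original post, the following Python script models the policy elements listed above and the two practices just mentioned: it builds a policy document from a reusable template (the "templates per permission level" idea), checks that every statement carries the required elements, and evaluates requests against it using IAM's basic rules: an explicit Deny overrides any Allow, and a request that matches no statement is denied by default. The bucket name, account ID and user names are constructed values; the condition key `aws:MultiFactorAuthPresent` is a real IAM global condition key, used here to express the MFA recommendation as a Deny statement. The evaluator is a deliberately simplified model of IAM's logic (only the `Bool`/`BoolIfExists` operators and `*` wildcards are handled), not AWS's own engine. No Principal element appears because an identity-based policy attached to a user does not carry one.

```python
import fnmatch
import json


def policy_template(bucket, account_id):
    """Template for a read-only user: S3 read on one bucket, IAM read-only,
    and a Deny on every IAM action unless the caller authenticated with MFA.
    bucket and account_id are constructed inputs for this example."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3ReadOnOneBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {
                "Sid": "AllowIamReadOnly",
                "Effect": "Allow",
                "Action": ["iam:GetUser", "iam:ListUsers"],
                "Resource": f"arn:aws:iam::{account_id}:user/*",
            },
            {
                # BoolIfExists also matches requests where the key is absent,
                # so a caller with no MFA context at all is denied too.
                "Sid": "DenyIamWithoutMfa",
                "Effect": "Deny",
                "Action": "iam:*",
                "Resource": "*",
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


# Constructed sample document, serialized the way it would be stored or uploaded.
SAMPLE_POLICY = json.dumps(policy_template("example-bucket", "123456789012"))

REQUIRED_KEYS = {"Effect", "Action", "Resource"}


def load_policy(text):
    """Parse the JSON document and check each statement has the required elements."""
    doc = json.loads(text)
    statements = doc["Statement"]
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for st in statements:
        sid = st.get("Sid", "?")
        missing = REQUIRED_KEYS - st.keys()
        if missing:
            raise ValueError(f"statement {sid} is missing {sorted(missing)}")
        if st["Effect"] not in ("Allow", "Deny"):
            raise ValueError(f"statement {sid} has invalid Effect {st['Effect']!r}")
    return statements


def validate(text):
    """Return None if the document is well-formed, else the error message."""
    try:
        load_policy(text)
        return None
    except ValueError as exc:
        return str(exc)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # '*' in Action and Resource is a wildcard, which fnmatch models directly.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Simplified condition check: only Bool and BoolIfExists are modeled."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"operator {operator} not modeled here")
        for key, expected in pairs.items():
            if key not in context:
                # Bool on a missing key is false; BoolIfExists treats it as a match.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(statements, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request. An explicit Deny wins as soon
    as it matches; with no matching statement the result is the implicit Deny."""
    context = context or {}
    decision = "Deny"
    for st in statements:
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if not _condition_holds(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    stmts = load_policy(SAMPLE_POLICY)
    user = "arn:aws:iam::123456789012:user/alice"
    print(evaluate(stmts, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"))
    print(evaluate(stmts, "iam:GetUser", user))                                        # no MFA context
    print(evaluate(stmts, "iam:GetUser", user, {"aws:MultiFactorAuthPresent": "true"}))
```

Running the script shows the three outcomes a practitioner should expect: the S3 read on the templated bucket is allowed, the IAM read without an MFA context is denied even though an Allow statement matches it, and the same read with MFA present is allowed. Because the template takes the bucket and account as parameters, the same document can be generated for many users without hand-editing JSON, which is the consistency the post describes.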
This only scratches the surface of IAM users and policies; their versatility is far-reaching.