DEV Community

Vignesh Bandla

IAM - Identity Access Management

Hello, everyone! I hope you're all doing well. Welcome to the first week of the #12weeksawschallenge. This week, we will delve into AWS's IAM service, which enables you to regulate access to resources, determine how access is granted, and specify the actions that can be performed. These are just a few of the capabilities of IAM. Let's explore what it can do and how it accomplishes these tasks.

Introduction

To all those who are new to my blog series, I extend a warm welcome. I am writing these blogs as part of the #12weeksawschallenge, which is designed to introduce AWS Cloud in a more practical manner. You can find additional information about #12weeksworkshops on their official website here.

In this challenge, I am currently in week 1, where the primary focus is on AWS IAM, which stands for Identity and Access Management. IAM plays a crucial role in managing who has access to AWS resources and how they can utilize them. It effectively controls access in the AWS cloud environment.

In this post, we will delve into several key topics related to Identity and Access Management (IAM) in AWS.

  1. What is IAM?
  2. Significance of IAM
  3. What is the Shared Responsibility Model?
  4. How one can access AWS cloud services?
  5. Various entities in IAM
  6. Policy Evaluation

Let's explore these topics in detail to gain a better grasp of AWS Identity and Access Management.

IAM - Identity and Access Management

"IAM is a web service that helps you securely manage access to AWS resources. IAM enables you to configure who can access AWS resources, what specific resources a user can access, and the actions they are permitted to perform."

Now let's look in detail at some capabilities of IAM.

  1. Share access to an AWS account
    IAM allows us to share resources with other users without actually sharing our credentials.

  2. Granular permissions
    IAM enables you to grant permissions with a high level of granularity. You can grant a user the ability to administer resources alongside you, or you can restrict a user to only accessing resource names and nothing more.

  3. Secure access for applications on EC2 instances
    Sometimes our applications may require data from an Aurora DB. In such cases we need to provide credentials. However, passing credentials directly is not considered standard practice. Instead, IAM offers a mechanism to achieve this using an entity called a Role, which we will explore later in this post.

When looking at the multitude of tasks that IAM (Identity and Access Management) can perform, one may wonder how it efficiently accomplishes these functions. As users who utilize IAM, it's important to comprehend its inner workings and tailor its configurations to our specific needs. IAM achieves its capabilities through the use of key components such as users, user groups, policies, and roles. To gain a comprehensive understanding of IAM, let's delve into these elements in detail.

IAM Users

User

An IAM user is an entity created in the AWS cloud, representing a human user who utilizes IAM to interact with AWS. The user possesses a name and credentials for authentication.

Types of Users

There are two types of users:

  1. Root User

    • The root user is also the account owner; this identity was created along with the account.
    • This account has unrestricted access, hence it is recommended not to use it for everyday activities.
  2. AWS IAM User

    • These IAM users are created by an administrator as per business needs.
    • These users have restricted access to the resources.

Identifying the User

  1. Friendly Name

    • The name of the user that was given during user creation.
    • This is visible in the Management Console.
  2. Amazon Resource Name (ARN)

    • A user can be uniquely identified using its ARN, which helps us during policy creation.
    • An ARN looks similar to
      arn:aws:iam::<accountId>:user/<userName>
    • Can be accessed from the Management Console.
  3. Unique Identifier

    • This is an ID returned only when API tools are used to create the user.
    • This can't be seen in the Management Console.

Root User Best Practices

Best practices are a standard set of procedures users can adopt in order to keep their accounts safe. Some of them are:

  • The root user is not recommended for everyday activities
  • To have administrative access over all resources, create an IAM admin user
  • Enable a virtual MFA device for your AWS account root user
  • Configure account security challenge questions

and there are more, which you can find here.

IAM User Groups

A User Group is a collection of users that allows us to specify permissions for multiple users, simplifying the management of permissions. These groups pertain to permissions rather than authentication.


An example of user groups based on roles

Some characteristics of user groups are:

  1. A user group can encompass multiple users but cannot include another user group within it.

  2. A user can be a member of multiple groups, not limited to just one group.

IAM Roles

A role is an entity similar to a user, with permission policies that decide what the identity can and cannot do. But roles are not uniquely associated with one person. Whenever a role is assumed, it provides temporary security credentials for your session.


In this scenario, a developer is initially denied access to production logs. However, after assuming a production role they are able to access the logs.

Roles are used to delegate access to users, applications or services that don't normally have access to a resource.

IAM Policy

Permissions in AWS are represented using policies, and these policies are attached to IAM identities or AWS resources. AWS evaluates these policies when a principal (user or role) makes a request.

Most policies are stored as JSON documents, and there are 6 different types of policies:

Types of IAM Policies

  1. Identity Based Policies

    • These are JSON policy documents attached to identities
    • These permissions state what effect (allow/deny) should be applied to which actions under which circumstances (conditions)
  2. Resource Based Policies

    • These are JSON policy documents attached to resources
    • These specify grants to the principals who can use the resource
  3. Permission Based Policies

    • Advanced feature that allows you to set the maximum permissions that an identity-based policy can grant to an entity
  4. Organization SCPs

  5. Access Control Lists

    • ACLs allow you to control which principals from another account can access a resource
    • Similar to a resource-based policy, but an ACL is not a JSON policy document
  6. Session Policies

    • Advanced policies that allow you to pass parameters when you programmatically create temporary sessions

Structure of a simple policy

Time to build

Now we know how permissions work. So let's put our learning into practice by building a simple use case (the scenario mentioned in Immersion Day).

You can also find this lab on AWS Workshops here.

Use Case architecture

A simple use case given by Amazon which helps us get a practical feel for what we have seen so far.

Thank you all for following along. I sincerely hope this was not boring, but I feel it was a bit lengthy, so this is the perfect time to take a break and continue later. Have a glass of water or move away from your desk for a while, and after a short break let's continue building the use case.

Now let's resume. If we look at the architecture, we require multiple EC2 instances, a user, a user group and a policy. So let's create all of them one by one, and once they are all ready, let's align them according to the architecture.

1. Creating EC2 instances

  • Go to the AWS Management Console and navigate to the EC2 Dashboard

Step-1 Log in to the Management Console and navigate to the EC2 Dashboard
  • In the EC2 Dashboard, click on Launch Instance

Step-2 Click on Launch Instance
  • Now create an EC2 instance with the name dev-instance and add a new tag as follows: Env=dev

Step-3.1 Creating an instance within the development environment
  • Now create an EC2 instance with the name prod-instance and add a new tag as follows: Env=prod

Step-3.2 Creating an instance within the production environment
  • You can also refer to the configurations of both instances here:

    prod-instance
      Attribute                   Value
      Name                        prod-instance
      Env                         prod
      Application and OS Images   Amazon Linux
      Instance type               t2.micro
      Key pair                    proceed without a key pair
      Security Group              default

    dev-instance
      Attribute                   Value
      Name                        dev-instance
      Env                         dev
      Application and OS Images   Amazon Linux
      Instance type               t2.micro
      Key pair                    proceed without a key pair
      Security Group              default
  • Now click on Launch after entering the appropriate details

Note: I've used the default security group and no key pair so as not to create new resources, but you can create new resources and apply them here.

  • Once done, you should have two instances running

Step-4 Verify your instances

2. Creating a Policy

  • Go to the IAM Dashboard and click on Policies

Step-1 Go to the IAM Dashboard
  • Click on Create policy

Step-2 Click on Create policy
  • Now we are on the Create policy page; let's use both the Visual and JSON methods to add permissions

    • First, in the visual editor select the following configuration
      Step-3.1 Creating a permission to perform any action on EC2 instances of the dev environment
    • Now switch to the JSON editor and append this to the Statement object (I've edited my JSON so that it allows all Describe actions instead of writing the whole JSON code)
      Step-3.2 Creating a permission to perform any kind of Describe action on any EC2 instance
    • Now switch back to the visual editor and add this rule
      Step-3.3 Creating a permission which denies the user
    • Now we have all the permissions required; click on Next and enter the details
      Step-3.4 Creating the policy
  • Now click on Create policy and your policy is created

    Step-4 Now click on Create policy
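To make the three rules above and the evaluation order concrete, here is an added example (not from the original post or the AWS workshop) with a constructed JSON policy reproducing them and a small, simplified evaluator: an explicit Deny always wins, then any matching Allow, otherwise the request is implicitly denied. The statement contents, instance ARNs and account id are assumptions; only StringEquals on aws:ResourceTag is modelled and action matching is case-sensitive here, unlike real IAM.

```python
import fnmatch
import json

# Constructed policy reproducing the walkthrough's three rules: full EC2 access on
# instances tagged Env=dev, Describe* on everything, explicit deny on termination.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DevFullAccess", "Effect": "Allow", "Action": "ec2:*",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Env": "dev"}}},
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Sid": "NoTerminate", "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
  ]
}""")

# Constructed sample instance ARNs (the account id is a placeholder).
DEV_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0dev0000000000001"
PROD_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0prod000000000001"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, tags):
    """True when the statement's Action, Resource and modelled Condition all apply."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    # Only StringEquals on aws:ResourceTag/<key> is modelled; other condition keys are ignored.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.startswith("aws:ResourceTag/") and tags.get(key.split("/", 1)[1]) != expected:
            return False
    return True


def evaluate(policy, action, resource, tags=None):
    """Simplified IAM logic: explicit Deny wins, then any Allow, else implicit deny."""
    tags = tags or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, tags):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for act in ("ec2:StopInstances", "ec2:DescribeInstances", "ec2:TerminateInstances"):
        print(act, evaluate(POLICY, act, DEV_ARN, {"Env": "dev"}))
```

Terminating the dev instance is refused even though the first statement allows ec2:* on it, which is exactly what step 4 of the verification below observes; a principal with an empty policy gets ImplicitDeny for everything.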

3. Creating a User Group

  • Now go to the IAM Dashboard, select User groups and click on Create group

    Step-1 IAM Dashboard > User groups > Create group
  • Now name your user group and leave the other configurations, such as Add users and Attach permissions policies, as we'll deal with them later

    Step-2 Name your user group
  • Now click on the Create group button and your user group is ready to use

4. Creating a User

  • Now go to the IAM Dashboard, navigate to Users and click on Create user

    Step-1 IAM Dashboard > Users > Create user
  • Now enter the user name as desired, select the following options and click on Next

    Step-2 Configuring username and password
  • Now skip all other steps, as we'll add the user to the group and attach the policies in the forthcoming steps

  • Now create the user; it is best to download the CSV file and store it in a safe place

  • Now copy the user sign-in link, which will be helpful for us in further steps

With this we have all the required components. So let us start connecting them.

5. Aligning the components according to the architecture diagram

  1. Go to the user group you created and add the user to the group
    User group > Users > Add users

    Step-1 Adding the user to the user group
  2. Now attach the policy you created to the user group
    User group > Permissions > Add permissions

    Step-2 Attaching the policy to the user group
  3. Now verify whether you are able to see the instances in the EC2 Dashboard

    We are able to see all the instances, which means Rule 2 is in action
  4. Now try to terminate any instance; you will encounter an error, which means the 3rd rule is also in action

    Picture shows the error message when trying to terminate the instance

This shows us how permissions in AWS are attached to users. We saw from "What is IAM" what it provides, and we have now seen how to actually implement those features using policies and IAM entities.

Programmatic Access

It is important to know how we can access our resources via the command line tools or SDKs provided by AWS. So now let's see how we can enable a user to access resources from the command line.

Consider a scenario: your mentor has requested you to verify whether you have access to a specific bucket. To accomplish this, you need to list all the buckets and confirm whether the particular bucket is present in the list. Assume that you have the necessary permissions to create a user.

  1. Go to the Users page from the IAM Dashboard and click on Create user
    Step-1 Programmatic access
  2. On the current page, enter the username and click Next. Since we only require command-line permissions, we are not granting access to the Management Console.
  3. On the Permissions page, retain all default values and proceed to the next step to create the user.
  4. You now have an IAM user with no attached policies. Next, we'll create access keys for the user, which allow them to use the CLI.
  5. From the Users dashboard, select the user you have created and navigate to the Security credentials tab.
    Step-2 Programmatic access

  6. Select the "Command Line Interface" use case, check the checkbox, and proceed to the next step.
    Step-3 Programmatic access

  7. Now leave the tag value empty and click on Create access key

  8. It's important to download the access key, which was generated by AWS itself. To do so, click on the button to download the key in CSV format.

Now we have a user who has command line access. So let's see what to do next.

  1. Download and install the AWS CLI from here
  2. Now check whether your installation was successful
  3. Now that we have the AWS CLI installed, we need to configure it by using the aws configure command and entering the access key details from the CSV file you downloaded earlier.
  4. Now let's try to get the list of all buckets we have using aws s3 ls
  5. Oops! We encountered an error: Access Denied
  6. No problem, we know what to do now. Let's take it as a challenge and try to get it working.

Once again thank you so much for following upto here, I hope this article was useful to you. Meet you all soon in the next blog, Have a great time ahead.

I would really like to hear your valuable suggestions, and in case of any queries you can reach out to me at
LinkedIn : Vignesh bandla
Email : vignesh.bandla01@gmail.com
