IAM

Introduction

• Identity and Access Management (IAM) enableing control access to AWS services and resources

• Can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources

• A global (Not Regional) service

Feature

• Providing

  • Centralized control

  • Shared access to AWS account

  • Granular permissions

  • Identity Federation (ex. to a SAML IdP)

    • Create a SAML provider in IAM and create IAM role that establishes a trust relationship between IAM and the IdP that identifies the IdP as a principal (trust entity) for purposes of federation.

  • Multifactor Authorization (MFA)

  • Providing temporary access for users, devices, services

  • Can set up custom password policy (ex: password rotation)

  • Support PCI DSS compliance

• Composition

  • Users

    • Simply people

    • Access type:

      • Programmatically accessing AWS APIs and command line

        • Access Key ID

        • Secret Access Key (only visible when creating, can be downloaded in the crendential.csv)

      • AWS console

        • Password (only visible when creating, can be downloaded in the crendential.csv)

  • Groups

    • A collection of people applying the same permissions

  • Roles

    • Can create a role then attach it to AWS resources or users

    • If a user switches the role, original access to the user is canceled. He can only use the access of the role.

    • Service Role (ex. attaching the role (or service role) to EC2 within instance metadata)

    • Service-linked Role

  • Policies

    • A JSON document defining permissions

    • Scenarios

      • Configure an IAM Policy that restricts access only to the user-specific folders in the Amazon S3 Bucket.

      • Force tagging to AWS resources (The best way is to use AWS Catalog)

        • Can be defined either with IAM policies for a role, user or with AWS Organizations SCP for an OU / entire organization.

        •       "Condition": {
                  "StringEquals": {
                    "aws:RequestTag/key1": "value1",
                    "aws:RequestTag/key2": "value2"
                  },
                  "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                      "key1",
                      "key2"
                    ]
                  }
                }

  • Trust Policy

    • A JSON document defining who can assume the role

• Evaluaiton logics

  • Authenticates the principal.

  • Determines which policy to apply to the request.

  • Evaluates the policy types and arranges an order of evaluation.

  • Processes the policies against the request context to determine if it is allowed.

Determining whether a request is allowed or denied within an account

Related Service

• Access Advisor - See permissions granted and last access time

• Access Analyzer - Analyze resources that are shared with external entity