Open in app

Sign in

Write

Sign in

AWS Identity and Access Management (IAM)

Mesut Oezdil
6 min readJun 12, 2023

--

How can we manage and secure AWS resources more effectively with AWS IAM’s secure access control and resource management capabilities?

This article will answer these and many other questions this Monday.

Then let’s get started!

AWS IAM and Its Authentication and Authorization Process

i) IAM is the Access Management Service for AWS Resources: IAM (Identity and Access Management) is AWS’s tool for securely managing who can access AWS resources. It helps you control who can do what (authentication) and which resources they can access (authorization) within your AWS account.

ii) Authentication and Authorization Are Key: Authentication verifies who a user is, like using a username and password. Authorization is about giving or denying permission to access certain resources based on the user’s identity. In IAM, authentication checks the user’s identity, while authorization uses policies to decide what resources they can access.

iii) Different Ways to Access AWS Resources: AWS offers several ways to access and manage resources:

  • AWS Management Console: A web-based interface to interact with resources using a graphical interface.
  • AWS CLI (Command Line Interface): A command-line tool that allows you to control AWS services using text commands.
  • AWS API: Developers can manage AWS resources by making requests to AWS API endpoints programmatically.

iv) Policies Define Who Can Do What: In IAM, policies are written as JSON documents that define the permissions for AWS resources. Policies can be attached to users, groups, or roles, specifying what actions they can take on which resources.

v) Users, Roles, and Groups:

  • Users: Represent individuals or entities (like applications) interacting with AWS resources. Each user has a unique set of security credentials.
  • Roles: Similar to users but aren’t linked to a specific person. They’re for granting temporary permissions to AWS services or applications.
  • Groups: Collections of users with similar permissions, making it easier to manage their access in one place.

vi) Trust Policies When Assuming a Role: When a user or AWS service takes on a role, trust policies decide if they are allowed to do so. These policies specify who can assume the role and under what conditions.

Creating a New User in the AWS Console and Assigning Permissions

i) Creating a User and Giving Access: In the AWS console, you can go to IAM, add a new user, and give them either console access (to sign in to AWS) or programmatic access (to use the CLI or APIs). After that, you assign permissions by adding them to a group or attaching policies directly to the user.

ii) Adding Read-Only Access to an S3 Bucket: To give read-only access to an S3 bucket, create a policy specifying the needed permissions, like s3:GetObject. Attach this policy to the user, allowing them to read files from the bucket without being able to modify or delete them.

Managing Permissions with User Groups and Inline Policies

i) User Groups for Easy Permission Management: Instead of assigning permissions to each user individually, you can create user groups with defined permissions. Adding users to a group automatically gives them the permissions assigned to that group, making management easier.

ii) Inline Policies for Specific Permissions: Inline policies are policies directly attached to a user or group. They provide specific permissions tailored to particular needs, allowing fine control over resource access. Inline policies can be used alongside managed policies for more flexibility.

Accessing AWS Services via CLI Using Access Keys

i) Configure Access Key and Secret Key: To use AWS CLI, you need to set up your access key and secret key using the aws configure command. This lets you authenticate and authorize CLI commands with AWS securely.

ii) Create Profiles for Easy Access Management: You can create multiple CLI profiles with aws configure --profile [profile-name] to manage different sets of credentials. You can then switch between profiles easily, adding flexibility for working with different AWS accounts or IAM users.

Creating and Assigning Roles in AWS

i) Assigning Roles to AWS Resources: Roles in AWS are used to give permissions to services like EC2 or Lambda securely. By assigning roles instead of using permanent access keys, you enhance security and simplify permissions management.

ii) Service Control Policies (SCPs): SCPs are used in AWS Organizations to control access across multiple AWS accounts. They define what actions and services are allowed or denied and are used for centralized control over resources in an organization.

Permission Boundaries for Creating Users in AWS

i) Create Permission Boundary Policy: When creating a permission boundary, its name must match the policy name in the JSON file. Permission boundaries restrict the permissions a user or role can have, preventing over-privileged access.

ii) Boundaries Cannot Be Deleted or Edited: Once attached, permission boundaries cannot be deleted or changed. They are an important tool for limiting permissions and ensuring security, so create them carefully.

How Permission Boundaries Limit User Access

i) Preventing Privilege Escalation: Permission boundaries define the maximum permissions a user or role can have. This prevents anyone from gaining more access than intended, reducing security risks.

ii) Cross-Account Access: Cross-account access allows a user in one AWS account to access resources in another. You can do this by giving temporary access keys or using roles for secure resource sharing across accounts.

Cross-Account Access and Attribute-Based Access Control (ABAC)

i) Access Resources in Another Account: Cross-account access involves creating a role in one account that has permission to access resources in another account. This makes it easy to share resources securely between accounts.

ii) Attribute-Based Access Control (ABAC): ABAC creates policies based on specific attributes, like user role, location, or time zone. This allows you to set more flexible and granular access control rules for resources.

Using ABAC to Limit S3 Bucket Access Based on Tags

i) Create a Policy with a Group Tag: You can create a policy in IAM with a tag, like “admin,” to define permissions for a group of users. For example, you could allow users with an “admin” tag full access to an S3 bucket.

ii) Assign Users to the Group: Assign users with the “admin” tag to the group, which will give them full access to S3. This approach makes it easier to manage access for users who need full access to specific services.

Conclusion

AWS IAM is essential for managing access to AWS resources. It controls who can do what using authentication and authorization and offers different access methods, like the Console, CLI, and API. Policies define permissions for users, roles, and groups, while tools like permission boundaries, cross-account access, and ABAC provide more control over security. By understanding IAM, you can securely manage AWS resource access.

AWS
Cloud
Security
DevOps

--

--

Mesut Oezdil
Mesut Oezdil

Written by Mesut Oezdil

540 Followers
76 Following

I'm on the Substack now, not on Medium. AR-KUBE: Where AI meets DevSecOps! Exploring and sharing trends in AI-driven, security-focused DevOps.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams