IAM - Identity and Access Management
1. What is IAM?
IAM stands for Identity and Access Management. It is a global service in which we create our users and assign them to groups, much like groups in Linux.
- The root account is created by default.
- Groups only contain users, not other groups.
- Users or groups can be assigned JSON documents called policies; these policies define the permissions of the users.
1.1. Least privilege principle
In AWS you apply the least privilege principle: don't give a user more permissions than they need.
2. IAM Policies structure
The policies consist of:
- Version
- Id
- Statement
2.1. Statements
Statements consist of:
- Sid: statement id
- Effect: whether the statement allows or denies access; it is like a flag (Allow, Deny)
- Principal: the account, user or role to which this policy is applied
- Action: list of actions this policy allows or denies
- Condition: conditions for when this policy is in effect (optional)
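As an added illustration (not from the original notes), a small Python checker that reads a policy document with the structure above, normalises the fields IAM lets you write as either a string or a list, and flags Allow statements whose Action or Resource is a wildcard, i.e. candidates for a least-privilege review. The sample policies are constructed; Resource is a standard statement field that the notes above do not list.

```python
import json

# Constructed sample policies (not from the notes above). "Resource" is a
# standard IAM statement field that the notes do not list.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "example-admin",
    "Statement": {"Sid": "AllowAll", "Effect": "Allow",
                  "Action": "*", "Resource": "*"},
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "DenyDelete", "Effect": "Deny",
         "Action": "s3:DeleteObject", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy_json):
    """Return the Statement block as a list (IAM allows one object or a list)."""
    return _as_list(json.loads(policy_json)["Statement"])


def broad_statements(policy_json):
    """Sids of Allow statements whose Action or Resource is a wildcard.
    Deny statements are skipped: a broad Deny narrows access, not widens it."""
    findings = []
    for stmt in statements(policy_json):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action or "*" in resources:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Running `broad_statements` over the two samples returns `['AllowAll']` for the admin policy and an empty list for the scoped one.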
3. IAM Defense mechanism
3.1. IAM Password policy
It is a set of rules that define complexity requirements and mandatory rotation periods for your IAM users’ passwords.
- strong passwords
- set a minimum password length
- require specific character types
- other typical password mechanisms (password expiration, prevent password re-use, etc.)
3.2. MFA - Multi-Factor Authentication
- MFA = password you know + security device you own
If the password is stolen or cracked, the account is still not compromised.
3.2.1. MFA Devices Options
4. How can users access AWS?
To access AWS, there are three options:
- AWS Management Console (protected by password + MFA)
- AWS Command Line Interface (CLI): protected by access keys
- AWS Software Development Kits (SDK), for code: protected by access keys
5. AWS CloudShell
It is only available in some regions. Through CloudShell we can issue commands, upload and download files, and do many other useful things.
6. IAM Roles
Some AWS services need to perform actions on your behalf; to allow this, we assign permissions to AWS services with IAM roles.
6.1. Common roles
- EC2 Instance Roles
- Lambda function roles
- Roles for CloudFormation
7. IAM Security Tools
- IAM Credentials Report (account-level): a report that lists all your account's users and the status of their various credentials.
- IAM Access Advisor (user-level): shows the service permissions granted to a user and when those services were last accessed. You can use this information to revise your policies.
8. IAM Guidelines & Best Practices
Best practices |
---|
Don’t use the root account except for AWS account setup |
One physical user == One AWS user |
Assign users to groups and assign permissions to groups |
Create a strong password policy |
Use and enforce the use of Multi-Factor Authentication (MFA) |
Create and use Roles for giving permissions to AWS services |
Use Access Keys for Programmatic Access (CLI/SDK) |
Audit permissions of your account using IAM Credentials Report & IAM Access Advisor |
9. Shared Responsibility Model
AWS | You |
---|---|
Infrastructure (global network security) | Users, Groups, Roles, Policies management and monitoring |
Configuration and vulnerability analysis | Enable MFA on all accounts |
Compliance validation | Rotate all your keys often |
 | Use IAM tools to apply appropriate permissions |
 | Analyze access patterns & review permissions |
10. IAM Summary
Concept | Description |
---|---|
Users | Mapped to a physical user, has a password for the AWS console |
Groups | Contain users only |
Policies | JSON document that outlines permissions for users or groups |
Roles | For EC2 instances or AWS services |
Security | MFA + password policy |
AWS CLI | Manage your AWS services using the command line |
AWS SDK | Manage your AWS services using a programming language |
Access Keys | Access AWS using the CLI or SDK |
Audit | IAM Credential Reports & IAM Access Advisor |