Identity Access Management

Posted in AWS

IAM (Identity and Access Management)

Amazon service (free of charge) that enables you to do the following:

  • Create users
  • Manage users and their access
  • Create federated users (temporary users)

IAM User Management

  • Create, delete and list users
  • Manage group memberships, credentials and permissions
  • Default limits: 100 groups, 5000 users

Users

  • In this context, users are individual people who have access to AWS
  • Users are global, not region-specific

Groups

  • A collection of users
  • Users can belong to multiple groups (10 by default)
  • Groups cannot be nested, i.e. a group cannot be assigned to another group

Roles

  • “An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person”
  • 250 roles by default
  • Roles can be assigned to other AWS accounts (cross-account access)
    • Power User role – all access except group management
    • Administrator Access role – all account resources except AWS account info

IAM Owner – the one who created the AWS account

Policies

  • JSON documents containing rules that define access
  • Policies can be attached to roles, groups or users

Policy Simulator – lets you test your policies before relying on them; an AWS-provided service, free of charge. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

Multifactor Authentication – an additional layer of authentication beyond the password alone; this can be a third-party hardware device, a virtual authenticator, STS (Security Token Service) or SMS authentication.

  • When a user tries to log in, a code is sent to (or generated on) their MFA device; they must enter that code after providing their password. This adds another layer of security, so your access is not easily compromised should someone find out your password.
  • MFA can also be enforced for developers' API calls when they invoke sensitive AWS APIs.
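To make the policy section and the MFA enforcement point concrete, here is an added example (not code from the original notes or from AWS). It builds a constructed least-privilege policy for a "developers" group in the JSON shape described above, including a Condition on the real `aws:MultiFactorAuthPresent` context key that gates sensitive IAM calls behind MFA, and then evaluates requests against it with a small offline evaluator that follows the identity-policy rule the Policy Simulator applies: an explicit Deny always wins, otherwise any matching Allow grants, otherwise the request is implicitly denied. The bucket names, account id and user names are constructed placeholders.

```python
import fnmatch
import json

# Constructed example policy for a "developers" group (added here; not from the
# original notes). It shows three building blocks of an IAM policy: an Allow
# scoped to one bucket, an Allow that requires MFA via a Condition, and an
# explicit Deny that wins no matter what else is allowed.
DEVELOPER_GROUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneBucketOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-app-bucket",
                   "arn:aws:s3:::example-app-bucket/*"]
    },
    {
      "Sid": "SensitiveIamCallsRequireMfa",
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "NeverDeleteProductionObjects",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-prod-bucket/*"
    }
  ]
}
""")

# A second, much broader policy (constructed) that might reach the same user
# through another group; used to show that the explicit Deny above still wins.
BROAD_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Case-insensitive match supporting IAM's '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_met(condition, context):
    """Only the Bool operator is modelled; it covers aws:MultiFactorAuthPresent."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator!r} not modelled")
        for key, expected in pairs.items():
            # A key absent from the request context (e.g. long-term access keys
            # used without MFA) never satisfies a plain Bool condition.
            actual = str(context.get(key, "")).lower()
            if actual != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Mirrors identity-policy evaluation order: an applicable Deny statement
    overrides everything, otherwise any applicable Allow grants, otherwise
    the request is implicitly denied.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_met(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-bucket/report.csv"
    user = "arn:aws:iam::123456789012:user/alice"  # constructed account id
    prod = "arn:aws:s3:::example-prod-bucket/db.dump"
    print("GetObject on app bucket:", evaluate([DEVELOPER_GROUP_POLICY], "s3:GetObject", obj))
    print("PutObject on app bucket:", evaluate([DEVELOPER_GROUP_POLICY], "s3:PutObject", obj))
    print("iam:CreateUser, no MFA:", evaluate([DEVELOPER_GROUP_POLICY], "iam:CreateUser", user))
    print("iam:CreateUser, with MFA:", evaluate([DEVELOPER_GROUP_POLICY], "iam:CreateUser", user,
                                                 {"aws:MultiFactorAuthPresent": "true"}))
    print("DeleteObject on prod, both policies:",
          evaluate([DEVELOPER_GROUP_POLICY, BROAD_S3_POLICY], "s3:DeleteObject", prod))
```

The evaluator deliberately models only identity-based policies and the Bool condition operator; real evaluation also takes NotAction/NotResource, resource-based policies, permissions boundaries and organisation SCPs into account, which is why the actual Policy Simulator is still the tool to confirm a policy before it goes live.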

Identity Federation – allows accounts from a third-party identity provider (e.g. LDAP, Facebook, Google) to log in to your AWS account, so there is no need to create an IAM user for each of them

NOTE: Active Directory authentication is possible in AWS through SAML; the user is authenticated in AD first, and the result is then passed to AWS.

BEST PRACTICES:

  • Root/privileged users should have MFA
  • Grant only the least privileges needed
  • Each user should have an individual IAM user (no shared accounts)
  • Use groups for managing users
  • Enforce a strong password policy
  • Assign IAM roles to your applications
  • Rotate credentials
  • Track what users are doing with CloudTrail (the audit log service for AWS)
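As an added example (not from the original notes or from AWS), the following script turns the last three best practices above into a check you can run over a CloudTrail export: it parses records in the `{"Records": [...]}` layout CloudTrail writes, and flags console logins by the root user, successful console logins made without MFA, and users with repeated failed logins. The records below are constructed for the example and use documentation-style placeholder IPs and account id; the field names (`eventName`, `userIdentity.type`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) are the ones CloudTrail emits for `ConsoleLogin` events.

```python
import json

# Constructed CloudTrail-shaped records (added here; not real logs). Field names
# follow CloudTrail's ConsoleLogin events; values are placeholders.
SAMPLE_TRAIL = """
{"Records": [
 {"eventTime": "2024-01-10T08:00:12Z", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.10"},
 {"eventTime": "2024-01-10T08:05:40Z", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "Root", "accountId": "123456789012"},
  "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.20"},
 {"eventTime": "2024-01-10T09:01:00Z", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "203.0.113.5"},
 {"eventTime": "2024-01-10T09:01:30Z", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "203.0.113.5"},
 {"eventTime": "2024-01-10T09:02:05Z", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "203.0.113.5"},
 {"eventTime": "2024-01-10T09:30:00Z", "eventName": "CreateAccessKey",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"userName": "alice"}}
]}
"""


def parse_trail(text):
    """Parse a CloudTrail log file body and return its list of event records."""
    return json.loads(text)["Records"]


def actor(event):
    """Human-readable principal: the IAM user name, or the identity type (e.g. Root)."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def audit(events, failure_threshold=3):
    """Return a list of findings; each is a dict with at least 'rule' and 'actor'."""
    findings = []
    failed_logins = {}
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue  # only login hygiene is checked here
        who = actor(ev)
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        mfa_used = ev.get("additionalEventData", {}).get("MFAUsed")
        if ev.get("userIdentity", {}).get("type") == "Root":
            # Day-to-day root use is itself a finding, regardless of MFA.
            findings.append({"rule": "root-console-login", "actor": who,
                             "time": ev.get("eventTime"), "ip": ev.get("sourceIPAddress")})
        if outcome == "Success" and mfa_used != "Yes":
            # Any successful console login without MFA is a policy gap.
            findings.append({"rule": "console-login-without-mfa", "actor": who,
                             "time": ev.get("eventTime"), "ip": ev.get("sourceIPAddress")})
        if outcome == "Failure":
            failed_logins[who] = failed_logins.get(who, 0) + 1
    for who, count in sorted(failed_logins.items()):
        if count >= failure_threshold:
            findings.append({"rule": "repeated-failed-logins", "actor": who, "count": count})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_trail(SAMPLE_TRAIL)):
        print(finding)
```

In practice you would feed this the decompressed objects CloudTrail delivers to its S3 bucket (each is one `{"Records": [...]}` document) and route the findings to wherever your alerts go; the threshold and the rule set are starting points to tune, not a complete detection suite.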
