AWS Identity and Access management-Practical Guide 🚀🚀(Cheat sheet)

tanmaygi

Tanmay Shukla

Posted on July 14, 2022

AWS Identity and Access management-Practical Guide 🚀🚀(Cheat sheet)

This is the Practical guide to understand and revise AWS IAM service. This can also be looked as quick review cheat sheet.

IAM aws

IAM: Users & Groups

  • IAM = Identity and Access Management, Global service
  • Root account created by default, shouldn’t be used or shared
  • Users are people within your organization, and can be grouped
  • Groups only contain users, not other groups
  • Users don’t have to belong to a group, and user can belong to multiple groups

IAM: Permissions

  • Users or Groups can be assigned JSON documents called policies.
  • These policies define the permissions of the users.
  • In AWS you apply the least privilege principle: don’t give more permissions than a user needs.

IAM Policies Structure

IAM policy
1. IAM Policies Consists of

  • Version: policy language version, always include “2012-10-17”
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required).

2. Statements consists of

  • Sid: an identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow, Deny)
  • Principal: account/user/role to which this policy applied to
  • Action: list of actions this policy allows or denies
  • Resource:list of resources to which the actions applied to
  • Condition: conditions for when this policy is in effect (optional). Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

IAM – Password Policy

  • Strong passwords = higher security for your account
  • In AWS, you can setup a password policy:
    • Set a minimum password length
    • Require specific character types:
    • including uppercase letters
    • lowercase letters
    • numbers
    • non-alphanumeric characters
    • Allow all IAM users to change their own passwords
    • Require users to change their password after some time (password expiration)
    • Prevent password re-use.

Multi Factor Authentication - MFA

  • Users have access to your account and can possibly change configurations or delete resources in your AWS account
  • You want to protect your Root Accounts and IAM users
  • MFA = password you know + security device you own MFA

MFA devices options in AWS

  • Virtual MFA device: Google authenticator, Authy.
  • Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party)

How can users access AWS ?

  • To access AWS, you have three options:
    1. AWS Management Console (protected by password + MFA)
    2. AWS Command Line Interface (CLI): protected by access keys
    3. AWS Software Developer Kit (SDK) - for code: protected by access keys
  • Access Keys are generated through the AWS Console
  • Users manage their own access keys
  • Access Keys are secret, just like a password. Don’t share them
  • Access Key ID ~= username
  • Secret Access Key ~= password

IAM Roles for Services

  • Some AWS service will need to perform actions on your behalf
  • To do so, we will assign permissions to AWS services with IAM Roles
  • Common roles:
    • EC2 Instance Roles
    • Lambda Function Roles
    • Roles for CloudFormation iAM ROLES

IAM Guidelines & Best Practices

• Don’t use the root account except for AWS account setup
• One physical user = One AWS user
• Assign users to groups and assign permissions to groups
• Create a strong password policy
• Use and enforce the use of Multi Factor Authentication (MFA)
• Create and use Roles for giving permissions to AWS services
• Use Access Keys for Programmatic Access (CLI / SDK)
• Audit permissions of your account with the IAM Credentials Report
• Never share IAM users & Access Keys


IAM – Summary

• Users: mapped to a physical user, has a password for AWS Console
• Groups: contains users only
• Policies: JSON document that outlines permissions for users or groups
• Roles: for EC2 instances or AWS services
• Security: MFA + Password Policy
• Access Keys: access AWS using the CLI or SDK
• Audit: IAM Credential Reports & IAM Access Advisor

Connect with me

đź’– đź’Ş đź™… đźš©
tanmaygi
Tanmay Shukla

Posted on July 14, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related