[AWS] Identity and Access Management IAM

“The real tragedy of the poor is the poverty of their aspirations.” –Adam Smith.

AWS Identity and Access Management (IAM)

Is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM allows you to manage users and their level of access to the aws console.

IAM Key terminology

• Users End user such as people, employees of an organization, etc.
• Groups A collection of users. Each user in the group will inherit the permissions of the group.
• Policies Policies are made of documents, called policy documents. These documents are in JSON format and they give permissions as to what a user/group is able to do.
• Roles You create roles a then assign them to AWS resources.

IAM Tips

• IAM is universal. It does not apply to regions at this time.
• The root account is simply the account created when first setup your AWS account. It has complete admin access.
• New users has NO permissions when first created.
• New users are assigned and Access Key and an Secret Key when first created.
• You cannot use the access key and the secret key to login into the console.
• You can view the access key and the secret key once, if you lose it you have to regenerate them.
• Always set up Multifactor Authentication especially for the root account.
• You can create and customise your own password rotation policies.

IAM Best practices

• Lock Away Your AWS Account Root User Access Keys You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, do not use your AWS account root user access key. The access key for your AWS account root user gives full access to all your resources for all AWS services, including your billing information. You cannot reduce the permissions associated with your AWS account root user access key.

• Create Individual IAM Users Don’t use your AWS account root user credentials to access AWS, and don’t give your credentials to anyone else. Instead, create individual users for anyone who needs access to your AWS account. Create an IAM user for yourself as well, give that user administrative permissions, and use that IAM user for all your work. For information about how to do this, see Creating Your First IAM Admin User and Group.

• Use Groups to Assign Permissions to IAM Users Instead of defining permissions for individual IAM users, it’s usually more convenient to create groups that relate to job functions (administrators, developers, accounting, etc.). Next, define the relevant permissions for each group. Finally, assign IAM users to those groups.

• Grant Least Privilege When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks.

• Get Started Using Permissions with AWS Managed Policies To get started quickly, you can use AWS managed policies to give your employees the permissions they need to get started. These policies are already available in your account and are maintained and updated by AWS. For more information about AWS managed policies, see AWS Managed Policies.

• Use Customer Managed Policies Instead of Inline Policies For custom policies, we recommend that you use managed policies instead of inline policies. A key advantage of using these policies is that you can view all of your managed policies in one place in the console. You can also view this information with a single AWS CLI or AWS API operation. Inline policies are policies that exist only on an IAM identity (user, group, or role). Managed policies are separate IAM resources that you can attach to multiple identities. For more information, see Managed Policies and Inline Policies.

• Use Access Levels to Review IAM Permissions When you review a policy, you can view the policy summary that includes a summary of the access level for each service within that policy. AWS categorizes each service action into one of five access levels based on what each action does: List, Read, Write, Permissions management, or Tagging. You can use these access levels to determine which actions to include in your policies.

• Configure a Strong Password Policy for Your Users If you allow users to change their own passwords, require that they create strong passwords and that they rotate their passwords periodically. On the Account Settings page of the IAM console, you can create a password policy for your account. You can use the password policy to define password requirements, such as minimum length, whether it requires non-alphabetic characters, how frequently it must be rotated, and so on. For more information, see Setting an Account Password Policy for IAM Users.

• Enable MFA For extra security, we recommend that you require multi-factor authentication (MFA) for all users in your account.

• Use Roles for Applications That Run on Amazon EC2 Instances Applications that run on an Amazon EC2 instance need credentials in order to access other AWS services. To provide credentials to the application in a secure way, use IAM roles. A role is an entity that has its own set of permissions, but that isn’t a user or group.

• Use Roles to Delegate Permissions Don’t share security credentials between accounts to allow users from another AWS account to access resources in your AWS account. Instead, use IAM roles. You can define a role that specifies what permissions the IAM users in the other account are allowed. You can also designate which AWS accounts have the IAM users that are allowed to assume the role.

• Do Not Share Access Keys Access keys provide programmatic access to AWS. Do not embed access keys within unencrypted code or share these security credentials between users in your AWS account. For applications that need access to AWS, configure the program to retrieve temporary security credentials using an IAM role. To allow your users individual programmatic access, create an IAM user with personal access keys.

• Rotate Credentials Regularly Change your own passwords and access keys regularly, and make sure that all IAM users in your account do as well.

• Remove Unnecessary Credentials Remove IAM user credentials (passwords and access keys) that are not needed.

• Use Policy Conditions for Extra Security To the extent that it’s practical, define the conditions under which your IAM policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also specify that a request is allowed only within a specified date range or time range. You can also set conditions that require the use of SSL or MFA (multi-factor authentication). For example, you can require that a user has authenticated with an MFA device in order to be allowed to terminate an Amazon EC2 instance. For more information, see IAM JSON Policy Elements: Condition in the IAM Policy Elements Reference.

• Monitor Activity in Your AWS Account You can use logging features in AWS to determine the actions users have taken in your account and the resources that were used. The log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.

• Video Presentation About IAM Best Practices

References

• AWS Identity And Access Management