AWS — (IAM) in a nutshell
Been looking online about IAM (Identity and Access Management) and don’t want to read a lot of jargon? Just want to know what it is, what the features are and the key terminology, so you can get started experimenting quickly?
Well… then read on ;)
What is IAM
IAM stands for Identity and Access Management and lets you manage users and their access levels.
It’s especially useful for having complete control over what users or groups can and can’t do.
It’s global, so you don’t specify a region: when you create a user or group it’s available in all regions.
Key Features
Centralised control (similar to the point above, IAM lets you centralise access levels, specific operations (such as only allowing read access to a database) and services throughout AWS)
Shared access (with IAM, you can share your account with other users or accounts)
Granular permissions (i.e. who can access which services, databases etc.)
Multi-factor authentication (you can use Google Authenticator to secure your IAM users)
Temporary access (this has come in very useful when working with a contractor for a week or two; it lets you provide temporary access for users, devices or even services)
Password policy (lets you define your own password policy, i.e. change the password every 30, 60 or 90 days, force a password reset etc.)
You can find this in your account settings.
Integration (lets you integrate easily with a load of AWS services)
Good terminology to know
Users: one user = one employee/individual.
Groups: a collection of users. Once you put a user in a group they inherit the permissions of that group, i.e. your development group will have different permissions to the administrator group. To set permissions on a group, you attach a policy to it.
Roles: you can create roles and then assign them to AWS resources. For example, you might create a role that specifically grants the ability to modify RDS (Relational Database Service) resources.
Policies: formally called policy documents. They are formatted in JSON (JavaScript Object Notation) and are used to grant permissions to users, groups and roles. Really useful and easy to rotate.
E.g. you can attach a policy to a group and then every user in that group gets that policy. If you attach the policy to a user, then only that user gets it.
Similar to roles, you can attach a policy that allows a user to do various operations on an RDS instance.
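To make the policy-document format concrete, here is an added example (not code from the original post) that lints IAM policy JSON for the over-broad statements you want to catch before attaching anything to a group or role. It contains two constructed policies: a "grant everything" one and a granular RDS one in the spirit of the role described above. The account id, region and instance name in the ARN are placeholders, and the read-only action prefixes (Describe/List/Get) are a labelled heuristic, not an AWS rule.

```python
"""Added example (not from the original post): a small linter for IAM policy
documents that flags the over-broad Allow statements a reviewer would push
back on. Both policies below are constructed for illustration; the account id
123456789012, the region and the db name are placeholders, not real values."""
import json

# Constructed: the kind of "just make it work" policy that grants everything.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed: a granular policy. Read-only describes on any RDS instance,
# but modifications only on one named instance and only when the caller
# signed in with MFA.
SCOPED_RDS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["rds:DescribeDBInstances", "rds:ListTagsForResource"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["rds:ModifyDBInstance", "rds:RebootDBInstance"],
            "Resource": "arn:aws:rds:eu-west-1:123456789012:db:example-db",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
})

# Heuristic (assumption, not an AWS rule): actions with these prefixes are
# treated as read-only and are allowed to use Resource "*".
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json):
    """Return (statement_index, message) pairs for risky Allow statements."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" for a in actions):
            findings.append((i, "Action '*' grants every API call in every service"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard action"))
        # Mutating actions on Resource '*' are the main least-privilege concern.
        mutating = [a for a in actions
                    if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
        if mutating and any(r == "*" for r in resources):
            findings.append((i, "mutating actions allowed on Resource '*'"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped-rds", SCOPED_RDS_POLICY)):
        print(name, policy_findings(doc) or "no findings")
```

Run it as a script and the broad policy produces two findings against statement 0, while the scoped RDS policy is clean. Because the check works on the parsed JSON, you can point `policy_findings` at any policy document you are about to attach to a group.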
Best practices
1. Only use your root account to create the AWS account. Don’t log in with this account.
2. MFA (multi-factor authentication): set this up wherever possible.
3. Always add users to a group and apply policies to that group. This makes management easier, as you just need to update the policy for the group and it applies to all its users. You don’t want to end up in a situation where you’re ‘copy/pasting’ permissions to individual users. If you can avoid it, don’t attach policies directly to users.
4. Password policy: always set a strong password and set a rotation so that the password has to change every 60 days or so.
5. Always set up roles when you want to access various services in AWS.
6. When creating an IAM user, set programmatic access. This provides a set of access keys so the user/individual can perform operations, and it’s easy to revoke those access keys. Bonus info: they can also set up tools such as aws-vault to manage multiple AWS accounts.
7. Use the IAM Credential Report to audit your current setup. It can be found in the IAM sidebar.
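The credential report from point 7 downloads as a CSV, and the audit is mostly checking it against points 1, 2 and 6. Here is an added example (not from the original post) that reads such a report and flags console users without MFA, active root access keys and access keys that haven’t been rotated within 90 days. The report embedded below is constructed for the example with a placeholder account id; the real report has more columns than shown, which `csv.DictReader` simply ignores.

```python
"""Added example (not part of the original post): audit an IAM credential
report CSV for the gaps the best-practice list cares about. SAMPLE_REPORT is
constructed for this example (placeholder account id 123456789012); its
column names follow the real report's header, but the real file has more
columns, which DictReader ignores."""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,true,2020-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T00:00:00+00:00,true,2024-05-20T10:00:00+00:00,2024-04-01T00:00:00+00:00,2024-05-31T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-21T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T00:00:00+00:00,true,no_information,2022-06-01T00:00:00+00:00,2022-09-01T00:00:00+00:00,false,true,2022-06-01T00:00:00+00:00,2024-05-10T00:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-09-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-03-01T00:00:00+00:00,2024-05-22T00:00:00+00:00,false,N/A,N/A
"""

# Fixed "now" so the age checks in this example are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported are not dates."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs in report order; an empty list means no gaps."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Point 2: a console password without MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled but MFA not active"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # Point 1: the root account should not be used day to day, so it
            # should not hold access keys at all.
            if user == "<root_account>":
                findings.append((user, f"root account has an active access key {n}"))
            # Point 6: access keys are easy to revoke, so rotate stale ones.
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append(
                    (user, f"access key {n} not rotated for over {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user}: {finding}")
```

On the constructed report, `alice` is clean, `bob` is flagged twice (no MFA, stale key), `ci-deploy` once (key at 92 days) and the root account twice (it holds a key, and that key is old). To run it against your own report, read the downloaded CSV into a string and pass `datetime.now(timezone.utc)` as `now`.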