DevOps Alchemy
Chapter 2: Identity and Access Management (IAM)

Chapter 2: Identity and Access Management (IAM)

TK sahu's photo
TK sahu
·

8 min read

Table of contents

  • Understanding IAM and its role in security

  • Creating and managing IAM users, groups, and roles

  • Applying permissions and security best practices

    Infographic showing the different components of an IAM solution.

IAM

  • AWS IAM (Identity and Access Management) is a service provided by Amazon Web Services (AWS) that helps you manage access to your AWS resources. It's like a security system for your AWS account.

  • IAM allows you to create and manage users, groups, and roles. Users represent individual people or entities who need access to your AWS resources. Groups are collections of users with similar access requirements, making it easier to manage permissions. Roles are used to grant temporary access to external entities or services.

  • With IAM, you can control and define permissions through policies. Policies are written in JSON format and specify what actions are allowed or denied on specific AWS resources. These policies can be attached to IAM entities (users, groups, or roles) to grant or restrict access to AWS services and resources.

  • IAM follows the principle of least privilege, meaning users and entities are given only the necessary permissions required for their tasks, minimizing potential security risks. IAM also provides features like multi-factor authentication (MFA) for added security and an audit trail to track user activity and changes to permissions.

  • By using AWS IAM, you can effectively manage and secure access to your AWS resources, ensuring that only authorized individuals have appropriate permissions and actions are logged for accountability and compliance purposes.

  • Overall, IAM is an essential component of AWS security, providing granular control over access to your AWS account and resources, reducing the risk of unauthorized access and helping maintain a secure environment.

Components of IAM

  • Users: IAM users represent individual people or entities (such as applications or services) that interact with your AWS resources. Each user has a unique name and security credentials (password or access keys) used for authentication and access control.

  • Groups: IAM groups are collections of users with similar access requirements. Instead of managing permissions for each user individually, you can assign permissions to groups, making it easier to manage access control. Users can be added or removed from groups as needed.

  • Roles: IAM roles are used to grant temporary access to AWS resources. Roles are typically used by applications or services that need to access AWS resources on behalf of users or other services. Roles have associated policies that define the permissions and actions allowed for the role.

  • Policies: IAM policies are JSON documents that define permissions. Policies specify the actions that can be performed on AWS resources and the resources to which the actions apply. Policies can be attached to users, groups, or roles to control access. IAM provides both AWS managed policies (predefined policies maintained by AWS) and customer managed policies (policies created and managed by you).

AWS IAM Users

Overview

IAM users represent individuals or services that need access to AWS resources. Each user has unique credentials.

Key Points

  • Credentials: Users have passwords and access keys.

  • Permissions: Permissions are usually managed via groups.

Practical Examples

AWS CLI

Create a User:

aws iam create-user --user-name Alice

Assign a Policy to a User:

aws iam attach-user-policy --user-name Alice --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

AWS Management Console

Create a User:

i. AWS Management Console.

ii.Open the IAM console at IAM Dashboard.

iii. In the navigation pane, click Users.

iv.Click Add user.

v.Enter a User name, select Access type (e.g., Programmatic access and/or AWS Management Console access).

vi.Click Next: Permissions.

vii.Set permissions as needed and click Next: Tags.

viii.(Optional) Add tags and click Next: Review.

ix.Click Create user.

Assign a Policy to a User:

i.In the IAM console, go to Users.

ii.Select the user you want to modify.

iii.Click the Permissions tab.

iv.Click Add permissions.

v. Choose Attach policies directly.

vi. Search for and select the policy (e.g., AmazonS3ReadOnlyAccess).

vii.Click Next: Review, then Add permissions.

how to create policy ..so before create policy this is the json format

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",          --------------------------------------------in this part you “ deny ya allow “
            "Action": [
                "s3:*",               ------------------------------------------------------“*”star indicate that full access of s3
                "s3-object-lambda:*"
            ],
            "Resource": "*"   ------(here you can give permission to one s3  bucket ya all s3 bucket                        
        }
    ]
}

now check it the user can access or not

now you eligible to create the bucket ..
AWS IAM Groups

Overview

IAM groups allow you to manage permissions for multiple users collectively.

Key Points

  • Permissions: Users in a group inherit the group’s policies.

  • Organization: Group users by roles (e.g., Developers, Admins).

Practical Examples

AWS CLI

Create a Group:

aws iam create-group --group-name Developers

Add User to Group:

aws iam add-user-to-group --user-name Alice --group-name Developers

AWS Management Console

Create a Group:

i. Sign in to the AWS Management Console.

ii. Open the IAM console at IAM Dashboard.

iii.In the navigation pane, click Groups.

iv. Click Create New Group.

v.Enter a Group name and click Next Step.

vi.Attach policies to the group as needed and click Next Step.

vii.Review and click Create Group.

Add User to Group:

i.In the IAM console, go to Groups.

ii.Select the group you want to modify.

iii.Click the Users tab.

iv.Click Add users to group.

v.Select the users to add and click Add users.

Hands on parts

lets create a a group and assign a user

AWS IAM Roles

Overview

IAM roles are used to delegate access with temporary credentials to AWS resources.

Key Points

  • Assume Role: Roles can be assumed by users, services, or accounts.

  • Temporary Credentials: Roles issue temporary security credentials.

Practical Examples

AWS CLI

Create a Role:

aws iam create-role --role-name LambdaExecutionRole --assume-role-policy-document file://trust-policy.json

Attach Policy to Role:

aws iam attach-role-policy --role-name LambdaExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

AWS Management Console

Create a Role:

i. Sign in to the AWS Management Console.

ii.Open the IAM console at IAM Dashboard.

iii.In the navigation pane, click Roles.

iv.Click Create role.

v.Choose the type of trusted entity (e.g., AWS service) and click Next: Permissions.

vi.Select the policies to attach and click Next: Tags.

vii.(Optional) Add tags and click Next: Review.

viii.Enter a Role name and click Create role.

Attach Policy to Role:

i.In the IAM console, go to Roles.

ii. Select the role you want to modify.

iii.Click the Permissions tab.

iv.Click Add permissions.

v.Choose Attach policies directly.

vi.Search for and select the policy (e.g., AWSLambdaBasicExecutionRole).

vii.Click Next: Review, then Add permissions.

AWS IAM Policies

Overview

IAM policies are JSON documents that specify permissions. They determine what actions are allowed or denied for specific resources.

Key Points

  • Managed Policies: AWS or customer-created policies that can be attached to multiple entities.

  • Inline Policies: Policies directly attached to a single user, group, or role.

Practical Examples

AWS CLI

    Create an Inline Policy:
{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::example_bucket"
        }
      ]
}
aws iam put-user-policy --user-name Alice --policy-name ListS3Policy --policy-document file://policy.json

Attach a Managed Policy:aws iam attach-user-policy --user-name Alice --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

AWS Management Console

Create an Inline Policy:

i.Sign in to the AWS Management Console.

ii. Open the IAM console at IAM Dashboard.

iii. In the navigation pane, click Users, then select the user.

iv.Click the Permissions tab and then Add inline policy.

v.Enter the policy JSON or use the visual editor, then click Review policy.

vi. Enter a Policy name and click Create policy.

Attach a Managed Policy:

i.In the IAM console, go to Users, then select the user.

ii.Click the Permissions tab and then Add permissions.

iii. Choose Attach policies directly.

iv.Search for and select the policy (e.g., AmazonS3ReadOnlyAccess).

v. Click Next: Review, then Add permissions.

AWS IAM Best Practices

Overview

Following best practices ensures that your IAM setup is secure, manageable, and scalable.

Key Practices

  1. Use Least Privilege: Grant only the permissions necessary for users to perform their tasks.

  2. Use Groups: Manage permissions via groups rather than assigning policies directly to users.

3.Enable MFA: Use Multi-Factor Authentication (MFA) for an additional layer of security.

4.Regularly Review Permissions: Periodically review and adjust permissions to ensure they align with current needs.

5.Rotate Credentials: Regularly rotate access keys and passwords.

6.Use Roles for AWS Services: Assign roles to AWS services rather than using access keys for better security.

Practical Examples

  • Implementing Least Privilege: Create a policy that grants only the required actions (e.g., read-only access).

  • Configuring MFA:

i.Sign in to the AWS Management Console.

ii.Open the IAM console at IAM Dashboard.

iii.In the navigation pane, click Users, then select the user.

iv. Click the Security credentials tab.

v.In the Multi-Factor Authentication (MFA) section, click Manage.

vi. Follow the instructions to configure MFA.

AWS IAM Troubleshooting

Common Issues and Solutions

Issue 1: Access Denied Errors

  • Problem: Users receive "Access Denied" errors.

  • Solution:

i. Check the user's permissions and ensure they have the correct policies attached.

ii. Review the IAM policy and ensure it grants the required actions.
Issue 2: Policies Not Taking Effect

  • Problem: Policies seem to not apply correctly.

  • Solution:

i. Verify that the policy is correctly attached to the user, group, or role.

ii. Use IAM Policy Simulator to test the policy and identify issues.

Issue 3: Role Assumption Failures

  • Problem: Roles cannot be assumed.

  • Solution:

i.Check the trust policy of the role to ensure it allows the intended entities to assume the role.

ii.Verify the role's permissions and make sure they are correctly configured.

Practical Examples

  • Using IAM Policy Simulator:

i. Sign in to the AWS Management Console.

ii. Open the IAM console at IAM Dashboard.

iii.In the navigation pane, click Policy Simulator.

iv.Enter the policy details and simulate actions to test permissions.

IAM,MFA,Access key ID,Secret access keyIAMAWS IAMAWSaws devops