Linn Linn Htun

AWS (IAM)

July 31, 2023


AWS IAM (Identity and Access Management) is the service you use to securely control access to AWS resources. This post covers the core IAM concepts of users, groups, roles, and policies, how to implement the principle of least privilege, and best practices for securing your AWS account with IAM.

IAM

Users & Groups

IAM means Identity and Access Management

  • Root account created by default, shouldn't be used or shared with anyone.
  • Users are people within your organization and can be grouped.
  • Groups only contain users, not other groups
  • Users don't have to belong to a group and users can belong to multiple groups


Permissions

  • Users or groups can be assigned JSON documents called policies
  • These policies define the permissions of the users
  • For example, the following JSON policy can be attached in AWS (it grants read-only Describe/List/Get actions on EC2, Elastic Load Balancing and CloudWatch):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    }
  ]
}


How to create an IAM user?

Find the IAM service > Access management > Users > click Add users (we need to add a user because we are currently signed in with the root account) > enter a username of your choice > check "Provide user access to the ..." > choose "I want to create an IAM user" > choose Custom password > enter a password > uncheck "Users must create a ..." > click Next > choose Add user to group > click Create group > enter a user group name > choose AdministratorAccess > click Create user group > click Next > click Create user > click Email sign-in instructions and download the .csv file > click Return to user list > confirm the user appears in the user group


IAM policies structure

A policy consists of:

  • Version: policy language version, always include "2012-10-17"
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required)

A statement consists of:

  • Sid: an identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow, Deny)
  • Principal: the account/user/role to which this policy applies
  • Action: list of actions this policy allows or denies
  • Condition: conditions for when this policy is in effect (optional)
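Because a policy is plain JSON, you can check its structure before attaching it. The following Python is an added example, not code from the original post: it validates the fields described above (Version "2012-10-17", a non-empty Statement, Effect Allow or Deny) and flags Allow statements that grant more than least privilege (Action "*", a service-wide "service:*" wildcard, or write-capable actions on Resource "*" with no Condition). The embedded sample is a constructed copy of the post's read-only policy; the read-only prefix list is an assumption of this linter, not an IAM rule.

```python
import json

REQUIRED_VERSION = "2012-10-17"
READ_ONLY = ("Describe", "List", "Get")  # assumed prefixes of actions that cannot change state

# Constructed copy of the post's read-only policy, with valid action names.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics"],
     "Resource": "*"}
  ]
}"""

def _as_list(value):
    """Action, Resource and Statement may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_read_only(action):
    """True for actions such as ec2:Describe* or cloudwatch:ListMetrics."""
    return action.split(":")[-1].startswith(READ_ONLY)

def lint_policy(policy_json):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != REQUIRED_VERSION:
        findings.append(f'Version must be "{REQUIRED_VERSION}"')
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append("Statement is required and must not be empty")
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement {index}")
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if effect != "Allow":
            continue  # least-privilege checks only matter for grants
        actions = _as_list(stmt.get("Action", []))
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call")
        findings += [f"{sid}: {a} grants a whole service" for a in actions if a.endswith(":*")]
        if ("*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt
                and not all(_is_read_only(a) for a in actions)):
            findings.append(f"{sid}: write-capable actions on Resource '*' without a Condition")
    return findings
```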

Remove user from group

User groups > click the group name > check the username > click Remove users

Rollback user to group

Users > click the username > choose Attach policies directly > search for IAMReadOnlyAccess > select it and click Next

Add one user to multiple groups

Create two groups > add the user to both groups

How to inspect a policy

Side navigation bar > Policies > choose one of the policies > click Permissions and view it in JSON format

IAM MFA (Multi-factor Authentication)

We should enable MFA on the root account and on IAM user accounts: if a password is ever compromised, an attacker still cannot sign in without the physical device we hold.

MFA device options:

  1. Google Authenticator
  2. Authy
  3. YubiKey by Yubico (3rd party)
  4. Gemalto (3rd party)
  5. SurePassID (3rd party)


How to set up MFA with Authy?

Click the username dropdown > click Security credentials > choose Assign MFA device > enter a device name > select Authenticator app > click Next > click Show QR code > scan the QR code with the Authy app > enter MFA code 1 and code 2 > click Save.

Frequently Asked Questions

What is AWS IAM?

AWS IAM (Identity and Access Management) is a free AWS service that enables you to manage access to AWS services and resources securely by creating and controlling users, groups, roles, and permission policies.

What is the difference between an IAM user and an IAM role?

An IAM user is a permanent identity with long-term credentials (username/password or access keys) associated with a specific person or application, while an IAM role is a temporary identity that can be assumed by AWS services, applications, or users to gain specific permissions.