Introduction

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely.

Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

Identity and Access Management Terms

IAM Resources

The user, group, role, policy, and identity provider objects that are stored in IAM. As with other AWS services, you can add, edit, and remove resources from IAM.

IAM Identities

The IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.

IAM Entities

The IAM resource objects that AWS uses for authentication. These include users and roles. Roles can be assumed by IAM users and roles in your or another account. They can also be assumed by users federated through a web identity or SAML.

IAM Principals

A person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.

Request

When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS. The request includes the following information:

  • Actions or operations – The actions or operations that the principal wants to perform. This can be an action in the AWS Management Console, or an operation in the AWS CLI or AWS API.
  • Resources – The AWS resource object upon which the actions or operations are performed.
  • Principal – The person or application that used an entity (user or role) to send the request. Information about the principal includes the policies that are associated with the entity that the principal used to sign in.
  • Environment data – Information about the IP address, user agent, SSL enabled status, or the time of day.
  • Resource data – Data related to the resource that is being requested. This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.

AWS gathers the request information into a request context, which is used to authenticate and authorize the request.

Authentication & Authorization

On AWS, authentication and authorization are primarily handled by Identity and Access Management (IAM).

A principal must be authenticated (signed in to AWS) using their credentials to send a request to AWS.

During authorization, AWS uses values from the request context to check for policies that apply to the request. It then uses the policies to determine whether to allow or deny the request.

Actions & AWS Resources

After your request has been authenticated and authorized, AWS approves the actions in your request.

After AWS approves the actions in your request, they can be performed on the related resources within your account.

Summary

It's a best practice to lock down the IAM root user that is enabled on a new AWS account by default. One should not use the default user for day-to-day account operations.

Instead, individual users should be given the precise permissions needed to perform their jobs. Using strong passwords, multi-factor authentication, encryption certificates and access keys for resource is strongly recommended for protecting user accounts.

Once a user has been authenticated, authorization to access a defined set of AWS resources can be provided using IAM policies.

When users have overlapping access needs, the best practice is to group them by creating IAM groups which makes managing and updating their permissions a lot easier.

Temporary IAM roles can also be assigned to users to give them the access they need, when they need it.

Audit of access keys should be regularly performed to ensure that unused keys are deleted and active keys are rotated at set intervals.

Identities (including users, groups, and roles) can be authenticated using a number of AWS services, including Cognito, Managed Microsoft AD, and single sign-on.

Authentication secrets are managed by services such as AWS Key Management Service (KMS), AWS Secrets Manager, and AWS CloudHSM.

For more details, you can always refer the AWS documentation.

Hope, this post introduced you to the basics of securing your AWS resources using AWS IAM.

In, later posts, we will cover some more topics related to AWS security.

Subscribe here to stay informed!