Security in the cloud remains one of the main barriers to cloud adoption. For security operations and development teams to follow security best practices ensuring a smooth transition. AWS IAM (Identity and Access Management) is one of the most widely used security platforms for data protection. It follows an incredibly granular approach in providing permissions and access control within your environments.
In this article, let’s take a closer look at AWS IAM, its features, and learn how it works.
Let’s begin by understanding what AWS IAM is.
What is AWS IAM?
AWS Identity and Access Management (IAM) is a web service that helps you access AWS services and resources securely. IAM is the heart of AWS security because it enables you to control access by creating AWS users and groups, assigning special permissions and policies to particular users, setting up multi-factor authentication for additional security, and much more.
IAM’s primary functionality in AWS is access and permissions. It provides two essential functions to establish basic security for enterprise resources – authentication and authorization.
Why IAM?
The primary purpose of IAM is to assist IT, administrators in handing AWS user identities and their different levels of access to the resources. For instance, we can create AWS users, assign individual security credentials, and grant permissions to access AWS at any time. By doing so, Organizations obtain control on who has the authorization to access their AWS resources, which resources are accessible, and the authorized users can perform the actions within the provided resources.
AWS IAM – Key Features
Let’s look at some of the critical features of IAM that make IAM so powerful and versatile:
- Shared access to your AWS account – You can grant other people permission to administer and use resources in your AWS account without sharing access keys or passwords.
- Granular permissions – Using IAM, you can grant different permissions to different people for additional resources.
- Multi-factor Authentication – For extra security, you can add two-factor authentication to your account and individual users. Through multi-factor authentication, you or your users must provide passwords or access keys to work with your account and a code from a specially configured device.
- Identity federation – You can allow users who already have passwords elsewhere. For example, suppose the user is already authenticated, such as through a Google account or Facebook account. In that case, IAM can trust that authentication method and then allow access based on it.
- PCI DSS Compliance – IAM complies with Payment Card Industry (PCI) Data Security Standard (DSS).
- Eventually Consistent – Like many other AWS services, IAM is eventually consistent.
- Free to use – There is no additional charge for IAM security.
- Secure access to AWS resources for applications that run on Amazon EC2 – IAM features are used for providing credentials securely for applications that run on Amazon EC2 Instances
- Password Policy – The IAM password policy allows you to reset or rotate passwords remotely.
How does IAM work?
IAM provides the infrastructure necessary to control authentications and authorization. The IAM infrastructure includes principal, request, authentication, authorization, actions or operations, and resources.
Let’s explore one by one.
- A principal is an entity that performs actions on AWS resources.
- Authentication: It confirms the identity of the principal trying to access the AWS product. The principal must provide the required credentials for authentication.
- Request: A principal sends a request to AWS specifying the action and which resource should perform it.
- Authorization: All resources are denied by default. IAM authorizes a request only if a matching policy follows all parts of the request. After requesting authentication and authorization, AWS approves the action.
- Actions: After the request has been authenticated and authorized, the actions or operations in the request are approved by AWS. Actions are used to create, view, or delete a resource.
- Resources: After the actions in your request are approved by AWS, they are performed on the resource related to your AWS account.
The below figure depicts the working of IAM.
The standard IAM process breaks down into four distinct phases:
1. Make a request
The IAM process starts with an application or a person called Principal. Every principal has AWS account credentials and must be signed in to make the requests. A principal then makes a request involving a resource.
2. Sending details to AWS
Every request includes details such as actions, involved resources, principal policies, data about resources, and more. These details are used to evaluate and authorize the request.
3. Authorizing the request
AWS checks the principal’s authentication and compares associate policies against the related request. In this phase, IAM assesses whether the application or user can perform the requested resource’s requested action. If the principal has the authorization, the request is processed. If not, the request is denied.
4. Processing the request
This involves performing a wanted action on an intended resource, like getting data from a storage instance.
How to access IAM?
You can access AWS Identity and Access Management (IAM) in any of the following ways:
- AWS Command Line Tools: To issue commands at your system’s command line and perform AWS and IAM tasks, you can use AWS Command-line tools.
- AWS Management Console: The console is a browser-based interface to manage AWS and IAM resources. Sign in to the AWS Management Console as an IAM User or root user to know more information about accessing IAM through the console.
- AWS SDKs: AWS provides SDKs consisting of libraries and sample codes for various programming languages and platforms. SDKs provide a convenient way to programmatic access to IAM and AWS.
- IAM HTTPS API: You can access AWS and IAM programmatically using the IAM HTTPS API, which allows you to issue HTTPS requests instantly to the service.
Creating IAM Roles:
1. Creating IAM roles for the service
Open the navigation window of the window, press “Roles,” and after that, press “Creator Role”. When we click “Creator Role”, the following screen appears:
- Select the service that we want to utilize with the role.
- Choose the policy which connects permissions to service.
- Type the role name in the role name box, and after that press “Create role”.
2. Creating IAM roles for the service through Command Line Interface(CLI)
For creating the role for the AWS service through Command Line Interface, we use the below commands:
aws iam create-role aws iam put-role-policy
If we are utilizing a role with an instance like the Amazon EC2 instance, we must create an instance profile for storing a role. An instance profile is a role container, but an instance role can have one role. If we create a role through the AWS management console, an instance profile is already available.
For creating the instance profile through Command Line Interface, use the below commands:
aws iam create-instance-profile aws iam add-role-to-instance-profile
IAM Best Practices you should know
Before we wrap up, let’s review some of the best practices you’ll find helpful to secure AWS resources.
- Avoid AWS account root user access keys: Never use your AWS account root user access key for programmatic requests. It provides complete access to all the resources for all AWS services, and you cannot reduce permissions associated with it.
- Manage user groups to assign permissions to IAM users: Instead of defining permissions to individual IAM users, it’s better to create user groups related to job functions by defining relevant permissions to each user group.
- Build individual IAM users: Build individual users for anyone who needs access to your AWS account.
- Grant least privilege: Many AWS resources can have their access policy attached directly. Optimally use both sides of the least privilege principle to achieve favorable outcomes.
- Create permissions with AWS managed policies: Use AWS-managed policies to provide your employees with the permissions needed to get started quickly.
- Validate your policies: It’s the best practice to validate the policies that you create. You can perform policy validation for when you start and edit JSON policies.
- Enable MFA: Use multi-factor authentication that adds an extra layer of security to interact with the AWS API.
- Apply strong passwords: Configure the account password policy to apply strong passwords.
Wrapping Up:
As a market-leading cloud provider, AWS introduced numerous measures to improve security, and IAM is the most critical of all of them. With all of its unique potential and capabilities, the learning coverage around IAM needs the gravitas it deserves. Our article aims to help users like yourself get the most out of topics like this powered content.