AWS Identity and Access Management (IAM) is a fully managed web service that enables you to control access to your AWS resources through authentication and authorization.
AWS Identity and Access Management (IAM) Key Features
- Shared access to your AWS account for other users without the need to share your root credentials. You can also set up cross-account access between AWS accounts.
- Granular Permissions, which enable you to grant users different levels of permission for various resources. This follows the principle of least privilege: grant only enough access for other administrators to complete their tasks.
- Secure Access, where you can grant applications that run on EC2 instances access to other AWS resources, like S3 buckets and RDS or DynamoDB databases.
- Identity Federation where you can grant secure access to external users without having to create IAM user accounts for example by integrating with Active Directory or with Facebook and Twitter
- Multi-Factor Authentication (MFA) enables you to prompt users for an additional means of authentication on top of their standard username and password. You can use a hardware MFA device, like an RSA token device, or a virtual MFA device.
- Temporary Access, where you request temporary access for performing specific tasks within your AWS account. For example, services like EC2 can be granted temporary access to S3 buckets for performing specific tasks.
- Temporary credentials are also used with Roles and Identity Federation. They are generated by the AWS Security Token Service (STS) to provide trusted users with temporary access to AWS resources. Once the credentials expire, AWS no longer recognises them or allows any kind of access from API requests made with them. Before the credentials expire, the user can request new credentials, as long as they have permission to do so.
- The default expiration for these temporary credentials is 12 hours; the minimum is 15 minutes, and the maximum is 36 hours.
- Amazon IAM is compliant with PCI DSS.
AWS IAM Password Policies
Similar to a Windows Active Directory Password Policy, you can set up a password policy for your AWS account which allows you to specify complexity requirements, rotation periods and remember ‘n’ number of previous passwords to prevent you from using the same passwords multiple times.
Identities (Users, Groups, and Roles)
IAM Identities enable you to provide authentication methods for your users and services. Identities consist of IAM Users, IAM Groups and IAM Roles. You then create one or more Policies to determine what actions can be taken by a user, a role or a member of a specific group.
- Users are principal identities such as staff members
- Groups are a collection that has a common role
- IAM Roles have policy permissions attached to them to grant or deny access to services and resources. For example, you can create a role that can update a specific S3 bucket and then grant that role to an EC2 instance, so that it can copy files to or retrieve files from the bucket without requiring a username and password to perform the operation.
- IAM roles remove the need to store AWS credentials in configuration files and are therefore more secure.
- API calls use temporary tokens, so you do not need to worry about rotating fixed access keys.
- The temporary security token has a lifetime of 15 mins to 36 hours
Policy Documents
Policies are basically permissions to enable you to perform a specific task on the AWS platform, either interactively or using API actions. Policies are created as JSON scripts and then attached to users, groups or roles to grant or deny them the required level of access. You can also attach policy documents to resources.
Policy documents contain one or more permissions and each permission defines:
- Effect – Allow or Deny
- Service – Identify the service to which you will assign the role – for example, you can set up a role for EC2 instances to access an S3 bucket
- Action – specify the exact action that the permission allows or denies. Note you can list out all the actions in a list or use wildcards
- Condition – Define one or more conditions that limit when the permission applies. For example, you can grant the permission to write files to an S3 bucket, but restrict this action to a particular source IP address
- Resource – specify the Amazon Resource Name (ARN) of the particular AWS infrastructure to which this permission applies. The ARN format is usually: arn:aws:service:region:account-id:[resourcetype:]resource. For example: arn:aws:S3:us-east-1:589658964521:my_cloud_bucket/
- When you specify a resource-based policy and attach the policy to a resource like an S3 bucket, you have to include information about who is allowed to access the resource, known as the principal.
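The following Python is an added example, not code from the page or from AWS. It builds the two documents an EC2 role needs (a trust policy naming the EC2 service as principal, and a permissions policy with Effect, Action, Resource and a source-IP Condition) and then evaluates requests against the permissions policy offline, following IAM's decision rules in the same spirit as the IAM policy simulator. The bucket name and the IP range are constructed placeholders; only the IpAddress condition operator is implemented.

```python
"""Added example (not from the page or AWS): build an EC2 role's trust and
permissions policies and evaluate requests against the permissions policy
offline using IAM's decision rules. Bucket name and IP range are
constructed placeholders."""
import fnmatch
import ipaddress
import json

BUCKET = "example-bucket"          # placeholder bucket name
OFFICE_CIDR = "203.0.113.0/24"     # RFC 5737 documentation range, placeholder


def s3_write_policy(bucket, allowed_cidr):
    """Permissions policy: PutObject into one bucket, only from one source
    IP range, plus an explicit Deny on deleting the bucket itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowWriteFromOffice",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"IpAddress": {"aws:SourceIp": allowed_cidr}},
            },
            {
                "Sid": "DenyBucketDeletion",
                "Effect": "Deny",
                "Action": "s3:DeleteBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


def ec2_trust_policy():
    """Trust policy: lets the EC2 service assume the role through STS, so the
    instance receives temporary credentials instead of stored access keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    # Resource ARNs are case-sensitive; wildcards still apply.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the IpAddress operator (e.g. on aws:SourceIp) is implemented here."""
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"condition operator {operator}")
        for key, cidr in pairs.items():
            value = context.get(key)
            if value is None or ipaddress.ip_address(value) not in ipaddress.ip_network(cidr):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """IAM decision logic: an explicit Deny always wins, an Allow is needed
    for access, and with no matching statement the request is implicitly
    denied, which is the state every new IAM user starts in."""
    context = context or {}
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _action_matches(statement["Action"], action):
            continue
        if not _resource_matches(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = s3_write_policy(BUCKET, OFFICE_CIDR)
    print(json.dumps(policy, indent=2))
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, evaluate(policy, "s3:PutObject",
                           f"arn:aws:s3:::{BUCKET}/report.csv", {"aws:SourceIp": ip}))
```

Running it prints the permissions policy JSON, then "Allow" for a write from inside the office range and "ImplicitDeny" for one from outside it. Note that the explicit Deny statement carries no Condition, so bucket deletion is refused from any address, which is the behaviour to rely on when a resource must never be removed by that role.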
Key Exam Tips:
- Policy Documents are created in JavaScript Object Notation (JSON). A JSON document is a set of key-value pairs, each pairing an attribute with an associated value. Values can be nested.
- The IAM policy simulator is a tool that helps you create, test, and validate the effects of your access control policies.
- IAM does not apply to specific regions or Availability Zones – its effects are universal across your account
- When you create IAM Users, you need to give them a special URL, called the IAM users sign-in link, to use their login credentials. The sign-in link is specifically configured for your AWS account. You can customise the link to create a URL with a more memorable name. Note that IAM user names do not use email addresses as the login ID format.
- Root Account will have complete administrator access to the AWS Account
- New Users by default do not have any access and you have to specifically grant them access
- It is best practice to set up groups, add users to the groups, and then assign permissions to the groups.
- Always use the principle of least privilege when assigning permissions
- New users receive an Access Key ID and Secret Access Key when you first create them. You must download and keep these in a safe place, as they are displayed only once, at the time of user creation. These keys are required if you wish to access services and resources programmatically. You can have only up to two active access keys at any time
- You need to create a password if you want to log in to the console interactively
- It is strongly recommended to enable Multi-Factor Authentication for your root account
- You can enforce strong passwords by requiring minimum length or at least one number and one symbol. You can also enforce automatic password expiration, prevent re-use of old passwords, and require a password reset upon the next AWS sign-in
- You can only associate one IAM role with an EC2 instance at a time
- You generally assign a role to an EC2 instance when you launch it, but a role can also be assigned to an EC2 instance that is already running. Furthermore, you can change the permissions on the IAM role associated with a running instance, and the updated permissions take effect immediately.
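The password-policy controls described in the AWS IAM Password Policies section and repeated in the exam tips (minimum length, required character classes, expiration, and remembering the last n passwords) can be exercised offline. The Python below is an added example, not code from the page or from AWS: the policy dictionary keys mirror the parameter names of IAM's UpdateAccountPasswordPolicy API, while the checker, the sample policy values, and the hashing of the password history are illustrative constructions.

```python
"""Added example (not from the page or AWS): apply an account password policy
offline. The POLICY keys mirror IAM's UpdateAccountPasswordPolicy parameter
names; the values and the checker itself are constructed for illustration."""
import hashlib
import string
from datetime import date, timedelta

# Constructed sample policy: 14+ characters, all four character classes,
# 90-day rotation, and no reuse of the last 5 passwords.
POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
}

# Character classes behind each Require* flag and the message on failure.
CLASS_CHECKS = [
    ("RequireSymbols", set(string.punctuation), "missing symbol"),
    ("RequireNumbers", set(string.digits), "missing number"),
    ("RequireUppercaseCharacters", set(string.ascii_uppercase), "missing uppercase"),
    ("RequireLowercaseCharacters", set(string.ascii_lowercase), "missing lowercase"),
]


def fingerprint(password):
    """Illustrative history entry: an unsalted SHA-256 digest. A real history
    store would use a proper salted password hash; this keeps the example short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, policy, history=()):
    """Return the list of policy violations; an empty list means the candidate
    is acceptable. `history` is the user's previous password fingerprints,
    oldest first; only the last PasswordReusePrevention entries are compared."""
    problems = []
    if len(candidate) < policy["MinimumPasswordLength"]:
        problems.append("too short")
    for key, charset, message in CLASS_CHECKS:
        if policy.get(key) and not any(ch in charset for ch in candidate):
            problems.append(message)
    remembered = policy.get("PasswordReusePrevention", 0)
    if remembered and fingerprint(candidate) in list(history)[-remembered:]:
        problems.append(f"reused one of the last {remembered} passwords")
    return problems


def must_rotate(last_changed, policy, today=None):
    """True once the password is MaxPasswordAge days old or older."""
    today = today or date.today()
    max_age = policy.get("MaxPasswordAge")
    return bool(max_age) and (today - last_changed) >= timedelta(days=max_age)


if __name__ == "__main__":
    history = [fingerprint("Tr0ub4dor&3xample!")]
    for candidate in ("password", "Tr0ub4dor&3xample!", "N3w-Passphrase-Here"):
        print(candidate, "->", check_password(candidate, POLICY, history) or "ok")
    print("rotate:", must_rotate(date(2024, 1, 1), POLICY, today=date(2024, 4, 1)))
```

The check returns every violation at once rather than stopping at the first, which is what a user-facing policy message needs, and rotation is computed from the date of the last change so the same function serves both the "expire after n days" rule and a forced reset at next sign-in.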