Identity and Access Management, also known as IAM, is a term you will encounter constantly across AWS, so it is important to understand how it works. IAM, as the name suggests, is the permission framework that controls access to AWS services: it defines who (or what) in an AWS account may perform which actions on which resources. IAM lets you grant broad or narrow permissions to individual users or to groups of users. A broad permission might cover every action in an entire service, such as all of DynamoDB; a narrow one might cover read and write access to a single S3 bucket. IAM itself does not monitor activity; AWS CloudTrail records the API calls that IAM principals make, so you can audit who accessed which resource and when, and then tighten permissions accordingly. For large organizations, IAM also integrates with existing identity management systems through federation (SAML 2.0 or OpenID Connect identity providers), so staff sign in with their existing corporate credentials instead of separate IAM user accounts.
How does AWS Identity and Access Management function?
To understand how AWS IAM works, it is important to be familiar with these four concepts.
Users: An IAM user represents a single person or application that interacts with AWS. Each user can be given a password for signing in to the AWS Management Console, and you control exactly which permissions that user has. For programmatic access from the CLI or the SDKs, a user is instead issued an access key ID and a secret access key. These are long-term credentials, so they should be rotated regularly and never committed to source code.
Groups: A group is a collection of IAM users who need the same permissions, for example all developers or all auditors. Policies are attached to the group and every member inherits them, so permissions are managed in one place instead of user by user. A group is not a principal: it cannot sign in, it cannot be named as a Principal in a resource policy, and groups cannot be nested inside other groups.
Roles: A role is an IAM identity with permission policies attached, much like a user, but it has no long-term credentials of its own. Instead, a trusted principal assumes the role (through AWS STS) and receives temporary credentials that carry the role's permissions. This is how an EC2 instance gets access to AWS: you attach a role to the instance through an instance profile, and the applications on it obtain short-lived credentials from the instance metadata service, with no login ID, password, or access keys stored on the machine. Roles are also how one AWS service acts on your behalf when calling another (for example, a Lambda function writing to S3), and how identities in one AWS account are granted access to resources in another account.
Policies: Finally, a policy is a JSON document that defines permissions, and it takes effect when it is attached to an identity (a user, group, or role) or to a resource (such as an S3 bucket). When an IAM principal makes a request, AWS evaluates every policy that applies to that request. Each statement in a policy has an Effect of either Allow or Deny, together with the actions, resources, and optional conditions it covers. The evaluation rules decide whether the request is granted: requests are denied by default; an explicit Deny in any applicable statement overrides every Allow; and the request is granted only if no Deny matches and at least one Allow does.
AWS IAM Best Practices
These are the best practices to follow when using IAM for Cloud Infrastructure Security:
Use the least privilege model: Grant each user (and each role) only the permissions needed to complete the job at hand, and nothing more. Over-broad permissions widen the blast radius of a stolen credential and make accidents possible, such as someone deleting a production database table they never needed to touch. Start from narrow permissions and widen them only when a concrete need arises, and use CloudTrail and the IAM last-accessed information to find and remove permissions that are never used.
Multi-factor authentication (MFA) for privileged users: Strong passwords are essential to protect enterprise data and networks, but they are not sufficient; stolen or reused credentials are one of the most common ways accounts are compromised, which is why security experts recommend a second factor. AWS recommends MFA for the root user and for every privileged IAM user, including anyone with access to the API or to sensitive administrative tools. IAM supports virtual authenticator apps (TOTP), FIDO security keys, and hardware TOTP tokens as the second factor; SMS is not among the supported IAM MFA device types. Access keys themselves cannot carry an MFA factor, so to require MFA for API calls, have users obtain temporary credentials (via STS with an MFA code) and write policies that deny sensitive actions when the aws:MultiFactorAuthPresent condition key is false.
Be cautious when changing policies: It is easy to edit a policy without really thinking it through, only to find out that one of your applications was relying on it and has suddenly lost access to a resource. Before changing a policy, check which identities it is attached to, test the change with the IAM policy simulator, and prefer customer managed policies, which keep earlier versions so you can roll back. Be especially careful when changing the IAM configuration during development, when applications are still being wired up.
Policy conditions provide additional protection: A Condition element in a policy statement makes that statement apply only when the request context matches, so the same Allow or Deny can be narrowed by who is calling, from where, and how. Conditions are written as JSON inside the policy document: a condition operator (such as StringEquals, Bool, or IpAddress), a condition key (such as aws:SourceIp, aws:MultiFactorAuthPresent, or aws:PrincipalOrgID), and the value or values to compare against. Every operator in a statement's Condition block must be satisfied for the statement to apply.
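To make the policy evaluation rules concrete, here is a small Python re-implementation of them, added as an example for this article; it is not AWS code and not the real evaluation engine (which also handles resource policies, permissions boundaries, session policies, and many more condition operators). It ties together the points made under Policies, under MFA, and under policy conditions: deny by default, an explicit Deny overriding every Allow, wildcard matching of actions and resources, and Condition blocks using the Bool, BoolIfExists, StringEquals, IpAddress, and NotIpAddress operators. The policies, the account ID 123456789012, the bucket and table names, and the IP ranges are constructed for the example.

```python
"""Toy re-implementation of the core IAM policy evaluation rules.

Constructed example: the policies, ARNs, account ID and IP ranges below are
made up for illustration; this is not AWS's evaluation engine.
"""
import fnmatch
import ipaddress


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """Glob-style match with IAM's '*' and '?' wildcards.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """All operators and keys must hold (AND); listed values are OR-ed.
    A plain operator fails when the key is missing from the request context;
    the ...IfExists variants treat a missing key as satisfied. That is why
    MFA-enforcing Deny statements use BoolIfExists: calls made with long-term
    access keys carry no aws:MultiFactorAuthPresent key at all."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base_op = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            actual = str(context[key])
            expected = [str(e) for e in _as_list(expected)]
            if base_op == "StringEquals":
                ok = actual in expected
            elif base_op == "Bool":
                ok = actual.lower() in [e.lower() for e in expected]
            elif base_op in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(actual)
                in_range = any(addr in ipaddress.ip_network(c) for c in expected)
                ok = in_range if base_op == "IpAddress" else not in_range
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return "Allow" or "Deny" for one request against identity policies.
    Deny by default; an explicit Deny in any matching statement wins;
    otherwise allowed only if some Allow statement matches."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action"), action, fold_case=True):
                continue
            if not _matches(stmt.get("Resource"), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed sample data (placeholder account ID and documentation IP ranges).
PROD_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/prod-orders"
DEV_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/dev-orders"
APP_OBJECT = "arn:aws:s3:::example-app-data/report.csv"

DEVELOPER_POLICIES = [
    # Broad permission: every DynamoDB action on every table.
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]},
    # Specific permission: read and write objects in one bucket only.
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow",
                    "Action": ["s3:GetObject", "s3:PutObject"],
                    "Resource": "arn:aws:s3:::example-app-data/*"}]},
    # Guardrails: never drop a production table, and require MFA unless the
    # call comes from the (made-up) office range 203.0.113.0/24.
    {"Version": "2012-10-17",
     "Statement": [
         {"Effect": "Deny", "Action": "dynamodb:DeleteTable",
          "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/prod-*"},
         {"Effect": "Deny", "Action": "*", "Resource": "*",
          "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
                        "NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]},
]

OFFICE_MFA = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "true"}
REMOTE_MFA = {"aws:SourceIp": "198.51.100.9", "aws:MultiFactorAuthPresent": "true"}
REMOTE_KEYS = {"aws:SourceIp": "198.51.100.9"}  # long-term keys: no MFA key at all

if __name__ == "__main__":
    for action, resource, ctx in [
        ("dynamodb:PutItem", PROD_TABLE, OFFICE_MFA),      # Allow (broad grant)
        ("dynamodb:DeleteTable", PROD_TABLE, OFFICE_MFA),  # Deny  (explicit Deny wins)
        ("dynamodb:DeleteTable", DEV_TABLE, OFFICE_MFA),   # Allow (guardrail scoped to prod-*)
        ("s3:GetObject", APP_OBJECT, REMOTE_MFA),          # Allow (MFA present)
        ("s3:GetObject", APP_OBJECT, REMOTE_KEYS),         # Deny  (no MFA, off-site)
        ("s3:DeleteObject", APP_OBJECT, OFFICE_MFA),       # Deny  (nothing allows it)
    ]:
        print(f"{action:22} {resource.rsplit('/', 1)[-1]:12} -> "
              f"{evaluate(DEVELOPER_POLICIES, action, resource, ctx)}")
```

The last two cases are the ones worth internalizing: s3:DeleteObject is denied without any Deny statement at all, simply because no Allow covers it, and the off-site call with plain access keys is denied because BoolIfExists treats the absent aws:MultiFactorAuthPresent key as "false". If that Deny used plain Bool instead, a request with no MFA key would never match it, and long-term keys would bypass the MFA requirement entirely.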