AWS Tools for PowerShell 6

AWS Identity and Access Management

AWS Identity and Access Management (IAM) allows you to manage AWS users, groups, roles, and access to various application services. IAM grants access and access permissions to AWS resources, such as EC2, RDS, DynamoDB, S3, and so on. It is a global service spanning all AWS regions, which means that a user created in IAM applies to every AWS region. Here are some common uses of IAM:

  • Users to access accounts or specific services
  • IAM roles to allow other resources to assume some permissions
  • Groups to tie users
  • Policies for more fine grained access
  • Creating API keys for programmable access to AWS resources
  • Defining a password policy
  • Managing MFA requirements per user basis

When you create a user in IAM, it has no permission on any AWS resource or service. This is the implicit deny that applies to all new users: anything not explicitly allowed is denied. In order to allow them to access certain resources, you have to assign them permissions or add them to an IAM group that has them. When you sign up on the AWS website for the first time using your email ID and credit card, you get an account. That account is the root account. Remember this: the root account is a very powerful account and does not need any permissions. You can do everything with your AWS resources using the root account. For all other users, you have to assign permissions in order to grant them access to specific AWS services or resources.

As a best practice, you should not be using the root account to perform day-to-day operations. The root account should be locked down, and you should use other IAM users to perform day-to-day work. This way, if an IAM user is compromised, you can delete the IAM user and the associated access keys. But, if your root account is compromised, nothing can be done. If your root account is compromised, the only option is to go on a long vacation. So be careful. It is also a best practice to follow the Principle of Least Privilege when you administer AWS accounts, users, groups, and roles. When an AWS root account is created, it is a best practice to complete the following tasks:

  • Delete your root access keys
  • Activate MFA on your root account
  • Create individual IAM users
  • Create user groups to assign permissions
  • Apply an IAM password policy

As soon as you log in using your root credentials on https://aws.amazon.com/, navigate to the IAM service by clicking on All Services | Security, Identity & Compliance | IAM, and perform the tasks mentioned in the list.
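The same checklist can be verified from PowerShell rather than by clicking through the console. The following is an added example, not code from the book, using the AWS Tools for PowerShell IAM cmdlets; it assumes a configured credential profile (here named `default`) whose IAM user is allowed to read the account summary and update the password policy. The function names `Test-RootAccountHardening` and `Set-BaselinePasswordPolicy` are my own.

```powershell
# Added example (not from the book): audit the root-account hardening checklist
# with AWS Tools for PowerShell, then apply a password policy if none exists.
# Assumes a credential profile with IAM read permission (and write permission
# for the password policy step).

function Test-RootAccountHardening {
    [CmdletBinding()]
    param([string]$ProfileName = 'default')

    # Get-IAMAccountSummary returns a dictionary of account-wide counters and
    # flags; the two Account* entries describe the root account itself.
    $summary = Get-IAMAccountSummary -ProfileName $ProfileName

    $findings = [ordered]@{
        RootAccessKeysDeleted = ($summary['AccountAccessKeysPresent'] -eq 0)
        RootMfaEnabled        = ($summary['AccountMFAEnabled'] -eq 1)
        HasIamUsers           = ($summary['Users'] -gt 0)
        HasIamGroups          = ($summary['Groups'] -gt 0)
    }

    # Get-IAMAccountPasswordPolicy throws a NoSuchEntity error when the
    # account still has the default (no) password policy.
    try {
        $null = Get-IAMAccountPasswordPolicy -ProfileName $ProfileName
        $findings.PasswordPolicySet = $true
    } catch {
        $findings.PasswordPolicySet = $false
    }

    [pscustomobject]$findings
}

function Set-BaselinePasswordPolicy {
    param([string]$ProfileName = 'default')
    # Complexity, age and reuse settings are constructed baseline values;
    # adjust them to your own organisation's policy.
    Update-IAMAccountPasswordPolicy -ProfileName $ProfileName `
        -MinimumPasswordLength 14 -RequireUppercaseCharacter $true `
        -RequireLowercaseCharacter $true -RequireNumber $true `
        -RequireSymbol $true -MaxPasswordAge 90 `
        -PasswordReusePrevention 24 -AllowUsersToChangePassword $true
}

# Usage: report the checklist state, then fix the one item that can be
# automated safely (MFA and key deletion must be done as root in the console).
$state = Test-RootAccountHardening
$state | Format-List
if (-not $state.PasswordPolicySet) { Set-BaselinePasswordPolicy }
```

Root access keys and root MFA cannot be changed through an IAM user's credentials, so the audit only reports them; those two items are still completed while signed in as root.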

In this chapter, we will learn about the AWS shared responsibility model, setting up AWS Tools in PowerShell to access the AWS Cloud, managing AWS credentials, credential search order, creating IAM users, creating IAM groups, creating roles, accessing the AWS console, and defining IAM policies. In addition, we will touch upon one use case relating to access key rotation.