Computer scienceSystem administration and DevOpsAmazon Web ServicesAccess Management

AWS IAM overview

Provided by: JetBrains Academy
11 minutes read

As you start your migration to the AWS cloud, it's essential to ensure the security and integrity of your AWS environment. Neglecting this could lead to security risks like data breaches. These threats can come from the outside or even from inside the company, where users might accidentally or intentionally misuse their access. It's important for the safety of your cloud workloads and for meeting any regulatory requirements.

Security relies heavily on two key aspects: authentication and authorization. Firstly, you need to confirm that a user is who they claim to be. And secondly, manage the access level of each user. AWS uses a service called AWS Identity and Access Management to handle these cases.

Let's dive in and see how this service works.

What is AWS IAM?

AWS Identity and Access Management (IAM) handles authentication and authorization in your AWS account. It's a global AWS service provided at no cost. It helps you manage who gets to use your cloud resources and what actions they're allowed to perform after they've been granted access. With AWS IAM, you can control access to AWS resources like S3 buckets, RDS databases, and others. Hence, AWS IAM works as a gatekeeper for your AWS environment.

After providing access, it's crucial that you manage permissions. Different users hold different positions in an organization. Users may be part of various departments such as IT, sales, marketing, and more. With IAM, you can utilize role-based access control where each user is given the permissions necessary for their respective job role, following the principle of least privilege.

You'll mainly use the AWS IAM console for performing IAM-related tasks. Using the AWS CLI is possible, but the console is more efficient for these kinds of tasks. The screenshot below is the AWS IAM console dashboard:

AWS IAM console dashboard.

On the dashboard, you can find some security suggestions for your account as well as your IAM resources. There are also links to documentation and other useful information. On the left panel, there are tools to manage users, groups, roles, policies, and identity providers. You can also manage account-wide settings like password policy from the Account settings panel. Additionally, you can use the Access analyzer to monitor permissions.

Feel free to explore the functions of these various tools.

In the next sections, we'll talk about some essential components of AWS IAM.

Policies

Let's begin with IAM policies. A policy is a set of rules that decide the permissions given to an entity. These policies are attached to an IAM user, group, or role. When an IAM user or role initiates a request, AWS assesses the policies attached to it. The permissions in these policies will determine whether the request is approved or not.

Consider this example:

Schematic diagram for AWS services granted different permissions for accessing AWS services.

Here, the AWS Lambda service could be used to generate thumbnails for images and save them in Amazon S3. All that's required is the permission to write to S3. On the other hand, an Amazon EC2 instance hosting a web server is only given the permissions necessary to read the stored thumbnails in the bucket. With IAM policies, it's possible to establish precise access control measures for AWS resources. We'll go over how to create policies and then attach them to users, groups, and roles later.

Additionally, policies can specify the actions allowed in an AWS account or even all accounts in an organization. For example, you can restrict users from starting a certain type of service, set a password policy, or limit access from specific regions. For these purposes, service control policies are used. This improves security and ensures alignment with organization standards and other requirements.

Users, groups, and roles

Now, let's talk about users, groups, and roles. An IAM user might be a human or a programmatic workload in your AWS account. A user has a name and credentials. Typically, the name matches a person's name for human users or a service identifier for programmatic workloads.

Users can access the AWS Management Console using passwords. Another option is for them to use access keys for programmatic requests to AWS via the AWS CLI, SDKs, or APIs. Access keys consist of an access key ID and a secret access key. They are associated with an IAM user. The primary benefit of access keys is that they can be easily generated or revoked as needed.

Explore other ways to authenticate users via Single Sign-On using the AWS IAM Identity Center service.

Schematic diagram showing authentication via AWS IAM.

Now, let's discuss groups as they help us easily manage multiple users. A group is just a collection of users based on their roles, departments, or access requirements. Using groups, we can apply a common set of permissions and policies to all members of a group thus streamlining the process of access control.

logo demonstrating IAM Users, Groups and Policy inheritance

Next up, roles. An IAM role is similar to an IAM user but it doesn't have traditional credentials like passwords or access keys. Roles can be assumed by anyone or anything. Use roles when granting temporary access to AWS resources, especially for AWS services such as EC2 instances or Lambda functions.

Check out a simple schematic diagram showing users and AWS services using different roles to access AWS resources:

Schematic diagram showing users and services with various permissions attached.

We have a role called Account-access. If the admin user assumes it, they get full access to the AWS account. There's also a role named S3-Read that if an EC2 instance assumes it, it is granted permission to retrieve objects stored in an S3 bucket. Later, we'll create roles and assign them to resources.

Applications of IAM

Various entities may need access to cloud services. Let's look at some use cases:

  • Users accessing the AWS account and services;

  • AWS services accessing other services;

  • Software applications using AWS services;

Schematic diagram showing the various places that access might be required.

Here, users can use their user accounts to access the AWS account and services. The AWS Lambda functions need to read and write data to S3 storage. To do this, only read and write permissions are needed. You should not allow the service to create or delete objects. In such a scenario, the function could assume an AWS role that has read and write permissions. Lastly, we have an external web server that reads and writes data to an Amazon RDS database. The application on this server would use access keys or session tokens to access the database.

Therefore, AWS IAM is useful for:

  • User and group management;

  • Access control to AWS services following the principle of least privilege;

  • Fine-grained permissions management for different users, groups, or roles;

  • Managing policies to define what actions are permitted or denied within an organization;

With AWS IAM, you can effectively manage users and permissions. Therefore, duties are performed without unnecessary rights which prevents unauthorized actions.

Best practices

When using AWS IAM, there are several best practices suggested to enhance security and maintain compliance. You can find some of these recommendations on the AWS IAM console dashboard:

AWS IAM console dashboard showing some security recommendations

Let's go over a few of them:

  • Enforce multi-factor authentication for an extra level of security by requiring users to provide at least two aspects for authentication;

  • Adopt the principle of least privilege, making sure that both users and processes only have the permissions necessary for their assigned roles or functions;

  • Avoid using the root user for everyday tasks;

  • Group users with similar access needs for simpler management;

  • Don't assign the root user to a single person in an organization;

  • Remove any access keys for the root user;

  • Use several keys for different needs;

  • Delete inactive and unused access keys;

  • Utilize roles for services;

There are numerous other security recommendations on AWS. You can find all of them in the documentation.

Conclusion

In this topic, you learned about the core concepts of AWS IAM and its essential role in authentication and authorization on AWS. You came across the key components of IAM, which include policies, users, groups, and roles. We looked at how this service offers the necessary tools and flexibility for managing access in various scenarios. This access can be given to human users, AWS services, or other software-based tasks through the CLI and SDKs.

To carry out authentication, you can create users and then organize them logically based on their job roles for simpler management. If you need to give temporary access to AWS services, you can use roles, thus negating the need to manage any credentials. For authorization, you create permissions or policies and attach them to users and roles. This way, you can specify what a user or role can or cannot do. You can create fine-grained permissions based on user role, department, and more. You can also enforce certain standards across your company by using service control policies.

Lastly, you explored some best practices to follow. These involve requiring multi-factor authentication, upholding the principle of least privilege, and managing access keys. Moreover, you should create IAM users for performing routine tasks and keep the root user for sensitive cases. This way, you can significantly strengthen your AWS environment.

Now, let's look at some exercises.

6 learners liked this piece of theory. 0 didn't like it. What about you?
Report a typo