
A Beginners Guide to AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization)[1].

Key features

The key IAM features are:

  • Provides centralized control
  • IAM is universal, i.e. it applies across all regions
  • Allows you to provide granular permissions to your services
  • Offers Multi-factor Authentication (MFA)
  • Can provide temporary access to your services
  • You can create and customize your own password policies
  • PCI DSS Compliant
  • New users have no permissions.

Components

IAM comprises users, groups, roles and policies:

Users

A user provides authentication to the AWS Management Console and also when using the AWS API or CLI. A user consists of a name, a password for AWS Management Console login, and access keys for use with the CLI or API.

Groups

Simply put, an IAM group is a collection of IAM users.

Roles

Roles, like users, provide an identity that is associated with a set of permissions (policies) to your AWS services. However, unlike users, roles have neither a password nor access keys. The key benefit of roles is that they provide greater security than using and storing your access/secret keys on the instance (in the case of EC2).

Policies

A policy is a JSON document that explicitly lists permissions[2]. Within a policy, what can be performed, on which resources, and whether it is allowed or denied is defined by the Action, Resource and Effect elements of each statement.
Below is an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::fir3net20",
                "arn:aws:s3:::fir3net20/*"
            ]
        }
    ]
}
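To show how the Effect, Action and Resource elements above combine into an access decision, here is an added example (not code from the article or from AWS) that implements a small evaluator for identity-based policies of this shape. It applies the IAM rules that matter most to a reviewer: every request is denied unless some statement allows it, an explicit Deny always overrides an Allow, action names match case-insensitively, and "*" / "?" act as wildcards in both actions and resources. It also includes a simple audit helper that flags Allow statements granting a whole service ("s3:*") or everything ("*"), which is the usual least-privilege check when reading a policy. The sample policies, the function names and the NotAction/Condition omission are all assumptions of this example.

```python
import fnmatch
import json

# Constructed sample: the policy from the article, embedded inline.
SAMPLE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::fir3net20", "arn:aws:s3:::fir3net20/*"]}
    ]
}
""")

# Constructed sample: same bucket access, but with an explicit Deny on deletes,
# used to show that Deny wins over Allow.
DELETE_GUARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::fir3net20/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::fir3net20/*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style match: '*' matches any run of characters, '?' exactly one.
    fnmatchcase gives exactly that for patterns without '[' (ARNs and action
    names do not use it). Case handling is done by the caller."""
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource):
    """True if the statement names both this action and this resource.
    Only Action/Resource are modelled here; NotAction, NotResource and
    Condition are deliberately out of scope for this example."""
    action_ok = any(_wildcard_match(p.lower(), action.lower())
                    for p in _as_list(stmt.get("Action")))
    resource_ok = any(_wildcard_match(p, resource)
                      for p in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def evaluate(policy, action, resource):
    """Decide one request against one policy.

    Returns "Allow", "Deny" (an explicit Deny matched) or "ImplicitDeny"
    (nothing matched). Explicit Deny short-circuits because it always wins;
    the default outcome when no statement applies is denial.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def find_broad_allows(policy):
    """Return (statement index, action pattern) for every Allow statement whose
    action is '*' or a service-wide wildcard such as 's3:*'. These are the
    statements to justify first when reviewing a policy for least privilege."""
    broad = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            if pattern == "*" or pattern.endswith(":*"):
                broad.append((i, pattern))
    return broad


if __name__ == "__main__":
    bucket_obj = "arn:aws:s3:::fir3net20/report.txt"
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", bucket_obj))          # Allow
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::other/x"))  # ImplicitDeny
    print(evaluate(DELETE_GUARD_POLICY, "s3:DeleteObject", bucket_obj))  # Deny
    print(find_broad_allows(SAMPLE_POLICY))                              # [(1, 's3:*')]
```

Running it shows that the article's policy lets the user read and write anything in the fir3net20 bucket but nothing in any other bucket, and that the audit helper flags the second statement: "s3:*" on one bucket is scoped by resource, but it still grants every S3 action there (including deletes and ACL changes), which is the kind of grant worth narrowing to the actions actually needed.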

Resources

[1] http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

[2] http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Tags: AWS, Cloud, IAM, PCI

About the Author

R Donato

Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Ricky on Twitter @f3lix001