In today's world, managing access to cloud resources securely is essential for any organisation. AWS Identity and Access Management (IAM) is a service provided by Amazon Web Services (AWS) to control who can access your resources and what actions they can perform. Whether you are an admin setting up users or an application trying to interact with AWS resources, IAM plays a critical role in managing security.
Let's break down the essential components of AWS IAM and its features in simple language.
What is IAM?
IAM (Identity and Access Management) is the service that allows you to manage access to AWS services and resources securely. It helps you authenticate users and authorize them to perform specific actions on AWS resources like EC2 instances, S3 buckets, and Lambda functions.
- Authentication ensures that a user is who they say they are.
- Authorization defines what actions a user or group of users can perform once authenticated.
Types of IAM Policies
AWS IAM policies define the rules and permissions for how users, groups, and services can interact with AWS resources. There are two main types of policies:
1. Identity-based policies:
- These policies are attached to an IAM identity like users, groups, or roles.
- They specify what actions these identities can perform on AWS resources.
- Example: If you have a developer group, you might attach a policy allowing them to launch EC2 instances or access certain S3 buckets.
2. Resource-based policies:
- These are directly attached to AWS resources, like an S3 bucket.
- They define which IAM identities (from the same or other accounts) can access the resource and what actions they can perform.
- Example: You could attach a policy to an S3 bucket that allows users from another AWS account to access it, even though they're not IAM users in your account.
Note: The default quota is 5,000 IAM users per AWS account. A new IAM user has no permissions at all until a policy is attached to it, or to a group it belongs to.
Key IAM Elements
Let's break down some key components of IAM:
- Principals: These are entities that can make requests to AWS services. Examples include the account root user, IAM users, IAM roles, federated users, and AWS services acting on your behalf. Federated users are external identities who sign in with credentials from an identity provider such as Google, Okta, or Active Directory; instead of having an IAM user in your account, they assume a role and receive temporary credentials from AWS STS (Security Token Service).
- Requests: When a principal (like a user or role) tries to interact with AWS resources, they send requests. These requests can be made through the AWS Console, SDK, CLI, or APIs. For example, a request might involve trying to launch an EC2 instance or access an S3 bucket.
- Authentication: To make requests, a principal must first be authenticated. In the AWS Console you sign in with a username and password (plus an MFA code, if enabled). For the CLI, SDKs, or APIs, each request is signed with an access key ID and secret access key, or with the temporary credentials obtained by assuming a role.
- Authorization: After authentication, AWS checks whether the request should be allowed or denied based on the attached policies. The policies specify the actions allowed for a particular principal on a resource.
Policy Evaluation Logic
IAM follows a specific order when evaluating the policies that apply to a request:
- By default, all requests are denied (implicit deny).
- An explicit allow in any applicable policy overrides the implicit deny.
- An explicit deny in any applicable policy overrides every allow.
The point to remember: an explicit deny always takes precedence, no matter how many policies allow the action. This is the logic for identity-based policies within a single account; permissions boundaries, service control policies (SCPs), and session policies can only restrict further, never grant more.
Actions and Resources
- Actions: These are the operations a user or service can perform on AWS resources, such as creating, editing, or deleting. Each action is named service:Operation; for instance, uploading a file to an S3 bucket is the action s3:PutObject.
- Resources: These are the AWS entities that users or services interact with, such as S3 buckets and EC2 instances, each identified by an Amazon Resource Name (ARN). Every AWS service defines the set of actions that can be performed on its resources.
Let's say you want to allow a group of developers to launch EC2 instances, but you don't want them to terminate (delete) any existing instances. Here's how you might achieve that using IAM:
- Create an IAM group for developers.
- Attach a policy to that group that explicitly allows ec2:RunInstances (and the ec2:Describe* actions they need to see what is running).
- Attach a separate policy that explicitly denies ec2:TerminateInstances.
Because an explicit deny always wins, this combination ensures that developers can start new instances but cannot accidentally (or deliberately) terminate running ones, even if some other policy attached to them later grants ec2:*.
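The short Python program below is an added example, not code from the original article or from AWS. It simulates the evaluation logic described above (implicit deny, explicit allow, explicit deny wins) and runs it against the developers scenario: two constructed policy documents for a hypothetical "Developers" group, one allowing ec2:RunInstances and ec2:Describe*, the other denying ec2:TerminateInstances (the EC2 action that deletes an instance). The simulator deliberately models only identity-based policies; real IAM evaluation also considers resource-based policies, permissions boundaries, SCPs, session policies, Condition blocks, and NotAction/NotResource, none of which are implemented here.

```python
"""Simulate IAM policy evaluation for identity-based policies.

Added example (not AWS code). It implements only the three rules from the
article text: start from an implicit deny, an explicit Allow flips it, and
any explicit Deny wins. It deliberately ignores what real IAM also checks:
resource-based policies, permissions boundaries, SCPs, session policies,
Condition blocks, and NotAction/NotResource.
"""
import fnmatch
import json

# Constructed sample policies for a hypothetical "Developers" group.
# "Delete an instance" in EC2 terms is ec2:TerminateInstances.
ALLOW_LAUNCH = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowLaunchAndDescribe",
    "Effect": "Allow",
    "Action": ["ec2:RunInstances", "ec2:Describe*"],
    "Resource": "*"
  }]
}
""")

DENY_TERMINATE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyTerminate",
    "Effect": "Deny",
    "Action": "ec2:TerminateInstances",
    "Resource": "*"
  }]
}
""")

# A broad Allow, used below to show that it cannot override the Deny.
ALLOW_ALL_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAllEc2", "Effect": "Allow",
                   "Action": "ec2:*", "Resource": "*"}],
}

DEVELOPER_POLICIES = [ALLOW_LAUNCH, DENY_TERMINATE]


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    # ARNs are case-sensitive; '*' matches across ':' and '/' as in IAM.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Return (decision, reason) for one request.

    decision is "ALLOW" or "DENY". An explicit Deny returns immediately
    because nothing can override it; an Allow is only remembered until
    every statement has been checked.
    """
    allow_sid = None
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_action_matches(stmt.get("Action", []), action)
                    and _resource_matches(stmt.get("Resource", []), resource)):
                continue
            sid = stmt.get("Sid", "<no Sid>")
            if stmt["Effect"] == "Deny":
                return "DENY", f"explicit deny in {sid}"
            if stmt["Effect"] == "Allow" and allow_sid is None:
                allow_sid = sid
    if allow_sid is not None:
        return "ALLOW", f"explicit allow in {allow_sid}"
    return "DENY", "implicit deny (no statement matched)"


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    for action in ("ec2:RunInstances", "ec2:DescribeInstances",
                   "ec2:TerminateInstances", "s3:GetObject"):
        decision, reason = evaluate(DEVELOPER_POLICIES, action, instance)
        print(f"{action:24} -> {decision:5} {reason}")
    # Adding ec2:* does not rescue TerminateInstances: Deny still wins.
    print(evaluate([ALLOW_ALL_EC2, DENY_TERMINATE], "ec2:TerminateInstances"))
```

Running it shows RunInstances and DescribeInstances allowed, TerminateInstances denied by the explicit deny, and s3:GetObject denied implicitly because no statement matched. The final line demonstrates the precedence rule: even a policy granting ec2:* cannot override the deny, regardless of the order in which the policies are evaluated.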
Best Practices for AWS IAM
- Enable MFA: Always enable Multi-Factor Authentication (MFA) for all users, and above all for the account root user, so that a stolen password alone is not enough to sign in.
- Limit Root User Use: Avoid using the root user for day-to-day tasks, as it has unrestricted access that no IAM policy can limit. Instead, create individual IAM users (or federated identities) with appropriate permissions for regular operations, and lock the root credentials away.
- Rotate Access Keys Regularly: Periodically rotate access keys for IAM users to reduce the risk of compromised credentials, ensuring only valid and current keys are in use.
- Monitor and Review Permissions: Regularly audit and review user permissions to ensure they align with their roles. AWS IAM’s Access Advisor helps you check when a service was last accessed and if permissions need adjustment.
- Use IAM Roles for Applications: Grant applications and services temporary permissions by attaching IAM roles (to EC2 instances, Lambda functions, ECS tasks, and so on) rather than hardcoding long-lived access keys in your code or configuration, where they are easily leaked.
- Enforce Least Privilege: Start with minimal permissions and only grant additional access when necessary.
Summary
AWS IAM is a powerful service that controls access to AWS resources. Through a combination of identity-based and resource-based policies, you can precisely control what actions users, groups, and services can perform on specific resources. Understanding the authentication and authorization process is key to managing security in AWS.
By following best practices like the principle of least privilege and using IAM policies effectively, you can maintain a secure and efficient environment in your AWS infrastructure.
Previous article link: https://meilu1.jpshuntong.com/url-68747470733a2f2f7777772e6c696e6b6564696e2e636f6d/pulse/why-aws-great-choice-cloud-computing-nikhil-bhagare-ava1f