Identity and Access Management



Introduction

IAM stands for Identity and Access Management.  IAM is a framework of policies, processes, and technologies that ensure the right individuals have access to the right resources at the right times and for the right reasons. IAM plays critical role in AWS, it determines which user has to access to which AWS resources (e.g S3, EC2, RDS, etc..).  Here user represent actual user/service account which is using your application.  As part of this blog we can look at below topics.

·      What is Identity and Access Management?

·      IAM User and Groups

·      IAM Roles

·      IAM Policies

·      IAM Best Practices

What is Identity and Access Management?

Identity refers to the digital identity of a person or entity, which includes the information and attributes that identify them in online spaces. This can include usernames, passwords, and other identifying information.  Access Management refers to Access Control, the process of controlling access to resources and data.  To ensure only the authorized user/system access to specific resource to perform required action.  Permissions are defined based on roles/policies and associate these to specific user/security group.  

It helps prevent unauthorized access, data breaches, and other security threads.  Effective access management is critical for protecting sensitive data and ensuring compliance with regulations and standards, such as HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard) and GDPR (General Data Protection Regulation).

Let’s look at key important concept of IAM, they represent different stages in the process of granting access to resources.

  • Identification – Identify User/Service Account attempting to access resource or service.  It verifies the unique user name/email address/Active Directory for identity.
  • Authentication – The process of verifying the identity of a user/entity. User/Service account has to provide the password/token to verify the identity.  
  • Authorization – Based on the information provided in Authentication to verify and provide granting/denying the access for user/entity.



To summarize, identification is about establishing a user's identity, authentication is about verifying that identity, and authorization is about granting access based on that identity and associated attributes. All three are important for effective access control and security in an IAM system.


What AWS IAM has?  Customers can create and manage AWS users and group, assign permission, and apply policies that control access to AWS resources.  This includes setting up user accounts, granting or denying permissions to specific AWS services and resources, and applying multi-factor authentication to enhance security.  It also allows creation of roles, which can be used to delegate permission to user application and services.  

AWS IAM is an essential part of any security strategy for AWS customers, as it provides a centralized and secure way to manage access to AWS resources. By using IAM, customers can ensure that only authorized individuals or systems have access to their resources, and that access is granted according to the principle of least privilege, which means granting only the minimum level of access necessary to perform a specific task.  

IAM also provides audit trails and other monitoring features to help customers track and analyze user activity and detect potential security issues.

 

IAM User and Groups

       In AWS IAM, a user is an identity that represents an individual or application that interacts with AWS resources. Users are typically created with a unique name and a set of credentials (such as a password or access key) that are used to authenticate their identity and access AWS resources.  By default IAM user won’t have any permission,  it has to set required permission after user created.  IAM User can be actual user/service account.

A group is a collection of users who share common access requirements. Groups can be used to simplify access management by granting permissions to a group of users rather than to individual users. By assigning permissions to groups, administrators can easily manage and update permissions for a large number of users at once.


IAM Roles

An IAM role in AWS is a way to grant permissions to AWS services and resources without having to manage long-term credentials, such as access keys. Roles can be assumed by trusted entities, such as AWS services, IAM users, or external identities (such as users from an external directory).

       Roles are defined with a set of permissions (in the form of policies) that determine what actions can be performed on specific AWS resources. When a role is assumed by a trusted entity, the permissions defined in the role are granted to the entity. This makes it possible to grant temporary access to AWS resources, without having to share permanent access keys or manage long-term credentials.

IAM roles are useful in a variety of scenarios, including:

  • Granting permissions to AWS services - Roles can be used to grant permissions to AWS services that need to interact with other AWS services or resources. For example, an Amazon EC2 instance can assume an IAM role to access an S3 bucket or a DynamoDB tables.
  • Cross-account access -  Roles can be used to grant permissions to entities in different AWS accounts, without having to share long-term credentials.
  • Federated access -  Roles can be used to grant permissions to external identities, such as users from an external directory, using federated authentication.
  • Least privilege access -  Roles can be used to enforce the principle of least privilege, by granting only the minimum level of access necessary to perform a specific task.

Overall, IAM roles are an important tool for managing access to AWS resources, and they provide a flexible and secure way to grant temporary access to AWS services and resources.


IAM Policies

A policy is a set of rules that defines the permissions granted to a user or group. Policies are created using the AWS policy language, which defines the actions that are allowed or denied on specific AWS resources. Policies can be attached to users, groups, or roles, and can be used to grant or deny access to specific AWS services and resources.

AWS IAM policies are a powerful tool for managing access to AWS resources, as they allow administrators to define fine-grained permissions for specific actions and resources. Policies can be created to grant broad access, such as granting full administrative access to an AWS account, or to provide highly restricted access, such as limiting a user's ability to read or write to a specific S3 bucket. 

By using policies, administrators can apply the principle of least privilege, which means granting only the minimum level of access necessary to perform a specific task, and can ensure that their AWS resources are protected against unauthorized access.

Policies are either managed by AWS / Customer.  If the policy added inline for the specific user and when the user deleted then inline policy also automatically deleted since it's added for specific user.

 

IAM Best Practices

            Below mentioned few best practices for managing AWS Identity and Access Management (IAM) that can help you secure your AWS environment.            

  • Use the principle of least privilege -  Provide only the minimum permissions necessary for users, groups, and roles to perform their intended actions. This helps to limit potential damage that can be caused by a compromised account or an inadvertent mistake.
  • Enforce Multi-Factor Authentication (MFA) -  Require users to authenticate with a second factor such as a token or smartphone app. This adds an extra layer of security to your IAM policies.
  • Use IAM roles for EC2 instances -  Rather than using access keys, attach an IAM role to an EC2 instance. This allows applications running on the instance to access AWS resources without requiring the use of access keys.
  • Regularly review IAM policies -  Regularly review your IAM policies to ensure that they still accurately reflect your security requirements. Remove any unnecessary permissions.
  • Use IAM access analyzer -  Use IAM Access Analyzer to identify resources that can be accessed publicly, and take necessary steps to secure them.
  • Use AWS Organizations -  Use AWS Organizations to centralize management of multiple AWS accounts. This can help to improve governance, security, and compliance.
  • Use AWS CloudTrail -  Use AWS CloudTrail to log all API calls made to your AWS account. This can help you monitor for potentially malicious activity and provide an audit trail of all actions taken.
  • Use IAM Policy Simulator -  Use IAM Policy Simulator to test the effectiveness of your policies. This can help you identify any errors or omissions in your policies before they can be exploited.




By following these best practices, you can help to ensure that your IAM policies are secure, well-managed, and effective in protecting your AWS resources.


Conclusion

AWS recommend least privilege part of IAM.  In this blog we have seen what’s mean by IAM User, Groups, Roles and Policies.  Also best practices of AWS IAM which would help more secure your application to run day to day business.


“P.S. If you read it till the end, Thank you!

Follow me for cloud and AWS content, I ll be back with another interesting topic about AWS

If you have question you can reach me in linked Gnanaprakasam Venkatesan | LinkedIn

This article is part of AWS Career Growth Program (AWS-CGP) by Pravin Mishra

For more AWS related content please visit the website.”

 

Comments

Post a Comment

Popular posts from this blog

AWS Regions, Availability Zones and Edge Locations

Image
  Introduction Amazon Web Services is early adopter of the cloud.   AWS started in 2006 to provide scalable and flexible computing services to business and individuals.   Business no need to spend upfront infrastructure and developers can build the application in economy of scale, reliable and securely with AWS Infrastructure.   AWS has many services few of them global, most of them hosted in regions/zones based on the consumer of the hosted application to reduce latency to retrieve.   As part of this blog, we will see below topics. ·         AWS Regions ·         AWS Availability Zones ·         AWS Edge Locations   AWS Regions What’s AWS Regions?   How it’s different from Availability Zones?   AWS Regions are physical location of AWS Infrastructure setup around the world.   The region consists of multiple availability zones.   As we speak there are 31 regions as of this blog created, this region counts are increasing rapidly since the cloud adaption for Business inc
Read more

Amazon S3 Access Points VS Amazon S3 Multi-Region Access Points

Image
  Introduction Amazon Web Services (AWS) that enables customers to manage access to shared data sets on Amazon S3. S3 Access Points creates a unique network endpoint that customers can use to manage data access at scale for shared data sets on Amazon S3.   Depends on your business you can create single region or multi-region access points.   We can look at below topics in this blog. What is Amazon S3 Access Points? What is Amazon S3 Multi-Region Access Points? What are the advantages of using Amazon S3 Access Points? When should you use Amazon S3 Multi-Region Access Points? Difference between Amazon S3 Access Points and Amazon S3 Multi-Region Access Points     What is Amazon S3 Access Points? Amazon S3 Access Points is a feature of Amazon Simple Storage Service (S3) that simplifies managing data access at scale for shared data sets. An S3 Access Point is a unique hostname that is used to access a shared data set in an S3 bucket. Access Points can be created fo
Read more