Learn more about AWS IAM fundamentals. Just enough to get you started, not too much to overwhelm you with details. This article is intended for beginners, but it can also be a useful refresher for experienced users.
In my opinion, AWS IAM is a fundamental service for any cloud operator. It is one of the first, if not THE first AWS service to learn, along with the big ones like Amazon S3 or DynamoDB.
In this blog post, I'll walk you through the basics of AWS IAM. I'll go into enough detail to get you off to a good start on your AWS journey. But I won't burden you with the finer details.
We'll start by reviewing the main ideas of IAM: Resources, Actions and Policies.
From there, I describe the IAM authorization process using an example. We'll briefly review the various methods of interacting with AWS that IAM supports (via the console, the aws CLI, or programmatically).
After that, we'll dive a little deeper into resources, actions, and policies by looking at a policy document. Finally, I'll explain some other important concepts, including groups, roles, and trust relationships.
Do you prefer a video format? Check out my YouTube video on this subject.
A quick primer
Before getting into the details, I want to take a moment to explain some of the basics to outline what's to come.
First, let's demystify IAM. It stands for Identity and Access Management, and it is the service that controls access to AWS resources. Since accessing resources is one of the most basic things you can do on AWS, it's understandable why this topic is so important.
How does IAM do this? Well, it turns out there are 3 basic ideas at play.
Central Idea 1 – Resources
Resources are the entities you create in AWS. This can include things like an S3 bucket, an S3 object, or a DynamoDB table. All resources on AWS are identified by something called an ARN, or Amazon Resource Name. You've probably seen one of these identifiers before; they look a bit like this:
Throughout our time with AWS, we will continue to reference ARNs. They are how we as users uniquely identify the things we build on AWS.
Central Idea 2 – Actions
Actions are the operations that users attempt to perform on resources. For example, if I created a Lambda function, I might want to update its configuration. To do this I need to use an API called
lambda:UpdateFunctionConfiguration. To perform this action, I need permission to call this API. But how do I get that permission?
The answer lies in the policy...
Central Idea 3 – Policy / Policy Document
At the heart of AWS IAM is the policy. IAM policies are JSON documents that define a user's permissions to access a resource. In other words, permission to perform an action is determined by whether or not the user has a policy document that grants the corresponding permission.
You might be a little confused by these concepts, but don't worry, we'll clear that up shortly. For now, remember that IAM is about securing access to resources by controlling which actions a user can perform, based on the user's policy document.
Example: Manage Access to Create a Lambda Function
Let's take a closer look at these concepts with an example.
Suppose for a moment that we have a user (call him Daniel) trying to create a Lambda function in the AWS console. How does AWS determine whether he is allowed to?
The answer is in the policy currently associated with this user. In IAM, if a user does not have explicit permission to access a resource, they cannot access it. This means that AWS IAM takes a deny-by-default approach: everything is denied unless you specify that something should be allowed.
Sidebar – There is also an option to explicitly deny access to a resource. An explicit deny is an entry in your policy document that names an API or set of APIs that the user should NOT have access to. Explicit denies always take precedence over allows, so if there is a conflict, the deny wins.
Returning to our main point: AWS determines whether we are allowed to perform an action on a resource by checking the policy document associated with that user.
If a user is not granted access (whether implicitly or explicitly), the user is greeted with the dreaded Access Denied error. If you haven't seen this error yet on your cloud journey, get ready, because I guarantee you will.
For this user to create a function, they need access to lambda:CreateFunction based on their policy document. So what does a policy document look like? Let's look at one now.
Looking at an IAM policy document
The image above is a policy document that will give our user permission to create a Lambda function, but not much else.
Let's look at some of the elements.
Version – This looks like a random mystery value and rarely changes. Its value is always 2012-10-17. For all intents and purposes, it doesn't matter.
Statement – The statements contain the core of the policy document. As seen in the image, a single policy document can contain multiple statements that define access to different resources.
Sid – Stands for Statement ID. Just a unique identifier for your statement.
Effect – Two possible values, Allow or Deny. Allow is used to grant access, Deny to explicitly restrict access.
Action – The AWS operation you are trying to perform, usually 1:1 with the API name. Actions are namespaced by service. For example, the S3 action to create a bucket is, you guessed it, s3:CreateBucket.
Resource – The resource is the element to which we are protecting access. We can specify a resource-specific ARN to define granular access controls. If we want to be more liberal, we can use wildcards, denoted by asterisks (*).
Principal – An optional value. Principals help us create policies that apply to specific users.
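To make the Allow / Deny / implicit-deny logic from the example concrete, here is an added Python example (not code from the original post): a miniature evaluator that takes the policy above, rebuilt as a dictionary, and decides a request the way the post describes, with explicit Deny overriding any Allow. The function ARN, the account id 111111111111, and the two extra policies used to show Deny precedence are constructed sample values; conditions and principals are intentionally not evaluated.

```python
"""Miniature IAM policy evaluator (added example, not from the original post).

Outcomes match the three cases the post describes:
  - implicit_deny : no statement matches the request
  - allow         : an Allow statement matches and no Deny does
  - explicit_deny : a Deny statement matches; it overrides every Allow
Action and Resource values may use the '*' wildcard, as in real IAM.
Conditions and Principals are deliberately ignored here.
"""
from fnmatch import fnmatchcase

# Constructed sample: the "create a Lambda function, nothing else" policy.
# The account id 111111111111 is a placeholder, not a real account.
CREATE_LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateFunction",
            "Effect": "Allow",
            "Action": "lambda:CreateFunction",
            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:*",
        }
    ],
}

# Two more constructed policies, used to show that an explicit Deny wins
# over an Allow that covers the same action, whatever order they are in.
ALLOW_ALL_LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAllLambda", "Effect": "Allow",
                   "Action": "lambda:*", "Resource": "*"}],
}
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyDelete", "Effect": "Deny",
                   "Action": "lambda:DeleteFunction", "Resource": "*"}],
}

FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:hello"


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """'*' wildcard matching. Action names are case-insensitive in IAM;
    resource ARNs are case-sensitive. (fnmatch also understands '?' and
    '[...]'; IAM supports '?' but not character classes.)"""
    for pattern in _as_list(patterns):
        if case_sensitive:
            if fnmatchcase(value, pattern):
                return True
        elif fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_sensitive=False):
                continue
            if not _matches(stmt["Resource"], resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"   # Deny wins immediately
            allowed = True               # remember the Allow, keep scanning for a Deny
    return "allow" if allowed else "implicit_deny"


def is_allowed(policies, action, resource):
    """Convenience wrapper: True only for a clean 'allow' verdict."""
    return evaluate(policies, action, resource) == "allow"


if __name__ == "__main__":
    for act in ("lambda:CreateFunction", "lambda:DeleteFunction"):
        print(act, "->", evaluate([CREATE_LAMBDA_POLICY], act, FUNCTION_ARN))
    print("with Deny:", evaluate([ALLOW_ALL_LAMBDA_POLICY, DENY_DELETE_POLICY],
                                 "lambda:DeleteFunction", FUNCTION_ARN))
```

Running the module shows CreateFunction allowed, DeleteFunction implicitly denied under the first policy, and explicitly denied once the Deny policy is attached even though lambda:* would otherwise allow it.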
I hope this basic example is clear and helps you understand some of the basics of securing access to AWS through IAM. I want to take a quick break and describe some of the methods you can use to identify yourself to AWS so that AWS can determine who you are (also known as authentication). Because our IAM policies are based primarily on the user concept, it's important to understand the access vectors.
Access AWS through your IAM user
To interact with AWS, we basically have three options:
- Via the console UI – Probably the way you started using AWS, by clicking through the AWS Management Console. When logging into the console you can do so as the root user (i.e. logging in with the email address you originally created the account with) or as a regular IAM user through the account-level sign-in page. Every account has a unique URL for logging into the console with IAM user credentials. Users have policy documents attached, so their permissions in AWS are limited to the content of those documents.
- Through the AWS CLI – Probably the second most popular way to access AWS. When using the AWS CLI, we must provide our own access key ID and secret access key as a configuration step. These are alphanumeric strings unique to each user and serve as credentials when accessing AWS programmatically. Using the CLI, we can issue commands that call AWS APIs. Again, our access is limited to what is contained in the user's policy document.
- Programmatically using an SDK – The last way is through an SDK that calls AWS APIs. AWS provides SDKs for many popular programming languages. When we access an API programmatically with an SDK, we need to create a client and usually instantiate it with our own credentials.
Another Example: Managing Access to a DynamoDB Table
Let's look at another, more interesting example that uses other IAM features. This policy document allows read access to specific columns in a DynamoDB table.
This policy document is similar to the example we saw above, but with some interesting features. First, note that in the Action section we list several actions. In addition, we use a wildcard in the dynamodb:BatchGet* action.
It is important to note that wildcards can be used in many parts of the policy document, from the Resource to part of the action names themselves. This notation indicates that every action starting with BatchGet is permitted under this policy document. For example, BatchGetItem would be a permissible action here.
Also note that in the Resource section of this statement we use wildcards in another way:
arn:aws:dynamodb:*:*:table/MyTable. The two *s here correspond to the region and account number. The
table/MyTable part states that these actions only apply to that specific table (or any matching pattern). The * is used here as a substitute for the region (for example, us-east-1) and account number (for example, 755018473).
This means that the actions in this policy apply to a table named
MyTable that can exist in any region and under any account. This is a useful policy if you have a multi-stack environment and are trying to create a policy that allows read access to each of these tables.
Finally, the Condition section of the policy enables some interesting features. Conditions provide the context in which this policy takes effect.
In the statement above, the
ForAllValues:StringEquals block and the attributes listed below it tell IAM that we want to restrict our permissions to just a specific set of column names in our table. There are other condition keys we can use besides
dynamodb:Attributes. This one in particular is specific to DynamoDB and allows us to restrict access at the column level.
The last part,
dynamodb:Select, is another requirement for enabling column-level access control in DynamoDB.
Don't worry if you don't understand much about conditions. You can really go far on your AWS journey with little or no knowledge of them. For now, all you need to know is that they exist and roughly what they do. If you want to know more, you can read the IAM condition documentation.
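The column-level restriction above hinges on two condition keys working together, and on one ForAllValues edge case worth seeing in code. The following added Python example (not code from the original post) rebuilds the DynamoDB policy as a dictionary and checks a read request against the resource ARN wildcards and both conditions; the table name, attribute names and the account id 222222222222 are constructed sample values, and action matching is deliberately left out so the example stays focused on the conditions.

```python
"""Condition checks for the column-level DynamoDB policy (added example,
not from the original post). Constructed sample values throughout."""
from fnmatch import fnmatchcase

COLUMN_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadSpecificColumns",
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:BatchGet*"],
        "Resource": "arn:aws:dynamodb:*:*:table/MyTable",
        "Condition": {
            # Every attribute the caller asks for must be in this list.
            "ForAllValues:StringEquals": {
                "dynamodb:Attributes": ["Id", "Name", "Email"]
            },
            # ...and the caller must ask for specific attributes, not ALL.
            "StringEquals": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
        },
    }],
}

# Constructed: the same table name in a different region and account.
SAMPLE_TABLE_ARN = "arn:aws:dynamodb:eu-west-1:222222222222:table/MyTable"


def arn_matches(pattern, arn):
    """Match an ARN field by field, so a '*' in the region or account slot
    stands in for exactly that slot. An ARN has six colon-separated fields;
    the last (resource) field may itself contain colons, hence maxsplit=5."""
    if pattern == "*":
        return True
    p_fields = pattern.split(":", 5)
    a_fields = arn.split(":", 5)
    if len(p_fields) != 6 or len(a_fields) != 6:
        return False
    return all(fnmatchcase(a, p) for p, a in zip(p_fields, a_fields))


def for_all_values_string_equals(requested, allowed):
    """ForAllValues semantics: every requested value must appear in the
    allowed list. An EMPTY request satisfies it too, which is exactly why
    the policy also pins dynamodb:Select to SPECIFIC_ATTRIBUTES: without
    that, a request naming no attributes (i.e. asking for all of them)
    would slip through the attribute condition."""
    return set(requested).issubset(set(allowed))


def column_read_allowed(policy, table_arn, requested_attributes, select):
    """Apply the Resource pattern and both Condition blocks of the policy's
    single statement to one read request."""
    stmt = policy["Statement"][0]
    if not arn_matches(stmt["Resource"], table_arn):
        return False
    cond = stmt["Condition"]
    allowed_attrs = cond["ForAllValues:StringEquals"]["dynamodb:Attributes"]
    if not for_all_values_string_equals(requested_attributes, allowed_attrs):
        return False
    return select == cond["StringEquals"]["dynamodb:Select"]


if __name__ == "__main__":
    print(column_read_allowed(COLUMN_READ_POLICY, SAMPLE_TABLE_ARN, ["Id", "Name"], "SPECIFIC_ATTRIBUTES"))
    print(column_read_allowed(COLUMN_READ_POLICY, SAMPLE_TABLE_ARN, ["Id", "Salary"], "SPECIFIC_ATTRIBUTES"))
    print(column_read_allowed(COLUMN_READ_POLICY, SAMPLE_TABLE_ARN, [], "ALL_ATTRIBUTES"))
```

The third call is the one to remember: the attribute condition alone is satisfied by an empty attribute list, and only the dynamodb:Select condition turns that request into a denial.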
Other important concepts: groups, roles, and trusts
So far I've talked enough about AWS IAM to get you pretty far, but there are a few other concepts you might encounter that you should be aware of. Let's explore them now.
IAM groups are simply a collection of AWS users. They are an important set of organizational tools that allow you to assign similar permissions to a collection of users all at once. You can visualize this concept in the following image:
Groups allow you to associate users added to the group with a standard IAM policy. This is very useful when you have collections of users that require shared permission levels. For example, I can create an "Internal Developers" group that has very permissive policies on the account. On the other hand, I might have a "Contractor" group that has some limited permissions that only apply to the project they're working on.
You can use groups in a variety of ways to organize users and control access to resources at the same time. Consult the IAM documentation for more information about groups.
Roles are similar to users in that we can attach IAM policies to them. Unlike users, however, roles are intended to grant short-term access to resources. In other words, if I want to grant a user short-term access for a specific job function, for example as an administrator, I can give them the ability to assume a specific role. The user then has all the permissions defined in the assumed role's policy document. Roles can be used by many different users at the same time if necessary.
Roles can be assumed by users and by other AWS services. For example, when we create a Lambda function, we need to specify a role that will be used by the Lambda function. If our function needs access to DynamoDB, I need to add DynamoDB-specific actions to the role's policy document.
I like to think of roles as wearing many different hats. We may take on different roles at different times based on our job function or something we're trying to get done on a short-term basis. Interestingly, we can also create roles that allow users from a different AWS account to access our resources, which is our next topic of discussion.
Trust relationships are not so much a core concept of IAM as they are a source of problems many developers face, so I think they're worth discussing.
Trust relationships allow us to create roles that users of ANOTHER AWS account can access temporarily. For example, consider a situation like the following, where we have an account with a DynamoDB table and a user in another account wants to access it.
How to grant access to a user in another account is not immediately obvious. To achieve this, we must combine trust relationships and roles. First, we need to go to the IAM console and create a trust between these two accounts. This process is two-way: account 1 needs an entry that says "I trust account 2", and account 2 needs an entry that says "I trust account 1".
Additionally, Account 1 (which contains the resource being accessed) must create a role that has the necessary access. From there, we need to give the specific user in Account 2 the ability to assume this role. A more complete diagram of this process can be seen below:
In general, you should not give third parties direct access to your AWS resources; this is usually done by exposing an API instead. However, there are some circumstances where shared access makes sense, and trust relationships are the means by which AWS makes this possible.
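The two halves of the cross-account setup described above each correspond to a policy document, and an AccessDenied on sts:AssumeRole almost always means one half is missing. The following added Python example (not code from the original post) builds both halves, the trust policy and permissions policy on the role in Account 1 and the AssumeRole permission for the user in Account 2, and checks that they line up. The account ids 111111111111 and 222222222222, the role, user and table names are all placeholders.

```python
"""Cross-account role access: the two policy halves (added example, not
from the original post). All ids and names below are placeholders."""
import json

RESOURCE_ACCOUNT = "111111111111"   # Account 1: owns the table and the role
CALLER_ACCOUNT = "222222222222"     # Account 2: home of the user who will assume it
ROLE_ARN = f"arn:aws:iam::{RESOURCE_ACCOUNT}:role/CrossAccountTableReader"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{RESOURCE_ACCOUNT}:table/MyTable"
CALLER_ARN = f"arn:aws:iam::{CALLER_ACCOUNT}:user/daniel"


def trust_policy(trusted_account_id):
    """Half 1, attached to the role in Account 1 as its trust relationship:
    'principals from this other account may assume me'. Trusting :root
    delegates the choice of WHICH principals to Account 2's administrators,
    who grant it with the policy in assume_role_policy()."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustAccount2",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def role_permissions_policy(table_arn):
    """Also on the role in Account 1: what the role can do once assumed.
    Kept read-only on a single table, following least privilege."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadTable",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": table_arn,
        }],
    }


def assume_role_policy(role_arn):
    """Half 2, attached to the user (or group) in Account 2: permission to
    call sts:AssumeRole on that one specific role in Account 1."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAssumeCrossAccountRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def account_of(arn):
    """The account id is the fifth colon-separated field of an ARN."""
    return arn.split(":", 5)[4]


def can_assume(role_arn, trust_doc, caller_arn, caller_policy):
    """Both halves must agree: the role's trust policy must name the caller's
    account, and the caller's own policy must allow sts:AssumeRole on the
    role. Missing either half is the classic cross-account AccessDenied."""
    trusted_accounts = set()
    for stmt in trust_doc["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        for p in ([principals] if isinstance(principals, str) else principals):
            trusted_accounts.add(account_of(p))
    if account_of(caller_arn) not in trusted_accounts:
        return False
    for stmt in caller_policy["Statement"]:
        if (stmt["Effect"] == "Allow" and stmt["Action"] == "sts:AssumeRole"
                and stmt["Resource"] in (role_arn, "*")):
            return True
    return False


def render(doc):
    """The JSON you would paste into the IAM console's policy editor."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print(render(trust_policy(CALLER_ACCOUNT)))
    print(can_assume(ROLE_ARN, trust_policy(CALLER_ACCOUNT), CALLER_ARN,
                     assume_role_policy(ROLE_ARN)))
```

Note that the permissions policy on the role does not help the caller get in: a user in Account 2 who has only the read-table policy, but no sts:AssumeRole grant, is still refused.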
Pro tips (learned from my frustration)
Before closing, I want to take a moment to share some pro tips I've collected over the years. These tips are the result of years of experience with AWS and hours of frustration as I banged my head against the keyboard trying to figure out "why can't my X access my Y?".
Tip 1: Protect your root account
The root account is the AWS "owner" account. Access is usually gained by going to the AWS sign-in page and signing in with the email address you originally used to register your account.
The root account is special: it's like the top node in an organizational hierarchy. Using it gives you special abilities, like the ability to revoke ANY other user's access or view account-level billing information.
If a malicious actor gains access to your root account, you have no choice but to call or email AWS for assistance. By then you might already be in trouble, dealing with some pretty hefty AWS bills.
Take my advice and create a separate IAM user for your daily activities. Give it admin access and move on. Do NOT use your root account for daily access; you'll thank me later.
Tip 2: Explicit Deny beats explicit Allow
As mentioned above, AWS IAM has two effects for access control: Allow and Deny. If for some reason you end up in a scenario where conflicting policies apply to the same resource, Deny always wins. This can easily happen when you're assuming a role you're not familiar with, so keep that in mind.
This problem caused me headaches and trauma for many hours. Hope I can save you some time.
Tip 3: Use the Least Privilege Model
The least privilege model is a general security principle: grant only the level of access necessary to perform the required function, and no more. In other words, don't be too generous with your IAM policies by granting access to actions like
dynamodb:* (this grants access to all DynamoDB actions).
This leaves your application unduly exposed to attack vectors and vulnerabilities if an attacker somehow gains access to one of your IAM roles or users. Protect yourself in advance and only grant access to what you need.
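One cheap way to enforce this tip is to scan policy documents before attaching them. The following added Python example (not code from the original post) is a small linter that flags Allow statements carrying the kind of over-broad grants just described: a bare `*` or a service-wide `service:*` action, or a `*` resource. The policy it scans, its statement ids and the account id 111111111111 are constructed sample values.

```python
"""Least-privilege linter for IAM policy documents (added example, not from
the original post). The sample policy below is constructed."""

OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroadActions", "Effect": "Allow",
         "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/MyTable"},
        {"Sid": "TooBroadResource", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "*"},
        {"Sid": "AdminEverything", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "Fine", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/MyTable"},
        {"Sid": "DenyIsNotAGrant", "Effect": "Deny",
         "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (Sid, reason) pairs for every Allow statement whose Action or
    Resource is a bare or service-wide wildcard. Deny statements are skipped
    on purpose: a broad Deny narrows access rather than widening it.
    NotAction / NotResource statements are not inspected here."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((sid, "Action '*' grants every API in every service"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants every API of that service"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "Resource '*' applies the grant to every resource"))
    return findings


def flagged_sids(policy):
    """Just the statement ids that need attention, without duplicates."""
    return sorted({sid for sid, _ in find_overbroad_statements(policy)})


if __name__ == "__main__":
    for sid, reason in find_overbroad_statements(OVERBROAD_POLICY):
        print(f"{sid}: {reason}")
```

Run against the sample, the linter reports the three broad statements and stays quiet on the one that names specific actions against a single table ARN, which is what a least-privilege grant should look like.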
Tip 4 – Use AWS Policy Simulator for IAM debugging
AWS Policy Simulator is a useful AWS tool that lets you simulate actions against your IAM policies. It's especially useful when you're stuck in a scenario where you think your policy should grant access to a specific resource, but it doesn't.
The tool allows you to select the IAM users that you have created in your account and test access permissions as shown in the following diagram to run simulations.
The policy simulator can be accessed at https://policysim.aws.amazon.com. Make sure you are signed in to your AWS account so that you can access the IAM user profiles currently in your account so that you can run simulations.
In this article, I've introduced the most important fundamentals of IAM so you can start learning AWS. As a quick summary of most of the things we've learned, remember the following:
We create users who use their credentials to gain access based on the content of their policy document.
We create roles that can be assumed by entities within or outside account boundaries via a trust relationship.
If you liked this article, check out the others I have on this site, and if you have any questions or comments, be sure to leave them below.