IAM

What is AWS IAM?

In AWS, Identity and Access Management (IAM) is one of the AWS services and it is used to help users securely control access to AWS resources. Everything you do in AWS needs permission, which means that you will eventually encounter or use IAM features when building your own AWS services. IAM features include determining who is eligible to sign in, who or what has access to resources, and so on.

IAM Terminologies Cheatsheet:

  • IAM Resource: IAM Resources includes IAM user, IAM user group, IAM role, IAM policy, and identity provider objects.

  • IAM Identity: The resource objects in IAM that are used to identify and group resources.

  • IAM Entity: IAM users and IAM roles are two examples. Use AWS’s IAM resource objects for authentication.

  • Principal: A person or application with the authority to request an AWS action or operation. The principal must be authenticated as the AWS account root user or an IAM entity in order to make requests to AWS. This includes federated users and assumed roles.

IAM User

An IAM user is an AWS entity that you create to represent a person or application that interacts with AWS. AWS users are made up of a name and credentials.

IAM User Cheatsheet:

  • Brand new IAM users by default has no permissions

  • permission boundary can be add to a user

  • Each IAM user is associated with one and only one root user

  • When creating a IAM user, IAM username isn’t capitlization sensitive (meaning Bob equals bob)

3 ways to identify an IAM user:

  • Name: the name you gave when you created the user.

  • Amazon Resource Name (ARN): When you need to uniquely identify a user across all of AWS, you use the ARN.

  • Unique identifier: This ID is only returned when the user is created through the API, Tools for Windows PowerShell, or AWS CLI; it is not displayed in the console.

Root User

When an AWS account is newly created, you start with a single identity that has full access to all AWS services and resources in the account. This is the AWS account’s root user identity. An IAM user with administrator privileges is not the same as the root user of an AWS account.

Root user Cheatsheet:

  • One account one root user

  • A root user can create at most 5000 IAM users

  • Account-wide access to all AWS services and resources

  • Create or delete an AWS account

  • Best practice is to never use root user, create an IAM user and use that instead

Credentials

Different credentials are required depending on the user and how AWS resources are accessed.

  • Console password

    A password that must be entered by the user in order to access interactive sessions like the AWS Management Console.

    • Root user credential: email + password.

    • IAM user credential: account ID + username + password.

  • Access keys

    Access key is a combination of access key ID + secret key.

    • To access AWS resources programmatically via the AWS CLI, Tools for Windows PowerShell, AWS SDKs, or APIs, access keys are required.

    • An access key is associated with an IAM user.

    • One IAM user can have at most 2 access keys.

    • Access keys are unique across AWS; thus, it can be used to identify a specific user.

  • SSH keys for CodeCommit

    A SSH public key that can be used to authenticate with CodeCommit (OpenSSH formatted).

  • Server certificates

    Certain AWS services can be authenticated using SSL/TLS certificates. AWS Certificate Manager is used to provision, manage, and deploy server certificates (ACM).

If you use an IAM user’s long-term credentials in your application, avoid embedding access keys directly into the application code. As a best practice, use temporary security credentials (IAM roles) instead of long-term access keys.

IAM Users Real-Life Scenarios

  1. Team Members

    Every team member who needs to access AWS resources in a small organization or company will be given an IAM user account created by the company’s root user account. Each IAM user account will have its own set of credentials: username + password + accountID.

  2. Federated Users

    In a larger company with multiple teams and organizations, hundreds of thousands of employees may require access to AWS resources. The “single sign-on” strategy, which leverages AD (Microsoft Active Directory) to provide employees access to AWS services after they have been confirmed, is used by the majority of enterprises.

  3. Cross Account Users

    When AWS users from other accounts attempt to access your AWS resources, this is referred to as a cross account user. Accounts may come from the same or different organizations. This can be solved with IAM roles, which we will discuss in the following chapter.

  4. Programs and Applications

    Often times applications will request access for your teams AWS resource through AWS APIs or AWS CLI. In this case, they need an access key (access key ID + secret key) to authenticate their requests. Use temporary security credentials (IAM roles) instead of access keys as a best practice.

IAM User Group

An IAM user group is literally what it means – a group of IAM users. User groups allow you to specify permissions for multiple users, making it easier to manage those users’ permissions. For example, you could create a user group called Admins and grant that group standard administrator privileges. Any user in that user group has Admins group permissions by default. You can provide administrator capabilities to a new user who joins your company by adding them to the Admins user group. If a user in your company changes jobs, instead of altering that user’s permissions, you can remove him or her from the old user groups and add him or her to the necessary new user groups.

User Group Cheatsheet:

  • User groups can’t be nested; they can contain only users, not other user groups.

  • A user group can have many members, and a user can belong to multiple user groups.

  • There is no default user group that includes all AWS account users by default. If you want to have a user group like that, you must create it and assign each new user to it.

  • The number and size of IAM resources in an AWS account are limited, such as the number of groups and the number of groups that a user can be a member of. More information can be found at: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html.

  • IAM group don’t have credentials.

  • A single root account can only have 300 user groups.

  • There are a maximum of 300 user groups per root account.

Resources