AWS Identity Access Management (IAM)

  1. IAM is an AWS service that allows humans and programs to access AWS services and infrastructure.
  2. The IAM provides very granular control over the resources in that you can specify who can access what resource and perform what action on that resource from a specific ip/CIDR at a specific time range.
  3. IAM is not OS level user management tool. For OS level user management use LDAP or Active Directory Services.
  4. AWS is not application level user management tool. For application level user management such as the users that registered on your eCommerce website, use Application User Repositories or in case of Mobile apps, use AWS Cognito.
  5. IAM principal is an IAM entity (human or application) that can access AWS resources. Three types of principals:
  6. Root user
    • use email/password to access
    • can use root user keys to access AWS services from applications but strongly NOT recommended
    • Should enable MFA (Multi Factor Authentication) for better security
  7. IAM users
    • Can be person or application
    • Can have userid/password
    • Can have Security Access Key ID/Secret Access Key combination (ID is 20 char and Secret Access Key is 40 char)
    • Can be associated with policies containing permissions to ALLOW/DENY access to specific AWS resources
  8. IAM roles/temporary security tokens
    • Roles are used to provide specific privileges to specific IAM principals for a set duration (time window) of min 15 min to 36 hours
    • Following use cases of Roles are important to remember
      • EC2 roles can be assigned to give access to processes on the EC2 to access AWS resources.
        • In fact it is a best practice to use the EC2 roles as opposed to using the Access Key (Access ID/Secret Access Key combo) inside the config files or hard coding in side the program code.
        • Also with this practice, no need to worry about access key rotation
      • Cross Account Access: Provide access to IAM principals from another account. This is better practice than distributing Access Keys.
      • Federation:
        • Users of trusted external systems such as Google/Facebook users can be granted access to AWS resources thru roles and temp security tokens. OpenId Connect (OIDC) protocol is used.
        • Users of LDAP/Active Directory are federated thru Security Assertion Markup Language (SAML)

 

 

<<< Introduction to Amazon Web Services (AWS)AWS IAM Authentication >>>
Copyright 2005-2016 KnowledgeHills. Privacy Policy. Contact .