IAM Flashcards
What is IAM?
IAM stands for Identity and Access Management. It is a service provided by AWS (Amazon Web Services) that helps you securely control access to AWS resources.
IAM enables you to manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.
IAM is crucial for managing secure access to AWS services and resources. It enables you to control who is authenticated (signed in) and authorized (has permissions) to use resources.
IAM: What are Users & Groups?
Users: These are persistent identities set up within your AWS account to represent the people or services who use your account.
Groups: These are collections of users that you can use to manage permissions for a collection of users, rather than having to manage permissions for each individual user.
What are permissions?
Permissions in the context of AWS IAM (Identity and Access Management) are the declarations of what actions are allowed or denied to a user, group, or role. Permissions are granted to AWS entities through IAM policies.
- Users or Groups can be assigned JSON documents called policies
- These policies define the permissions of the users
- In AWS you apply the least privilege principle: don’t give more permissions than a user needs
What are policies?
Policies: These are objects in AWS that, when associated with an identity or resource, define their permissions. AWS evaluates these policies when a principal entity (user or role) makes a request.
What is the IAM Policies Structure?
- Consists of:
  - Version: policy language version, always include “2012-10-17”
  - Id: an identifier for the policy (optional)
  - Statement: one or more individual statements (required)
- Statements consist of:
  - Sid: an identifier for the statement (optional)
  - Effect: whether the statement allows or denies access (Allow, Deny)
  - Principal: account/user/role to which this policy is applied
  - Action: list of actions this policy allows or denies
  - Resource: list of resources to which the actions apply
  - Condition: conditions for when this policy is in effect (optional)
What is the IAM – Password Policy?
- Strong passwords = higher security for your account
- In AWS, you can set up a password policy:
  - Set a minimum password length
  - Require specific character types, including:
    - uppercase letters
    - lowercase letters
    - numbers
    - non-alphanumeric characters
  - Allow all IAM users to change their own passwords
  - Require users to change their password after some time (password expiration)
  - Prevent password re-use
Talk about Multi Factor Authentication - MFA
Users have access to your account and can possibly change configurations or delete resources in your AWS account
* You want to protect your Root Accounts and IAM users
* MFA = password you know + security device you own
**User password + MFA => successful log in**
- Main benefit of MFA: if a password is stolen or hacked, the account is not compromised
What are some MFA app and device options in AWS?
How can users access AWS?
To access AWS, you have three options:
* AWS Management Console (protected by password + MFA)
* AWS Command Line Interface (CLI): protected by access keys
* AWS Software Developer Kit (SDK) - for code: protected by access keys
* Access Keys are generated through the AWS Console
* Users manage their own access keys
* Access Keys are secret, just like a password. Don’t share them
* Access Key ID ~= username
* Secret Access Key ~= password
What’s the AWS CLI?
- A tool that enables you to interact with AWS services using commands in your command-line shell
- Direct access to the public APIs of AWS services
- You can develop scripts to manage your resources
- It’s open-source: https://github.com/aws/aws-cli
- Alternative to using the AWS Management Console
What’s the AWS SDK?
AWS Software Development Kit (AWS SDK)
* Language-specific APIs (set of libraries)
* Enables you to access and manage AWS services programmatically
* Embedded within your application
* Supports
  * SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
  * Mobile SDKs (Android, iOS, …)
  * IoT Device SDKs (Embedded C, Arduino, …)
* Example: AWS CLI is built on AWS SDK for Python
What are Roles and IAM Roles for Services?
Roles: These are sets of permissions that grant access to actions and resources in AWS. Unlike users, roles do not have long-term credentials (password or access keys) associated with them. Instead, if a user or service assumes a role, temporary security credentials are created dynamically and provided to the user or service.
- Some AWS services will need to perform actions on your behalf
- To do so, we will assign permissions to AWS services with IAM Roles
- Common roles:
  - EC2 Instance Roles
  - Lambda Function Roles
  - Roles for CloudFormation
What are some main IAM Security Tools?
- IAM Credentials Report (account-level)
  - a report that lists all your account’s users and the status of their various credentials
- IAM Access Advisor (user-level)
  - Access Advisor shows the service permissions granted to a user and when those services were last accessed
  - You can use this information to revise your policies
What are the IAM Guidelines & Best Practices?
- Don’t use the root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce the use of Multi Factor Authentication (MFA)
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic Access (CLI / SDK)
- Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
- Never share IAM users & Access Keys