AWS Identity and Access Management (IAM) enables you to control who can do what in their AWS environment. It provides you securely control access to AWS services and resources for your users.
IAM main parameters:
a) users, roles and permission
b) Control: IAM control can be defined based on use cases such as centralised, fine-grained -APIs, resources, AWS management console.
c) Security: Security provides the configuration of secure (deny) by default, multiple users security setup, individual security credentials and permissions.
AWS IAM functions:
IAM assists users in creating roles and permissions based on organisational hierarchy and policy management. It allows three different ways to manage, access and control users, and roles and permission policies.
Manage IAM users and their access– IAM allows customers to create users and manages users credentials based on user’s operational performance. IAM assign users individual security credentials such as access keys, password, and muli-factor devices authentication or request temporary security credentials to provide users access to AWS products.
Manage IAM roles and their permissions- with IAM, customers create roles and manage permissions to control the entity, AWS services perform operations, and that is defined in the role. Therefore, Administrator can check which entity is allowed to assume the role.
Manage federated users and their Permissions – without creating an IAM user for each identity, customers can enable identity federation in their enterprise to access the AWS management console, APIs, access resources to allow existing identities like users, group and roles.
TOP IAM Enterprise best Practices
IAM best practices are applied in the enterprise to manage and control multiple users in the centralised operation.
1. Basic user and permission management:
Users – Create individual users.
Benefits: It provide unique credential, individual credential rotation and individual permission.
Groups – Manage permissions with groups.
Benefits: Easier to assign the same permission to multiple users and also with IAM, administrator cab reassign permission based on a change in responsibilities, and one change of update permission can be applied to multiple users.
Permissions – Grant least privilege.
Benefits: with IAM permission, there is a minimum chance to users for making mistake. It provides more granular control and relaxes to users.
Conditions – Restrict privileged access further with conditions.
Benefits: Additional granularity when defining permission. It can be enabled for any AWS services API, and It also minimises chances of accidently performing privileged actions.
Auditing – Turn on AWS CloudTrail.
Benefits: IAM enabled AWS cloudTrail to get logs of API calls. Visibility into AWS account users activity by recording AWS API calls to an Amazon S3 buckets.
2. Credential Management:
Password – Configure a strong password policy.
Benefits: It ensures and gives confident to the enterprise that their users and data are protected.
Rotate – Rotate security credentials regularly.
Benefits: The benefit to rotate the security credential regularly and consider normal best practice.
MFA – Enable MFA for privileged users.
Benefits: A one-time code is to be required during authentication of supplements username and password.
Roles – Use IAM roles for Amazon EC2 instances.
Benefits: Easy to manage access keys on the EC2 instance, access key rotated automatically. It also provides the benefit of assign least privilege to the application, AWS SDKs and CLI fully integrated.
Sharing – Use IAM roles to share access.
Benefits: The delegation benefits of sharing are that no need to share security and no need to store long-term credentials. The use cases are cross-account access and intra-account delegation, and federation.
Root – Reduce or remove the use of root.
Benefits: It reduces the potential misuse of root user credentials.
When should use IAM users and Federated users?
Ans: Where you want to use IAM users and Federated users, it depends on where you want to manage your users.
IAM users: In your AWS account
Federated users: On-Premises, delegating access to your account and mobile application access (IAM roles).
When we use access key and passwords?
Ans: When you need to use access key or passwords, it depends on how your users will access AWS services. For the console access, users use passwords policy whereas, API, CLI, SDK are accessed by access keys. The most essence notification is that make sure each case you are rotated credential regularly. Some factors must be reminded when using a password and access key policies such as user credential report to audit credential rotation, configure password policy, and configure the policy to allow access key rotation.
When should you use INLINE policies and MANAGED Policies and How many policies you can attach to an IAM role?
Ans: Use INLINE Policies when you need to enforce a strict one-to-one relationship between policy and principal. When you need to avoid policy being attached to a principal and you need to delete the principal make sure that you also delete the policy.
Use MANAGED Policies when you need to reusability, central change management, versioning and rollback, the delegation of permission management, policy size is large, and automatic update for Aws managed policies.
The total aggregated policy size of INLINE (The sum size of all inline policies) per entity cannot exceed the following limits but you can add as many INLINE policies as you want to a user, group, or role:
User policy size cannot exceed 2,048 characters.
Role policy size cannot exceed 10,240 characters.
Group policy size cannot exceed 5,120 characters.
You can add maximum 10 managed policies to a user, role, or group. The size of each managed policy cannot cross the limit of 5,120 characters.
IAM is a feature of AWS account offered at no additional charge. Customer will be charged only for use of other AWS services by their users.
Thank you 🙂