AWS Identity and Access Management (IAM)

Nandini Rajaram
Jun 29, 2021

IAM is the discipline of providing the right users, the right access, to the right resources, at the right time.

It’s a combination of policies, processes, and technologies for managing identities and securing access.

Authentication & Authorization

Authentication is the act of validating that a user is who they say they are.

There are many ways to authenticate, such as token-based authentication or biometric data like a fingerprint or your face, but the most common way is still a username and password.

Single Factor Authentication

You go to a website, you log in with an email and a password, and then you’re inside your account successfully.

In the above case you use just one type of credential, an email address and a password, to log into the system, and hence you are using single-factor authentication.

It is the simplest and most common authentication method. Because a single secret is all that stands between an attacker and the account, a password that is guessed, phished, or leaked from another site is enough to take the account over.

Multifactor Authentication(MFA)

MFA requires two or more independent authentication factors, such as a combination of a password, a PIN, a fingerprint, a face scan, a hardware security token, or a code from an authenticator app, to authenticate yourself.

Using a combination of this information allows systems to provide a layered approach to account access.

Authorization

Authorization is the process of giving users permission to access a specific resource or service. This determines whether or not the user can perform some action, whether it be to read, edit, delete, or create resources.

Authorization always follows authentication.

Authentication gets you through the door of a service or account. It answers the question: are you who you say you are?

After you’re inside your accounts, you might want to know the answer to the question, what can I do? What actions can I perform? And that’s where authorization comes into play.

The important part though is that authentication and authorization are used together.

What is IAM?

IAM is a fundamental service provided by AWS.

It gives you control of who is allowed to authenticate within your AWS account and what resources they’re authorized to access.

You can manage identities by creating users and assigning them security credentials such as passwords, access keys, and multi-factor authentication devices.

You can manage access by creating and assigning policies, which are permissions that grant access to resources.

You can also manage access for users whose identities exist outside of your AWS account (identity federation, covered below).

AWS allows you to provide only the needed access to your resources, through the ability to create granular permissions.

IAM Identity and Role

The identity part of AWS Identity and Access Management establishes who a user is, also known as authentication.

An IAM identity can be a user, a group, or a role.

An IAM user is a resource object you create that represents a human or an application. It carries long-term credentials: a console password and/or access keys.

An IAM group is a collection of users. Groups just provide a convenient way of attaching policies to multiple users at one time.

A role is similar to an IAM user in that it has permissions, but it has no long-term credentials. Instead it is assumed, for a limited time, by whichever principals its trust policy allows.

Identity Provider [IdP]

Identities external to AWS are often stored in an identity provider, also known as an IdP.

An IdP is a system for creating and managing identities and is typically the source of truth for an organization's identities.

Microsoft Active Directory, for example, is a well-known on-prem IdP. IAM can use authenticated identities from inside and outside AWS.

Authenticated identities can also be used from another AWS account, also known as cross-account access.

Authenticated identities can even exist outside of AWS entirely, such as within an on-prem IdP.

IAM entity and Principal

An entity is a user or a role. Technically it is the resource object that AWS uses for authentication.

A principal is simply a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.

Root User

When you first create an AWS account, you are provided with a root user. This user has full access to everything in the account, and its permissions cannot be restricted by IAM policies.

It is recommended not to use your root user credentials for everyday access, not to share root credentials with anyone, to enable MFA on the root user, and not to create access keys for it.

Instead, create IAM users (or, better, roles) for all tasks that need to be handled in the account.

One of the first things to do when creating a new account is to create an administrative user that can be used for managing all other permissions, so that the root credentials can be locked away.

Group

A group is a collection of IAM users. Groups enable you to specify permissions for multiple users at once, which makes it much easier to manage the permissions of those users.

Within a group, permissions associated with the group are adopted by every user within the group.

Nested groups are not allowed: a group cannot contain another group.

So if you want a Test group to have the same permissions as the Developers group plus something extra, you cannot make Test a member of Developers; you must attach the Developers policies to the Test group as well, and then attach the additional policy on top.

IAM Roles

An IAM role is simply another type of identity that you can create in your account that has specific permissions.

Difference between IAM User and Role

The first difference is that a role provides temporary credentials for a configurable period between 15 minutes and 12 hours (the role's maximum session duration; the default is one hour). This is different from an IAM user, whose credentials are long-term and stay with that user until they are rotated by the user or an admin.

The second difference is that a role is not tied to one person or machine the way a user is. Instead, roles are assumed. IAM users, applications, federated identities, or AWS services such as EC2 instances can assume the role when they need to.

When you assume a role, you are adopting a set of temporary credentials that do not belong to the person or machine that assumed the role. This is different from IAM users.

If you have an IAM user named Micky and a user named Olive, Micky wouldn’t use Olive’s credentials to log in because Micky’s credentials belong to Micky and Olive’s credentials belong to Olive.

IAM roles, on the other hand, don’t belong to any specific person and can be assumed by multiple people, so both Micky and Olive can assume a single IAM role without it belonging to either person.

It’s a best practice to use roles over users whenever possible.
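Who may assume a role is decided by the role's trust policy, and how long the resulting credentials last is bounded by the role's maximum session duration. The block below is an added example (not code from the article, and not the AWS evaluation engine) that mirrors those two checks for a constructed trust policy. All account IDs, user and role names are hypothetical. It models the Principal element, the sts:AssumeRole action, an MFA condition and the allow/deny precedence; it does not model the caller's own identity policy, which a cross-account caller must also satisfy.

```python
import json

MIN_SESSION_SECONDS = 900         # 15 minutes, the smallest DurationSeconds STS accepts
MAX_SESSION_SECONDS = 12 * 3600   # 12 hours, the largest MaxSessionDuration a role can have

# Constructed trust policy for a hypothetical deployment role.
DEPLOY_ROLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/ci-runner"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Deny",
     "Principal": {"AWS": "arn:aws:iam::444455556666:user/intern"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}
""")


def _listify(value):
    return [value] if isinstance(value, str) else list(value)


def _account_of(arn):
    return arn.split(":")[4]


def _principal_matches(principal, caller):
    """caller is {"arn": ...} for an IAM principal or {"service": ...} for an AWS service."""
    if principal == "*":
        return True
    if "service" in caller:
        return caller["service"] in _listify(principal.get("Service", []))
    arn = caller["arn"]
    for trusted in _listify(principal.get("AWS", [])):
        if trusted in ("*", arn):
            return True
        # Trusting an account's root ARN (or bare account ID) trusts every principal in
        # that account; each of them still needs sts:AssumeRole in its own policy.
        if trusted in (f"arn:aws:iam::{_account_of(arn)}:root", _account_of(arn)):
            return True
    return False


def can_assume(trust_policy, caller, mfa_present=False):
    """An explicit Deny in any statement wins; otherwise any Allow grants; otherwise deny."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _listify(stmt["Action"])):
            continue
        if not _principal_matches(stmt["Principal"], caller):
            continue
        want_mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if want_mfa is not None and (want_mfa == "true") != mfa_present:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def session_duration_ok(requested_seconds, role_max_session=3600):
    """DurationSeconds must lie within [15 min, the role's MaxSessionDuration]."""
    ceiling = min(role_max_session, MAX_SESSION_SECONDS)
    return MIN_SESSION_SECONDS <= requested_seconds <= ceiling


if __name__ == "__main__":
    caller = {"arn": "arn:aws:iam::111122223333:user/ci-runner"}
    print("ci-runner without MFA:", can_assume(DEPLOY_ROLE_TRUST_POLICY, caller))
    print("ci-runner with MFA:   ", can_assume(DEPLOY_ROLE_TRUST_POLICY, caller, mfa_present=True))
```

Note the second statement: trusting `arn:aws:iam::444455556666:root` does not mean "the root user of that account", it means every principal in that account that is itself allowed to call sts:AssumeRole, which is why the explicit Deny for the intern user is needed to carve one of them out.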

IAM Policy

IAM policies are used to define permissions for actions.

Whether an action is performed programmatically (API, CLI, SDK) or through the AWS Management Console, the same policy governs whether that action is allowed or denied.

Identity-based policy

These are policies that are attached to IAM identities that grant permissions to that identity.

A policy is a JSON-formatted document that is used to outline what is and is not allowed for the identity.

Example: This is where you say yes to launching a virtual server or no to deleting the S3 Bucket.

Policies also allow for you to get very granular with the types of permissions you provide.

It is always recommended to grant the least privilege needed, which means making policies as granular as the task allows.

With IAM, your policies are evaluated whenever you try to perform an action with your credentials. If no policy allows the action, the request is denied (an implicit deny), and if any policy explicitly denies it, the request is denied even if another policy allows it.

Let's look at a sample policy, the AWS managed policy AmazonS3FullAccess.

First, you see the Version element. It specifies the policy language syntax rules used to process the policy. It is required and should always be set to the current version, "2012-10-17"; omitting it makes IAM fall back to an older version in which policy variables are not supported.

Next, the Statement element is the main section of a policy. It can contain a single statement or an array of individual statement elements. The core components of each statement in an identity-based policy are Effect, Action, and Resource, and each one provides a part of the picture for defining permissions.

Effect specifies whether the statement results in an allow or an explicit deny. The only acceptable values are Allow and Deny.

Below that is Action. This part describes the specific action or actions that will be allowed or denied. Each AWS service has its own set of actions that describe tasks that you can perform with the service.

The last element we see here is Resource. This piece describes the object or objects that this statement covers, and is specified through a resource's Amazon Resource Name or ARN.

As you see, the Resource element here is * (a wildcard), and the Action is s3:*, so the statement grants every S3 action on every resource in the account.

Hopefully you can see how this could be risky. This is why least-privilege access is encouraged: use wildcards sparingly, and scope them to a service prefix (s3:Get*) or a bucket ARN rather than everything.

Both the Resource and the Action elements permit wildcards.

Users should only be given the access they need, and only when they need it.
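To make the evaluation rules concrete, the block below is an added example, not code from the article or from AWS. It embeds the AmazonS3FullAccess policy document as published in 2021 (AWS has since added s3-object-lambda:* to the managed policy) next to a constructed least-privilege alternative for a hypothetical app-uploads bucket, and evaluates requests against them the way the text describes: an explicit Deny anywhere wins, otherwise any matching Allow grants, otherwise the request is implicitly denied. Action matching is case-insensitive and resource matching is case-sensitive, as in IAM; NotAction, NotResource and Condition are not modelled.

```python
import json
import re

# AmazonS3FullAccess as published in 2021 (reproduced from the AWS managed policy).
S3_FULL_ACCESS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
""")

# Constructed least-privilege policy for an app that only needs one bucket:
# read and write objects under one prefix, list the bucket, never delete the bucket.
APP_BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::app-uploads/incoming/*"},
   {"Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::app-uploads"},
   {"Effect": "Deny",
    "Action": "s3:DeleteBucket",
    "Resource": "*"}
 ]}
""")


def _wild(pattern, value, ignore_case):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _listify(value):
    return [value] if isinstance(value, str) else list(value)


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request across all attached policies."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wild(a, action, True) for a in _listify(stmt.get("Action", []))):
                continue
            if not any(_wild(r, resource, False) for r in _listify(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny always wins, stop looking
            decision = "Allow"         # keep scanning: a later Deny can still override
    return decision


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::app-uploads/incoming/photo.jpeg"),
        ("s3:GetObject", "arn:aws:s3:::prod-backups/db.dump"),
        ("s3:DeleteBucket", "arn:aws:s3:::app-uploads"),
    ]:
        print(f"{action:16} {resource:48} full={evaluate([S3_FULL_ACCESS], action, resource):12} "
              f"least={evaluate([APP_BUCKET_POLICY], action, resource)}")
```

The last case in the demo is the one worth remembering: attaching AmazonS3FullAccess alongside the least-privilege policy does not widen the deny, because the explicit Deny on s3:DeleteBucket overrides the Allow from the broader policy.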

Identity Federation

Identity federation is a way to delegate authentication of a user to a trusted external system.

An external user who is trusted in AWS through this method is called a federated identity.

In AWS, both AWS Single Sign-On (renamed AWS IAM Identity Center in 2022) and AWS IAM support federation.

AWS Single Sign-On

AWS Single Sign-On, also known as AWS SSO (now AWS IAM Identity Center), is a service that provides one central location to manage identities and access to multiple AWS accounts and business applications.

It can function as an AWS native identity provider, or you can also configure it so that it trusts externally authenticated identities provided by your IdP.

This way, a user needs to sign in only once with their IdP and, having authenticated, can then log in to their accounts through IAM roles that AWS SSO provisions and authorizes.

Both AWS SSO and AWS IAM support the industry-standard SAML 2.0 (Security Assertion Markup Language) to establish trust and exchange identity information between them and your IdP. IAM also supports OpenID Connect (OIDC) providers for web identity federation.

Amazon Elastic Compute Cloud- EC2

In AWS, the servers are virtual and they’re called Amazon EC2 instances.

Advantages of EC2

The first advantage is that you can modify the number of resources, you have at a moment’s notice.

You can resize the instances to better meet spikes in traffic or demand.

For example, you can scale up to a larger instance as you need more compute power and scale down to a smaller size when demand goes down.

The other advantage is that you only pay for what you use. When your instances are running, you pay for them; when your instances are stopped, you do not pay for the instance hours (attached EBS volumes and Elastic IP addresses are billed separately).

Amazon Simple Storage Service-S3

This service allows you to store and retrieve any amount of data at any time from anywhere.

The data in S3 is referred to as an object. That is what you are storing: objects. Be it a video file, an image, a text file, or application components, they are all objects.

These objects are stored and organized in what are called buckets.

A bucket is a container for the objects stored in S3. Every object is contained in a bucket, and bucket names are globally unique across all AWS accounts.

For example, if you have an image file named photo.jpeg, once uploaded it would be stored as an object in a bucket.

Each bucket has unlimited storage and serves purposes such as account identification, access control, and aggregation for reporting.

S3 also provides granular security to control who and what has access to the items being stored by you in S3 and what actions those with access are able to take

S3 also provides options to help you control the durability and availability of the data you’re storing, as well as methods to help you upload and serve the data faster and from a variety of locations around the world.

AWS Command Line Interface, or CLI

Everything you do in AWS, including through the console, is ultimately done as an API call.

The AWS Command Line Interface, or CLI, is one of the easiest and most direct ways to make the API calls you need.

The command used to set up credentials and a default region is aws configure. It stores access keys in ~/.aws/credentials and region and profile settings in ~/.aws/config. After configuring, aws sts get-caller-identity shows which principal (account, user or assumed role) your credentials resolve to.
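Because roles are preferred over users, a practitioner usually keeps one profile with long-term keys and several role profiles that chain off it. The block below is an added example (not from the article or the AWS CLI source) that parses a constructed ~/.aws/config using the CLI's real profile keys (role_arn, source_profile, mfa_serial, duration_seconds) and walks a profile back to the keys it ultimately relies on. Account IDs and role names are hypothetical.

```python
import configparser

# Constructed ~/.aws/config: one keyed profile, one MFA-gated admin role on top of it,
# and a read-only role in a second account assumed from the admin role.
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile admin]
role_arn = arn:aws:iam::111122223333:role/Administrator
source_profile = default
mfa_serial = arn:aws:iam::111122223333:mfa/micky
duration_seconds = 3600

[profile prod-readonly]
role_arn = arn:aws:iam::444455556666:role/ReadOnly
source_profile = admin
"""


def _section(name):
    # The CLI names every non-default profile "profile <name>" in ~/.aws/config.
    return "default" if name == "default" else f"profile {name}"


def resolve_chain(config_text, profile):
    """Follow source_profile links from `profile` to the profile holding long-term keys.

    Returns (hops, needs_mfa, role_hops): the profile names in order, whether any hop
    requires an MFA code, and how many role assumptions the chain performs.
    """
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    hops, seen, needs_mfa, role_hops = [], set(), False, 0
    name = profile
    while True:
        section = _section(name)
        if name in seen:
            raise ValueError(f"source_profile cycle at {name!r}")
        if not cp.has_section(section):
            raise ValueError(f"profile {name!r} not found")
        seen.add(name)
        hops.append(name)
        needs_mfa = needs_mfa or cp.has_option(section, "mfa_serial")
        if not cp.has_option(section, "role_arn"):
            return hops, needs_mfa, role_hops
        role_hops += 1
        name = cp.get(section, "source_profile")


if __name__ == "__main__":
    for prof in ("default", "admin", "prod-readonly"):
        print(prof, "->", resolve_chain(SAMPLE_CONFIG, prof))
```

Two caveats the resolution makes visible: prod-readonly performs two role assumptions (role chaining), and STS caps chained sessions at one hour regardless of the role's maximum session duration, so the duration_seconds = 3600 on admin is the most that chain can get; and any mfa_serial anywhere in the chain means the CLI will prompt for a code before the first assumption.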

Question Time

You have a few employees all working out of the same AWS account. You want some of those employees to be able to modify your EC2 instance, but your other employees should only be able to view it. How can you restrict access on a per-user basis?

Answer: Through IAM. Put the two sets of employees into two groups, attach a policy allowing EC2 modifying actions to one group and a read-only EC2 policy to the other.

IAM identities can be a user, group, or role. Access management (the policies) is the glue that connects them to the resources that need to be accessed.
