“AWS IAM” service, ignored by Devs, but the most Critical AWS Service
Aug 26, 2017 · 2 min read
- Root Account use should be REMOVED or Disabled !!
- When we create a New User, that User does not have Access to any AWS API or Service
- Create Multiple Users — having different Permissions
- Assign Credentials and Permissions to each User
- Assign Permissions to Groups, not Users (Best Practice)
- Use MFA for User Authentication process (Best Practice)
- Users can use Access Keys to access AWS REST API or CLI
- Policy is a document that formally states one or more Permissions
- We can assign a Policy to a User, Groups or Roles
- We can assign Roles only to AWS Services !! not to Users/Groups
- By using Cross Account access feature, we can assign a Role indirectly — to a User or Group, using “Assume Role” attribute inside the IAM Policy document
- Grant Least Privilege to a User (Best Practice): lock down the access
- If the User uses only the AWS Console, then do not create the Access Keys for that User
- Do not use *.* in your IAM Policy document (Best practice)
- Use AWS provided Policy doc templates (Best practice)
- Use a Strong password Policy
- Assign IAM Roles to EC2 Instances (Best Practice)
- If your Apps running inside EC2 instances need to access other AWS Services or Resources, assign IAM Roles to those EC2 instances
- Do not Store AWS Access Keys into EC2 instances !!
- Do not embed AWS Access Keys into AMI images !!
- Key Rotation required (Best Practice)
- Every IAM Role has these attributes: Name, Type, AccessKeyID, SecretAccessKey, Token, ExpiryTime (Temporary Credentials)
- If you are assigning IAM Roles to EC2, then always use the AWS SDK inside EC2 (Best practice)
- IAM Role == Temporary Security Credentials (AccessKey, Secret, Token) to access selected AWS Services, based on the Access given to this Role
- We can call the AWS API using the Temporary security credentials of an IAM Role
- How to use Roles in Cross account access? If we have a single User managing Multiple AWS Accounts, the User can use the same Username and Password to access multiple AWS accounts with the help of IAM Roles
- A User can Assume multiple IAM Roles to access multiple AWS accounts, so the User does not need to remember multiple Security Credentials !!
- IAM Roles for EC2 automatically rotate Credentials (via STS)
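As an added example (not code from the original post), a small Python check for the "Do not use *.*" and Least Privilege bullets above: it flags Allow statements in an IAM policy document that rely on wildcard Action/Resource, using constructed sample policies (the account id and role name are placeholders).

```python
import json

# Constructed sample policy documents (not from the original post).
FULL_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
RESOURCE_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",  # single statement given as a dict, not a list
    "Statement": {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        # cross-account access: allow assuming one specific role (placeholder account id)
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111122223333:role/ReadOnlyRole"},
        # an explicit Deny with wildcards is a guardrail, not a finding
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _wildcard_action(actions):
    # "*" grants every action; "s3:*" grants every action of one service
    return any(a == "*" or a.endswith(":*") for a in actions)

def find_wildcard_allows(policy_json):
    """Return (statement index, severity) for each Allow statement that relies
    on wildcards: 'critical' = every action on every resource (the *.* case),
    'warning' = wildcard on only one side. NotAction/NotResource are not checked."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wild_action = _wildcard_action(_as_list(stmt.get("Action")))
        wild_resource = "*" in _as_list(stmt.get("Resource"))
        if wild_action and wild_resource:
            findings.append((i, "critical"))
        elif wild_action or wild_resource:
            findings.append((i, "warning"))
    return findings

if __name__ == "__main__":
    print(find_wildcard_allows(FULL_WILDCARD_POLICY), find_wildcard_allows(SCOPED_POLICY))
```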
Inside an EC2 instance, get access to IAM Role information (Roles assigned to your EC2 instance):
- GET http://169.254.169.254/latest/meta-data/iam
- GET http://169.254.169.254/latest/meta-data/iam/security-credentials
- GET http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_ROLENAME
