“AWS IAM” service, ignored by Devs, but the most Critical AWS Service

Docker Turtle
Aug 26, 2017 · 2 min read
  1. Use of the Root Account should be REMOVED or Disabled !!
  2. When we create a New User, that User does not have Access to any AWS API or Service
  3. Create Multiple Users, each having different Permissions
  4. Assign Credentials and Permissions to each User
  5. Assign Permissions to Groups, not Users (Best Practice)
  6. Use MFA for the User Authentication process (Best Practice)
  7. Users can use Access Keys to access the AWS REST API or CLI
  8. A Policy is a document that formally states one or more Permissions
  9. We can assign a Policy to Users, Groups or Roles
  10. We can assign Roles only to AWS Services !! not to Users/Groups
  11. By using the Cross Account access feature, we can assign a Role indirectly to a User or Group, using the “Assume Role” attribute inside the IAM Policy document
  12. Grant Least Privilege to a User (Best Practice): lock down the Access
  13. If the User uses only the AWS Console, then do not create Access Keys for that User
  14. Do not use *.* in your IAM Policy document (Best practice)
  15. Use AWS provided Policy doc templates (Best practice)
  16. Use a Strong password Policy
  17. Assign IAM Roles to EC2 Instances (Best Practice)
  18. If your Apps running inside EC2 instances need to access other AWS Services or Resources, assign IAM Roles to the EC2 instances
  19. Do not Store AWS Access Keys on EC2 instances !!
  20. Do not embed AWS Access Keys in AMI images !!
  21. Key Rotation is required (Best Practice)
  22. Every IAM Role has these attributes: Name, Type, AccessKeyID, SecretAccessKey, Token, ExpiryTime (Temporary Credentials)
  23. If you are assigning IAM Roles to EC2, then always use the AWS SDK inside EC2 (Best practice)
  24. IAM Role == Temporary Security Credentials (AccessKey, Secret, Token) to access selected AWS Services, based on the Access given to this Role
  25. We can call the AWS API using the Temporary security credentials of an IAM ROLENAME
  26. How to use Roles in Cross account access? If we have a single User managing Multiple AWS Accounts, the User can use the same Username and Password to access multiple AWS accounts with the help of IAM Roles
  27. A User can Assume multiple IAM Roles to access multiple AWS accounts, so the User does not need to remember multiple Security Credentials !!
  28. IAM Roles for EC2 automatically rotate Credentials (via STS)

Inside an EC2 instance, IAM Role information (the Roles assigned to your EC2 instance) can be retrieved from the instance metadata endpoints:

  1. GET http://169.254.169.254/latest/meta-data/iam
  2. GET http://169.254.169.254/latest/meta-data/iam/security-credentials
  3. GET http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_ROLENAME
