Identity and Access Management (IAM) (Part 1)

Rahul Venati
4 min readSep 26, 2019


IAM is one of the key services in AWS. It is used to manage AWS users and what they are allowed to do with AWS resources. When we first create an AWS account we get the root user. It is not a good idea to use the root user for day-to-day work because it has unrestricted access to every resource in the account and its permissions cannot be limited by an IAM policy. So let us learn how to create separate users and assign them only the permissions they need using IAM.

AWS IAM ICON

Now let us look at the IAM best practices AWS recommends. Log in to your AWS Console and open IAM, listed under Security, Identity & Compliance. This is what the IAM dashboard looks like.

Screenshot from AWS console

The security status shown on the dashboard of a fresh account is poor. It is good practice to satisfy every item of the checklist AWS suggests. Out of the five items, one is already satisfied when the account is created (a new account has no root access keys). Now let us work through the remaining items one by one.

Activating MFA for the root account:

The root account is the identity we used to create the AWS account. MFA stands for Multi-Factor Authentication. MFA adds a second factor to the login: a 6 digit code that is derived from a secret shared with your device and that changes every 30 seconds. Whenever you want to log in as root you have to provide the current 6 digit code in addition to the password, so a stolen password alone is no longer enough to get in.

We can set up MFA in two ways: with a hardware device (a dedicated token or a U2F security key) or with a virtual device. Here we will use Google Authenticator as a virtual MFA device to activate MFA.

Once you choose Activate MFA from the dashboard, a window pops up asking which type of MFA device to use. Here we are using a virtual MFA device.

Screenshot from AWS console

Then a new window shows a QR code. Install the Google Authenticator app on your phone and scan this QR code. The QR code encodes the secret key of the device, so treat it like a password: do not screenshot it or share it. After scanning, the app shows a 6 digit code that changes every 30 seconds. To activate MFA for the first time we have to enter two consecutive 6 digit codes from Google Authenticator; this proves that the app holds the right secret and that its clock is in sync with AWS. Once we enter those two codes MFA is activated for the root account. Keep a copy of the secret key shown during setup (Show secret key) in a secure place such as a password manager, because if the phone is lost the root user cannot log in without going through the AWS account recovery process.
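To make the "changing 6 digit code" concrete, here is an added example (not code from the article or from AWS) of how a virtual MFA device computes its codes: TOTP per RFC 6238, which is HOTP (RFC 4226) with the counter set to the number of 30-second steps since the Unix epoch. The secret below is a constructed one, the RFC reference key encoded in base32 the way AWS shows it under "Show secret key"; it is not a real AWS secret. The verify() function is the check a server performs, with a one-step tolerance for clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the RFC 4226/6238 reference key "12345678901234567890"
# in base32 (the encoding AWS shows during virtual MFA setup). Not a real secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros, the code is a string


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    30-second steps and 6 digits are what AWS virtual MFA and Google Authenticator use."""
    secret = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    return hotp(secret, int(at_time) // step, digits)


def two_consecutive_codes(secret_b32: str, at_time: float, step: int = 30) -> tuple:
    """The pair AWS asks for when activating a device: the current code and the next one."""
    return totp(secret_b32, at_time, step), totp(secret_b32, at_time + step, step)


def verify(secret_b32: str, submitted: str, at_time: float,
           step: int = 30, drift_steps: int = 1) -> bool:
    """Server-side check. Accepts the neighbouring steps to tolerate small clock drift and
    compares in constant time so a wrong guess leaks nothing through timing."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret_b32, at_time + k * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("current and next code:", two_consecutive_codes(DEMO_SECRET_B32, now))
    print("valid right now:", verify(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, now), now))
```

Because the code depends only on the shared secret and the clock, anyone who obtains the secret (for example from a screenshot of the QR code) can generate valid codes forever; that is why the secret, not just the phone, has to be protected.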

The next item on the checklist is creating IAM users.

Creating IAM users:

Now navigate to Users on the IAM dashboard and choose Add user. Here we fill in details such as the user name, the kind of access the user gets (programmatic access with an access key, AWS Management Console access with a password, or both) and the initial password. Most of the options here are self-explanatory; choose whatever fits your need, but give a user only the kind of access it actually needs: a person who works in the console does not need an access key.

Once we give all the details, the next step is to assign permissions to the user. AWS provides managed policies that we can attach directly, and we choose the one that fits the user. As I am creating an admin user, I attach the AdministratorAccess policy.

Screenshot from AWS console

The next step is adding tags to the user, and this is optional. A tag has two fields, a key and a value. Tags hold additional information such as email or job role. In this example, I am creating a tag with the key Name and the value admin user.

Screenshot from AWS console

After entering the tags, we review all the information we gave and then create the user. A window then shows the details of the newly created user, including the access key ID and secret access key if programmatic access was chosen. We can download them as a CSV file (AWS also offers to email sign-in instructions). This is the only time AWS shows the secret access key. We must not share the access key ID and secret access key with anyone: with them, anyone can call the AWS API as that user from the CLI or an SDK (they are not console credentials, but they grant the same permissions). Store them in a secrets manager rather than in email or a shared drive.

If a new IAM user has to log in to the console they have to use the account's sign-in URL shown on the IAM dashboard, of the form https://<account-id>.signin.aws.amazon.com/console (or the same with an account alias), instead of the generic AWS Management Console sign-in page, because an IAM user signs in with the account ID or alias in addition to the user name and password.
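The same steps can be scripted. The following is an added example, not code from the article, that performs what the Add user wizard does through boto3 (assumed installed, with credentials of an identity allowed to manage IAM): create the user with its tags, attach a managed policy, set a console password that must be changed at first login, and create an access key only when programmatic access was explicitly requested. The `iam` argument is a boto3 IAM client; because it is passed in, the function can be exercised with a stand-in object that records calls, without touching AWS. The account ID and user name used in the main block are assumptions.

```python
import secrets
import string

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
PASSWORD_SYMBOLS = "!@#$%^&*()-_=+"


def generate_password(length: int = 20) -> str:
    """Random initial password that satisfies a strict account password policy
    (upper, lower, digit, symbol). The user is forced to change it at first login."""
    alphabet = string.ascii_letters + string.digits + PASSWORD_SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in PASSWORD_SYMBOLS for c in pw)):
            return pw


def create_user(iam, account_id: str, user_name: str, policy_arn: str, tags: dict,
                console_access: bool = True, programmatic_access: bool = False) -> dict:
    """Mirrors the Add user wizard: user + tags, policy attachment, console password,
    and an access key only if programmatic access was explicitly requested."""
    create_kwargs = {"UserName": user_name}
    if tags:
        create_kwargs["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    iam.create_user(**create_kwargs)

    # A new user has no permissions at all; this attachment is the explicit grant.
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)

    result = {
        "user_name": user_name,
        "policy_arn": policy_arn,
        # IAM users sign in at the account-specific URL shown on the IAM dashboard,
        # not at the generic console sign-in page.
        "sign_in_url": f"https://{account_id}.signin.aws.amazon.com/console",
        "initial_password": None,
        "access_key_id": None,
    }
    if console_access:
        password = generate_password()
        iam.create_login_profile(UserName=user_name, Password=password,
                                 PasswordResetRequired=True)
        result["initial_password"] = password
    if programmatic_access:
        key = iam.create_access_key(UserName=user_name)["AccessKey"]
        result["access_key_id"] = key["AccessKeyId"]
        # AWS returns the secret exactly once; hand it over out of band and never log it.
        result["secret_access_key"] = key["SecretAccessKey"]
    return result


if __name__ == "__main__":
    import boto3  # assumed installed; needs credentials allowed to manage IAM

    account = boto3.client("sts").get_caller_identity()["Account"]
    created = create_user(boto3.client("iam"), account, "admin-user",
                          ADMIN_POLICY_ARN, tags={"Name": "admin user"})
    print("sign in at", created["sign_in_url"], "as", created["user_name"])
```

Note that IAM is a global service, so the same calls work regardless of the region the client is configured for, and the user created with AdministratorAccess should get its own MFA device as soon as it first logs in.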

Few important points to remember :

  • We should not use the root account for daily work. Creating an IAM user and giving it only the permissions it needs is the best practice.
  • When you create any user in AWS it has no permissions initially; everything is denied until we explicitly grant permissions.
  • IAM is a global service; users, groups and policies are not restricted to one region.

In the next article we will discuss creating groups, assigning policies to groups, and roles.


EdTech Enthusiast | Learning and Blogging about New Tech