Enhancing AWS Security with IAM

Srikant
7 min read · Nov 17, 2023


Hello, Connections…

In this blog, I will walk through the key features and components of AWS IAM, and how to secure an AWS account and its resources by following IAM best practices.

Before moving to the IAM service, I will briefly describe some of the popular security services provided by AWS (Amazon Web Services).

> IAM (Identity and Access Management)

IAM is the core AWS service for controlling who can access which AWS resources, and how. With IAM we manage users, groups, roles and the permission policies attached to them, so that only authorized principals can call AWS services, and it is integrated with every AWS service. IAM performs three key tasks: identification (who the principal claims to be), authentication (proving that identity) and authorization (deciding whether the authenticated principal may perform the requested action on the requested resource).

(Figure: IAM overview. Source: AWS official documentation)

> Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts, workloads, and data for malicious activity. It identifies threats by analyzing AWS CloudTrail events, VPC Flow Logs and DNS logs (plus optional sources such as S3 data events) in near real time, and raises findings such as compromised credentials or instances talking to known-bad IP addresses.

> Amazon Macie

Amazon Macie is a data security service that uses machine learning and pattern matching to discover sensitive data (such as personal data and credentials) at scale in Amazon Web Services (AWS). It mainly supports Amazon Simple Storage Service (Amazon S3), where it also reports buckets that are publicly accessible, unencrypted, or shared outside the account.

> AWS KMS(Key Management Services)

AWS Key Management Service (KMS) is one of the key services in Amazon Web Services (AWS) that lets users create, control, and manage the cryptographic keys used by their applications and by other AWS services; it integrates with most AWS services. KMS keys are used for encryption, decryption, signing, and verification, and for generating the data keys with which other services encrypt data (envelope encryption). Access to each key is governed by its key policy, which is itself an IAM-style JSON policy.

> Amazon Inspector

Amazon Inspector is an automated vulnerability management service that continuously scans AWS workloads (EC2 instances, container images in ECR, and Lambda functions) for software vulnerabilities and unintended network exposure. It is designed to help improve the security and compliance of deployed applications.

The key components of AWS IAM (Identity and Access Management)


Advantages of IAM

> Better Security

> Data Sharing (Information)

> User-friendly Access

> Cost Effective

IAM Key Components

Access Management-

Access management is the part of IAM that decides each request: after the caller's identity has been verified, IAM evaluates the policies that apply to that principal and allows or denies the request accordingly.

Permissions:

To manage access permissions within an AWS account, the administrator attaches permissions policies to IAM identities such as users, groups, and roles.

Authentication and Authorization:

IAM provides both authentication and authorization. Authentication validates the identity of the principal signing in or signing an API request. Authorization is the process of checking whether that authenticated principal has the necessary permissions to perform the requested action on the requested AWS resource.

Users-
Using the IAM service we can create and manage IAM users. Each user can be given permissions that allow or deny access to AWS resources; a user may have a console password, access keys, or both, and those are long-term credentials that must be protected and rotated.

Groups-
Using the IAM service we can create and manage IAM user groups. A group collects users that need the same permissions; policies attached to the group apply to every user in it.

IAM Roles-

IAM roles are identities that can be assumed by users, applications, or AWS services to obtain temporary access to resources. Unlike a user, a role has no long-term credentials (no password and no access keys); assuming a role returns short-lived credentials from AWS STS. There are four common ways a role is used in IAM.

Service Role-

A service role is assumed by an AWS service (for example an EC2 instance profile or a Lambda execution role) so that the service can act on your resources on your behalf, limited to the permissions defined in the role's policies.

Service-Linked Role-

A service-linked role is predefined by the service that needs it and carries exactly the permissions that service requires to work properly. The linked service creates the role when it is needed and deletes it when it is no longer in use, and its permissions cannot be modified by you.

Cross-Account Access-

This role allows principals in one AWS account to access resources in another AWS account. For cross-account access we create the role in the account that owns the resources, and its trust policy names the other account as a trusted principal.

Identity Provider Access-

This role is used for identity federation: users authenticated by an external identity provider (SAML 2.0 or OpenID Connect) assume the role and receive temporary AWS credentials, so no IAM user has to be created for them.
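The cross-account and identity-provider roles above both hinge on the role's trust policy, which decides who may assume the role. The following is an added example (not code from the post or from AWS) that builds such a trust policy and checks it for the two mistakes that matter most: a wildcard principal and, for third-party access, a missing sts:ExternalId condition. The account ID 111122223333, the role name and the external ID are placeholders.

```python
"""Build and sanity-check the trust policy of a cross-account IAM role.

Added example for this post, not AWS sample code. Account ID 111122223333,
the role name and the external ID are made-up placeholders.
"""
import json

POLICY_VERSION = "2012-10-17"


def build_cross_account_trust_policy(trusted_account_id, external_id="", require_mfa=False):
    """Return the trust policy (AssumeRolePolicyDocument) of a role in our
    account that principals in trusted_account_id may assume.

    The trust policy decides WHO may assume the role; the role's permissions
    policies decide WHAT the assumed role may do.
    """
    statement = {
        "Effect": "Allow",
        # Trusting the account root delegates to that account's own IAM: its
        # users/roles still need sts:AssumeRole on our role in their policies.
        "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account_id},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        # Required when a third party assumes the role on behalf of several
        # customers: without it the confused-deputy problem applies.
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def check_trust_policy(policy, third_party=False):
    """Return a list of findings; an empty list means the trust policy looks sane."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        condition = stmt.get("Condition", {})
        if "*" in aws and not condition:
            findings.append("trusts any principal (*) with no Condition: anyone can assume the role")
        if third_party and "sts:ExternalId" not in condition.get("StringEquals", {}):
            findings.append("third-party trust without an sts:ExternalId condition (confused deputy)")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "sts:*") for a in actions):
            findings.append("wildcard Action: allow only the sts:AssumeRole* action that is needed")
    return findings


if __name__ == "__main__":
    trust = build_cross_account_trust_policy("111122223333", external_id="example-ext-id")
    print(json.dumps(trust, indent=2))
    print("findings:", check_trust_policy(trust, third_party=True))

    import boto3  # live calls below; only run them with real AWS credentials
    iam = boto3.client("iam")
    iam.create_role(RoleName="PartnerReadOnly", AssumeRolePolicyDocument=json.dumps(trust))
    iam.attach_role_policy(RoleName="PartnerReadOnly",
                           PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess")
    # The partner then calls, from account 111122223333:
    #   boto3.client("sts").assume_role(RoleArn="arn:aws:iam::<our-account-id>:role/PartnerReadOnly",
    #                                   RoleSessionName="partner", ExternalId="example-ext-id")
```

The permissions policy attached with attach_role_policy is what the assumed session can do; the trust policy alone grants nothing beyond the right to assume.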

Policies-

Resource-Based Policies-
Resource-based policies are JSON policies attached to AWS resources, such as Amazon S3 buckets, Amazon SQS queues, or AWS KMS keys (Amazon EC2 instances do not support them). Because they name the principal explicitly, they can grant access to principals in other accounts.

Identity-Based Policies-
Identity-based policies are attached to an IAM identity (a user, group, or role) and define what that identity is allowed to do and on which resources.

Managed policies-
Managed policies are standalone policies that can be reused and attached to multiple identities. AWS supplies many AWS managed policies (for example ReadOnlyAccess), and organizations also create their own customer managed policies.

Inline policies-
Inline policies are embedded directly in a single IAM identity. They are not reusable, cannot be attached to other entities, and are deleted together with the identity.

Access Analyzer-

IAM Access Analyzer helps to validate and manage policies. It checks policy syntax and flags overly permissive statements, identifies resources (such as S3 buckets, KMS keys, and IAM roles) whose resource-based policies grant access to principals outside your account or organization, and can generate a least-privilege policy from the activity recorded in AWS CloudTrail logs.

IAM Tools

Single Sign-On(SSO)

AWS Single Sign-On (SSO), now called AWS IAM Identity Center, lets users sign in once and access multiple AWS accounts and cloud applications with a single set of credentials. It provides access to third-party applications as well. Identity Center manages its own workforce users and groups (or takes them from an external identity provider) rather than IAM users, and assigns them permission sets that become roles in each account. There is no additional charge for the service.

MFA(Multi Factor Authentication)

MFA is a security feature in IAM that adds a second layer of protection to IAM authentication. Along with the password, the user must present a second factor, such as a time-based one-time code from an authenticator app or hardware TOTP token, or a FIDO security key or passkey, to sign in to the AWS account.

Anomaly Detection

IAM itself does not include an anomaly detection feature; in AWS, misuse of credentials is detected by the services around it. Amazon GuardDuty analyzes CloudTrail events to flag unusual IAM activity (for example API calls from an unexpected location, or instance credentials used from outside AWS), and AWS CloudTrail Insights flags unusual spikes in API call volume. Both rely on monitoring signals such as the rate and pattern of API calls and sign-ins rather than on any single event.

IAM Best Practices

> Avoid using the root account for everyday tasks; protect it with MFA and remove any root access keys.
> Provide temporary credentials (roles, AWS STS) to access AWS resources rather than long-term keys.
> Add an additional security layer with MFA (Multi-factor Authentication).
> Grant least-privilege permissions: start narrow and widen only based on real usage.
> Add users to groups and attach permissions to the groups rather than to individual users.
> Use IAM Access Analyzer to validate policies and find externally shared resources, and use the IAM credential report to find unused or stale passwords and access keys.
> Set a strong password policy (upper case, lower case, numbers, special characters, and a minimum length).
> Don't share IAM users or access keys between people or applications.
> Rotate passwords and access keys regularly.
> Keep one-time verification codes short-lived (TOTP codes are only valid for a brief time window by design).
> Create and use roles to grant permissions for accessing AWS resources.
> Avoid long-term access keys where possible; if an application must use them, scope them narrowly and rotate them.
> Review users, permissions, and policies regularly against real usage (last-accessed information).
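Several of the practices above (no root access keys, MFA on every console user, rotate and remove stale keys) can be checked from the IAM credential report. The following is an added example for this post, not AWS code: it parses a report and emits findings. SAMPLE_REPORT is constructed for the example and keeps only a subset of the real report's columns; account 111122223333 and the user names are placeholders.

```python
"""Flag weak credentials in an IAM credential report.

Added example for this post, not AWS code. SAMPLE_REPORT is constructed for
the example and keeps only a subset of the real report's columns; account
111122223333 and the user names are placeholders.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2023-11-10T08:12:00+00:00,not_supported,false,true,2021-01-05T10:05:00+00:00,2023-11-01T09:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T09:00:00+00:00,true,2023-11-16T07:30:00+00:00,2023-09-20T11:00:00+00:00,true,true,2023-10-01T12:00:00+00:00,2023-11-15T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-15T09:00:00+00:00,true,2023-11-12T07:30:00+00:00,2023-05-01T11:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-08-10T09:00:00+00:00,false,N/A,N/A,false,true,2022-01-10T12:00:00+00:00,2023-11-16T06:00:00+00:00,true,2023-06-01T12:00:00+00:00,N/A
"""

# Fixed reference time (the post's date) so the example is deterministic.
REPORT_TIME = datetime(2023, 11, 17, tzinfo=timezone.utc)


def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported
    mean there is nothing to parse."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def analyze_credential_report(report_csv, now=REPORT_TIME, max_age_days=90):
    """Return (user, code, detail) findings for root usage, missing MFA, and
    stale or unused access keys."""
    findings = []
    max_age = timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root_no_mfa", "root account has no MFA device"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console_no_mfa", "console password enabled without MFA"))
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue
            if is_root:
                findings.append((user, "root_access_key", "root has an active access key %s" % n))
            rotated = _parse_time(row["access_key_%s_last_rotated" % n])
            if rotated is not None and now - rotated > max_age:
                findings.append((user, "key_too_old",
                                 "access key %s last rotated %d days ago" % (n, (now - rotated).days)))
            last_used = _parse_time(row["access_key_%s_last_used_date" % n])
            if last_used is None:
                findings.append((user, "key_never_used", "access key %s has never been used; delete it" % n))
            elif now - last_used > max_age:
                findings.append((user, "key_unused",
                                 "access key %s not used for %d days" % (n, (now - last_used).days)))
    return findings


if __name__ == "__main__":
    for finding in analyze_credential_report(SAMPLE_REPORT):
        print(*finding)

    import time
    import boto3  # live calls; need iam:GenerateCredentialReport and iam:GetCredentialReport
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    report = iam.get_credential_report()["Content"].decode()
    for finding in analyze_credential_report(report, now=datetime.now(timezone.utc)):
        print(*finding)
```

On the sample data this flags the root account (no MFA, an active and very old access key), bob (console password without MFA) and ci-deploy (two stale keys, one of which has never been used), while alice is clean.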

Let's see how to create a user

> Log in to the AWS Management Console and open the IAM service.

> In the navigation panel, select "Users" and then click "Create user".

> Specify the user details, such as the user name. If the user needs "AWS Management Console" access, select that option (and choose whether to autogenerate a password and require a reset at first sign-in), then click Next.

> Select the permission policies you want to give this particular user, preferably by adding the user to a group rather than attaching policies directly.

> Review the details you chose and finally click on Create user.

> If the user needs programmatic access, create an access key and secret access key for the user afterwards (from the user's "Security credentials" tab); the secret is shown only once, so store it securely.

Creating a user group

> Give the name of the group, add users to the group, attach the policies the group needs, and finally click on Create group.
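The same user-and-group procedure through the IAM API, as an added example for this post (not AWS code): the group is created and gets the managed policy, then the user is created and added to the group, so permissions never land on the user directly. The user, group and tag values are made up; FakeIam is a test double so the function can run without an AWS account, and the key it returns is AWS's documented example key.

```python
"""The console steps above done through the IAM API with boto3.

Added example for this post, not AWS code. The user, group and tag values
are made up; FakeIam is a test double so the function can run without an
AWS account, and the key ID it returns is AWS's documented example key.
"""
import secrets

READ_ONLY_ACCESS = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # an AWS managed policy


def provision_user_in_group(iam, user_name, group_name, policy_arn,
                            console_access=False, programmatic_access=False, owner="unknown"):
    """Create user_name, make sure group_name exists with policy_arn attached,
    and put the user in the group. Returns a summary of what was created."""
    summary = {"user": user_name, "group": group_name, "policy": policy_arn,
               "console": console_access, "access_key_id": None}
    try:
        iam.create_group(GroupName=group_name)
    except iam.exceptions.EntityAlreadyExistsException:
        pass  # reuse the existing group; attaching the policy again is idempotent
    iam.attach_group_policy(GroupName=group_name, PolicyArn=policy_arn)
    iam.create_user(UserName=user_name, Tags=[{"Key": "owner", "Value": owner}])
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    if console_access:
        # One-time password; the user must change it at first sign-in and
        # should enrol an MFA device before doing anything else.
        iam.create_login_profile(UserName=user_name,
                                 Password=secrets.token_urlsafe(24),
                                 PasswordResetRequired=True)
    if programmatic_access:
        key = iam.create_access_key(UserName=user_name)["AccessKey"]
        summary["access_key_id"] = key["AccessKeyId"]
        # key["SecretAccessKey"] is returned exactly once: hand it to the
        # owner through a secrets store, never log or email it.
    return summary


class FakeIam:
    """In-memory stand-in for the boto3 IAM client calls used above (test double)."""

    class exceptions:
        class EntityAlreadyExistsException(Exception):
            pass

    def __init__(self):
        self.groups, self.users, self.login_profiles = set(), set(), set()
        self.group_policies, self.members, self.access_keys = {}, {}, {}

    def create_group(self, GroupName):
        if GroupName in self.groups:
            raise self.exceptions.EntityAlreadyExistsException(GroupName)
        self.groups.add(GroupName)

    def attach_group_policy(self, GroupName, PolicyArn):
        self.group_policies.setdefault(GroupName, set()).add(PolicyArn)

    def create_user(self, UserName, Tags=None):
        if UserName in self.users:
            raise self.exceptions.EntityAlreadyExistsException(UserName)
        self.users.add(UserName)

    def add_user_to_group(self, GroupName, UserName):
        self.members.setdefault(GroupName, set()).add(UserName)

    def create_login_profile(self, UserName, Password, PasswordResetRequired):
        self.login_profiles.add(UserName)

    def create_access_key(self, UserName):
        self.access_keys[UserName] = "AKIAIOSFODNN7EXAMPLE"
        return {"AccessKey": {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
                              "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}


if __name__ == "__main__":
    print(provision_user_in_group(FakeIam(), "alice", "developers", READ_ONLY_ACCESS,
                                  console_access=True, owner="alice@example.com"))
    import boto3  # live call; run with credentials allowed to manage IAM
    print(provision_user_in_group(boto3.client("iam"), "alice", "developers",
                                  READ_ONLY_ACCESS, console_access=True, owner="alice@example.com"))
```

The function takes the client as a parameter so the same code runs against the real boto3 client or the in-memory double; the boto3 method names and keyword arguments are the real ones.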

IAM policy documents are written in JSON

A policy document is built from the following elements:

Version: Specifies the version of the policy language. Always use "2012-10-17", the current version; the older "2008-10-17" does not support policy variables such as ${aws:username}.
Statement: An array of one or more statements; each statement is a single permission rule.
Sid (Statement ID): An optional identifier for the statement.
Effect: Either Allow or Deny. An explicit Deny always wins over any Allow.
Action: The API actions the statement applies to (for example s3:GetObject; wildcards such as s3:Get* are permitted).
NotAction: The inverse of Action: the statement applies to every action except those listed. With Effect Allow this grants everything not listed, so it is easy to over-grant.
Resource: The ARN(s) of the resources the statement applies to.
NotResource: The inverse of Resource: the statement applies to every resource except those listed.
Condition: Optional conditions (for example StringLike on s3:prefix, or Bool on aws:MultiFactorAuthPresent) that must all be true for the statement to apply.
Principal: In resource-based policies, the account, user, role, or service the statement applies to. Identity-based policies do not use it, because the principal is the identity the policy is attached to.

Sample Code - (Source- AWS Official Documentation)

The policy below gives each IAM user a private home/<username>/ folder in a shared bucket: the first statement lets the user list buckets, the second lets the user list the bucket only under the empty, home/ and home/<username>/ prefixes, and the third grants full object access only under home/<username>/. ${aws:username} is a policy variable that is resolved to the calling user's name at evaluation time.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET-NAME",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["", "home/", "home/${aws:username}/"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME/home/${aws:username}",
        "arn:aws:s3:::BUCKET-NAME/home/${aws:username}/*"
      ]
    }
  ]
}
```
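To see how the elements above combine into a decision, here is a minimal policy evaluator, added for this post (not AWS code), run against the sample policy. It reproduces the core rules only: an explicit Deny beats any Allow, otherwise the request is implicitly denied unless some statement allows it; * and ? wildcards; ${...} policy variables; and the StringEquals, StringLike and Bool condition operators. BUCKET-NAME is kept from the sample; the user names and the extra Deny policy are made up for the demonstration.

```python
"""A minimal evaluator for identity-based IAM policies, run on the policy above.

Added example for this post, not AWS code. It reproduces the core evaluation
logic (explicit Deny beats Allow, otherwise implicit deny; * and ? wildcards;
${...} policy variables; StringEquals/StringLike/Bool conditions) and nothing
else. BUCKET-NAME is kept from the page's sample; the user names are made up.
"""
import json
import re

SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
   "Resource": "arn:aws:s3:::*"},
  {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::BUCKET-NAME",
   "Condition": {"StringLike": {"s3:prefix": ["", "home/", "home/${aws:username}/"]}}},
  {"Effect": "Allow", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::BUCKET-NAME/home/${aws:username}",
                "arn:aws:s3:::BUCKET-NAME/home/${aws:username}/*"]}]}
""")

# Extra policy (made up) to show that an explicit Deny overrides the Allow above.
DENY_DELETE_OBJECT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _substitute(text, context):
    """Resolve ${key} policy variables from the request context; unknown
    variables are left as-is, so they never match anything."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(context.get(m.group(1), m.group(0))), text)


def _wild(pattern, value, ignore_case=False):
    """IAM wildcard match: * is any run of characters, ? a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_ok(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # key absent from the request: the condition does not match
            expected = [_substitute(str(e), context) for e in _listify(expected)]
            if operator == "StringEquals":
                ok = str(actual) in expected
            elif operator == "StringLike":
                ok = any(_wild(e, str(actual)) for e in expected)
            elif operator == "Bool":
                ok = str(actual).lower() == expected[0].lower()
            else:
                raise NotImplementedError("condition operator %s" % operator)
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    if "Action" in stmt:  # action names are case-insensitive
        hit = any(_wild(a, action, True) for a in _listify(stmt["Action"]))
    else:  # NotAction: everything except the listed actions
        hit = not any(_wild(a, action, True) for a in _listify(stmt["NotAction"]))
    if not hit:
        return False
    if "Resource" in stmt:  # ARNs are case-sensitive
        hit = any(_wild(_substitute(r, context), resource) for r in _listify(stmt["Resource"]))
    else:  # NotResource
        hit = not any(_wild(_substitute(r, context), resource) for r in _listify(stmt["NotResource"]))
    return hit and _condition_ok(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """Decide one request against all identity-based policies of the caller.
    Returns "Allow", "ExplicitDeny" or "ImplicitDeny"."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            if not _statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends the evaluation
            decision = "Allow"
    return decision


if __name__ == "__main__":
    alice = {"aws:username": "alice"}
    bucket = "arn:aws:s3:::BUCKET-NAME"
    for action, resource, ctx in [
        ("s3:ListBucket", bucket, {**alice, "s3:prefix": "home/alice/"}),
        ("s3:ListBucket", bucket, {**alice, "s3:prefix": "home/bob/"}),
        ("s3:GetObject", bucket + "/home/alice/notes.txt", alice),
        ("s3:GetObject", bucket + "/home/bob/notes.txt", alice),
        ("s3:DeleteObject", bucket + "/home/alice/notes.txt", alice),
    ]:
        print(action, resource, ctx.get("s3:prefix", ""), "->",
              evaluate([SAMPLE_POLICY, DENY_DELETE_OBJECT], action, resource, ctx))
```

Run as alice, listing the bucket under home/alice/ and reading home/alice/notes.txt are allowed, the same requests for bob's folder are implicitly denied because no statement matches, and s3:DeleteObject is explicitly denied by the extra policy even though the third statement of the sample policy would allow it.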

Conclusion

This is a beginner's guide that provides basic knowledge on how to enhance AWS security using IAM. I hope it helps you understand IAM.

Thank You All…

Follow me for more updates on Cloud & Devops topics

