Open in app

Sign in

Write

Sign in

Understanding AWS IAM: A Guide to Secure Access Management

am
AWSome Diary
5 min readMar 19, 2024

--

Amazon Web Services (AWS) Identity and Access Management (IAM) is a crucial component of AWS that helps in managing access to AWS services and resources securely. Through IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. This article provides a comprehensive tutorial on how AWS IAM works, its components, features, and includes examples, commands, and common use cases to help you understand and effectively implement IAM in your AWS environment.

Understanding AWS IAM

IAM enables you to control who is authenticated (signed in) and authorized (has permissions) to use resources. When a request is made to AWS, it goes through two primary steps:

  1. Authentication: The identity making the request must be authenticated using credentials, which can be a username and password, access key ID and secret access key, or temporary tokens for roles and federated users.
  2. Authorization: Once authenticated, IAM checks the policies attached to the identity (user, group, or role) to determine the permissions, granting or denying the request based on the policies.

Components of IAM

  • Users: An entity that you create in AWS to represent the person or application that interacts with AWS.
  • Groups: A collection of users. You can specify permissions for a group, and those permissions are applied to all users in the group.
  • Roles: Roles allow AWS services or users to assume temporary permissions to make AWS service requests. Roles do not have standard long-term credentials (password or access keys) associated with them.
  • Policies: Documents that define permissions and can be attached to users, groups, and roles. Policies are written in JSON format.

Features of IAM

  • Granular Permissions: IAM enables you to grant different permissions to different people for different resources.
  • Secure Access to AWS Resources: IAM provides secure access mechanisms to your AWS resources, including multi-factor authentication (MFA).
  • Free to Use: IAM is a feature of your AWS account offered at no additional charge.

Examples

Creating a New IAM User and Group

aws iam create-user --user-name JohnDoe

Create a New Group

aws iam add-user-to-group --user-name JohnDoe --group-name Developers

Attaching a Policy to a Group

aws iam attach-group-policy --group-name Developers --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Creating and Using IAM Roles

aws iam create-role --role-name my-s3-role --assume-role-policy-document file://trust-policy.json
  • Where trust-policy.json defines which service can assume this role.
  • Using Roles Services or users can assume a role to obtain temporary security credentials to make AWS API calls.

Common Use Cases

  • Multi-factor Authentication (MFA) for Enhanced Security: Enforcing MFA for sensitive operations or access to critical resources.
  • Least Privilege Access: Granting users and services the minimum permissions required to perform their duties.
  • Cross-account Access: Using roles to securely allow users from one AWS account to access resources in another.
  • Temporary Access for Users: Using roles and temporary security credentials for users needing temporary access to resources

Implementing effective security measures and managing access to resources in AWS requires well-defined IAM policies and a clear understanding of use cases. Below are sample use cases and corresponding IAM policy examples for various AWS resources, such as Amazon S3, Amazon EC2, AWS Lambda, and Amazon DynamoDB. These examples demonstrate how to apply the principle of least privilege and secure your AWS environment.

Use Case 1: Restricting Access to a Specific Amazon S3 Bucket

Scenario: You want to allow a group of users access to only a specific S3 bucket named my-app-bucket and permit them to perform all actions (s3:*) within that bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-app-bucket",
                "arn:aws:s3:::my-app-bucket/*"
            ]
        }
    ]
}

Use Case 2: Granting EC2 Instances the Ability to Access Amazon S3

Scenario: Your application running on an Amazon EC2 instance needs to read and write data to an S3 bucket named app-data-bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::app-data-bucket/*"
        }
    ]
}

Attach this policy to an IAM role, and then assign the role to your EC2 instance to grant it the necessary S3 access.

Use Case 3: Allowing Read-Only Access to DynamoDB Tables

Scenario: You have a team of data analysts who need read-only access to specific DynamoDB tables named CustomerData and OrderHistory.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:BatchGetItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/CustomerData",
                "arn:aws:dynamodb:*:*:table/OrderHistory"
            ]
        }
    ]
}

Use Case 4: Managing Lambda Functions

Scenario: You want to allow a group of developers to create, update, and delete AWS Lambda functions, but only within a specific region and for a particular project identified by tags.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:UpdateFunctionCode",
                "lambda:DeleteFunction"
            ],
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-project-*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/project": "my-project"
                }
            }
        }
    ]
}

Use Case 5: Enforcing Multi-Factor Authentication (MFA) for Sensitive Operations

Scenario: Enhance security by requiring MFA for any IAM user to perform sensitive operations, such as terminating EC2 instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        }
    ]
}

These use cases and policies illustrate the flexibility and power of AWS IAM in securing your resources and ensuring that only authorized users have the necessary access. Always test your IAM policies in a safe environment before applying them to production to avoid unintended access issues.

AWS IAM is a powerful tool for managing access to AWS services and resources. By understanding and implementing IAM best practices, such as using roles for cross-account access, enforcing MFA, and adhering to the principle of least privilege, you can enhance the security of your AWS environment. Remember, IAM is a critical aspect of AWS that requires careful planning and management to ensure your resources are secure and only accessible by authorized entities.

AWS
Aws Iam
Iam Roles
Iam Policy
Aws Iam Security

--

--

am
AWSome Diary

Written by am

227 Followers
Editor for

Unapologetically Nerdy. Privacy | Encryption | Digital Rights | FOSS | Video Tech | Security | GNU/Linux. Check out https://git.aloke.tech

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams