Demystifying AWS IAM
If you are a beginner in AWS IAM, please follow
Quick recap: IAM provides us with
- Centralized control in one place
- Shared access to AWS resources
- Multi-factor authentication (MFA)
- Integration with various AWS services
- Identity federation
- Temporary access for different services/users
- Granular permissions
Policy
A policy is an object in AWS that, when associated with an identity or resource, defines its permissions.
In AWS, the policies grouped under identity-based management are:
- AWS managed policies: Fully managed by AWS and assignable to an individual user, group or entity. They are rarely updated by AWS and are available in every AWS account.
- Customer managed policies: Managed by users and fully editable. These policies can be assigned to multiple users, groups or entities and continue to exist even after the last assigned entity is deleted. We can always generate custom policies at https://awspolicygen.s3.amazonaws.com/policygen.html
- Inline policies: These have a one-to-one mapping with a single user, group or role, and the policy is deleted when the assigned entity is deleted. They can be created in the Users section of the IAM page. Please note that AWS does not recommend this type of policy.
We can always test a newly generated policy in the AWS Policy Simulator before committing it to production.
Web Identity Federation
Web Identity Federation gives users access to AWS resources after they have successfully authenticated with an external identity provider (IdP) such as Amazon, Facebook or Google.
Use case: If we want Facebook or Google users to access our AWS resources without having to push AWS IAM credentials onto their systems, Web Identity Federation is the solution.
Amazon Cognito is the recommended identity broker for this use case; it does most of the heavy lifting, particularly for mobile devices.
But if we want to manage federation manually, we have to write code that interacts with a web IdP, such as Facebook, and then calls the AssumeRoleWithWebIdentity API to trade the authentication token we get from that IdP for AWS temporary security credentials.
Access Reports
This is region-specific reporting of unintended resource or data access.
Supported resource types:
- Amazon Simple Storage Service Buckets
- AWS Lambda Functions and Layers
- AWS Identity and Access Management Roles
- Amazon Simple Queue Service Queues
- AWS Key Management Service Keys
So, for instance, if someone has accidentally set an S3 bucket policy that allows an external entity access to a resource, an Access Report is generated notifying the admin of this change. The admin then has the option either to modify the access permissions or to archive the finding to mark it as intended.
The default interval for policy change detection is 30 minutes at the resource level, so if we change a policy and want the change reflected in the Access Report findings before the next scan, we have to re-scan the resource manually.
Please note that as of now only a limited set of AWS regions support this feature, so only resources created in supported regions are monitored.
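As an added example (not code from the original post), here is a simplified version of the check such a report performs on an S3 bucket policy: list the Allow statements whose principal is a wildcard or an account other than our own. The sample policy, the account ids and the function names are constructed for illustration.

```python
import json

# Constructed sample bucket policy (not from the original post). "PublicRead"
# grants s3:GetObject to anyone and "PartnerList" grants access to a second
# account; these are the kinds of external access the report is meant to flag.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnerAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-role"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerList", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})


def principal_accounts(principal):
    """Return the account ids (or '*') named by a statement's Principal element."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    accounts = []
    for entry in [aws] if isinstance(aws, str) else aws:
        if entry == "*" or entry.isdigit():       # wildcard or bare account id
            accounts.append(entry)
        elif entry.count(":") >= 5:               # arn:aws:iam::ACCOUNT:...
            accounts.append(entry.split(":")[4])
    return accounts


def find_external_access(policy_json, trusted_account):
    """Return (Sid, principal) for each Allow statement reaching outside trusted_account.

    Condition blocks are ignored on purpose, so this check over-reports rather
    than misses a grant; the real service also weighs conditions when deciding.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    findings = []
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        external = [a for a in principal_accounts(stmt.get("Principal")) if a != trusted_account]
        if external:
            findings.append((stmt.get("Sid", "<no Sid>"), external[0]))
    return findings
```

Running `find_external_access(SAMPLE_BUCKET_POLICY, "111111111111")` reports the `PublicRead` and `PartnerList` statements while leaving the owner's own statement alone.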