Learn the basics of Amazon AWS IAM

Shreya Sinha
Published in Technology Hits
4 min read, Aug 3, 2021

Manage your company’s AWS account with confidence.


Tour de AWS

In 2003, Benjamin Black and Chris Pinkham of Amazon presented a paper describing a vision for Amazon’s vast computing infrastructure that was completely standardised and completely automated. Near the end, they mentioned the possibility of selling virtual servers as a service, proposing that the company could generate revenue from the new infrastructure investment. For more information, read Benjamin Black’s blog.

Amazon always had many data centres. The servers in these data centres were not being used to their full capacity, so it made sense to offer virtual servers to other companies, start-ups and individuals as a service. This led to the creation of Amazon Web Services (AWS).

Initially, AWS offered services for computing, storage and networking. Unlike traditional server contracts, AWS has no contract: you can terminate a server (or any other resource) whenever you like.

Subscribers (the people or companies who use AWS) pay only for what they use. Once you stop using a service, you pay no additional costs or termination fees, and AWS provides security for all your systems.

Start-ups like Airbnb and Netflix migrated their infrastructure to AWS. Once they began using AWS resources, concerns like maintaining data centres, scalability and traffic distribution were no longer a barrier to their growth.

Netflix, which used to be a start-up, has now become a global entertainment superpower. It was able to become a global company because AWS has servers all over the world; it operates from many geographical locations and offers services that make it easy to serve a customer from anywhere on the planet.

As of 2021, AWS offers services for computing, storage, networking, databases, analytics, application services, deployment, management, machine learning, mobile, developer tools, and tools for the Internet of Things. The most popular include Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (Amazon S3), Amazon Connect, and AWS Lambda (a serverless function service). For more information, see Wikipedia.

AWS Root User

When you create an AWS account, you become the Root User (or Admin) of the account. Through your account, you can manage AWS services, bills, etc.

Suppose you head the cloud team and are the root user of your company’s AWS account. Should your team members also be root users? If too many people know the root password, it is highly likely that it will be leaked or changed in no time. Also, the account is linked to your bank account, so it is not a good idea to have multiple root users.

AWS Solution: IAM

AWS solves this problem with the IAM service. IAM stands for Identity and Access Management. With it you create IAM users: the people or members of your team who will use the AWS account.

IAM users log into the AWS account with their own IAM usernames and passwords; they do not have the rights that the root user has.

As the root user, you assign policies to IAM users; these policies contain permissions that limit the scope of their access to AWS services.

IAM Policy

A policy is a JSON document that consists of the policy version, the policy ID and one or more statements.

Statements define which services or resources the IAM users can and cannot access. Policies attached directly to a single user are called inline policies.

Although inline policies are useful, assigning one to, say, ten people becomes tedious. Instead of assigning the same policy to ten or a hundred people manually, you can create a group.
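The following is an added example, not code from the original post. It builds an inline policy document of the kind described above (version, ID, statements) for a single analyst, plus a broader policy the analyst might inherit from a group, and evaluates requests against both using IAM's core rules: every request is implicitly denied until an Allow statement matches, and an explicit Deny always beats an Allow, whichever policy it comes from. The bucket name, Sid values and policy Id are constructed sample values; Condition, NotAction and NotResource are deliberately left out of the evaluator.

```python
import json
import re

# Added example (not from the post): a minimal IAM policy evaluator that
# shows how statements turn into allow/deny decisions. Sample names below
# (example-reports bucket, Sid/Id values) are constructed for illustration.

def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def evaluate(policies, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request,
    considering every policy that applies to the user (inline + group)."""
    decision = "implicit_deny"          # default: nothing is permitted
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive; ARNs are compared as written.
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            if not any(_wildcard_match(a, action.lower()) for a in actions):
                continue
            if not any(_wildcard_match(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a matching Deny ends evaluation
            decision = "allow"
    return decision

# Inline policy for one analyst: list and read a single reports bucket,
# and never delete anything in S3 even if another policy would allow it.
ANALYST_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Id": "AnalystReadOnlyReports",
    "Statement": [
        {"Sid": "ListReportsBucket", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports"},
        {"Sid": "ReadReportObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "NeverDelete", "Effect": "Deny",
         "Action": "s3:Delete*",
         "Resource": "*"},
    ],
}

# Broad policy the analyst might inherit from a group. The explicit Deny in
# the inline policy still wins over this Allow, which is the point of a Deny.
DATA_TEAM_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

def policy_json(policy):
    """Serialise a policy the way it is pasted into the IAM console."""
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print(policy_json(ANALYST_INLINE_POLICY))
    print(evaluate([ANALYST_INLINE_POLICY], "s3:GetObject", obj))   # allow
    print(evaluate([ANALYST_INLINE_POLICY], "s3:PutObject", obj))   # implicit_deny
    print(evaluate([ANALYST_INLINE_POLICY, DATA_TEAM_GROUP_POLICY],
                   "s3:DeleteObject", obj))                          # explicit_deny
```

Note how the group policy widens what the analyst can do (PutObject becomes allowed) without ever overriding the inline Deny; in a real account the same evaluation also takes Conditions, resource policies and permission boundaries into account.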

IAM Groups

IAM users can be placed in a group, and a policy assigned to the group applies automatically to all of its members.

IAM Password Policy

The root user can define a password policy for IAM users, specifying, for example, how frequently passwords must be changed or which special characters they must contain.
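As an added example (not code from the original post), the block below expresses an account password policy as the keyword arguments that boto3's IAM client takes for update_account_password_policy, and checks a candidate password locally against the same composition rules so it is clear what each setting enforces. The numeric values are sample choices, not figures from the post; applying the policy requires real AWS credentials, so that step only runs when a client is passed in or available in the environment.

```python
import string

# Added example (not from the post). Parameter names match boto3's
# IAMClient.update_account_password_policy; the values are sample choices.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,            # days until a password must be changed
    "PasswordReusePrevention": 24,   # previous passwords that cannot be reused
    "HardExpiry": False,             # True blocks sign-in after expiry
}

# Non-alphanumeric characters IAM counts as symbols (as listed in the IAM
# password-policy documentation; re-check against the current docs).
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

def check_password(password, policy=PASSWORD_POLICY):
    """Return the rules the password violates (empty list means it passes).
    Only composition rules can be checked offline; password age and reuse
    depend on history that IAM keeps for the account."""
    problems = []
    if len(password) < policy["MinimumPasswordLength"]:
        problems.append(f"shorter than {policy['MinimumPasswordLength']} characters")
    if policy["RequireSymbols"] and not any(c in IAM_SYMBOLS for c in password):
        problems.append("no symbol")
    if policy["RequireNumbers"] and not any(c in string.digits for c in password):
        problems.append("no digit")
    if policy["RequireUppercaseCharacters"] and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy["RequireLowercaseCharacters"] and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    return problems

def apply_password_policy(client=None, policy=PASSWORD_POLICY):
    """Apply the policy to the account. Pass a boto3 IAM client created
    with root or IAM-administrator credentials; if none is given one is
    created, which needs AWS credentials in the environment."""
    if client is None:
        import boto3  # imported lazily so the offline checks need no boto3
        client = boto3.client("iam")
    client.update_account_password_policy(**policy)
    return policy

if __name__ == "__main__":
    for candidate in ("password", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate) or "meets policy")
```

Running the file prints which rules the weak sample password breaks; call apply_password_policy() from an administrator session to push the same settings to the account.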

IAM Multi-Factor Authentication

Since passwords can easily be stolen or guessed, IAM provides Multi-Factor Authentication (MFA). If the root user enables MFA for IAM users, they log in with their password plus a one-time code from a physical device such as a mobile phone or a USB security key.

The chances of the MFA device also being stolen are small, so it adds an extra layer of protection to your AWS account.

IAM Roles for Services

Policies can also be assigned, through IAM roles, to AWS services such as EC2 and AWS Lambda. Since services interact with other services, it is a good idea to limit the scope of their access as well.

IAM Security Tools

IAM provides two security tools:

  • IAM Credentials Report: lists the account’s users and the status of their credentials (passwords, access keys, MFA).
  • IAM Access Advisor: shows the service permissions granted to a user and when the user last used each service.

The Shared Responsibility Model for IAM

The shared responsibility model is a document that lists the responsibilities of the root user. The root user is responsible for:

  • Managing IAM users, roles, policies and monitoring.
  • Enabling MFA.
  • Rotating access keys and passwords.
  • Using IAM tools to grant permissions.

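The credential report mentioned under IAM Security Tools is the natural place to check the responsibilities listed above. As an added example (not code from the original post), the block below parses a credential report in the CSV form the IAM console and get_credential_report return and flags users who can sign in without MFA, access keys that have not been rotated within a chosen number of days, and any active access key on the root account. The report embedded here is constructed sample data that uses a subset of the real report's column names; the account ID and user names are made up.

```python
import csv
import io
from datetime import datetime, timezone

# Added example (not from the post). CONSTRUCTED sample credential report:
# a subset of the real report's columns, made-up account id and users.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,2021-01-05T10:00:00+00:00,false,true,2020-06-01T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2021-07-01T08:00:00+00:00,true,true,2021-06-15T12:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2021-02-01T08:00:00+00:00,false,true,2020-11-20T12:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,N/A,false,true,2021-07-20T12:00:00+00:00,true,2021-01-10T12:00:00+00:00
"""

# Moment the audit is run; fixed here (the post's date) so results are stable.
REPORT_TIME = datetime(2021, 8, 3, 12, 0, tzinfo=timezone.utc)

def _age_days(stamp, now):
    """Days since an ISO-8601 timestamp from the report; None when the
    report has no date (N/A, no_information, not_supported)."""
    if stamp in ("N/A", "no_information", "not_supported"):
        return None
    return (now - datetime.fromisoformat(stamp)).days

def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs for every problem found in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # No IAM policy can limit root, so it should not have access keys.
        if is_root and (row["access_key_1_active"] == "true"
                        or row["access_key_2_active"] == "true"):
            findings.append((user, "root account has an active access key"))
        # Anyone who can sign in with a password (root always can) needs MFA.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "console sign-in without MFA"))
        # Active access keys must be rotated within the chosen window.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age_days:
                findings.append((user, f"access key {n} not rotated for {age} days"))
    return findings

def fetch_report(client):
    """Download the live report with a boto3 IAM client (needs credentials);
    generate_credential_report must have completed beforehand."""
    return client.get_credential_report()["Content"].decode()

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, REPORT_TIME):
        print(f"{user}: {finding}")
```

On the sample data only alice, who has MFA enabled and a recently rotated key, comes out clean; to audit a real account, replace SAMPLE_REPORT with fetch_report(boto3.client("iam")) and REPORT_TIME with datetime.now(timezone.utc).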
© Shreya Sinha 2021.
Written by Shreya Sinha. Thank you for reading.
Check out other stories by the author: ShreyaSinha_Stories

See also:
Project on AWS: AWS automation using Terraform
Further Reading: https://docs.aws.amazon.com/

This post includes affiliate links.
