All About AWS Identity & Access Management Chapter:- 1

Prasanjit Pattanaik
Published in Vitwit · 14 min read · Apr 3, 2020
Source:- geekylane

If you have ever worked with the AWS cloud in a group project or in an organization, you must have come across the security service AWS provides for this: IAM (Identity and Access Management). And if you have ever got your hands dirty setting up IAM, you know how much confusion it creates while assigning a policy or a role: it may be an Allow or a Deny, it may be an AWS managed policy or a custom-designed one. Often we are still confused, so we assign something first and then check from the other side whether it works; if it does not, we look for another one, just like a hit-and-try method.

Now there are only four main words: Roles, Policy, Allow and Deny. If we are clear about these four, we are done with the main part of the IAM service.

So before moving deep inside IAM, let's start from the basics, and basics means the DEFINITION OF IAM. Identity and Access Management (IAM) is the primary service that handles authentication and authorization within AWS environments, via policies that can be attached to users, groups, and roles. Don't go deep into the definition now; we will go step by step and it will all become clear.

So basically IAM is used to share AWS resources with others, which may be users or any kind of API (there are a lot more use cases of IAM as well), by controlling access to the resources you want to share. So now let's move into the IAM console.

Image no:- 1

The above Image no 1 shows the IAM console, which you reach by searching for IAM in the Services tab from the root AWS account (for the first time ONLY). By default you can only manage the IAM service from the root AWS account when it is done for the first time; why I keep saying for the first time ONLY, I will explain soon. From this IAM console we can create new users with their own separate credentials and assign them policies and roles to access your AWS account resources. There are various details on the IAM dashboard which I will walk you through soon.

Creating IAM Users.

Image no:- 2

So, first of all, let's see how to create a new IAM user and how an IAM user accesses the AWS account. We will proceed as shown in Image no:- 2. Before proceeding further, note that you must have an AWS account with root credentials, or else you may not have access to the IAM service. If you do not have an AWS account, you can create one (just Click Here to create a new account) and enjoy the AWS Free Tier benefits. Now log in with your AWS root account credentials and you will enter the AWS Management Console; in the top left corner near the AWS logo you will find the Services tab. Click on it, search for IAM and click on it to go to the IAM dashboard (Image:- 1). To create a new user, click on the Users tab on the left panel of the screen. Then click the blue Add User button and you will be redirected to the Add User page, where you give the user a name; for the time being just tick AWS Management Console access under Access type, and the rest I will explain soon. When you select AWS Management Console access it will ask you to set a password; deselect "Users must create a new password at next sign-in", as this is lab work and it is not required. What has happened till now is that you are creating a user named Xyz who can log in to the AWS Management Console using the credentials you just created, but who has no access to any kind of resource. Now click Next three times, then click Add user, and your user Xyz will be created. Now do the same for the Abc user. If you could not follow, just have a look at the 50-second video below (Video 1) and it will be very clear.

Video no :- 1

So till now we have created two users, Xyz and Abc, as shown in Image no:- 2, so that the root user can share AWS resources with both of them. Now let's see how we can log in to the AWS console as an IAM user using the assigned credentials.

Now have a look at Image no :- 1, the IAM dashboard of the root user. Go to your IAM dashboard as the root user; there you can find the IAM users sign-in link. Copy that link and open it in a new incognito window. You can also customize this link using the Customize link just to the right of it, and use your own alias, such as your name or your company name. In my case it is a number assigned by default by AWS, which means I have not modified it. Now let's move to the incognito window, where we can see three fields: one for the Account ID (12 digits) or account alias, which is auto-filled because we used the IAM sign-in link; the second is the IAM user name; and the last is the password. Let's first try to log in to the Xyz account by giving the username Xyz and the respective password. Now I am sure you can see the AWS Management Console for the Xyz user with the alias ID (as shown in Image no:- 3 below). Log out from this and try once with the Abc user credentials as well; if you can see the AWS Management Console from that too, then you are successful 😎 up to this point.

Image no :- 3

So now let's move forward. As you are already logged in to the Abc account, let's use the same account and try to use some resources with the identity of the Abc user. Try to create an EC2 instance in the Abc user account:

1. Go to Services.
2. Search for EC2 and click on it to move to the EC2 dashboard.
3. Scroll down to the Launch instance tab.
4. Click on Launch instance.
5. Select an AMI from the list.

Now you will see an error message pop up; the error is shown in Image no:- 4 below. This error comes because you are not authorised to create any kind of resource in this Abc user account, and the same is true for the Xyz account, which you can also check.

Image :- 4

So now come the most important words: Policy and Role.

If an IAM user is not assigned any permission to access resources, meaning it has no policy or role, then by default according to AWS it cannot access any AWS resource, not even the AWS Management Console. But in this case, while creating the users, we ticked the box under Access type for AWS Management Console access. If we had not chosen that, we would not have been able to access the AWS Management Console either, so that is also a policy. If we had given Programmatic access, the user could access AWS resources only programmatically, using the secret key pair. What a secret key pair is, I will talk about soon.

So now let's move deeper into the topic. Let's first see how we can attach a policy and how our two users Abc and Xyz can get access to AWS resources.

Policy:-

Now sign in to your AWS root account using the root credentials. Let's take an example: suppose you, as the root user, want your Xyz IAM user to be able to connect to any EC2 instance present in your account. As there is no permission or policy attached to this user, everything is now an implicit Deny, which means by default everything is denied for the IAM user (Xyz). Now we have to attach a policy so that our Xyz user can connect to any EC2 instance. For that, move to the IAM dashboard and click on the Users tab; there we can see the two users Abc and Xyz. Click on the Xyz user, as we want to attach a policy to Xyz. This policy could have been attached while creating the user, but I am attaching it now for a better explanation.

Image no :- 5

In the above Image no:- 5 you can see an Add permissions option; click on it to attach a policy. Now you are inside the Add permissions tab, where the first option is Add user to group. This means that if there are more IAM users whose work is the same, as in our case where both Abc and Xyz need to connect to EC2 instances, we could create a group, add both users to it, and attach a policy to the group rather than attaching it to the users one by one.

Note :- If you attach a policy to Xyz to access S3 (separately), and then add both Xyz and Abc to a group and attach one more policy to the group to access EC2 instances, the user Xyz will have two policies attached.

By default everything is an Implicit Deny (no access to any resource), but if there is an Explicit Allow it overrides the Implicit Deny and the user is granted that permission.

But if there is an Allow and you then add an Explicit Deny, the Deny rule wins and the user is not granted the permission. Ex :- An Explicit Allow to create EC2 instances is attached to a user, but if I add that user to a group and attach an Explicit Deny policy for EC2 creation to the group, then the user cannot create any EC2 resources (Image no :- 6). I will be showing how this works.

Image no :- 6

Keeping this apart, let's move to the next option, Copy permissions from existing user, which means that if you have given some permissions to the Abc user and you want to give the same permissions to Xyz, you can use this. Next is Attach existing policies directly; after clicking on this you can see a list of AWS managed policies, which are basic policies created and managed by AWS (any change or update to these policies by AWS will affect your resources). From here we have to search for a policy so that our Xyz user can connect to EC2 instances. We can create our own policy as well by clicking on the Create policy tab, but we will look into that later. So now in the search box type EC2; you will find various policies for EC2 only. You can read the name to be clear about what the policy does, or click on it to look at the JSON. Scroll down and you will find a policy named "EC2InstanceConnect"; select it, click on Next and then click on Add permissions. Now the EC2InstanceConnect policy is attached to the user Xyz. To verify it, launch an EC2 instance from the root account in a particular region, download the .pem key and then try to connect to that instance while logged in as the Xyz user. If it connects, you are successful, or else kindly verify again. But if you now try to create an EC2 instance as the Xyz user, you will get the same error shown in Image no:- 4. That is because we do not have permission to do that, and by default everything is denied for an IAM user, whereas by default everything is allowed for the root user.

So now let's move to another example to get clear knowledge of the above note and Image no :- 6. First of all let's see how the combination of policies works.

For that, let's create a group. Move into the IAM dashboard in your AWS root account. In the left side panel you can find the Groups option; click on it and a new tab opens with a blue Create New Group button. Click on that and name the group "S3FullAccess", as we are going to attach the S3 full access policy to this group, meaning any member of this group will have S3 full access. Now click on Next Step to attach a policy (you can skip this and attach the policy later as well), and in the search box search for S3; the list of S3 policies will be shown. Select "AmazonS3FullAccess" and click on Next, review it, and create the group. Now our group is created with no members inside it. If you could not follow, just have a look at the 50-second video below (Video 2) and it will be very clear.

Video no :- 2

Now let's add our two users Abc and Xyz to our group named S3FullAccess. You can add users to the group from the Groups tab, and you can also add users one by one by going into the Users tab. As we are inside the Groups tab we will do it from here: click on the group name and you will find a button named Add Users to Group. Click on it, it will show our list of users, so add both of them to the group by selecting them and clicking Add Users. Now log in as the Xyz user using the Xyz credentials and try to create a bucket; you can easily create one from the Abc user side as well. But Xyz has an extra permission, "EC2InstanceConnect", which is attached directly to Xyz only, so Xyz is allowed two tasks as the permissions are now combined, whereas Abc has only one permission, as a member of the group.

Now let's take a look at Image no :- 6 and understand it clearly with an example.

By default, when we created user Abc it had no access to AWS resources (Implicit Deny), but when we added the user to the group named S3FullAccess, to which the policy "AmazonS3FullAccess" was attached, it was allowed to access S3 resources (Explicit Allow). Hence we conclude that

  • Explicit Allow overrides Implicit Deny (Image no:- 7)
Image no :- 7

Now let's look at a different scenario, in which we attach a policy directly to the Abc user. Log back in to the AWS root account, move to the IAM dashboard, click on the Users tab and then click on the Abc user. Click on the Add permissions button and select the option Attach existing policies directly. For our example we will be adding an S3 deny policy, and you cannot find any AWS managed deny policy in the list below, so we have to create a policy. Click on the Create policy tab and you will be redirected to the Create policy page.

Image no:- 8

You can use the visual editor to design your self-managed policy, but a deny policy cannot be designed using it. We can also create a policy using JSON, which is what we will do now. If you are not aware of JSON, not to worry, it is not rocket science; it is just a simple structured text format. Now click on the JSON tab and copy the code below into the editor.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::*"
  }
}

The above code says that the effect of any action on S3 is Deny, with the ARN of the S3 resources given on the Resource line. So if the policy is attached, the user cannot access S3.

After that click on Review; if there is no error it will ask for a policy name, so give S3Deny and keep the description the same. Then click on Create policy. Back in the list of policies, search for your managed policy by the name S3Deny, select it and attach it to the Abc IAM user. Now if we look at the combination rule, the Abc user also has two policies attached: one directly, and one more because he is a member of a group. One is an Explicit Allow to S3 (full access) and the other is an Explicit Deny (no S3 access), so in this case the Explicit Deny overrides the Explicit Allow policy and the user Abc will have no access to S3. You can log in as the Abc user and check S3; you will see the error shown in Image no:-9 below.

Image no :- 9

So we conclude that any Explicit Deny policy overrides any Allow policy (Image no :- 10).

Image no :- 10
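As an added example (not code from the article), here is a small simulator of the three rules just concluded, covering only the identity-based policy part of IAM evaluation (the real engine also weighs SCPs, permission boundaries, resource policies and so on). The two managed policies are constructed stand-ins that keep only the grant the article relies on; the S3Deny document is the article's own.

```python
import fnmatch
import json

# Constructed stand-ins for the two AWS managed policies used in the article.
# The real managed documents are longer; these keep only the grant relied on.
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
EC2_INSTANCE_CONNECT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "ec2-instance-connect:SendSSHPublicKey",
                   "Resource": "arn:aws:ec2:*:*:instance/*"}],
}
# The self-managed S3Deny policy from the article, parsed from its JSON text.
S3_DENY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action and Resource strings accept '*' and '?' wildcards; fnmatch does too.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Combine every policy attached to the user and to its groups and return
    'deny' (explicit Deny matched), 'allow' (only Allows matched) or
    'implicit_deny' (nothing matched): the article's three rules."""
    allowed = False
    for policy in policies:
        # IAM accepts Statement as one object or a list; normalise to a list.
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "allow" if allowed else "implicit_deny"

# Effective policy sets: what is attached directly plus what the group grants.
XYZ = [EC2_INSTANCE_CONNECT, S3_FULL_ACCESS]  # direct policy + S3FullAccess group
ABC = [S3_DENY, S3_FULL_ACCESS]               # direct S3Deny + the same group
```

Calling `evaluate(XYZ, "s3:CreateBucket", "arn:aws:s3:::demo-bucket")` gives "allow" while the same call with ABC gives "deny", and `evaluate(XYZ, "ec2:RunInstances", ...)` gives "implicit_deny", reproducing the three errors and successes walked through above.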

Notes :-

  • By default an IAM user can be a member of 10 groups.
  • By default we can have 300 groups (can be increased on request).
  • An IAM user can have ten policies attached.

Till now we have covered policies, and there is more, I can say much more, in IAM; the main one is Role, which I will be covering soon in chapter two. Till then have a look at this, be fluent in all the above scenarios and try to make some more (self-managed) policies. Once you are clear with IAM policies and roles (which I will be explaining soon), you will be a master in IAM. Till then have fun with these policies and get your hands dirty :)
