AWS Identity and access management (IAM)
What is the Amazon Identity and access management tool (AWS IAM)
- A centralized service which is used to control user access and AWS resource use.
- Provides shared access to AWS account. Each user will have own user id and Password for authentication and access to AWS what has been permitted to use by each individual
- Provides Granular permission to each individual access to AWS resources. This enforces the security and access governance by limiting the each individual access to AWS, according to job responsibility
- Provides security for AWS resources that are used by application which is running on EC2 instances
- Supports multi-factor authentication (MFA) to root user extra access security called two-factor authentication. User need to provide user id, password and a code from special device which is mapped to that root account
- Support Identity Federation, this means, users can access AWS account with their own corporate credential or internet identity providers. this provide temporary access to your account
- Support auditing by integrating resource request logs to Cloudtrail. AWS CloudTrail provides the information about who has made request of resource based on IAM identification
- IAM is PCI DSS compliance. This means IAM support processing and transmission of credit cards by merchant or service providers. Please note AWS does not store any credit card related data. AWS infrastructure has been validated by payment card industry (PCI) and Data security standard(DSS)
- Like all other AWS services, IAM also follows eventual consistency. To achieve high availability, IAM data also get replicated across multiple servers within AWS data centers around the world. This is not recommended to include with such IAM changes in the critical, high-availability code paths of application. IAM Changes should be made in separate initialization or routine process that run less frequently, need time to replicate the IAM changes
- This is Free of cost. AWS does not charge anything for IAM users.
- Even STS (AWS Security Token Service) is an included feature of IAM with no additional charge, however using STS with other AWS resources will be charged.
- IAM can be accessed via browser based AWS management console or by programming or command line as AWS SDK, AWS Command line, and IAM APIs
What is Identity management?An Identity is a user (Human or Application) that can be authenticated and authorized to perform an action in AWS. Identities are Users, Groups, and Roles in AWS. Each user is associated with one or more policies that specify what a user or a member of a group or a role can do in AWS. A policy is a document which is used to specify the permission, what is allowed to do, what is restricted to use by a user or a member of a group or a role.
Types of User in AWS
- Users already have identities in a corporate directory
Root User: The owner of AWS account who has full control of all AWS resources belongs this his AWS account. Root user permission cannot be customized. He will have always full control to AWS resource within his AWS account. His user name must be emailed Id which is used to create the AWS account. The root user can have two-factor authentication by using of MFA (Multi-factor authentication). This is really an important to understand Root user. If an employee with root user access is leaving an organization, then must change the password of Root user by who is taking this AWS administrator role for the organization. Recommendation is, configure MFA with root user if it is not configured yet and let enables password reset policy
IAM User: IAM supports multiple users within an account. It allows creating multiple users with their own user and Password, no need to share user id and password between users. Root user will create IAM users and generate Password, Access Key and secret key for them. IAM user need to use User Id and Password to AWS management Console logging, however, Access key is used when accessing console programmatically, via Command line interface (CLI)
Federating Existing user: IAM supports single sign on (SSO) feature. If users with their own authentication process like corporate network or internet identity provider, s can be federated to AWS. Federated user can work on AWS management console or an application with federated access can make a request for AWS resource based on the permission granted. Federated user does not have permanent access to AWS account, identity is replaced by AWS temporary security token in order to grant access to AWS resources.
- Users already have identities in a corporate directory
- If corporate support SAML2.0 then Configure corporate directory to provide Single-Sign on to AWS. Else use a broker application to provide SSO to AWS
- If Corporate use Microsoft active directory then AWS Directory Service can be used to established trust between corporate directory and AWS account
- A Mobile App or Web App which can let users identify themselves through internet identity providers like google, amazon, Facebook, they can use federation to access AWS
A group is a collection of IAM users, who all are supposed to perform similar actions in AWS. This is simplifying the user and permission management. Instead of associating the one or more policies to each individual IAM user. For better Identity and access management, Managing user permission is easiest ways and less error-prone, assigning new permission to or revoking existing permission of each individual from the large team may be tedious task compare to assigning new permission or revoking existing permission, just a single step for the group.
Please note- Examination perspective, Group is not considered as true identity so that this can not be considered a principal in the policy document. This is just a way to attached policies to a number of IAM users in one time.
- An alternative to IAM User who uses access key to authenticate and keep access keys into configuration files
- This eliminates the use of configuration file to store access key.
- common use case to use IAM Role is, providing access to the application running on EC2 instance to S3 bucket
- IAM role to be configured during EC2 instance launch only
- Another use case of IAM Role is Cross-account Access
- Roles use temporary Security tokens
Temporary Security tokens
- Very important for advanced IAM users, enable to use some external system to authenticate the users by using of AWS STS service
- Temporary and Time-based, lifetime from 15 minutes to 36 hours
- roles and temporary security token enable multiple use cases, for example, EC2 roles, Cross-Account Access, Federation
- Enable to use on-premises User authentication system for any organization, or use of any internet identity provider systems like Amazon, facebook, google. IAM Identity provides the ability to federate out side identity to IAM and assign privileges to authenticate by using OpenID Connect to those users who all are out side of AWS IAM.
- For federated internal identities such as Active directory, IAM supports integration with SAML 2.0. A SAML 2.0 Complaint LDAP, uses ADFS (Active Directory Federation Service) to federate the internal directory to IAM
There are three ways to authenticate a User (Principal)
- User Name and Password - Management console can be accessed by using User name and password.
- Access Key: This authentication is used to deal with AWS resource through programming interface (APIs) or CLI
- Access Key/Session Token- This has one more level of authentication "Session token" in order to grant access to AWS resources
- Manage the access of the principal to protect AWS Resources. This specifies what actions of a user (Principal) can or can't access
- IAM use policy document to manage authorization
- Policy document consists of Effect, Service, Resource, Action, and conditions
- Policy can be attached to an IAM User, IAM Group or IAM Role
- A recommendation is, always create a group for specific task/Job type, and create a policy document accordingly to allow or deny, attached to Group. Then add IAM user to that group who all need that particular access permissions.
- Multiple policies can be added to IAM User, IAM Group, and IAM Role
- Aggregation of permission will be applied to a user. If all attached policy will allow the access then the user will have access. Any explicit Deny override all allows
Multi-factor authentication can be added an additional layer of security to protect AWS Resources. For Accessing the AWS resources, additional One time Password to be required along with User ID and Password. Need a physical device or a virtual device (app installed on the smartphone) to get this One-time password (OTP)
Best Practice - Have a monthly key rotation policy to ensure your AWS resources security