SIVA 99
Contact Us
SIVA 99
Contact Us

Amazon Identity and Access Management (IAM)

IAM-intro

AWS IAM is one of the most powerful and important services enabling secure access management to AWS services and resources. With AWS IAM, we can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

  • IAM is free to use & Global Service
  • IAM deals with 4 terms such as users, groups, Roles, and Policies.
  • It controls both centralized and fine grained-API resources plus a management console.
  • You can specify permissions to control which operations a user or role can perform on AWS resources
  • IAM service provides access to the AWS Management Console, AWS API, and AWS Command-Line Interface (CLI)

AWS IAM — Key Features

Let’s look at some of the key features that make IAM so versatile and powerful:

  • Authentication: Authentication confirms that users are who they say they are. AWS IAM lets you create and manage identities such as users, groups, and roles, meaning you can issue and enable authentication for resources, people, services, and apps within your AWS account.
  • Authorization: Authorization gives those users permission to access a resource. Access management or authorization in IAM is made of two primary components: Policies and Permissions.

Authentication in IAM

Authentication or identity management in AWS IAM consists of the following identities:

Users: An IAM user is a user who can have the access to our console resources with username & password having permenent Access key & Secretkey.

  • Instead of sharing your root user credentials with others, you can create individual IAM users within your account that correspond to users in your organization. IAM users are not separate accounts; they are users within your account.
  • By default, a new IAM user has NO permissions to do anything.

Groups: An IAM group is a collection of IAM users. You can organize IAM users into IAM groups and attach access control policies to a group. A user can belong to multiple groups. Groups cannot belong to other groups.

Role: Communication between the different services using the role. A role does not have any credentials associated with it. An IAM user can assume a role to temporarily take on different permissions for a specific task.

Authorization in IAM

Authorization or access management in IAM is gives those users permission to access a resource.

Policy: A policy is a document with a set of rules, having one or more statements. Each policy grants a specific set of permissions and can be attached to any of the IAM identities users, groups, and roles. Policies are always written in JSON or YAML format and each policy has a name.

There are three types of policies are there.

  • AWS Managed policies
  • Customer Managed policies
  • Inline Policies

AWS Managed policies: An AWS managed policy is a standalone policy that is created and administered by AWS. Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name.

Customer Managed policies: Customer managed policies are standalone identity–based policies that you create and which you can attach to multiple users, groups, or roles in your AWS account. You can manage and create policies using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API.

Inline Policies: These policies are directly applied to IAM entities. You use inline policies for a specific objective, which makes them non-reusable.

Become an IAM Policy Master in 60 Minutes or Less:

Liked This Article?

Hands-on IAM :

1. Create IAM user and give only s3 & Ec2 full access.

  • Given below is the IAM dashboard. Here you will get all the information about the IAM resources running.
Dashboard-IAM-1
  • To Create a new user, Click on Users & Click on Add User to add a new user.
Users-IAM-2
  • After clicking create user button, its navigate to the below screen.
  • Enter User Name & click on Next
  • Set permissions for user.
  • Add user to the group (or) Copy permissions from existing user (or) Attach existing policies directly. Select the required option.
  • Here I’m selecting Attach existing policies directly.
  • Add Permissions Policies, S3FullAccess & EC2FullAccess
  • Then Click on Next
Create-user-IAM-4
  • After clicking Next button, its navigate to the below screen.
  • Once Again check, enter details are correct or not. if correct click on Create User.
  • User Created.
  • Click on User
  • After click on user open the below screen.
  • Click on Security credentials. & enable console access
  • After click on Enable Console Access open the below screen.
  • Give Console Password whatever you want, i choosen autogenerated & enable theusers must create new password at sign-in. means user first sign-in, it ask password change. click onEnable console Access
  • After click on Enable Console Access open the below screen.
  • Download the .csv file. in that username & console password.
  • Now login with user credentials.
  • Check EC2 & S3 Services. you got permissions to perform opertions.

2. Attach RDS full access policy to already created IAM user

  • Click on users and click the developer user.
  • Click on Permissions tab.
  • Then click on Add permissions.
  • Click on Add permissions. open the below screen. select attech polices directly.
  • In search bar, RDS full access, select the the AmazonRDSFullAccess. then click on Next
  • Click on next. open the review tab. If correct click on Add permissions.
  • Click next : Add permissions
  • Now added the RDS Full access Policy.

3. Create IAM role and give access only to s3

  • Click on roles. open the below screen.
  • Click on create role.
  • After click on the create role. it open the below screenshot.
  • Trust entity type is AWS Service.
  • Use case service or use is S3.
  • Then click on Next.
  • Add Permissions. Give S3 fulla Access policy.
  • cllick next
  • Give role name what do you want.
  • Enter dexription also if require. Click on Create role.
  • Now role is created.
  • Again, come to roles & check role is created or not.
  • Click on created role and observe things.

4. How to Connect s3 using EC2 via IAM Role

  • Create an EC2 Instance by going to the EC2 Dashboard and clicking on Launch Instance.
  • Now open Below screen shot... Give name for EC2 instance.
  • Then come to Select Os & Architecture.
  • Then Select the instance type. choose the free tier Instance t2.micro.
  • Then coming to key-pair. click the create new key-pair. then following below screen shot.
  • Now Give Key pair name & select key pair type & choose private key file format.
  • if you putty Choose ppk format & if you use other SSH tools choose .pem format
  • Now coming to network settings .
  • choose VPC select Default VPC & select existing security group.
  • Now coming to Configure Storage.
  • AWS gives Default values... no need to change these values.
  • Now coming to Advanced Details.
  • Give Created IAM Role Here.
  • Then Click the Launch Instance.
  • Now come again to EC2 Dashboard.
  • Copy the public IP address.
  • Open the putty & do the like below screen shots.

4. Create Groups & add users

  • Open IAM Dashboard.
  • Then Select User Groups.
  • Now select Create Group.
  • Give User group name.
  • Add users to this group...
  • Add which permissions need to group.
  • Then click Create group.
  • Now come to again Dash board & click user groups.
  • See your created group is here.

4. Permission Boundary Concept & Hands On

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

  • Open IAM Dash Board & go to users
  • And Open Users. then open one users.
  • After that Check the permissions Give the Adminstor access.
  • Now coming to permissions boundaries. Add S3 full Access.
  • Once you login the user account & check the S3. Next you can access any other services. you can't access because we added permission boundary. if you have added in permissions AWS administrator access it will work based on permisson boundary.

5. Setting up a password policy for your AWS Account using IAM

  • Open the IAM Dash board & select the account settings.
  • Then select the edit.
  • Once click the edit open below screen shot.
  • then default selection of IAM Default. this default policy provide by AWS
  • Then choose Custom.
  • Configure the options as you need. Then Save the cghanges.
  • From now onwards, it is the password policy for users.

6. Setting up Multi-Factor Authentication (MFA) using AWS IAM

Multi-Factor Authentication (MFA) protocols offer a great way to improve the overall security posture of your AWS cloud services and resources.

  • Go to the AWS console, and select your username in the top right corner
  • In the dropdown menu, select the My Security Credentials button
  • open the page top of the section titled Multi-factor authentication (MFA), then select the Assign MFA Device button.
  • Give the Device Name.
  • Select the MFA Device
  • Then Select the Next.
  • Download the google authenticator App from Play store & App store.
  • Scan the QR code.
  • After Enter the two MFA's Codes
  • Then click Add MFA.
  • you're successfully added MFA to ypur account.

Leave a Reply

Your email address will not be published. Required fields are marked *

Facebook Twitter Instagram Linkedin

2024 © sivakrishna. All rights reserved.