AWS ‐ IAM (Identity & Access Management)
- Secure access control for authenticating and authorizing users in our AWS accounts
- Log in with the root user to create the account credentials and to create additional AWS accounts
- Never use the root account to launch AWS resources; the root user is an all-powerful user
- Verifies the identity of the user (authentication)
- Specifies access control policies (authorization)
- Controls access to resources and services
The following identities can be granted permissions to access AWS resources:
- AWS root user - unlimited privileges and total access to the account; logs in with the account email and password
- IAM users - native to AWS; created, stored and managed within AWS
  - Use a password (console) and access keys (API/CLI) to access resources
  - A newly created user has no permissions by default; permissions must be granted explicitly
  - A user belongs to one AWS account and can access resources across regions
- Service accounts - used to perform actions on AWS resources on behalf of other users or services
- Federated users - authenticated by an external identity provider (Active Directory, Facebook, Google); these users are not stored in the AWS identity store and are managed by the external provider
- IAM user groups - collections of IAM users, governed by the policies attached to the group
- IAM roles - an IAM role is an identity with attached permissions; it grants the users or services that assume it the ability to perform specific actions on AWS resources
- IAM temporary credentials - short-lived, limited-privilege credentials that expire automatically after a limited time
- Logging with AWS CloudTrail
  - Records actions performed in the console or through API calls for IAM
To manage permissions, policies are created and attached to AWS identities:
- Explicit deny - if any applicable policy explicitly denies the request, the whole request is denied, regardless of any allow
- Deny by default - access to AWS resources is denied unless a policy explicitly allows it
- Each part of the request must be granted (every action and resource in the request needs a matching allow)
- A policy contains information about who (the principal), which resource, and under what conditions
- Policies are attached to an IAM identity or to an AWS resource
- Policies are evaluated every time a request is made
- Policy changes take effect immediately
- Policy objects are stored as JSON documents
- Permissions are also required between services (service-to-service access)
Identity-based policies
- Attached directly to IAM users, user groups or roles to specify which actions they are allowed to perform

Resource-based policies
- Attached to resources to specify which actions are allowed on them

Permissions boundaries
- Define the maximum permissions that other policies can grant to user groups or roles
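The evaluation rules listed above (deny by default, explicit deny overrides allow) and the permissions-boundary limit, as an added example that is not from these notes or from AWS: a small Python model of the decision logic, using constructed sample policy documents and a simplified matcher (no Condition, NotAction or resource-based policies).

```python
import fnmatch
import json

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    """True if the statement's Action/Resource patterns cover the request (actions case-insensitive)."""
    acts = (a.lower() for a in _as_list(stmt.get("Action", [])))
    res = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in res))

def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"                 # deny by default
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                      # explicit deny wins, stop here
        decision = "Allow"
    return decision

def is_allowed(identity_policy, action, resource, boundary=None):
    """Final decision: the identity policy must allow, and if a permissions
    boundary is present it must allow too (intersection of the two)."""
    if evaluate_policy(identity_policy, action, resource) != "Allow":
        return False
    return boundary is None or evaluate_policy(boundary, action, resource) == "Allow"

# Constructed sample documents (not from any real account).
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]}""")
BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]
}""")

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(act, is_allowed(IDENTITY_POLICY, act, obj),
              "with boundary:", is_allowed(IDENTITY_POLICY, act, obj, BOUNDARY))
```

Running it shows PutObject allowed by the identity policy alone but blocked once the boundary applies, and DeleteObject blocked everywhere because the explicit Deny is evaluated before any Allow counts.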
Service Control Policies (SCPs)
- Define policies at the root level of the organization

ACLs
- Specify permissions for Amazon S3 objects only; not used for any other AWS service

Session policies
- Specify permissions for AWS sessions created with session tokens (temporary credentials)

Policies can be versioned
3 Pillars of Security
- Availability
- Confidentiality
- Integrity

Resilience - Regions and Availability Zones are isolated from each other, which provides availability, fault tolerance and scalability

Infrastructure security

Configuration and vulnerability analysis - AWS has procedures and tooling in place to check for vulnerabilities
Secure root user keys
- Enable MFA
- Do not use the root user for any regular work; use it only in emergencies
- Store the keys securely
- Regularly monitor root account usage for any suspicious activity

Create individual users with the minimum permissions required to perform their tasks

Create user groups

Enforce least privilege

Use AWS managed policies - created and maintained by AWS security experts and regularly updated for security

Validate policies regularly to check that they still meet the requirements

Use customer managed policies
- To meet customer-specific security requirements

Secure the access keys

Rotate credentials periodically

Delete unused credentials

Monitor regularly
- Used to generate and validate IAM policies
- A fully managed user authentication and identity management service