AWS Identity Access Management – AWS IAM

Today we will discuss identity and access management, or AWS IAM. AWS Identity and Access Management (AWS IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. Temporary access can be granted through identity federation with a corporate directory or a third-party identity provider.

IAM also lets people and applications use AWS resources without having their own AWS accounts: they authenticate elsewhere, for example against the corporate directory or with Google or Amazon, and receive temporary AWS credentials in return. This is called identity federation.

AWS IAM is FREE: you do not pay for the users, groups, roles and policies you create. You pay only for the AWS resources that those identities actually use.

Overview

In the next sections, we will explore AWS IAM in detail.

To reach the IAM GUI, log in to the AWS Management Console. By now, I believe, you are familiar with the login process. If you are not sure how to create an AWS account or how to log in to the AWS Management Console, check my earlier articles, which guide you through those steps.

Once you log in to the AWS Management Console, you will see an interface as shown below.

First, let us understand the IAM dashboard. We will then explore the functionalities and process.

One important point to note here: AWS IAM is a global service. It is independent of AWS Regions and Availability Zones (AZs), which is natural, since it would make no sense to create users per Region or per AZ. Whatever you configure in IAM applies to the whole account.

For your better understanding, I’ve divided the IAM dashboard into 4 parts – A, B, C, and D.

Section D contains AWS official whitepapers and recommendations. These are useful reference documents.

Section C shows the security status of your AWS account. It gives you a schematic overview of the main security issues that you should address, such as enabling MFA on the root account.

Section B consists of the statistics of AWS IAM users, groups and policies.

Section A represents AWS IAM options which we will explore one by one.

The IAM navigation pane (Section A) can be broadly classified into 2 segments – Access Management and Access Reports.

An AWS Identity and Access Management (AWS IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.

An IAM user with administrator access and the root account are NOT the same! The root user can do things no IAM user can (for example, close the account), so protect it with MFA and use it only for the few tasks that genuinely require it.

How AWS identifies an IAM user

When an IAM user is created, you provide the name of the user. In AWS terms, this is the friendly name of your user. It is the name displayed in the AWS Management Console. AWS also allocates an ARN (Amazon Resource Name) to the user, so it differs from one user to the next. You need this ARN to grant a specific access to a specific IAM user. For example, you use it to name the user as a Principal in a resource-based policy such as an Amazon S3 bucket policy. An IAM user ARN looks like this:

arn:aws:iam::account-ID-without-hyphens:user/DibyenduKonar

When IAM creates a user, group, role, policy, instance profile, or server certificate, it assigns each resource a unique ID.

For a user it looks like: AIDAJQBALZX6A3QDU576Q

The prefix tells you the resource type: AIDA for users, AGPA for groups, AROA for roles, ANPA for managed policies and AKIA for access keys. This unique ID has an important significance. For the most part, however, you use friendly names and/or ARNs when you work with IAM resources.

Let me take a very common AWS example to explain why the unique ID matters.

Your company uses Amazon S3 and has a bucket with folders for each employee. The bucket has a resource-based policy (a bucket policy) that lets users access only their own folders in the bucket. Suppose that the employee named Joe leaves your company and you delete the corresponding IAM user. But later another employee named Joe starts and you create a new IAM user named Joe. If the bucket policy specifies the Joe IAM user, the policy allows the new Joe to access information that was left by the former Joe.

However, every IAM user has a unique ID, even if you create a new IAM user that reuses a friendly name that you deleted before. In the example, the old IAM user Joe and the new IAM user Joe have different unique IDs. You can create resource policies for Amazon S3 buckets that grant access by unique ID (the aws:userid condition key carries it) and not just by user name. Doing so reduces the chance that you inadvertently grant access to information that an employee should not have.
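To make the Joe scenario concrete, here is an added example (mine, not code from the original article): the per-employee-folder bucket policy written once keyed on the user name and once pinned to each owner's IAM unique ID through the aws:userid condition key, followed by a small evaluator that shows who can read old Joe's leftovers under each version. The account ID, bucket name and the two unique IDs are made-up values, and the evaluator is a deliberately simplified model of IAM policy evaluation covering only the elements used here, not the real engine.

```python
"""Added example, not from the original article: the per-employee-folder bucket
policy from the Joe scenario, written once keyed on the user name and once
pinned to each user's IAM unique ID through the aws:userid condition key.

The account ID, bucket name and the two unique IDs are made-up values. The
evaluator at the bottom is a deliberately simplified model of IAM policy
evaluation that covers only the elements this example uses; it is not the
real IAM engine.
"""
import fnmatch
import json

ACCOUNT = "123456789012"                 # assumed account ID
BUCKET = "example-corp-employee-files"   # assumed bucket name
OLD_JOE_UID = "AIDAEXAMPLEOLDJOE0001"    # constructed: unique ID of the deleted user "Joe"
NEW_JOE_UID = "AIDAEXAMPLENEWJOE0002"    # constructed: unique ID of the re-created "Joe"


def per_user_folder_policy() -> dict:
    """Classic pattern: every IAM user in the account may use <bucket>/<username>/*.

    The policy variable ${aws:username} resolves to the caller's friendly name,
    so a new user that reuses a deleted user's name inherits that folder.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OwnFolderByUserName",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/${{aws:username}}/*",
        }],
    }


def pinned_folder_policy(owners: dict) -> dict:
    """Same grant, one statement per folder, pinned to the owner's unique ID.

    owners maps folder name -> IAM unique ID (aws iam get-user ... User.UserId).
    A re-created user with the same name has a new unique ID and therefore
    fails the StringEquals condition on aws:userid.
    """
    statements = []
    for folder, unique_id in owners.items():
        statements.append({
            "Sid": f"OwnFolder{folder}",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/{folder}/*",
            "Condition": {"StringEquals": {"aws:userid": unique_id}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def is_allowed(policy: dict, user_name: str, user_id: str, action: str, resource: str) -> bool:
    """Simplified evaluation: Allow statements only, ${aws:username} substitution,
    wildcard Resource matching and a StringEquals condition on aws:userid."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        pattern = stmt["Resource"].replace("${aws:username}", user_name)
        if not fnmatch.fnmatchcase(resource, pattern):
            continue
        wanted_uid = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:userid")
        if wanted_uid is not None and wanted_uid != user_id:
            continue
        return True
    return False


def who_can_read_old_joes_file() -> dict:
    """Old Joe's leftover object under each policy, tried as old and as new Joe."""
    obj = f"arn:aws:s3:::{BUCKET}/Joe/payroll-notes.txt"
    by_name = per_user_folder_policy()
    by_uid = pinned_folder_policy({"Joe": OLD_JOE_UID})
    return {
        "by_name_old_joe": is_allowed(by_name, "Joe", OLD_JOE_UID, "s3:GetObject", obj),
        "by_name_new_joe": is_allowed(by_name, "Joe", NEW_JOE_UID, "s3:GetObject", obj),
        "by_uid_old_joe": is_allowed(by_uid, "Joe", OLD_JOE_UID, "s3:GetObject", obj),
        "by_uid_new_joe": is_allowed(by_uid, "Joe", NEW_JOE_UID, "s3:GetObject", obj),
    }


if __name__ == "__main__":
    print(json.dumps(pinned_folder_policy({"Joe": OLD_JOE_UID}), indent=2))
    print(who_can_read_old_joes_file())
```

The unique ID to pin is what aws iam get-user --user-name Joe --query User.UserId returns. The price of pinning is maintenance: when Joe's user is deleted and re-created, the new unique ID has to be written into the policy deliberately, which is exactly the review step that prevents the accidental grant.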

AWS IAM options

IAM Group

The first option under Access Management is ‘Groups’.

An IAM group is a collection of IAM users. As the name suggests, it allows you to manage the permissions of multiple users in one go. Note that a group is not truly an “identity” in IAM because it cannot be identified as a Principal in a permission policy. It is simply a way to attach policies to multiple users at one time.

Characteristics of an IAM group:

  • A group can contain many users, and a user can belong to multiple groups.
  • Groups can’t be nested; they can contain only users, not other groups.
  • There’s no default group that automatically includes all users in the AWS account. If you want to have a group like that, you need to create it and assign each new user to it.
  • The number and size of IAM resources in an AWS account are limited.

How to create AWS IAM Group

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups and then click Create New Group.
  3. In the Group Name box, type the name of the group and then click Next Step.
  4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click Next Step.
  5. Click Create Group.

Use “aws iam create-group --group-name <group_name>” if you want to create a group using the AWS CLI. Alternatively, use the CreateGroup action if you want to create the group through an API call. A sample request looks like this:

https://iam.amazonaws.com/?Action=CreateGroup
&GroupName=Admins
&Version=2010-05-08
&AUTHPARAMS

IAM User

We know that an AWS IAM user represents a person we want to let manage AWS resources within our AWS account. Every IAM user consists of a name and credentials. By default, a brand-new IAM user has no permissions at all! Each IAM user belongs to one and only one AWS account. Remember, the number and size of IAM resources in an AWS account are limited; however, you can ask AWS to raise some of those limits.

An IAM user can also represent an application that uses its credentials to make AWS requests. This is typically referred to as a service account. If you choose to use the long-term credentials of an IAM user in your application, do not embed access keys directly into your application code. The AWS SDKs and the AWS Command Line Interface look for access keys in known locations (the shared credentials file or environment variables) so that you do not have to keep them in code. Where the application runs on AWS, prefer an IAM role, which needs no long-term keys at all.

How to create AWS IAM user?

IAM users can be created in 3 distinct ways – via the AWS Management Console, using the AWS CLI or using the AWS API. Let’s start.

IAM user creation via AWS Management Console

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users and then choose Add user.
  3. Type the user name for the new user. This is the sign-in name for AWS. If you want to add more than one user at the same time, choose Add another user for each additional user and type their user names. You can add up to 10 users at one time. User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), underscore (_), and hyphen (-). Names must be unique within an account. These usernames are not case sensitive.
  4. Select the type of access this set of users will have. You can select programmatic access, access to the AWS Management Console, or both.
    • If the users require access to the API, AWS CLI, or Tools for Windows PowerShell, choose Programmatic Access.
    • Select AWS Management Console access if the users require access to the AWS Management Console. This creates a password for each new user. You can opt for an auto-generated password or choose a custom one.
  5. Choose Next: Permissions.
  6. On the Set permissions page, specify how you want to assign permissions to this set of new users. You can choose one of the following:
    • Add user to group: If you have predefined groups that manage the level of permission for your users, select this option. Alternatively, you can create the group at this stage if you want to manage permissions through groups.
    • Copy permissions from existing user: Choose this option to copy all of the group memberships, attached managed policies, embedded inline policies, and any existing permissions boundaries from an existing user to the new users.
    • Attach existing policies to user directly: Choose this option to see a list of the AWS managed and customer managed policies in your account. Select the policies that you want to attach to the new users or choose Create policy to open a new browser tab and create a new policy from scratch.
  7. The next step, Permissions boundary, is optional and an advanced feature. Open the Set permissions boundary section and choose Use a permissions boundary to control the maximum user permissions.
  8. Next, you can add tags to the user; in other words, you can add metadata at this stage.
  9. The last step is to review all the options and the permission that you’ve chosen so far. If all are OK, you can click on “Create user“.
  10. You can view the users’ access keys (access key IDs and secret access keys): choose Show next to each password and access key that you want to see. To save the access keys, choose Download .csv and store the file in a safe location. Be careful: this is the only time the secret access key is shown; AWS will not display it again after this step. Hand it to the user over a secure channel before they use the AWS API.
  11. On the final page, you can choose Send email next to each user.

IAM User creation using AWS CLI

You can create an IAM user with the AWS CLI in 6 simple steps. For your better understanding, I have documented them sequentially below.

  • aws iam create-user – Create the user.
  • aws iam create-login-profile – Optional. Gives the user access to the AWS Management Console. This requires a password. You must also give the user the URL of your account’s sign-in page.
  • aws iam create-access-key – Optional. Creates an access key pair for programmatic access.
  • aws iam add-user-to-group – Add the user to one or more groups.
  • aws iam attach-user-policy – Attach a policy to the user that defines the user’s permissions.
  • aws iam tag-user – Add custom attributes to the user by attaching tags.
IAM User Creation using AWS CLI

IAM User creation using AWS API

It is quite similar to IAM user creation using the AWS CLI and also takes 6 simple steps. Refer to the list below.

  • CreateUser – Create the user.
  • CreateLoginProfile – Like the CLI step, optional. Gives the user access to the AWS Management Console. This requires a password. You must also give the user the URL of your account’s sign-in page.
  • CreateAccessKey – Optional. Gives the user programmatic access.
  • AddUserToGroup – Add the user to one or more groups.
  • AttachUserPolicy – Attach a policy to the user that defines the user’s permissions.
  • TagUser – Attach tags to the IAM user.
AWS IAM user creation using AWS API
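The six steps of the CLI and API lists above, as an added example of my own (not code from the original article), written against the IAM client API as boto3 exposes it (create_user, create_login_profile, create_access_key, add_user_to_group, attach_user_policy, tag_user). The client is passed in, so the function runs offline against the recording stand-in at the bottom and unchanged against a real boto3 IAM client. The group name, policy ARN, tags and the stand-in's IDs are made-up values.

```python
"""Added example, not from the original article: the six-step user creation
sequence from the CLI/API lists above, written against the IAM client API
(CreateUser, CreateLoginProfile, CreateAccessKey, AddUserToGroup,
AttachUserPolicy, TagUser) as boto3 exposes it. The client is passed in, so
the function runs offline against the recording stand-in below and unchanged
against a real boto3 IAM client. Group names, the policy ARN, tags and the
stand-in's IDs are made-up values.
"""
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+"


def temporary_password(length: int = 20) -> str:
    """Random first-login password containing every character class an IAM
    password policy can require; re-draw until all four classes are present."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def create_iam_user(iam, user_name: str, *, console_access: bool = False,
                    programmatic_access: bool = False, groups=(),
                    policy_arns=(), tags=None) -> dict:
    """Create the user and return the secrets that must be handed over once.

    Security-relevant choices: the console password must be changed at first
    login (PasswordResetRequired), access keys are created only when
    programmatic access is actually needed, and the SecretAccessKey is returned
    to the caller but never logged, because AWS will not show it again.
    """
    created = iam.create_user(UserName=user_name)["User"]            # step 1
    handover = {"UserName": user_name, "Arn": created["Arn"], "UserId": created["UserId"]}

    if console_access:                                               # step 2 (optional)
        password = temporary_password()
        iam.create_login_profile(UserName=user_name, Password=password,
                                 PasswordResetRequired=True)
        handover["TemporaryPassword"] = password

    if programmatic_access:                                          # step 3 (optional)
        key = iam.create_access_key(UserName=user_name)["AccessKey"]
        handover["AccessKeyId"] = key["AccessKeyId"]
        handover["SecretAccessKey"] = key["SecretAccessKey"]

    for group in groups:                                             # step 4: prefer groups ...
        iam.add_user_to_group(GroupName=group, UserName=user_name)
    for arn in policy_arns:                                          # step 5: ... over direct attachment
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    if tags:                                                         # step 6
        iam.tag_user(UserName=user_name,
                     Tags=[{"Key": k, "Value": v} for k, v in tags.items()])
    return handover


class RecordingIamClient:
    """Offline stand-in for boto3's IAM client: records each call and returns
    responses of the same shape (constructed IDs, not real ones)."""

    def __init__(self, account_id: str = "123456789012"):
        self.account_id = account_id
        self.calls = []

    def _record(self, name, kw, response=None):
        self.calls.append((name, kw))
        return response or {}

    def create_user(self, **kw):
        return self._record("CreateUser", kw, {"User": {
            "UserName": kw["UserName"],
            "UserId": "AIDAEXAMPLE" + kw["UserName"].upper(),
            "Arn": f"arn:aws:iam::{self.account_id}:user/{kw['UserName']}"}})

    def create_login_profile(self, **kw):
        return self._record("CreateLoginProfile", kw)

    def create_access_key(self, **kw):
        return self._record("CreateAccessKey", kw, {"AccessKey": {
            "AccessKeyId": "AKIAEXAMPLE000000001",
            "SecretAccessKey": "constructed-not-a-real-secret"}})

    def add_user_to_group(self, **kw):
        return self._record("AddUserToGroup", kw)

    def attach_user_policy(self, **kw):
        return self._record("AttachUserPolicy", kw)

    def tag_user(self, **kw):
        return self._record("TagUser", kw)


if __name__ == "__main__":
    # Swap in boto3.client("iam") to run this for real against your account.
    client = RecordingIamClient()
    result = create_iam_user(client, "alice", console_access=True,
                             groups=("Developers",), tags={"team": "platform"})
    print({k: v for k, v in result.items() if k != "SecretAccessKey"})
    print([name for name, _ in client.calls])
```

The returned dictionary is the one thing to treat carefully: deliver it to the user out of band and discard it, exactly as the console's one-time Download .csv step expects you to.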

IAM Roles & IAM Policies

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM policy is a document that, when attached to an identity or resource, defines their permissions. Roles and policies are so interlinked that it would be difficult to discuss them separately. For the better understanding of my readers, I prefer to discuss both under a single heading. First, let us take a look at their basic features.

  • An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS.
  • It is not uniquely associated with a particular user, group or service; it is intended to be assumable by anyone who needs it and is trusted to assume it.
  • A role has no long-term credentials (password or access keys) of its own; whoever assumes the role receives dynamically generated temporary credentials.
  • This helps in delegating access and granting someone permissions to resources that you control.
  • IAM roles can help to prevent accidental access to or modification of sensitive resources.
  • A role can be modified at any time, and the changes take effect immediately for every entity that uses the role.
  • IAM roles play a very important part in the following scenarios:
    • An AWS service such as an EC2 instance running an application that needs to access other AWS services.
    • Allowing users from a different AWS account to access resources in your account, instead of having to create users for them.
    • A company uses a corporate authentication mechanism and does not want its users to authenticate twice or to maintain duplicate users in AWS.
    • Applications that allow login through an external authentication mechanism, e.g. Amazon, Facebook or Google.
  • A role can be assumed by:
    • an IAM user within the same AWS account;
    • an IAM user from a different AWS account;
    • an AWS service such as EC2, Backup or EMR, to interact with other services;
    • an external user authenticated by an external identity provider (IdP) that is compatible with SAML 2.0 or OpenID Connect (OIDC), or by a custom-built identity broker.
  • A role involves defining two main policies:
    • Trust policy
      • The trust policy defines who can assume the role.
      • It sets up a trust between the account that owns the resource (the trusting account) and the account that owns the user needing access (the trusted account).
    • Permissions policy
      • The permissions policy defines what they can access.
      • It determines authorization, granting the user of the role the permissions needed to carry out the desired tasks on the resource.
  • Federation is creating a trust relationship between an external identity provider (IdP) and AWS.
    • Users can sign in to an enterprise identity system that is compatible with SAML 2.0.
    • Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with OpenID Connect (OIDC).
    • When OIDC or SAML 2.0 is used to configure a trust relationship between these external identity providers and AWS, the user is mapped to an IAM role and receives temporary credentials that enable access to AWS resources.

How to create IAM Role?

As discussed in the earlier section, an IAM role can be created for an IAM user (in the same or another account), for an AWS service or for a third-party identity provider.

In this section, we will see the process of creating IAM roles for an IAM user in detail.

Creating a role to delegate permissions to an IAM user:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane of the console, choose Roles and then choose Create role.
  3. Choose the Another AWS account role type.
  4. For Account ID, type the AWS account ID to which you want to grant access to your resources.
    • Note: The administrator of the specified account can grant permission to assume this role to any IAM user in that account. To do this, the administrator attaches a policy to the user or a group that grants permission for the sts:AssumeRole action. That policy must specify the role’s ARN as the Resource.
  5. If you are granting permissions to users from an account that you do not control, and the users will assume this role programmatically, then select Require external ID. The external ID can be any word or number that is agreed upon between you and the administrator of the third-party account. This option automatically adds a condition to the trust policy that allows the user to assume the role only if the request includes the correct sts:ExternalID.
  6. If you want to restrict the role to users who sign in with multi-factor authentication (MFA), select Require MFA.
  7. Choose Next: Permissions.
  8. IAM includes a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions policy or choose Create policy to open a new browser tab and create a new policy from scratch.
  9. Optionally, open the Set permissions boundary section, choose Use a permissions boundary to control the maximum role permissions, and select the policy to use as the boundary.
  10. Choose Next: Tags.
  11. Add metadata to the role by attaching tags as key–value pairs. I recommend tagging every resource for later reference.
  12. Choose Next: Review.
  13. Type a name for your role. Role names must be unique within your AWS account. They are not distinguished by case.
  14. Type a description of the new role.
  15. Review and create role.
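What the console produces in steps 3 to 6 is a trust policy, and what the other account's administrator needs (the note under step 4) is a matching sts:AssumeRole permission policy. Here is an added example of my own (not code from the original article) that builds both documents and checks AssumeRole attempts against the trust policy's Require external ID and Require MFA conditions, including the confused-deputy case the external ID exists for. Both account IDs, the role name and the external ID are made-up values; trust_policy_allows() is a simplified model of IAM's condition evaluation, not the real engine.

```python
"""Added example, not from the original article: the two policy documents that
the cross-account role created above rests on, plus a check that mirrors the
Require external ID and Require MFA options. Both account IDs, the role name
and the external ID are made-up values, and trust_policy_allows() is a
simplified model of IAM's condition evaluation, not the real engine.
"""
import json

TRUSTING_ACCOUNT = "111111111111"  # owns the role and the resources it protects
TRUSTED_ACCOUNT = "222222222222"   # owns the users that may assume the role
ROLE_NAME = "CrossAccountAuditor"
ROLE_ARN = f"arn:aws:iam::{TRUSTING_ACCOUNT}:role/{ROLE_NAME}"
EXTERNAL_ID = "f3a9-example-external-id"  # agreed out of band with the other party


def trust_policy(require_external_id: bool = True, require_mfa: bool = True) -> dict:
    """Trust policy (who can assume the role). The whole trusted account is the
    principal; that account's own admin decides which of its users get
    sts:AssumeRole on this role. The optional conditions are the ones the
    console adds for Require external ID and Require MFA."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if require_external_id:
        condition["StringEquals"] = {"sts:ExternalId": EXTERNAL_ID}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_permission_policy() -> dict:
    """Identity policy the trusted account's admin attaches to its users or a
    group: permission to call sts:AssumeRole on exactly this role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
    }


def trust_policy_allows(policy: dict, caller_account: str, external_id=None,
                        mfa_present: bool = False) -> bool:
    """Would an AssumeRole call from caller_account pass this trust policy?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {})
        wanted_ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted_ext is not None and external_id != wanted_ext:
            continue
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        return True
    return False


def confused_deputy_demo() -> dict:
    """A third party's tool assumes customer roles on request. An attacker who
    learns ROLE_ARN asks that tool to use it; the tool sends the attacker's own
    external ID, which does not match, so the role is not assumed."""
    policy = trust_policy()
    return {
        "legitimate_customer": trust_policy_allows(policy, TRUSTED_ACCOUNT, EXTERNAL_ID, True),
        "attacker_via_third_party": trust_policy_allows(policy, TRUSTED_ACCOUNT, "attackers-own-id", True),
        "no_mfa": trust_policy_allows(policy, TRUSTED_ACCOUNT, EXTERNAL_ID, False),
        "untrusted_account": trust_policy_allows(policy, "333333333333", EXTERNAL_ID, True),
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(assume_role_permission_policy(), indent=2))
    print(confused_deputy_demo())
```

With the real service, a user in the trusted account then runs aws sts assume-role --role-arn <ROLE_ARN> --role-session-name audit --external-id <EXTERNAL_ID> --serial-number <mfa-device-arn> --token-code <code> and receives the temporary credentials described in the role section above. Keep the MFA condition as Bool rather than BoolIfExists: an ...IfExists test passes when the key is absent from the request, which is exactly the case for a caller using plain long-term access keys.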

Role to delegate permissions to an AWS service

Many AWS services require a specific role to be created for using that service. A role that a service assumes to perform actions on your behalf is called a service role. When such a role is predefined by, and linked directly to, a single AWS service, which also manages its trust and permissions, it is called a service-linked role.

Creating a role for a third-party Identity Provider (federation)

You can use identity providers instead of creating IAM users in your AWS account. With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to access AWS resources in your account.

Identity Providers

If you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users in your AWS account. With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory. It is also useful if you are creating a mobile app or web application that requires access to AWS resources.

When you use an IAM identity provider, you don’t have to create custom sign-in code or manage your own user identities. The IdP provides that for you. Your external users sign in through a well-known IdP, such as Login with Amazon, Facebook, or Google. You can give those external identities permissions to use AWS resources in your account. IAM identity providers help keep your AWS account secure because you don’t have to distribute or embed long-term security credentials, such as access keys, in your application.

Account Settings

This section will be updated soon.

Access Analyzer

This section will be updated soon.

Archive rules

This section will be updated soon.

Analyzers

This section will be updated soon.

Settings

This section will be updated soon.

Credential report

This section will be updated soon.

Organization activity

This section will be updated soon.

Service control policies (SCP)

This section will be updated soon.

Monitoring of AWS IAM

Last but not least, monitor the activities and access of your IAM identities. This is done through AWS CloudTrail, which records the API calls made in the account, including who made each request, from where and when. Review these records regularly for root usage, console logins without MFA and changes to IAM users, access keys and policies.
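To show what such a review looks like in practice, here is an added example of my own (not code from the original article): a first-pass detection over CloudTrail records for the IAM activity an analyst looks at first, namely anything done by the root user, console logins without MFA, attachment of AdministratorAccess, and access keys created for somebody else's user. The records in SAMPLE_RECORDS are constructed in CloudTrail's JSON shape; the account IDs, ARNs, IDs and IP addresses are made up.

```python
"""Added example, not from the original article: a first-pass detection over
CloudTrail records for IAM activity that deserves attention: anything done by
the root user, console logins without MFA, attachment of AdministratorAccess
and access keys created for somebody else's user. SAMPLE_RECORDS are
constructed in CloudTrail's JSON shape; account IDs, ARNs, IDs and IP
addresses are made up. A CloudTrail log file wraps records in {"Records": [...]}.
"""
import json

SAMPLE_RECORDS = [
    {"eventTime": "2020-05-01T09:12:33Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-05-01T09:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2020-05-01T09:16:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2020-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"
POLICY_ATTACH_EVENTS = {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy"}


def actor(record: dict) -> str:
    """Best available name for who made the call."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def analyse(record: dict) -> list:
    """Return the names of every rule the record trips (empty list if none)."""
    hits = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}

    if ident.get("type") == "Root":
        hits.append("root-activity")
    if (name == "ConsoleLogin"
            and (record.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (record.get("additionalEventData") or {}).get("MFAUsed") != "Yes"):
        hits.append("console-login-without-mfa")
    if name in POLICY_ATTACH_EVENTS and str(params.get("policyArn", "")).endswith(ADMIN_POLICY_SUFFIX):
        hits.append("admin-policy-attached")
    # CreateAccessKey without userName targets the caller; any other name is
    # a key minted for someone else, a classic persistence/escalation step.
    if name == "CreateAccessKey" and params.get("userName") not in (None, ident.get("userName")):
        hits.append("access-key-created-for-other-user")
    return hits


def findings(records: list) -> list:
    """One finding per rule hit: (rule, eventName, actor, eventTime)."""
    out = []
    for rec in records:
        for rule in analyse(rec):
            out.append((rule, rec.get("eventName"), actor(rec), rec.get("eventTime")))
    return out


def load_cloudtrail_file(path: str) -> list:
    """Read one CloudTrail log file (the {"Records": [...]} wrapper)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


if __name__ == "__main__":
    for finding in findings(SAMPLE_RECORDS):
        print(finding)
```

Run against real data, point load_cloudtrail_file at the gzip-extracted files CloudTrail delivers to S3, or feed the same rules to CloudWatch Logs metric filters so they alert as events arrive rather than at review time.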

AWS IAM is PCI DSS compliant. This means IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as compliant with the Payment Card Industry Data Security Standard (PCI DSS).
