AWS Identity and Access Management (IAM) is a service that allows AWS customers to manage user access and permissions for the accounts and the APIs/services available within AWS. IAM manages users and their security credentials (such as API access keys) and controls which AWS resources those users can reach:

- Create users and grant permissions to those users.
- Create groups and roles.
- Control access to AWS resources.

IAM is universal: it does not apply to regions at this time.

#### Root Account

The root account is the email address you used to sign up for AWS. The root account has full administrative access to AWS. For this reason, it is important to secure this account. Secure it as soon as possible and do not use it to log in day to day.

##### Four steps to secure the root account

- Enable multi-factor authentication on the root account.
- Create an admin group for your administrators, and assign the appropriate permissions to this group.
- Create user accounts for your administrators.
- Add your users to the admin group.

#### How Do We Control Permissions Using IAM?

We assign permissions using policy documents, which are written in JSON. The policy below allows every action on every resource, i.e. full administrative access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```

#### Building Blocks of IAM

- **Users** - a physical person
  - Always work on the principle that one user equals one physical person.
  - Never share user accounts across multiple people.
  - By default, a user has no permissions when first created.
  - [[Inheriting Permissions.canvas | It’s best practice for users to inherit permissions from groups]]
- **Groups** - functions, such as administrator, developer, etc. A group contains users.
- **Roles** - internal usage within AWS

#### Principle of Least Privilege

Only assign a user the minimum amount of privileges they need to do their job.

#### Tips and other details

- Access key ID and secret access keys are not the same as usernames and passwords. Access key ID and secret access keys are used for programmatic access (i.e., via the command line or APIs).
- You only get to view these once. If you lose them, you have to regenerate them. So, save them in a secure location.
- Always set up password rotation. You can create and customize your own password rotation policies.
- IAM Federation: You can combine your existing user account with AWS. For example, when you log on to your PC (usually using Microsoft Active Directory), you can use the same credentials to log in to AWS if you set up federation.
- Identity Federation: Uses the SAML standard, which is what Active Directory-based federation uses.

---

#### More info

- [Determining whether a request is allowed or denied within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
- [Policies and Permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json)
- [AWS Identity and Access Management (IAM) FAQs](https://aws.amazon.com/iam/faqs/)
- [Example IAM identity-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html)
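To make the policy-document and least-privilege sections above concrete, here is an added Python example (not code from the page or from AWS) that implements the single-account evaluation order the linked "allowed or denied" page describes: a matching explicit Deny wins, otherwise a matching Allow permits, otherwise the request is implicitly denied. It compares the page's full-access policy against a constructed least-privilege policy for a hypothetical `report-reader` group; the bucket name `example-reports`, its `restricted/` prefix, and the account ID `123456789012` are placeholders. Conditions, SCPs, permission boundaries and resource-based policies are deliberately out of scope.

```python
"""Toy IAM policy evaluator: explicit Deny > explicit Allow > implicit Deny.

Added example, not code from the page. It models only identity-based policies
inside one account, with wildcard matching on Action/NotAction and
Resource/NotResource. Conditions, SCPs, permission boundaries, session and
resource-based policies are out of scope, so treat the results as illustrative.
"""
import fnmatch
import json

# The full-access policy shown on the page, parsed from its JSON form.
ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "*", "Resource": "*" }
  ]
}
""")

# Constructed least-privilege policy for a hypothetical "report-reader" group.
# Bucket name and prefix are placeholders, not values from the page.
REPORT_READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports",
                         "arn:aws:s3:::example-reports/*"],
        },
        {
            # An explicit Deny on a sensitive prefix wins even if another policy allows it.
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-reports/restricted/*",
        },
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _any_match(patterns, target, casefold=False):
    """Wildcard match ('*' and '?') of target against any pattern.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    for pattern in patterns:
        p, t = (pattern.lower(), target.lower()) if casefold else (pattern, target)
        if fnmatch.fnmatchcase(t, p):  # '*' spans '/' here, as IAM wildcards do
            return True
    return False


def _statement_applies(stmt, action, resource):
    """True when the statement's Action/NotAction and Resource/NotResource cover the request."""
    if "NotAction" in stmt:
        action_hit = not _any_match(_as_list(stmt["NotAction"]), action, casefold=True)
    else:
        action_hit = _any_match(_as_list(stmt.get("Action")), action, casefold=True)
    if "NotResource" in stmt:
        resource_hit = not _any_match(_as_list(stmt["NotResource"]), resource)
    else:
        resource_hit = _any_match(_as_list(stmt.get("Resource")), resource)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Apply the documented order for one account: any matching explicit Deny wins,
    otherwise a matching Allow permits, otherwise the request is implicitly denied.
    Returns 'explicit_deny', 'allow' or 'implicit_deny'."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit_deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit_deny"


def allowed_requests(policies, requests):
    """Subset of (action, resource) pairs the policies permit: a rough blast-radius check."""
    return [req for req in requests if evaluate(policies, *req) == "allow"]


# Constructed sample requests; 123456789012 is the example account ID used in AWS docs.
SAMPLE_REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"),
    ("s3:GetObject", "arn:aws:s3:::example-reports/restricted/payroll.csv"),
    ("s3:PutObject", "arn:aws:s3:::example-reports/q1.csv"),
    ("iam:DeleteUser", "arn:aws:iam::123456789012:user/alice"),
]

if __name__ == "__main__":
    for name, pol in (("admin", ADMIN_POLICY), ("report-reader", REPORT_READER_POLICY)):
        hits = allowed_requests([pol], SAMPLE_REQUESTS)
        print(f"{name}: allows {len(hits)} of {len(SAMPLE_REQUESTS)} sample requests")
        for act, res in SAMPLE_REQUESTS:
            print("  ", evaluate([pol], act, res), act, res)
```

Passing both policies to `evaluate` at once models a user who inherits the group policy and also has the admin policy attached: the Deny on `restricted/` still wins, which is why a targeted explicit Deny is a useful guard-rail even in accounts where broad Allows exist. The `allowed_requests` count is the quick way to see how much wider the page's `"Action": "*"` policy is than a scoped one.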