AWS Identity & Access Management
If you want to control which users have access to which services, which access control policies apply to them, and how they use those services, you can do all of this with AWS IAM by configuring users, groups, and access control policies.
AWS IAM can be configured by the following methods:
- Via the AWS Management Console
- Via the CLI
- Via the AWS SDK
A principal is an IAM entity that interacts with AWS resources. There are three types of principal in AWS: root users, IAM users, and roles/temporary security tokens. A principal can be temporary or permanent.
Root User: The root user has complete access to your AWS account; as soon as you create the account in AWS, you are acting as the root user. It has every privilege needed to perform any action in your account.
IAM Users: IAM users are individual users whose accounts are created to perform certain duties, such as the IAM users of your operations team. These users can be created by IAM administrators at any time via the AWS console, CLI, or SDK.
Roles/Temporary Security Tokens: Roles are specific tasks associated with IAM users, which the users can perform once the role is assigned to them. A role is a specific privilege granted to IAM users. AWS provides
When a role is assigned to users, they use temporary security tokens from the AWS Security Token Service (STS) to access AWS cloud services.
The following are the use cases for roles/temporary security tokens.
- Amazon EC2 Roles: Grant permissions to an application running on an EC2 instance.
- Cross-Account Access: Grants permissions to users from another AWS account.
- Federation: Grants permissions to users authenticated by a trusted external system. Here IAM can integrate with two different types of outside identity provider (IdP). To federate web identities such as Facebook, Google, or Login with Amazon, it supports integration via OpenID Connect (OIDC); to federate internal identities such as Active Directory or LDAP, it supports integration via Security Assertion Markup Language 2.0 (SAML).
A principal can be authenticated by IAM in three ways, described below:
- Username/Password: When a user wants to interact with the AWS console, the user must provide a username and password to verify their identity.
- Access Keys: A combination of an access key ID (20 characters) and a secret access key (40 characters). When we use the API to interact with AWS services, these values are used for authentication.
- Access Keys/Session Token: When a process operating under an assumed role interacts with the AWS console or the AWS API, it uses temporary access keys and a session token to authenticate.
Once authentication is done, it is important to determine what the principal is authorized to do and what it is not. Authorization is done in IAM by defining specific privileges and associating them with the principal.
Policies: A policy is a JSON document that defines a set of permissions to access and manipulate AWS resources. Each permission defines:
- Effect: Allow or Deny
- Service: Which service does this permission or effect apply to?
- Resource: Defines which resources or infrastructure this permission applies to. A resource is identified by its Amazon Resource Name (ARN).
The format of an ARN is: arn:aws:service:region:account-id:[resource-type:]resource
- Action: Specifies the subset of actions within a service that the permission allows or denies.
- Condition: Optionally defines one or more additional restrictions that limit the actions allowed by the permission. For instance, a permission might contain a condition that limits access to a resource to calls that come from a specific IP address range.
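As an added example (not code from the original article or from AWS), the following shows how these elements combine into a decision: a constructed S3 policy with an Allow statement restricted by an IpAddress condition and an explicit Deny, evaluated by a small Python function that models deny by default, explicit Deny beating Allow, and wildcard matching. The policy, bucket ARNs and IP range are constructed values, and the evaluator is a teaching simplification of the real IAM logic.

```python
import fnmatch
import ipaddress

# Constructed example policy (not real AWS code): read-only access to one
# bucket, only from 203.0.113.0/24, with DeleteObject explicitly denied.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _condition_met(condition, context):
    # Only the IpAddress operator is modelled; a missing context key fails it.
    for key, cidr in condition.get("IpAddress", {}).items():
        if key not in context:
            return False
        if ipaddress.ip_address(context[key]) not in ipaddress.ip_network(cidr):
            return False
    return True

def evaluate(policy, action, resource, context):
    """Simplified IAM decision: Deny by default, explicit Deny beats Allow."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Calling evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", {"aws:SourceIp": "203.0.113.10"}) returns "Allow", while the same call from 198.51.100.5 or for s3:DeleteObject returns "Deny".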
Associating Policies with Principals:
There are several ways to associate policies with a principal. A policy can be associated directly with IAM users in two ways:
- User Policy: These policies apply only to the user to which they are attached. In the console, a user policy is entered into the user interface on the IAM user page.
- Managed Policies: On the IAM page, these policies are created in the Policies tab and exist independently of any individual user. As a result, such a policy can be associated with many users or groups of users.
Another method for associating policies with users is via IAM groups. There are also two ways a policy can be associated with an IAM group:
- Group Policy: These policies apply to a certain IAM group and are applicable only to the groups to which they are attached.
- Managed Policies: These can be associated with IAM users and can also be associated with a large number of individual IAM groups.