AWS Identity and Access Management (IAM) is a web service provided by Amazon Web Services (AWS) that enables you to securely control access to AWS services and resources. IAM allows you to manage users, groups, and roles, and define their permissions within your AWS environment. Here’s a detailed explanation of AWS IAM:
How does it work?
With AWS — Identity and Access Management (IAM), you can specify who or what can access services and resources in AWS by using the following components.
IAM workflow
1) Users:
Users represent individual entities (like people, applications, or services within AWS) that can interact with your AWS resources like EC2 instances or S3 buckets. Each user is assigned a unique username and access credentials (password or access keys) for authentication.
2) Groups:
Groups are collections of users (eg: Dev group or QA group). Assigning permissions to groups makes it easier than managing access for multiple users with similar roles or responsibilities. This simplifies the process of granting and revoking permissions across multiple users.
3) Roles:
Roles are similar to users, but they are not associated with a specific identity. Instead, roles are assumed by resources, such as EC2 instances, Lambda functions, EKS cluster, or applications running on Azure. This enables these resources to access other AWS services securely without needing long-term credentials.
4) Permissions:
Permissions define what actions are allowed or denied to access AWS resources. By default, all the permissions are denied. Permissions are managed through policies, which are JSON documents that outline the permissions in a structured way. Policies can be attached to users, groups, and roles.
Permission Name: ListBucketObjects
Action: s3:ListBucket
Resource: arn:aws:s3:::my-bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
}
]
}
5) Policies:
A policy is a document that defines permissions in a granular manner. AWS provides managed policies that cover common use cases, and custom policies also can be created. Policies can be attached at various levels (user, group, role, or resource) to control access.
Let us consider an example in which our EC2 machine wants full access to an S3 bucket in order to perform some operations related to files. Here, embedding a security key inside EC2 is not an ideal solution as anybody can crack the keys and gain access to our data on S3 bucket. Instead, let us make use of attaching an IAM Role to our EC2 machine so it has access to S3 bucket without hard coding any credentials.
The first part is to create an IAM Role:
- Under IAM go to Create a role and select AWS service i.e EC2 in this case (you can attach a role to another account, web identity, or also to other corporate federations).
2. Click on the Next: Permissions option after which you will be asked to select the permission policy (here we need S3 full access) and select AmazonS3FullAccess. Click on Next: Tags and give any naming tags if you wish to.
3. Give the relevant Role name and click on Create role and now your role is ready to attach to an EC2 instance. You can find your Role under the Role name list once it is created.
The second part is to attach the Role to the EC2 instance and verify:
- An IAM Role can be attached to an instance at the time of launching it or even after launching it via Modify IAM Role under the EC2 Actions tab.
(adding IAM Role in step3 while launching EC2 instance)
2. After attaching the required Role we can see in the below snip that the EC2 instance is able to make S3 calls without putting in any credentials.
Like this, we can use IAM Roles to define a set of permissions for making AWS service request.
— — — — — — — — — — — — — — — — — — — — — — — — — -
IAM Policies
After going through IAM Roles you must have now got little idea of what actually IAM Policies are.
IAM policies define permissions for action regardless of the method that you use to perform the operation.
Roles are set of permissions attached to IAM User or any AWS Service whereas Policies are the permission sets attached only to an IAM User.
By considering the above Role where we chose AWS S3 full access let's look inside this policy and understand how it is defined.
IAM Policies are defined in JSON and consist of key items such as Effect, Action, and Resource. We can make use of prebuilt Policies or can define our own.
In the above policy, it has been given Allow effect to perform any kind of Action on the Resource S3 bucket.
Let us take one more example policy below where an IAM User has only EC2 full access within a specific region. This user would not be able to perform any actions apart from EC2.
IAM Policies can be defined manually by using Policy Generator as per below steps:
Under IAM go to Policies and select Create Policy.
Will create a policy that provides S3 read-only access. Under service choose S3 and Actions is Read.
3. Under Resources choose specific points to which the access needs to be given. Once all required details are filled give a tag and create a Policy.
AWS IAM Switch Role
A role specifies a set of permissions that you can use to access AWS resources that you need. In that sense, it is similar to a user in AWS Identity and Access Management (IAM). … When you switch to a role, you temporarily give up your user permissions and work with the permissions that are assigned to the role.
Assume you are user A in account ABC having read-only access and now want to do some auditing in all other accounts and you need to switch to account B with read-only access. This can be achieved by performing Switch Role and in order to get this worked account id of A should be given permission in account B and account, A should be attached with STS (Security Token Service) permission.
CONCLUSION
AWS IAM is a fundamental component of AWS security, providing a flexible and secure way to manage access to AWS resources. Following IAM best practices ensures a robust and secure access management framework within your AWS environment.