What is IAM
AWS Identity and Access Management (IAM) is a service provided by Amazon Web Services (AWS) that allows you to manage access to AWS resources securely. With IAM, you can control who is authenticated (signed in) and authorized (has permissions) to use AWS resources. IAM has the ability to use identity federation that is delegating authentication to a trusted external party like Facebook or Google and IAM also supports Multi Factor Authentication (MFA) – you can use google authenticator along with AWS login credentials to have additional layer of security.
IAM entities
AWS Identity and Access Management (IAM) entities are the different components within IAM that you can use to manage permissions and access control for AWS resources. These entities include:
IAM Users:
An IAM user is a unique identity within your AWS account that can be assigned permissions to access resources.
IAM users can have their own security credentials (password, access keys) for authentication and authorization.
Users are typically associated with individual people (such as employees) who need access to AWS resources.
IAM Groups:
An IAM group is a collection of IAM users that share common permissions.
You can assign policies to a group, and all users in the group inherit the permissions defined by the policies.
Groups simplify user management by allowing you to assign permissions to multiple users at once.
IAM Roles:
An IAM role is a set of permissions that can be assumed temporarily by a user, application, or AWS service.
Roles are useful for granting temporary access to AWS resources, such as when an application needs to access a resource on behalf of a user.
Roles can also be used for identity federation, allowing users from external identity providers to assume a role and access AWS resources.
IAM Policies:
IAM policies are JSON documents that define permissions for IAM entities (users, groups, roles).
Policies specify which actions are allowed or denied on specific resources, and they can include conditions under which the permissions apply.
You can attach policies to users, groups, or roles to manage access control.
Example : To grant full AWS Organizations administrator permissions to an IAM user
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "organizations:*",
"Resource": "*"
}
}
However, If you want to grant limited permissions instead of full permissions, you can create a policy that lists individual permissions that you want to allow in the Action
element of the IAM permissions policy. As shown in the following example, you can use wildcard (*) characters to grant only the Describe*
and List*
permissions, essentially providing read-only access to the organization.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
}
}
You can also apply policy to allow access to specific resource only. Like in below example we grant access on a table in the us-west-2
AWS Region, which is owned by the AWS account specified by account-id
. The Amazon Resource Name (ARN) in the Resource
value specifies the table that the permissions apply to.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeQueryScanBooksTable",
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:Query",
"dynamodb:Scan"
],
"Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books"
}
]
}
Priority Levels in IAM:
Explicit Deny: Denies access to a particular resource and this ruling cannot be overruled.
Explicit Allow: Allows access to a particular resource so long as there is not an associated Explicit Deny.
Default Deny (or Implicit Deny): IAM identities start off with no resource access. Access instead must be granted.
IAM Password policy:
If an administrator does not set a custom password policy, IAM user passwords must meet the default AWS password policy.
The default password policy enforces the following conditions:
Minimum password length of 8 characters and a maximum length of 128 characters
Minimum of three of the following mix of character types: uppercase, lowercase, numbers, and non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ')
Not be identical to your AWS account name or email address
Never expire password
OR you can use Custom password policy options
When you configure a custom password policy for your account, you can specify the following conditions:
Password minimum length – You can specify a minimum of 6 characters and a maximum of 128 characters.
Password strength – You can select any of the following check boxes to define the strength of your IAM user passwords:
Require at least one uppercase letter from the Latin alphabet (A–Z)
Require at least one lowercase letter from the Latin alphabet (a–z)
Require at least one number
Require at least one nonalphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
Turn on password expiration – You can select and specify a minimum of 1 and a maximum of 1,095 days that IAM user passwords are valid after they are set. For example, if you specify an expiration of 90 days, it immediately impacts all of your users. For users with passwords older than 90 days, when they log into the console after the change, they must set a new password. Users with passwords 75-89 days old receive an AWS Management Console warning about their password expiration. IAM users can change their password at any time if they have permission. When they set a new password, the expiration period for that password starts over. An IAM user can have only one valid password at a time.
Password expiration requires administrator reset – Select this option to prevent IAM users from using the AWS Management Console to update their own passwords after the password expires. Before you select this option, confirm that your AWS account has more than one user with administrative permissions to reset IAM user passwords. Administrators with iam:UpdateLoginProfile permission can reset IAM user passwords. IAM users with iam:ChangePassword permission and active access keys can reset their own IAM user console password programmatically. If you clear this check box, IAM users with expired passwords must still set a new password before they can access the AWS Management Console.
Allow users to change their own password – You can permit all IAM users in your account to change their own password. This gives users access to the iam:ChangePassword action for only their user and to the iam:GetAccountPasswordPolicy action. This option does not attach a permissions policy to each user. Rather, IAM applies the permissions at the account-level for all users. Alternatively, you can allow only some users to manage their own passwords. To do so, you clear this check box. For more information about using policies to limit who can manage passwords, see
Prevent password reuse – You can prevent IAM users from reusing a specified number of previous passwords. You can specify a minimum number of 1 and a maximum number of 24 previous passwords that can't be repeated.
IAM Security Tools:
IAM Access Advisor(user level)
Access advisor shows service permissions granted to a user and when those services were last accessed.
You can use this information to revise your policies.
IAM Credentials Report (account level)
- a report that lists all of your account users and the status of their various credentials.