Identity and Access Management (IAM)
IAM - Core Components
IAM controls which identities (users, roles, AWS services, federated identities) can perform which actions on which AWS resources, and under what conditions
IAM Users - End users who log into the console or interact with AWS resources programmatically
IAM Groups - Group up your users so they all share permission levels of the group e.g. Administrators, Developers, Auditors
IAM Roles - An identity with permissions that is assumed rather than owned: a user, an AWS service (e.g. EC2, Lambda) or a federated identity assumes the role through STS and receives temporary credentials for it
IAM Policies - JSON documents which allow or deny permissions to access services. Identity-based policies are attached to IAM identities (users, groups, roles); resource-based policies (e.g. S3 bucket policies, role trust policies) are attached to the resource itself
A user can belong to up to 10 groups. Policies attached to a group apply to every member, so adding or removing users from a group changes their permissions en masse
Roles are not attached to users. A user is instead granted the sts:AssumeRole action on the role and switches to it. A policy can also be embedded directly in a single user, group or role (called an Inline Policy), as opposed to a managed policy that is attached by reference
Roles, like users and groups, can have many policies attached: inline policies plus, by default, up to 10 managed policies
Various AWS resources (EC2 instances via instance profiles, Lambda functions, ECS tasks) can be assigned a role directly, so code running on them obtains temporary credentials automatically and never needs long-term access keys
IAM - Managed vs Customer vs Inline Policy
AWS Managed Policies
A policy created and maintained by AWS which you cannot edit (e.g. AdministratorAccess, ReadOnlyAccess). In the console, AWS managed policies are labelled with an orange AWS box
Customer Managed Policies
A policy created by the customer which is editable, versioned and reusable across many identities. Customer managed policies have no symbol beside them
Inline Policies
A policy embedded directly in a single user, group or role. It cannot be shared or reused and is deleted together with that identity, so it is reserved for permissions that must stay strictly one-to-one with one identity
IAM - Policies
Version - the policy language version; always use "2012-10-17" (the older "2008-10-17" does not support policy variables such as ${aws:username})
Statement - container for one or more statement elements; you are allowed to have multiples
Sid (optional) - a way of labelling your statements
Effect - sets whether the statement will Allow or Deny; an explicit Deny in any applicable policy overrides every Allow
Principal - the account, user, role, service or federated user to which you would like to allow or deny access. Only used in resource-based policies (bucket policies, role trust policies); identity-based policies have no Principal because the identity they are attached to is the principal
Action - list of actions that the statement allows or denies, with wildcards (e.g. s3:Get*); NotAction inverts the list
Resource - the ARN(s) of the resource to which the actions apply; NotResource inverts the list
Condition (optional) - circumstances under which the statement applies, written as operator, key and value, e.g. Bool aws:MultiFactorAuthPresent true, or IpAddress aws:SourceIp with a CIDR range. A condition that references a key absent from the request evaluates to false unless the ...IfExists form of the operator is used
Password Policy
In IAM you can set an account-wide Password Policy for console users: minimum length and character requirements, whether users may change their own password, prevention of password reuse, and rotation so users have to update their password after X days. It applies to IAM user passwords only, not to access keys
Programmatic Access Keys
Access Keys (an Access Key ID plus a Secret Access Key) allow users to interact with AWS services programmatically via the AWS CLI or SDK
You're allowed two active access keys per user. The second slot exists for rotation: create the new key, move workloads to it, confirm from the key's last-used date that the old key is idle, deactivate it, then delete it
MFA
MFA can be turned on per user.
There is no account-wide setting that forces users to enrol in MFA: the user registers a device themselves (or an administrator registers one for them), and by default a user without MFA keeps whatever permissions they have.
The Administrator can instead enforce it with a policy: deny every action (except the calls needed to register a device) while the aws:MultiFactorAuthPresent condition key is not true, or require MFA only for sensitive actions such as sts:AssumeRole or IAM changes.
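As an added example (not code from these notes or from AWS), the following Python evaluator shows how the policy elements listed above combine, using the MFA-enforcement policy just described. The policy document, the user name alice and the bucket example-bucket are constructed for the example; the evaluator models only Action/Resource wildcards, the ${aws:username} policy variable and the Bool / BoolIfExists condition operators, not the full IAM evaluation chain (SCPs, permission boundaries, resource-based policies).

```python
"""Tiny IAM identity-policy evaluator (added example, not AWS code).

Applies the rule the notes describe: an explicit Deny in any matching
statement wins, otherwise at least one explicit Allow is needed, otherwise
the request is implicitly denied.
"""
from fnmatch import fnmatchcase

# Calls a user needs in order to register their own MFA device.
MFA_SETUP_ACTIONS = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ResyncMFADevice",
]

# Constructed policy modelled on the AWS-documented "force MFA" pattern: the
# setup calls are allowed only on the caller's own user and MFA device, and
# everything except those calls is denied while no MFA is present.
FORCE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOwnMfaSetup",
            "Effect": "Allow",
            "Action": MFA_SETUP_ACTIONS,
            "Resource": ["arn:aws:iam::*:user/${aws:username}",
                         "arn:aws:iam::*:mfa/${aws:username}"],
        },
        {
            "Sid": "AllowS3ReadOnly",
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyAllExceptMfaSetupWithoutMfa",
            "Effect": "Deny",
            "NotAction": MFA_SETUP_ACTIONS + ["sts:GetSessionToken"],
            "Resource": "*",
            # BoolIfExists: requests signed with long-term keys carry no
            # aws:MultiFactorAuthPresent key at all; a plain Bool would never
            # match them and this Deny would silently not apply.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(pattern, context):
    # Policy variables such as ${aws:username} are filled from the request context.
    for key, value in context.items():
        pattern = pattern.replace("${" + key + "}", str(value))
    return pattern


def _matches(patterns, value, context):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatchcase(value, _expand(p, context)) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue        # ...IfExists: a missing key counts as satisfied
                return False        # plain operator: a missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _applies(stmt, action, resource, context):
    if "Action" in stmt and not _matches(stmt["Action"], action, context):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action, context):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], resource, context):
        return False
    if "NotResource" in stmt and _matches(stmt["NotResource"], resource, context):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    context holds the request's condition keys, e.g. aws:username and
    aws:MultiFactorAuthPresent (absent when long-term access keys are used).
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"   # an explicit Deny always wins
            decision = "Allow"
    return decision
```

Calling evaluate with a context that lacks aws:MultiFactorAuthPresent (a request signed with long-term keys) yields Deny for s3:GetObject; the same request from a GetSessionToken session created with an MFA code carries the key as true and yields Allow, while iam:EnableMFADevice on the caller's own user ARN is allowed in both cases so the user can enrol.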
Temporary Security Credentials
Temporary credentials are just like Programmatic Access Keys except that they expire and carry a third component, a session token, which must be sent with every request.
Temporary credentials are useful in scenarios that involve:
- identity federation
- delegation
- cross-account access
- and IAM roles
They can last from 15 minutes to 12 hours for an assumed role (default 1 hour, capped by the role's MaxSessionDuration), and up to 36 hours for GetSessionToken with IAM user credentials
They are not stored with the user but are generated dynamically by STS and provided to the user when requested. They cannot be revoked individually; to cut a session off early you attach a Deny policy to the role conditioned on aws:TokenIssueTime, which is what the console's "Revoke active sessions" button does
They are the basis for roles and identity federation
Identity Federation
What is Identity Federation?
The means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems, so that an identity established outside AWS can be exchanged for temporary AWS credentials without creating an IAM user
IAM supports ✌🏾 two types of identity federation
- Enterprise identity federation
  - SAML 2.0 (e.g. Microsoft Active Directory via AD FS, or any SAML IdP) using AssumeRoleWithSAML
  - Custom federation broker, i.e. your own code that authenticates users and calls GetFederationToken or AssumeRole on their behalf
- Web identity federation
  - Login with Amazon, Google, Facebook, or Amazon Cognito
  - Any OpenID Connect (OIDC) provider, using AssumeRoleWithWebIdentity (OIDC is a layer on OAuth 2.0; there is no "OIDC 2.0")
Security Token Service (STS)
A web service that enables you to request temporary, limited-privilege credentials for IAM users or for federated users
AWS STS has a global endpoint at https://sts.amazonaws.com (served from us-east-1) and a regional endpoint in every Region, e.g. https://sts.eu-west-1.amazonaws.com. AWS now recommends the regional endpoints: lower latency, requests and their CloudTrail events stay in-Region, and tokens issued there are valid in all Regions
An STS call that issues credentials returns a Credentials block containing:
- AccessKeyId
- SecretAccessKey
- SessionToken
- Expiration
The STS API actions are:
- AssumeRole
- AssumeRoleWithSAML
- AssumeRoleWithWebIdentity
- DecodeAuthorizationMessage
- GetAccessKeyInfo
- GetCallerIdentity
- GetFederationToken
- GetSessionToken
The three Assume* actions plus GetFederationToken and GetSessionToken return temporary credentials. The other three are diagnostic: DecodeAuthorizationMessage decodes the encoded message in an access-denied error, GetAccessKeyInfo returns the account ID an access key belongs to, and GetCallerIdentity returns the ARN of whoever holds the current credentials (useful for checking which role a script is actually running as; it requires no permissions and cannot be denied by policy)
AssumeRoleWithWebIdentity
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. The app sends the provider's token (e.g. an OIDC JWT) and the ARN of a role whose trust policy names that provider; it needs no AWS credentials of its own to make the call.
Cross Account Roles
You can grant users from a different AWS account access to resources in your account through a Cross-Account Role. This means you do not have to create them a user account (and long-term credentials) in your account.
Two policies are involved: the role you create has a trust policy whose Principal names the other account (or specific users/roles in it) and allows sts:AssumeRole, and the caller in the other account needs an identity policy that allows sts:AssumeRole on your role's ARN. The caller then calls AssumeRole and uses the returned temporary credentials; CloudTrail in your account records the session under the assumed-role ARN
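As an added example (not AWS, STS or boto3 code), here is a Python simulation of the cross-account AssumeRole check: the target account's role trust policy and the caller's identity policy must both allow the call, the requested duration must fit the role's MaxSessionDuration, and the result has the same shape as the Credentials block listed in the STS section above. The account IDs 111122223333 and 444455556666, the role AuditorCrossAccount and the user alice are placeholders, and the credential values are random strings, not real keys.

```python
"""Simulated cross-account sts:AssumeRole (added example; not AWS, STS or
boto3 code, and the credentials it returns are random placeholders).

Two separate policies must both allow the call:
  1. the role's trust policy in the TARGET account, a resource-based policy
     whose Principal says who may assume the role, and
  2. an identity policy on the caller in the SOURCE account that grants
     sts:AssumeRole on the role's ARN.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
import secrets

TARGET_ACCOUNT = "111122223333"  # owns the role (constructed account IDs)
SOURCE_ACCOUNT = "444455556666"  # owns the user who wants access
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/AuditorCrossAccount"
MAX_SESSION_DURATION = 3600      # the role's MaxSessionDuration (1h default, up to 12h)

# Trust policy on the role in the target account. Naming the whole source
# account (":root") instead would delegate the choice of callers to that
# account's own IAM policies; here a single user is named.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:user/alice"},
        "Action": "sts:AssumeRole",
    }],
}

# Identity policy attached to alice in the source account.
ALICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _trust_allows(trust_policy, caller_arn):
    """Does the role's trust policy name the caller, directly or via its account?"""
    caller_account = caller_arn.split(":")[4]
    account_forms = {caller_account, f"arn:aws:iam::{caller_account}:root"}
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        for principal in _as_list(stmt["Principal"].get("AWS", [])):
            if principal == caller_arn or principal in account_forms:
                return True
    return False


def _identity_allows(policy, role_arn):
    """Does the caller's own policy allow sts:AssumeRole on this role ARN?"""
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if any(fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def assume_role(caller_arn, caller_policy, role_arn, trust_policy,
                session_name, duration_seconds=3600, now=None):
    """Return an STS-style response, or raise if a policy or the duration rejects it."""
    if not 900 <= duration_seconds <= MAX_SESSION_DURATION:
        raise ValueError("DurationSeconds must be 15 minutes to the role's MaxSessionDuration")
    if not _trust_allows(trust_policy, caller_arn):
        raise PermissionError("role trust policy does not permit this caller")
    if not _identity_allows(caller_policy, role_arn):
        raise PermissionError("caller's identity policy lacks sts:AssumeRole on the role")
    now = now or datetime.now(timezone.utc)
    account, role_name = role_arn.split(":")[4], role_arn.rsplit("/", 1)[1]
    return {
        "Credentials": {
            "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),  # ASIA prefix marks temporary keys
            "SecretAccessKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(60),
            "Expiration": now + timedelta(seconds=duration_seconds),
        },
        # The session is a distinct principal; CloudTrail shows it under this ARN.
        "AssumedRoleUser": {"Arn": f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"},
    }


def seconds_remaining(response, now=None):
    """How long the returned credentials stay valid; refresh before this reaches zero."""
    now = now or datetime.now(timezone.utc)
    return (response["Credentials"]["Expiration"] - now).total_seconds()
```

Swap the trust policy's Principal for arn:aws:iam::444455556666:root and the same code accepts any principal in the source account whose own policy grants sts:AssumeRole, which is exactly what naming an account root delegates; a caller missing either policy, or asking for more than MaxSessionDuration, is rejected before any credentials are minted.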
[[IAM]]