When talking about secure access, it is important the organizations have control over whom to permit access to their AWS resources, what are the available resources, and what actions authorized users are permitted to perform. In short, the ultimate goal of this service is to help IT administrators in managing AWS user identities and their different levels of access to AWS resources. In simpler words, it gives you the power to control access by creating users and groups and assigning them specific permissions and policies.
So here in this article, we’ll be covering the fundamentals of AWS Identity and Access Management, how it helps you identify its unique benefits while helping you learn how to safeguard your AWS accounts. We will take you through its key important features and all the latest updates.
Defining AWS Identity and Access Management (IAM)
AWS IAM is a web service that allows you to have secure access control to AWS resources. IAM lets you grant permissions on who is authenticated and authorized to use the resources. It can manage users and security credentials as well. Let’s understand this in a better way
On creating an AWS account for the first time, you need a single sign-in identity for accessing various AWS services. This identity is the AWS account root user, which can be accessed by signing in the username and password that were used to create an account. Now AWS IAM will help you in the following ways:
- You can set users, permissions, and roles with its help and can grant access to the different parts of the AWS platform.
- Organizations can centrally manage users and security credentials with the help of AWS IAM
- It allows the AWS customers to manage users and user permissions in AWS
- It also facilitates creating multiple users, each having their unique security credentials that will be controlled and billed to a single AWS account
Since cloud security remains the biggest barrier in the adoption of the cloud, following the best security practices for a smooth transition and building a strong foundation is important. This is where AWS IAM’s granular approach helps in providing permissions and access control within your environment. It gives you the freedom to control who can and who cannot use the specific resources and in what ways. In this way, AWS lets you create exceedingly secure environments.
Features that set AWS IAM apart
- AWS Organizations: For control on multiple AWS accounts, AWS Organizations can be used to segment the different accounts into groups with permission boundaries assigned. It helps in centrally managing the control access, compliance, and security and sharing resources across your AWS accounts.
- Identity Federation: This feature helps you integrate access from other identity providers. This means users with passwords elsewhere can access federated services.
- Secured Shared Access to AWS Accounts: You can permit people to administer and use resources in your AWS account without having to share your credentials.
- Granular Permissions: IAM lets you configure and tune permissions as per the needs of your users. In simpler words, different permissions can be granted to different people for different resources.
- Authentication (MFA): You can create and manage identities with IAM while enabling authentication for people, services, apps, and resources within your AWS account, adding an extra layer of security to it.
- Authorization: This feature comprises two main components- policies and permissions, where each “Policy” grants a specific set of permissions, and “Permission” allows you to perform actions on AWS resources.
- Access Analyzer: This is the newest addition to AWS IAM. Access Analyzer comes with an additional level of security that allows you to continuously examine and analyze permissions given using policies for all organization’s resources.
Different ways to access AWS IAM
Working with AWS IAM can be done in any of the following ways:
- IAM HTTPS API
IAM and AWS can be accessed programmatically with the help of IAM HTTPS API that allows you to issue HTTPS requests directly to the service. When using HTTPS API, always include code to digitally sign requests using your credentials.
- AWS SDKs
AWS comes with Software Development Kits (SDKs) that include libraries and sample code for different programming languages and platforms. The SDKs help with a convenient way to create programmatic access to IAM and AWS.
- AWS Command Line Tools
There are two sets of command line tools in AWS- AWS CLI (Command Line Interface) and AWS Tools for Windows PowerShell. These tools can be used to issue commands at your system’s command line for performing AWS and IAM tasks. These tools are also useful while building scripts that perform AWS tasks. As compared to console, they are faster and convenient.
- AWS Management Console
You can access IAM and AWS resources with the help AWS Management Console. The console is a browser-based interface, ensuring secure and easy access while bringing in the unparalleled depth of AWS to your system or mobile phones. It helps you find new AWS services, configure services, and much more. It lets you take action quickly.
How do AWS IAM works?
With the best infrastructure in place, AWS IAM controls all the authorization and authentication. Here’s how the entire system works:
- The principal takes an action on the AWS resource. The first principle is the administrative IAM user that can grant access to the users for specific services in order to assume a role. Federated users can also be allowed access to your AWS services.
- When using the AWS management console, a request is sent to the AWS by the API or CLI, specifying the following information:
Actions are defined as the principals, which can be performed on the resources and the principle information includes the details of the GET request that has been previously made.
- After the above two steps, comes the authentication which is the most commonly used principle to sign in for AWS while sending it the request. While it also consists of Amazon S3 services that allow requests from the unknown users, so to authenticate from the console, you must sign-in with your login credentials like username and password. However, to authenticate, you will also need to provide the access key along with other required additional security information.
- Next is authorization, in which all the matching policies will be checked and evaluated for the request made while deciding whether to allow or deny it. Then AWS IAM comes into the picture to inspect all the policies with respect to the requests. In case the single action gets denied, the entire request will be denied by IAM with no evaluation of the remaining ones too, which is known as explicit deny. Below are the general rules for evaluating a request within a single account:
1. All requests are denied by default except the ones made through the AWS root account
2. This default is overridden by an explicit, which is allowed in any permission policy
3. An explicit deny can override any allow in any policy
- After the request authorization, the action is approved by AWS in the form of a request, where you are permitted to perform your requested actions like creating, editing, deleting, and viewing.
- Once all the operations get approved in your request by AWS, they can be performed on the related resources within your account.
In this way, the entire system works in sync to manage all the identities and access.
The best AWS IAM practices to follow
To secure your AWS resources the right way, here the best AWS IAM practices that you must take note of.
- Do not use your root account unless it is strictly necessary
Avoid using your root account for your day to day admin activities. The root account user has access to all resources for all AWS services by default, therefore, it’s best to create IAM users with least privilege access. Also, do not create access keys for your root account unless it is necessary. It is important to secure your root account with consistent monitoring, which detects and alerts on all the account activities followed by a hardware-based multi-factor authentication setup for accessing root account.
- Never share your credentials with anyone
It is advisable to use temporary credentials for anyone who has access requirements. In this regard, credentials that are dynamically generated and expire after a specific period of time, are a great way to keep the security intact.
- Follow the least privilege principle and check all IAM permissions periodically
It is important to go with the least privilege method to ensure complete security, which means if a user doesn’t want to interact with a resource, it is better not to provide them access to that resource. IAM permissions allow for very granular access controls, so avoid using policy statements that give access to all resources, actions, or principals. Additionally, make use of the IAM Access Advisor on a regular basis to make sure all the assigned permissions to a specific user are being used.
- Make use of policy conditions for an extra layer of security
Define the conditions under which your IAM policies grant access to a resource. For instance, conditions can be on allowing a specific range of allowable IP addresses. You can also set conditions requiring the use of SSL and MFA.
- Regularly monitor the activities in your AWS account
Use the logging features in AWS to check out the actions users have taken in your account and what resources have been used. The log files indicate the time and date of actions, the source IP from where the action is taken, and actions that failed due to inadequate permissions, and much more. The AWS services like Amazon CloudFront, AWS CloudTrail, Amazon CloudWatch, AWS Config, and Amazon S3 come with logging features that can help you keep track of the users’ activities.
- Ensure Multi-factor Authentication
Add an extra layer of security for all users in your account with MFA. This way both the user’s credentials and device-generated response will be required to complete the sign-in process. Even if the user’s password or access keys are compromised, your account resources will still be secured because of the additional authentication in place.
- Create a strong password policy
Enforce a strong password policy that requires the users to create strong passwords, rotate their passwords periodically, allowing only alphanumeric characters and so on.
AWS is the biggest cloud platform and cloud service provider that has brought in several measures to improve security, out of which, IAM is the most important and widely used one. In this article, we have tried to cover most of the aspects that will help you learn about AWS IAM, its advanced security features, and the best practices in the simplest way possible. We hope this article will help you understand Identity and Access Management in a better way.