Quick notes on AWS Identity and Access Management (IAM)

The following are some quick reference notes on AWS IAM. IAM is broken down into 4 main concepts:

  1. Users – people who have access to AWS services
  2. Groups – one or more users grouped together with shared roles
  3. Roles – the permissions that are actually granted
  4. Policies – the definition of the permissions (AWS provides many out-of-the-box policies)

Users may belong to one or many groups. Group policies (usually defined by an admin) specify what those groups have permission to do. For example, a group might have permission to use some AWS service. Let's assume those permissions are read and write, which are then two separate roles. The definition of those roles (that a role can read or write) is given by the policy, which is managed by an administrator.


Policies

Policies define the effect, actions, resources and optional conditions for user access in AWS. They can be restricted to specific regions.

IAM policies are JSON documents containing a version and a statement. The statement defines what is allowed or not allowed, based on Actions and Resources (action statements and resource statements). The policy below allows every action on every resource:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": "*",
   "Resource": "*"
  }
 ]
}
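To make the Effect / Action / Resource / Condition structure concrete, here is an added example (not part of the original notes, and not AWS's own evaluation engine) in Python. It loads the wildcard policy above next to a constructed least-privilege alternative, implements the core of IAM's evaluation order (an explicit Deny overrides any Allow; with no matching Allow the request is implicitly denied), models the StringEquals condition on the aws:RequestedRegion key as the page's "restricted to specific regions" case, and flags statements that allow "*" on "*". Bucket name, account id and the single condition operator are assumptions of the example; NotAction, NotResource, resource-based policies and the many other condition operators are deliberately not modelled.

```python
import fnmatch
import json

# Constructed sample policies (not taken from the original notes).
# ADMIN_POLICY mirrors the page's wildcard policy: every action on every resource.
ADMIN_POLICY = json.loads("""
{
 "Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "*"}
 ]
}
""")

# A least-privilege alternative: read-only access to one (hypothetical) bucket,
# only when the request targets us-east-1, plus an explicit Deny on deletes.
READ_ONLY_POLICY = json.loads("""
{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
   "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}
  },
  {
   "Effect": "Deny",
   "Action": "s3:DeleteObject",
   "Resource": "arn:aws:s3:::example-bucket/*"
  }
 ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list of strings in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one.
    fnmatchcase implements those two metacharacters; action names are
    case-insensitive in IAM, ARNs are not."""
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the StringEquals operator is modelled (an assumption of this example).
    A key missing from the request context makes the condition fail, which is
    the safe direction: the statement then simply does not apply."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified identity-based evaluation: a matching Deny wins outright,
    a matching Allow grants, and nothing matching is an implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny: stop immediately
        allowed = True            # keep scanning, a later Deny may still apply
    return allowed


def find_overly_broad(policy):
    """Return indices of statements that Allow every action on every resource,
    the pattern a least-privilege review should flag first."""
    return [
        i for i, stmt in enumerate(policy["Statement"])
        if stmt["Effect"] == "Allow"
        and "*" in _as_list(stmt["Action"])
        and "*" in _as_list(stmt["Resource"])
    ]


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(is_allowed(ADMIN_POLICY, "iam:DeleteUser", "arn:aws:iam::123456789012:user/alice"))
    print(is_allowed(READ_ONLY_POLICY, "s3:GetObject", obj, {"aws:RequestedRegion": "us-east-1"}))
    print(is_allowed(READ_ONLY_POLICY, "s3:GetObject", obj, {"aws:RequestedRegion": "eu-west-1"}))
    print(is_allowed(READ_ONLY_POLICY, "s3:DeleteObject", obj, {"aws:RequestedRegion": "us-east-1"}))
    print(find_overly_broad(ADMIN_POLICY), find_overly_broad(READ_ONLY_POLICY))
```

The two scan rules in is_allowed are the part worth internalising: the loop cannot return early on an Allow, because a Deny later in the same document still overrides it, and a statement whose Condition does not hold is skipped entirely rather than treated as a Deny. Running find_overly_broad over policies pulled from an account is a cheap first pass for the least-privilege review mentioned later in these notes.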


Remember to always use strong and unique passwords, multi-factor authentication and the principle of least privilege, and limit access to the root account. Note that AWS supports federation: users may be authenticated by third-party identity providers such as a corporate Active Directory or internet providers such as Google, Amazon or Facebook.

Federated User Accounts


References

AWS User Guide
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html