AWS Identity and Access Management ( IAM )
- Control who is authenticated (signed in) and authorized (has permissions) to use resources.
- AWS account root user is a single sign-in identity that has complete access to all AWS services and resources in the account.
- You can grant other people permission to administer and use resources in your AWS account without having to share your password or access key.
- You can grant different permissions to different people for different resources.
- You can use IAM features to securely provide credentials for applications that run on EC2 instances which provide permissions for your applications to access other AWS resources.
- You can add two-factor authentication to your account and to individual users for extra security.
- You can allow users to use identity federation to get temporary access to your AWS account.
- You receive AWS CloudTrail log records that include information about IAM identities who made requests for resources in your account.
- You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. An Access Key ID and Secret Access Key can only be uniquely generated once and must be regenerated if lost.
- IAM has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS).
- IAM is eventually consistent. IAM achieves high availability by replicating data across multiple servers within Amazon’s data centers around the world.
- IAM and AWS Security Token Service (STS) are offered at no additional charge.
- Your unique account sign-in page URL:
- You can use IAM tags to add custom attributes to an IAM user or role using a tag key–value pair.
- An entity that can make a request for an action or operation on an AWS resource. Users, roles, federated users, and applications are all AWS principals.
- Your AWS account root user is your first principal.
- When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS.
- Requests includes the following information:
- Actions or operations – the actions or operations that the principal wants to perform.
- Resources – the AWS resource object upon which the actions or operations are performed.
- Principal – the user, role, federated user, or application that sent the request. Information about the principal includes the policies that are associated with that principal.
- Environment data – information about the IP address, user agent, SSL enabled status, or the time of day.
- Resource data – data related to the resource that is being requested.
- To authenticate from the console as a user, you must sign in with your user name and password.
- To authenticate from the API or AWS CLI, you must provide your access key and secret key.
- AWS uses values from the request context to check for policies that apply to the request. It then uses the policies to determine whether to allow or deny the request.
- Policies types can be categorized as permissions policies or permissions boundaries.
- Permissions policies define the permissions for the object to which they’re attached. These include identity-based policies, resource-based policies, and ACLs.
- Permissions boundary is an advanced feature that allows you to use policies to limit the maximum permissions that a principal can have.
- To provide your users with permissions to access the AWS resources in their own account, you need identity-based policies.
- Resource-based policies are for granting cross-account access.
- Evaluation logic rules for policies:
- By default, all requests are denied.
- An explicit allow in a permissions policy overrides this default.
- A permissions boundary overrides the allow. If there is a permissions boundary that applies, that boundary must allow the request. Otherwise, it is implicitly denied.
- An explicit deny in any policy overrides any allows.
Actions or Operations
- Operations are defined by a service, and include things that you can do to a resource, such as viewing, creating, editing, and deleting that resource.
- An object that exists within a service. The service defines a set of actions that can be performed on each resource.
- Instead of sharing your root user credentials with others, you can create individual IAM users within your account that correspond to users in your organization. IAM users are not separate accounts; they are users within your account.
- Each user can have its own password for access to the AWS Management Console. You can also create an individual access key for each user so that the user can make programmatic requests to work with resources in your account.
- By default, a brand new IAM user has NO permissions to do anything.
- Users are global entities.
- If the users in your organization already have a way to be authenticated, you can federate those user identities into AWS.
- An IAM group is a collection of IAM users.
- You can organize IAM users into IAM groups and attach access control policies to a group.
- A user can belong to multiple groups.
- Groups cannot belong to other groups.
- Groups do not have security credentials, and cannot access web services directly.
- A role does not have any credentials associated with it.
- An IAM user can assume a role to temporarily take on different permissions for a specific task. A role can be assigned to a federated user who signs in by using an external identity provider instead of IAM.
- AWS service role is a role that a service assumes to perform actions in your account on your behalf. This service role must include all the permissions required for the service to access the AWS resources that it needs.
- AWS service role for an EC2 instance is a special type of service role that a service assumes to launch an EC2 instance that runs your application. This role is assigned to the EC2 instance when it is launched.
- AWS service-linked role is a unique type of service role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
- An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
- Users or groups can have multiple policies attached to them that grant different permissions.
- Most permission policies are JSON policy documents.
- The IAM console includes policy summary tables that describe the access level, resources, and conditions that are allowed or denied for each service in a policy.
- The policy summary table includes a list of services. Choose a service there to see the service summary.
- This summary table includes a list of the actions and associated permissions for the chosen service. You can choose an action from that table to view the action summary.
- To assign permissions to federated users, you can create an entity referred to as a role and define permissions for the role.
- Identity-Based Policies
- Permissions policies that you attach to a principal or identity.
- Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account.
- Inline policies are policies that you create and manage and that are embedded directly into a single user, group, or role.
- Resource-based Policies
- Permissions policies that you attach to a resource such as an Amazon S3 bucket.
- Resource-based policies are only inline policies.
- Trust policies – resource-based policies that are attached to a role and define which principals can assume the role.
AWS Security Token Service (STS)
- Create and provide trusted users with temporary security credentials that can control access to your AWS resources.
- Temporary security credentials are short-term and are not stored with the user but are generated dynamically and provided to the user when requested.
- By default, AWS STS is a global service with a single endpoint at https://sts.amazonaws.com.
- Lock Away Your AWS Account Root User Access Keys
- Create Individual IAM Users
- Use Groups to Assign Permissions to IAM Users
- Use AWS Defined Policies to Assign Permissions Whenever Possible
- Grant Least Privilege
- Use Access Levels to Review IAM Permissions
- Configure a Strong Password Policy for Your Users
- Enable MFA for Privileged Users
- Use Roles for Applications That Run on Amazon EC2 Instances
- Use Roles to Delegate Permissions
- Do Not Share Access Keys
- Rotate Credentials Regularly
- Remove Unnecessary Credentials
- Use Policy Conditions for Extra Security
- Monitor Activity in Your AWS Account
Customer managed policies in an AWS account
Groups in an AWS account
Roles in an AWS account
Managed policies attached to an IAM role
Managed policies attached to an IAM user
Virtual MFA devices (assigned or unassigned) in an AWS account
Equal to the user quota for the account
Instance profiles in an AWS account
Access keys assigned to an IAM user
Access keys assigned to the AWS account root user
Aliases for an AWS account
Groups an IAM user can be a member of
IAM users in a group
Equal to the user quota for the account
Users in an AWS account
Managed policies attached to an IAM group
MFA devices in use by an IAM user
MFA devices in use by the AWS account root user
SSH public keys assigned to an IAM user
Tags that can be attached to an IAM role
Tags that can be attached to an IAM user
Become an IAM Policy Master in 60 Minutes or Less:
AWS IAM-related Cheat Sheets:
Validate Your Knowledge
You recently created a brand new IAM User with a default setting using AWS CLI. This is intended to be used to send API requests to your S3, DynamoDB, Lambda, and other AWS resources of your cloud infrastructure. Which of the following must be done to allow the user to make API calls to your AWS resources?
- Do nothing as the IAM User is already capable of sending API calls to your AWS resources.
- Enable Multi-Factor Authentication for the user.
- Assign an IAM Policy to the user to allow it to send API calls.
- Create a set of Access Keys for the user and attach the necessary permissions.
You are working as a Solutions Architect for a leading insurance firm where you are instructed to provision access to certain IAM users which performs application development tasks in your VPC. The access should allow the users to create and configure various AWS resources such as deploying Windows EC2 servers. In addition, the users should be able to see the permissions in AWS Organizations to view the information about the user’s organization, including the master account email and organization limitations.
Which of the following should you implement to follow the standard security advice of granting least privilege?
- Attach the
PowerUserAccessAWS managed policy to the IAM users.
- Attach the
AdministratorAccessAWS managed policy to the IAM users.
- Create a new IAM role and attach the
SystemAdministratorAWS managed policy to it. Assign the IAM Role to the IAM users.
- Create a new IAM role and attach the
AdministratorAccessAWS managed policy to it. Assign the IAM Role to the IAM users.
For more AWS practice exam questions with detailed explanations, check this out:
Additional Training Materials: AWS IAM Video Courses on Udemy
- Step by Step: Fault-tolerant, Scalable and Secure AWS Stack by Savitra Sirohi
AWS Certifications are consistently among the top paying IT certifications in the world, considering that Amazon Web Services is the leading cloud services platform with almost 50% market share! Earn over $150,000 per year with an AWS certification!