What Is Identity and Access Management (IAM) and How Is It Used?
Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. IAM lets you manage users, credentials, and permissions that control the usage of AWS services by users and applications.
What are the advantages of AWS IAM?
- Manage IAM users and their access – AWS IAM provides secure resource access to multiple users
- Manage access for federated users – AWS allows you to provide secure access to resources in your AWS account to your employees and applications without creating IAM roles
What are the features of IAM?
The features of IAM are as follows:
- Shared access to your account – lets you share the resources in your account with other users through the shared-access features.
- Free of cost – AWS IAM itself is free to use; you are charged only when your IAM users access other Amazon web services.
- Centralized control over your AWS account – you create, modify, and delete users and groups from one place.
- Grant permissions to users – an administrator holds the rights to grant each user permission to access specific resources.
- Multi-factor authentication – adds an additional layer of security to your account by requiring a second factor from a hardware or virtual MFA device.
Are root users and IAM users the same?
No. The root user (also called the master user) owns the account; an IAM user is an identity created within the account and holds a subset of the root user's permissions.
What are Temporary Security Credentials?
These are short-lived security credentials that you request from the AWS Security Token Service (AWS STS).
What is the IAM Hierarchy of Privileges?
- Root user
- IAM user
- User with temporary credentials
In the IAM service, can we monitor the IAM user activity?
Yes, you can monitor the activities of IAM users. If you detect a violation, you can revoke that IAM user's access.
How is authentication controlled in the IAM service?
- You can manage the users: you control their access keys, passwords, and multi-factor authentication.
- You can manage federated users.
What is federated user access management?
A federated user is one who is allowed to access AWS resources using an identity from a third party, such as Google, Facebook, LinkedIn, or corporate credentials.
How do you connect or associate people’s identities in a corporate directory such as Active Directory to IAM roles?
Federate corporate identities to AWS IAM with an Identity Provider. You can either manage your own AWS Identity Provider and Roles or connect the corporate directory to AWS SSO and provision permission sets that manage IAM roles from there.
See Effective IAM for AWS, Create IAM principals, and provision access, for how to federate AWS identity for human users.
How to control Authorization in AWS IAM?
You can control authorization by creating policies.
What are the different AWS IAM categories that you can control?
Using AWS IAM, you can do the following:
- Create and manage IAM users
- Create and manage IAM groups
- Manage the security credentials of the users
- Create and manage policies to grant access to AWS services and resources
What are the 5 top security credentials in AWS IAM?
- User-id and Password
- E-mail address and Password
- Access keys
- Key pair
- Multi-factor authentication
What is MFA support for IAM?
MFA stands for Multi-Factor Authentication. IAM MFA adds a layer of security: to enter the AWS Management Console, a user supplies a username and password (the first factor, something they know) and must also enter the code generated by the MFA device associated with the user account (the second factor, a randomly generated token valid for a single login session).
To set up MFA for an account, you either buy a hardware MFA device or install a free virtual MFA app on your phone; beyond that there is no extra cost.
What are access keys for IAM Users?
Access keys can be created for IAM users or the AWS account root user. They are long-term credentials used to sign programmatic requests to the AWS API or AWS CLI. An access key consists of two parts:
- Access key ID (for example AKIAIKATODNN7EXAMPLE)
- Secret access key (for example wJnamXUtnFEMI/K7MAWQG/bPxRfiCYEXAMPLEKEY)
The access key ID and secret access key are used together, like a username and its password, to authenticate a request.
Amazon recommends using IAM roles rather than access keys. Access keys are as confidential as user credentials and are meant to be private to the IAM user or AWS account root user that owns them. These users can create, view, modify, rotate, and delete their own access keys.
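"Signing" a request means the secret access key never travels with the request: the client derives a per-day, per-region, per-service signing key from it and sends only an HMAC over the canonical request (AWS Signature Version 4). The block below is an added example, not code from the page or from the AWS SDKs, that implements the SigV4 header signing and reproduces the "GET Object" request from the AWS SigV4 documentation, using the documentation's public example access key pair (not real credentials).

```python
import hashlib
import hmac
from typing import Dict, Tuple

# AWS documentation example credentials (public example values, not real keys).
EXAMPLE_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """Four chained HMACs scope the long-term secret to one day, region and service;
    only this derived key ever signs, so the secret itself is never on the wire."""
    k_date = hmac_sha256(("AWS4" + secret_access_key).encode(), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(method: str, path: str, query: str, headers: Dict[str, str], payload: bytes,
                 access_key_id: str, secret_access_key: str, region: str, service: str,
                 amz_date: str) -> Tuple[str, str]:
    """Return (Authorization header value, hex signature) for one request.
    Header values are assumed already trimmed (no runs of internal spaces)."""
    date = amz_date[:8]
    names = sorted(headers, key=str.lower)
    canonical_headers = "".join(f"{n.lower()}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(n.lower() for n in names)
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed_headers, sha256_hex(payload)]
    )
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canonical_request.encode())]
    )
    signature = hmac.new(
        derive_signing_key(secret_access_key, date, region, service),
        string_to_sign.encode(), hashlib.sha256,
    ).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return authorization, signature


def example_s3_get_object() -> Tuple[str, str]:
    """The S3 'GET Object' request from the AWS SigV4 documentation, used as a known test vector."""
    headers = {
        "Host": "examplebucket.s3.amazonaws.com",
        "Range": "bytes=0-9",
        "x-amz-content-sha256": sha256_hex(b""),  # GET has an empty payload
        "x-amz-date": "20130524T000000Z",
    }
    return sign_request("GET", "/test.txt", "", headers, b"",
                        EXAMPLE_ACCESS_KEY_ID, EXAMPLE_SECRET_ACCESS_KEY,
                        "us-east-1", "s3", "20130524T000000Z")


if __name__ == "__main__":
    print(example_s3_get_object()[0])
```

The signature covers the request date and the listed headers, so a captured Authorization header is only accepted within AWS's clock-skew window and only for that exact request; what an attacker needs is the secret access key, which is why the page's advice to prefer roles (whose credentials expire) over long-term keys matters.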
What is ABAC for AWS?
Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called tags. You can attach tags to IAM resources, including IAM entities (users or roles), and to AWS resources. You can create a single ABAC policy or a small set of policies for your IAM principals. These ABAC policies can be designed to allow operations when the principal's tag matches the resource tag. ABAC is helpful in environments that are growing rapidly and in situations where policy management would otherwise become cumbersome.
What are the Roles?
Roles are used to provide permissions to entities that you trust within your AWS account. Roles are very similar to users, but with roles you do not need to create a username and password to work with the resources.
- An IAM user has permanent long-term credentials and interacts with AWS services directly, whereas an IAM role has no credentials of its own and cannot make direct requests to AWS services.
- IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.
For example, we create an IAM role and attach it to an EC2 instance to give access to applications running on the instance. When an application has such a role, it can perform all operations allowed by the policies attached to the role.
What is the difference between an IAM role and an IAM user?
The two key differences between the IAM role and the IAM user are:
An IAM role is an IAM entity that defines a set of permissions for making AWS service requests, while an IAM user has permanent long-term credentials and is used to interact with the AWS services directly.
A role is assumed by trusted entities, such as IAM users, applications, or an AWS service, whereas an IAM user has full access to all the AWS IAM functionalities.
What happens if you have one IAM statement that allows a principal to operate on a resource and another statement that denies that same operation on the same resource?
An explicit Deny always wins over an Allow when multiple statements apply.
What are policies and what are the different types of policies?
Policies define the permissions required to execute an operation irrespective of the method used to perform it. AWS supports six types of policies:
- Identity-based policies
- Resource-based policies
- Permissions boundaries
- Organizations SCPs
- ACLs
- Session policies
1. Identity-based policies – JSON permissions policy documents that control what actions an identity can perform, under what conditions, and on which resources. They are further classified into two categories:
- Managed policies – standalone identity-based policies that can be attached to multiple users and groups in your AWS environment.
- Inline policies – policies embedded directly in a single user, group, or role, so a strict one-to-one relationship between the policy and the identity is maintained.
2. Resource-based policies – policies attached to a resource such as an Amazon S3 bucket. They define which actions can be performed on that resource and under what circumstances.
3. IAM permissions boundaries – the maximum permissions that identity-based policies can grant to a specific entity.
4. Service control policies (SCPs) – the maximum permissions for an organization or organizational unit.
5. Access control lists (ACLs) – define and control which principals in another AWS account can access the resource.
6. Session policies – advanced policies passed as a parameter when a temporary session is programmatically created for a role or federated user.
What are the managed policies in AWS IAM?
There are two types of managed policies: customer managed policies, which you create and manage, and AWS managed policies, which AWS creates and manages. Both are IAM resources that express permissions using the IAM policy language. You can create, edit, and manage them separately from the IAM users, groups, and roles to which they are attached.
What are the policies that you can set for your user’s passwords?
The following requirements can be set for users' passwords:
- A minimum password length.
- That users include at least one number or special character in the password.
- Required character types, including uppercase letters, lowercase letters, numbers, and non-alphanumeric characters.
- Automatic password expiration, prevention of reuse of old passwords, and a required password reset at the user's next AWS sign-in.
- That users must contact an account administrator when they have let their password expire.
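To make the rules above concrete, the following added example (not code from the page or from AWS) models an account password policy whose field names mirror the IAM account password policy settings, and checks a proposed password and a password's age against it. The policy values, the symbol set, and the sample passwords are assumptions constructed for the example; the previous-password list is kept as SHA-256 digests purely for illustration, since a real credential store would use a salted, slow hash.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date
from typing import List

# The symbol set IAM counts as "non-alphanumeric" characters.
IAM_SYMBOLS = "!@#$%^&*()_+-=[]{}|'"


@dataclass
class PasswordPolicy:
    """Field names mirror the settings of the IAM account password policy."""
    minimum_password_length: int = 14
    require_symbols: bool = True
    require_numbers: bool = True
    require_uppercase_characters: bool = True
    require_lowercase_characters: bool = True
    max_password_age: int = 90           # days; 0 means passwords never expire
    password_reuse_prevention: int = 24  # previous passwords remembered; 0 disables the check
    hard_expiry: bool = False            # True: after expiry the user must contact an administrator


def password_digest(password: str) -> str:
    # Illustration only: a real credential store keeps salted, slow hashes (bcrypt/scrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def check_new_password(policy: PasswordPolicy, candidate: str, previous_digests: List[str]) -> List[str]:
    """Return the list of policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(candidate) < policy.minimum_password_length:
        problems.append(f"shorter than {policy.minimum_password_length} characters")
    if policy.require_symbols and not any(c in IAM_SYMBOLS for c in candidate):
        problems.append("missing a symbol")
    if policy.require_numbers and not re.search(r"[0-9]", candidate):
        problems.append("missing a number")
    if policy.require_uppercase_characters and not re.search(r"[A-Z]", candidate):
        problems.append("missing an uppercase letter")
    if policy.require_lowercase_characters and not re.search(r"[a-z]", candidate):
        problems.append("missing a lowercase letter")
    n = policy.password_reuse_prevention
    if n and password_digest(candidate) in previous_digests[-n:]:
        problems.append(f"matches one of the last {n} passwords")
    return problems


def password_status(policy: PasswordPolicy, last_changed_iso: str, today_iso: str) -> str:
    """'valid', 'expired-must-reset' (reset at next sign-in) or
    'expired-contact-admin' (hard expiry). Dates are ISO strings, e.g. '2024-01-01'."""
    age_days = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    if policy.max_password_age == 0 or age_days < policy.max_password_age:
        return "valid"
    return "expired-contact-admin" if policy.hard_expiry else "expired-must-reset"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_new_password(policy, "Ab1!", []))  # constructed weak candidate
    print(password_status(policy, "2024-01-01", "2024-04-01"))
```

The reuse check compares digests of the last `password_reuse_prevention` passwords rather than the cleartext, and `hard_expiry` is what turns the last bullet above (contact an administrator) on.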
What is a Power User Access in AWS?
An administrator user is like the owner of the AWS resources: such a user can create, delete, modify, or view the resources and can also grant other users permissions on them.
Power User Access provides administrator access without the ability to manage users and permissions. In other words, a user with Power User Access can create, delete, modify, or view the resources, but cannot grant permissions to other users.
Explain best practices to manage access to AWS resources.
- Do not use root accounts – Since root accounts have access to all the AWS resources and services, sharing or using them is not a good idea.
- Use Groups – Create groups, grant access to them, and add users to them – so that all users within the group have the same access.
- Enable Multi-factor Authentication (MFA) – MFA should be enabled for privileged users such as admins. MFA adds a layer of security.
- Grant least privileges – Only grant permissions that are necessary for the user or group.
How do you manage users in AWS and what privileges are provided to dev, QA, Mgs, CI, and Admin?
We create users and add them to groups. We have groups such as developers, DevOps, and Admin, and each group has the appropriate policies attached. We then give the users the AWS IAM user sign-in link.
We create roles and attach them to EC2 instances. For example, if an EC2 instance needs full admin access to S3, we create an appropriate role for S3 and attach that role to the EC2 instance.
In what ways can AWS IAM be used?
You can work with AWS IAM in various ways, such as:
- AWS SDKs
- AWS Management Console
- IAM HTTPS API
- AWS Command Line Tools
Your organization has around 50 IAM users. Now, it wants to introduce a new policy that will affect the access permissions of an IAM user. How can it implement this without having to apply the policy at the individual user level?
It is possible using AWS IAM groups, by adding users to the groups as per their roles and by simply applying the policy to the groups.
Your organization has four instances for production and another four for testing. You are asked to set up a group of IAM users that can only access the four production instances and not the other four testing instances. How will you achieve this?
We can achieve this by defining tags on the test and production instances and then adding a condition to the IAM policy that allows access only to instances carrying the production tag.
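The tag-based answer above, the ABAC description earlier on the page, and the rule that an explicit Deny always wins all come down to how IAM evaluates a request against the statements that match it. The block below is an added example, not code from the page or from AWS, that implements that evaluation logic in simplified form (only the `StringEquals` and `StringLike` condition operators, and a request context that carries the resource's tags) and runs it over a constructed policy: one ABAC statement that allows instance operations only when the instance is tagged `env=prod`, plus an explicit Deny on termination. The instance ARNs, account ID and tag values are constructed for the example.

```python
import fnmatch
from typing import Any, Dict, List, Optional

# Constructed policy set for the examples on this page:
#  - an ABAC statement allowing EC2 instance operations only when the instance is tagged env=prod
#  - an explicit Deny on termination, which wins over the Allow even for prod instances
EXAMPLE_POLICIES: List[Dict[str, Any]] = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ManageProdInstancesOnly",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances",
                           "ec2:RebootInstances", "ec2:TerminateInstances"],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}},
            },
            {
                "Sid": "NeverTerminate",
                "Effect": "Deny",
                "Action": "ec2:TerminateInstances",
                "Resource": "*",
            },
        ],
    }
]


def as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def action_matches(pattern: Any, action: str) -> bool:
    # IAM action names are case-insensitive and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in as_list(pattern))


def resource_matches(pattern: Any, arn: str) -> bool:
    return any(fnmatch.fnmatchcase(arn, p) for p in as_list(pattern))


def conditions_met(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    """Only StringEquals and StringLike are modelled. A key missing from the request
    context makes the condition false, which is how IAM treats a resource that lacks
    the tag the policy asks for (an untagged instance gets no access here)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in as_list(expected)
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, e) for e in as_list(expected))
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Simplified IAM evaluation: any matching explicit Deny wins, otherwise any
    matching Allow permits the request, otherwise the request is implicitly denied."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not action_matches(stmt["Action"], action):
                continue
            if not resource_matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not conditions_met(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"


if __name__ == "__main__":
    prod = "arn:aws:ec2:us-east-1:111122223333:instance/i-0prod00000example"
    print(evaluate(EXAMPLE_POLICIES, "ec2:StartInstances", prod, {"aws:ResourceTag/env": "prod"}))
    print(evaluate(EXAMPLE_POLICIES, "ec2:TerminateInstances", prod, {"aws:ResourceTag/env": "prod"}))
```

Two points the run makes visible: a test-tagged or untagged instance never reaches an Allow, so the group from the question is confined to production instances without listing any instance IDs, and `ec2:TerminateInstances` on a production instance matches both the Allow and the Deny, with the Deny winning.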