Read on:

AWS for Beginners: Understanding AWS Terminologies: Part 1
AWS for Beginners: What is AWS EC2: Part 2
AWS for Beginners: AWS Compute Services: Part 3
AWS for Beginners: How to Protect AWS Security Tools: Part 4

In IT infrastructure, the first task in administration is managing access to the users. For any newly joined employee or existing employees, providing the right level of access and to the right resources is an important task. It is very critical to ensure only the right people have the right level of access in order to prevent misconfiguration, prevent improper usage of resources, prevent human errors, to properly monitor usage and to ensure compliance in case of PCI/SOX requirements. Whether it is an on-premise infrastructure or cloud environment, there are different ways to manage the users and secure the environment by providing only required access. AWS Cloud provides the Identity and Access Management (IAM) service to properly manage the users and its permissions.

Protect Your Data with BDRSuite

Cost-Effective Backup Solution for VMs, Servers, Endpoints, Cloud VMs & SaaS applications. Supports On-Premise, Remote, Hybrid and Cloud Backup, including Disaster Recovery, Ransomware Defense & more!

This article will walk you through the various components of IAM service in AWS and how it could be used to provide permissions and privileges to users.

Overview of AWS Identity and Access Management

Identity and access management (IAM) is a service offered by AWS that allows users to manage their level of access to the resources through the AWS console. By using IAM, you can set the right permissions & privileges to the users so that they can access the resources and perform their administration task. For example, some users would need access only to reboot the EC2 instances in AWS console and not perform any other actions like destroying the EC2 instance or adding new disks etc., IAM can be used to set such fine grain permissions so that the user can only perform specific tasks. AWS IAM is a global service. The permissions and privileges set for users in an AWS account through IAM will be the same for all the regions.

AWS IAM offers the following features

Download Banner
  • Control the AWS account in centralized manner
  • Able to configure identity federation and multi factor authentication
  • Provide granular permissions to users to perform specific tasks
  • Compliant with PCI/DSS standards
  • Integrates with AWS services like compute, storage, database and other application services

Components of IAM

There are four components in IAM with which access can be configured and controlled for the AWS account.

Identity and Access Management

IAM Users

Any individual with a set of permissions to an AWS account is an IAM user. Users can login to the AWS console and manage the AWS resources by using their credentials. IAM users can be configured to login in 2 ways.

  • Using password credential
  • Using Access Keys for programmatic access (Ex: Automation purposes, CLI access)

IAM Groups

A collection of IAM users is known as IAM groups. Permissions and privileges are assigned to the groups and each user in the group inherits the same set of permissions of the group.

IAM Roles

IAM roles are entities that are assigned with certain permissions. Roles can be assigned to any AWS service and the service assumes the role whenever it needs to perform a certain task. When a service assumes the role, a temporary token is generated for the service to perform the required task. Roles do not have any password or keys to authenticate with the AWS account.

IAM Policies

IAM policies define the permissions and privileges a user/group/role should have. Policies are a set of JSON documents that is known as Policy documents with which we can define the required permissions. There are policies that are available by default in the account and managed by AWS. These are known as AWS managed policies. Customers can create their own policies and attach to users or roles. These are known as Customer managed policies.

Advantages of managing permissions with groups

As the number of users increases in an organization, managing the permissions individually becomes a tedious task. Members in the same team would need the same set of permissions. In such cases, managing permissions at the user level is not only time consuming but also prone to human errors. Suppose if a team of 10 members requires read only permission for a S3 bucket, there is a chance that one user in the team is missed out while giving permissions. If in case the permissions have to be changed at a later time, then permissions have to be updated for each user separately. When a user leaves a team or a new member joins the team, then too updating the permissions for individual users becomes tedious. These kinds of trivial issues can be avoided by managing the permissions in groups.

Below are the various advantages of managing users with groups.

Identity and Access Management

Best practices for AWS IAM

Security is an important aspect for managing Identity and Access in an environment. Hence, it is important to follow some best practices in managing IAM so that the environment is secure and nobody is able to break the access policies and privileges.

  • Enable AWS IAM Identity centre for users to provide federated access. This provides temporary credentials for the users while accessing the AWS console
  • Enable Multi factor authentication for users that provides an additional layer of security for login. Each user requires both the password and one time code generated by the token to login
  • For any application workloads, configure roles to connect to AWS and execute specific tasks. Roles will help to define the permissions required for the application workloads and limits the tasks that can be executed
  • Do not use root user credentials directly to connect to AWS console and for everyday tasks
  • Implement least privilege permissions with policies. Always start with lesser permissions and as the infrastructure matures, then the permissions can be increased
  • AWS managed policies are available that can be used to start with for some common scenarios.
  • Add conditions to the policies that can act as additional layer of security and the permissions are applied only if the condition matches
  • Audit the user accounts, its permissions on a regular basis and remove those accounts that are no longer in use. There must a clear onboarding and offboarding process for user accounts and identities
  • Setup permissions boundaries whenever there is a need to delegate permissions to other users to perform administrative tasks. Permission boundaries setup maximum permissions a role can have by using the policy
  • Enable IAM access analyzer to find identities in your account that has been shared with some other external user and remove it. This can avoid any security risk posed to the account

What is IAM Access Analyzer

IAM access analyzer is an AWS service that can be used to inspect and validate the permissions assigned for the users and roles. Access analyzer can validate policies for syntax, whether the policies are compliant with best practices and based on the activity in the account it can generate policy statements that can be used to fine tune the policies assigned to the users/roles. In this way Access analyzer helps to achieve principles of least privilege. Access analyzer also helps to identify the resources that are shared with external entities in other accounts and organizations. Access analyzer is available at no additional cost. It is not a global service and hence needs to be enabled in all the regions and all the accounts separately wherever the resources are deployed. For example, a user might have been assigned with a specific policy and the user is not using all of those permissions assigned in the policy. This can be identified with access analyzer and keep only those permissions that the user actually requires.

Conclusion:

AWS IAM is a critical service and needs to be managed properly to secure the infrastructure. Always follow the best practices and implement multi-factor authentication for additional security. Ensure that the users can elevate to higher privileged access only on specific conditions. Always follow the principles of least privilege access to protect the infrastructure from any unintended access and prevent any misconfigurations by users.

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.

5/5 - (2 votes)