Hello & welcome back to our #100DaysOfAWS series! While this blog is a revisit to an earlier post, it is a critical foundation that we must grasp before we continue our AWS journey. In this blog, we're diving deep into the world of AWS Identity and Access Management (IAM) – the linchpin of security within the AWS ecosystem. AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services and resources. It enables you to control access by creating users and groups, assigning specific permissions and policies to specific users, setting up MFA for additional security and so on. And the best part is that the IAM feature is offered at no additional charge.
When we first create AWS account, we begin with a single sign-in identity that has complete access to all the AWS services and resources in the account. This identity is known as AWS account root user. We can access this root account by signing in with the email address and password that we used to create the account. It is strongly recommended to use root user for what's truly necessary and not for our everyday tasks, even the administrative ones. Instead create user that would be an administrator and then securely lock away the root user credentials and use then to perform only a few account and service management tasks.
IAM Key Features -
You can think of IAM as the first step towards securing AWS services and resources. Let's take a quick look at some of the key features that makes IAM so powerful -
1. Shared access to your AWS accounts
You can grant permissions to other people to administer and use the resources in your AWS account without sharing your password/access key.
2. Authentication
IAM lets you create and manage identities like users, groups and role, meaning you can provide authentication to users, resources in your AWS account.
3. Granular permissions
You can grant different permissions to different people for different resources. For example, you might allow some users complete access to EC2, S3 bucket and some other services. For some other users, you can allow read-only access only to EC2 or only on S3 buckets.
4. Identity Federation
You can allow users who already have password elsewhere (from other identity providers like OKTA, AD, etc.), to get temporary access to your AWS account. IAM enables you to do this with a feature called Identity Federation.
5. AWS Organizations
For fine-grained control for multiple AWS accounts, you can use AWS Organizations to segment accounts into groups and assign permission boundaries.
6. Multi-factor Authentication
You can add two factor authentication to your account to provide some additional security.
Accessing IAM -
You can work with AWS IAM in following different ways.
AWS Management Console
The console is a browser-based interface to manage IAM and AWS resources.
AWS Command Line Tools
You can use the AWS command line tools to issue commands at your system's command line to perform IAM and AWS tasks. The command line tools are useful if you want to create scripts that perform AWS tasks.
AWS provides two sets of command line tools: the AWS Command Line Interface (AWS CLI) and the AWS Tools for Windows PowerShell.
AWS SDKs
AWS provides SDKs (software development kits) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to IAM and AWS. For example, the SDKs take care of tasks such as cryptographically signing requests, managing errors, and retrying requests automatically.
IAM HTTPS API
You can access IAM and AWS programmatically by using the IAM HTTPS API, which lets you issue HTTPS requests directly to the service. When you use the HTTPS API, you must include code to digitally sign requests using your credentials.
Best Practices to secure your AWS resources
1 . Use MFA
Add an extra layer of protection to an access key or password using Google Authenticator, DUO, etc.
2. Generating Temporary Credentials
Dynamically generated credentials that last expire after a configurable interval. Never share your credentials with anyone. It’s advisable to create individual users for anyone who has access requirements.
3. Encryption
Avoid plaintext storage of long or short term credentials.
4. Centralized User Management
Dedicated “Identity” AWS accounts to centralize all users and groups and enforce least privilege. Federated access can also be set up with systems such as Okta or OneLogin.
5. Root Account Usage
Avoid the use of root account unless strictly necessary to perform daily tasks. Additionally, do not create access keys for the root account unless strictly necessary.
6. Monitor account activity regularly
It's always a good practice to monitor your account regularly using IAM Access Analyzer and AWS CloudTrail.
7. Enforce strong passwords
Enforce strong passwords by configuring account password policy that involves password rotation, discourages the use of old passwords, only allows alphanumeric characters, and more.
With this, I'll wrap up this post here.
In the next few blogs we will discuss about Users, Groups, Roles and Permissions. Stay tuned for the enlightening journey ahead as we explore AWS IAM.
Thank you for reading and joining me on this #100DaysOfAWS adventure.
*** Explore | Share | Grow ***
Comments