Tuesday, June 8, 2021

IAM


Identity & Access Management (IAM)


  • Global Service
  • Root account created by default
  • The root account should only be used for initial account setup and never afterwards.
  • Users should be created, and they can be grouped. For example, one group can be created for developers with certain enhanced privileges, and another for the operations team with restricted access.
  • Users don't necessarily have to belong to a group and can be part of multiple groups.

Permissions

  • Users & groups can be assigned JSON documents called policies.
  • A policy defines the permissions of the users or groups it is attached to
  • AWS convention is to apply the least privilege principle; don't give more permissions than a user needs.


Policies


  • Policy at the group level - all users in an IAM group would have the same permissions
  • Inline policy - policy attached to an individual user - not part of a group.

Policy document structure:

  • Version: policy language version, always "2012-10-17"
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual rules (required)

Statement structure:

  • Sid: an identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow / Deny)
  • Principal: account/user/role the policy is applied to
  • Action: list of actions this policy allows/denies
  • Resource: list of resources the actions apply to
  • Condition: conditions for when this policy is in effect (optional)
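To make the structure above concrete, here is an added example (not from the original post) of a small linter that checks a policy document for the required Version and Statement fields, validates each statement's Effect and keys, and flags Allow statements whose wildcard Action or Resource breaks the least-privilege convention. The two sample policies, the bucket name and the MFA condition are constructed for illustration.

```python
import json

REQUIRED_VERSION = "2012-10-17"
# Keys a statement may carry; Principal/NotPrincipal appear in resource-based policies.
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action", "NotAction",
                  "Resource", "NotResource", "Condition"}

def _as_list(value):
    """IAM allows Action/Resource as one string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(doc: str) -> list:
    """Return findings for an IAM policy document; an empty list means it passed."""
    findings, policy = [], json.loads(doc)
    if policy.get("Version") != REQUIRED_VERSION:
        findings.append(f"Version must be {REQUIRED_VERSION!r}")
    statements = policy.get("Statement")
    if statements is None:
        return findings + ["Statement is required"]
    if isinstance(statements, dict):  # a lone statement may be written without a list
        statements = [statements]
    for i, st in enumerate(statements):
        label = st.get("Sid", f"Statement[{i}]")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny")
        unknown = sorted(set(st) - STATEMENT_KEYS)
        if unknown:
            findings.append(f"{label}: unknown keys {unknown}")
        if st.get("Effect") != "Allow":
            continue  # least-privilege checks only matter for grants, not denies
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action"))):
            findings.append(f"{label}: wildcard Action grants more than least privilege")
        if "*" in _as_list(st.get("Resource")) and "Condition" not in st:
            findings.append(f'{label}: Resource "*" with no Condition')
    return findings

# Constructed sample policies (not taken from a real account).
OVERBROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}]})
SCOPED = json.dumps({"Version": "2012-10-17", "Id": "dev-team-read-only", "Statement": [{
    "Sid": "ReadDevBucket", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-dev-bucket", "arn:aws:s3:::example-dev-bucket/*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})

if __name__ == "__main__":
    for name, doc in (("OVERBROAD", OVERBROAD), ("SCOPED", SCOPED)):
        print(name, lint_policy(doc) or "OK")
```

The scoped policy passes because it names specific actions and ARNs and adds an MFA condition, while the over-broad one is reported twice.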

Multi-factor Authentication

  • Virtual MFA devices - Google Authenticator, Authy
  • YubiKey - universal 2nd factor (U2F) security key
  • Hardware devices - Key Fob by Gemalto
  • AWS GovCloud - Key Fob


IAM roles for Services


  • Some AWS services will need to perform actions on our behalf
  • Permissions need to be assigned to AWS services with IAM roles
  • Common roles: EC2 instance roles / Lambda function roles / CloudFormation


IAM Best Practices


  • Root user should not be used except for AWS account setup.
  • One physical user = One AWS user
  • Assign users to groups and assign permissions to groups
  • Create strong password policy
  • Use and enforce MFA
  • Create and use Roles for giving permissions to AWS services
  • Use access keys for programmatic access (CLI/SDK)
