IAM

Edwin Pradeep
3 min read · Nov 21, 2016

Security is a critical aspect of any organization. This blog focuses on the account security measure provided by AWS — IAM. IAM stands for Identity and Access Management and is used for controlling access to AWS services and resources. There are no additional charges for using IAM.

For people new to IAM, the basic concepts are:

User: A user is similar to a login user in various operating systems like Microsoft Windows. A user can log in to the AWS console using their username and password. In the AWS world, this user can be an individual, system, or application requiring access to AWS resources and services.

Groups: A group is a collection of users. Instead of assigning similar permissions to multiple users individually, a group can be created with a set of permissions and users can be added to it. The benefit of creating groups is that it simplifies the tasks of managing a large number of users and their permissions.

Role: A role is a set of permissions required to make AWS service requests. Unlike a policy, a role is not assigned directly to a user or group; instead, it is assumed by a user, an application, or an AWS service such as EC2 in order to make service requests. While a user is using an assumed role, their own permissions no longer apply, and they can perform only the actions granted by the permissions attached to that role.

Policy: A policy is a JSON document that specifies the actions that are allowed or denied for various AWS services. A policy can be attached to a user, group, or an IAM role. AWS also provides IAM policy generator and sample policies which can help in getting started with IAM policies.

IAM can be used for:

  • Managing users and their access: Users and groups can be created, and their access to the various AWS services can be controlled.
  • Managing IAM roles: The primary benefit of an IAM role is that it gives the entity temporary access credentials for making AWS service requests, so there is no need to hand out long-term credentials or to define permissions for every entity that needs access to an AWS resource.
  • Managing federated users: IAM can also enable identity federation, which allows on-premises users to access the AWS Management Console, call AWS APIs, and use other AWS resources without creating a new IAM account for each entity.

We, at CloudThat, adhere to the following IAM best practices:

Here is what our password policy looks like:

One can also use the credential report, available from the IAM console, to see the status of the credentials of all the users in your account. This can help you come up with a rotation policy for passwords and access keys.
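The rotation check a credential report makes possible, as an added example that is not part of the original post: it reads the report's CSV (a constructed sample here, using the report's real column names) and flags passwords or access keys older than 90 days, plus console users without MFA.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential-report CSV layout, trimmed to the
# columns this check reads (real reports carry more); ids are placeholders.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2016-10-01T09:00:00+00:00,true,true,2016-10-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2016-05-01T09:00:00+00:00,false,true,2016-04-15T09:00:00+00:00,true,2016-11-10T09:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,N/A,false,true,2016-01-20T09:00:00+00:00,false,N/A
"""

# Date the sample report is evaluated against (the post's publication date).
REPORT_DATE = datetime(2016, 11, 21, tzinfo=timezone.utc)


def _age_days(stamp, now):
    """Whole days since an ISO-8601 timestamp; None for N/A-style markers."""
    if stamp in ("N/A", "not_supported", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def find_stale_credentials(report_csv, now, max_age_days=90):
    """Return (user, finding) pairs for passwords or access keys older than
    max_age_days and for console users without MFA, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":        # console login exists
            age = _age_days(row["password_last_changed"], now)
            if age is not None and age > max_age_days:
                findings.append((user, f"password not rotated for {age} days"))
            if row["mfa_active"] != "true":
                findings.append((user, "console access without MFA"))
        for n in ("1", "2"):                          # each user has two key slots
            if row[f"access_key_{n}_active"] == "true":
                age = _age_days(row[f"access_key_{n}_last_rotated"], now)
                if age is not None and age > max_age_days:
                    findings.append((user, f"access key {n} not rotated for {age} days"))
    return findings


def audit_sample():
    """Run the check over the constructed sample with a 90-day window."""
    return find_stale_credentials(SAMPLE_REPORT, REPORT_DATE)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

The live report is fetched with "aws iam get-credential-report", whose Content field is the same CSV, base64-encoded.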

*****************************************************************

The AWS CLI allows you to switch between multiple IAM user accounts. This becomes very handy when you are writing a script that involves multiple IAM users.

Prerequisites:

AWS CLI tool

Configuring Multiple Accounts:

When you configure the AWS CLI, a configuration file gets created at ~/.aws/config on Linux/Unix, or at C:\Users\Edwin\.aws\config on Windows, which looks like:

This has a default profile, which gets created when you run "aws configure".

Now, to create multiple profiles, append the following to your AWS configuration file (~/.aws/config):

Note that in this file you need to prefix the profile name with the string "profile".

Now, whenever you want to use this user, invoke the AWS command with the --profile command line parameter, or set the environment variable AWS_DEFAULT_PROFILE. If neither specifies a profile, the AWS CLI uses the profile named default.

Example:

Miscellaneous Tips

Auto-Completion:
To enable auto-completion for your AWS CLI, add the line below to your /etc/bashrc file:

Configuring the command output:
By default the output of the AWS CLI is json, but it also supports other formats like table and text. To change the default output you can either

*****************************************************************

I hope this blog gave you an idea as to how you can use IAM and adhere to the best practices in order to keep your account secure. Please feel free to post questions, comments, and suggestions below.
