In my previous blog post I gave an overview of each AWS service and listed the main topics covered in the Solutions Architect Associate exam. This post focuses on AWS Identity and Access Management (IAM), which is an extremely important exam topic.
Identity and Access Management (IAM)
IAM lets you manage users, groups and roles and control, at a fine-grained level, what each of them may do in your AWS account, whether they come in through the console, the CLI or the API.
What does IAM give you?
- Federation – sign in with an external identity: a SAML 2.0 provider such as on-premises Active Directory (via AD FS), or a web identity provider such as Facebook, Google or Amazon
- Multifactor Authentication (MFA)
- Granular permissions – down to a single API action on a single resource
- Shared access to your AWS account without sharing your own credentials
- Centralized control of your AWS account
- Temporary access for users, devices and services (via roles and the Security Token Service, STS)
- Supports PCI DSS compliance
The building blocks of IAM:
- Users – end users (think people); each user has its own credentials
- Groups – a collection of users under one set of permissions (Finance, Accounting, etc.); a user inherits the policies attached to the groups it belongs to
- Roles – identities with permissions but no long-term credentials; a trusted entity (an IAM user, an application, or an AWS service such as EC2) assumes the role and receives temporary credentials
- Policy – a JSON document that defines one or more permissions (an Allow or Deny on a set of actions and resources)
- Users, groups and roles can share a policy: one managed policy can be attached to any number of them
In the console, IAM lives under Security, Identity & Compliance.
IAM is global, not tied to a region: users, groups, roles and policies apply across all regions, wherever your users are located.
IAM users sign-in link:
- The IAM user sign-in URL (which includes your account ID or account alias) is different from the root user sign-in URL.
- The root user is the identity tied to the email address and password you used to create the AWS account. It has unrestricted access to every resource in the account, and its permissions cannot be limited by IAM policies.
- Sign in as root only when a task genuinely requires it: create an administrator IAM user, set up users, groups and policies from there, and enable MFA on the root user.
Multifactor Authentication (MFA) can be set up with either a virtual MFA device or a hardware MFA device:
- Virtual MFA – a TOTP authenticator app on a phone (the exam material lists Android, iPhone, Windows Phone and BlackBerry)
- Hardware MFA – a physical token that displays codes, or a FIDO security key
Two types of access can be enabled for an IAM user:
- Programmatic access – issues an access key ID and a secret access key for the AWS API, CLI, SDKs and other development tools
- AWS Management Console access – a password that lets the user sign in to the AWS Management Console
- A user can have both types of access
Policies:
- A policy is a JSON document: a Version plus one or more Statements, each with an Effect (Allow or Deny), the Actions it covers, the Resources (ARNs) it applies to, and an optional Condition
- PowerUserAccess (AWS managed policy) – access to all AWS services except management of users and groups in IAM. It is written as an Allow with NotAction on iam:* (plus organizations:* and account:* in the current version), so anything under IAM falls through to the implicit deny
Access keys:
- The access key ID and secret access key are for programmatic access only; they cannot be used to sign in to the console
- The secret access key is shown only once, when the key is created, so download the CSV at that point; if you lose it you must create a new key pair. Treat the pair like a password: keep it out of source control and rotate it
- Permissions can be attached to users directly or to groups; attaching policies to groups and placing users in groups is the recommended practice
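What programmatic access actually does with the key pair is worth seeing once: the secret access key never leaves the client. It is used to derive a signing key that is only valid for one day, region and service, and that key HMACs the request; only the access key ID and the resulting signature travel in the Authorization header. The block below is an added example, not code from the original post or from the AWS SDKs, implementing Signature Version 4 with the standard library. The request, date and credentials are the ones AWS uses as the worked example in its SigV4 documentation (AKIDEXAMPLE and its secret are non-functional placeholders); the region and service values are assumptions that match that example.

```python
import hashlib
import hmac
from urllib.parse import quote

# The request AWS walks through in its SigV4 documentation; the keys are the
# documentation's placeholders, not working credentials.
EXAMPLE_ACCESS_KEY_ID = "AKIDEXAMPLE"
EXAMPLE_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
EXAMPLE_AMZ_DATE = "20150830T123600Z"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request").
    The raw secret is never used to sign a request directly."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(access_key_id, secret_access_key, method, host, path, query, headers,
                 body, region, service, amz_date):
    """Build the SigV4 canonical request, string to sign and Authorization header for one request."""
    date_stamp = amz_date[:8]
    # Canonical headers: lowercase names, trimmed values with runs of spaces collapsed, sorted by name.
    canon = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    canon["host"] = host
    canon["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(canon))
    canonical_headers = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    # Canonical query string: URI-encoded names and values, sorted by name.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_request = "\n".join(
        [method, path, canonical_query, canonical_headers, signed_headers, _sha256_hex(body)]
    )
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))]
    )
    signing_key = derive_signing_key(secret_access_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {
        "canonical_request": canonical_request,
        "string_to_sign": string_to_sign,
        "signature": signature,
        "authorization": authorization,
    }


def sign_example_list_users(secret_access_key: str = EXAMPLE_SECRET_ACCESS_KEY) -> dict:
    """GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 signed as in the AWS docs.
    IAM is a global service, so its credential scope uses us-east-1 (assumption matching the docs)."""
    return sign_request(
        EXAMPLE_ACCESS_KEY_ID, secret_access_key,
        method="GET", host="iam.amazonaws.com", path="/",
        query={"Action": "ListUsers", "Version": "2010-05-08"},
        headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        body=b"", region="us-east-1", service="iam", amz_date=EXAMPLE_AMZ_DATE,
    )


if __name__ == "__main__":
    result = sign_example_list_users()
    print(result["canonical_request"])
    print(result["authorization"])
```

The Authorization header this prints can be compared line by line with the one in the AWS SigV4 documentation's worked example. Two things follow for operations: a leaked access key ID on its own is harmless (it is effectively a username), while a leaked secret lets anyone sign as that user until the key is rotated; and because the date is part of the scope and the signature, a captured request cannot be replayed indefinitely.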
An IAM password policy is a set of rules (minimum length, required character classes, expiry, and reuse prevention) that defines the passwords IAM users can set.
Roles – a secure way to grant permissions to entities you trust without handing out long-term credentials: the trusted entity assumes the role and receives short-lived credentials from STS. Typical trusted entities:
- An IAM user in another AWS account (cross-account access)
- Application code running on an EC2 instance that needs to perform actions on AWS resources (attach the role to the instance through an instance profile instead of embedding access keys in the code)
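To tie the policy, group and role material together, the block below is an added example, not code from the original post and not how AWS evaluates policies internally. It models the part of identity-based evaluation the exam cares about (an explicit Deny in any attached policy wins, otherwise any Allow grants, otherwise implicit deny) over Action, NotAction and Resource, and it checks a role's trust policy to show who may assume it. Conditions, resource-based policies, permission boundaries and SCPs are out of scope. The PowerUserAccess-style document mirrors the managed policy's NotAction shape but is a simplified copy; the account IDs, ARNs, bucket and user names are made up.

```python
import re


def _wildcard_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    Action names are matched case-insensitively; ARNs are case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    if "Action" in stmt:
        action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"]))
    else:  # NotAction: the statement covers every action except the listed ones
        action_hit = not any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("NotAction")))
    resource_hit = any(_wildcard_match(r, resource, False) for r in _as_list(stmt.get("Resource", "*")))
    return action_hit and resource_hit


def evaluate(policies, action: str, resource: str) -> str:
    """Decision for one request against all policies attached to the caller (directly or via groups)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # deny always wins, regardless of order
            decision = "Allow"
    return decision


def can_assume_role(trust_policy: dict, principal_type: str, principal: str) -> bool:
    """Trust-policy check: principal_type is 'AWS' (an IAM user/role ARN) or 'Service'.
    Simplification: principals are compared exactly, so account-level trust is not modelled."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if principal in _as_list(stmt["Principal"].get(principal_type)):
            return True
    return False


# --- Constructed sample policies (simplified; IDs, ARNs and names are made up) ---
POWER_USER_SIMPLIFIED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:CreateServiceLinkedRole"], "Resource": "*"},
    ],
}
# Attached to a "Finance" group: members may read reports but never delete them.
FINANCE_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::finance-reports*"},
    ],
}
# Trust policy on a role in account 123456789012 that a user in account 111122223333 may assume.
CROSS_ACCOUNT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
                   "Action": "sts:AssumeRole"}],
}
# Trust policy on a role meant for an EC2 instance profile.
EC2_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    attached = [POWER_USER_SIMPLIFIED, FINANCE_GROUP_POLICY]
    print(evaluate(attached, "s3:GetObject", "arn:aws:s3:::finance-reports/q1.pdf"))
    print(evaluate(attached, "s3:DeleteObject", "arn:aws:s3:::finance-reports/q1.pdf"))
    print(evaluate(attached, "iam:CreateUser", "arn:aws:iam::123456789012:user/bob"))
    print(can_assume_role(EC2_TRUST, "Service", "ec2.amazonaws.com"))
```

The practical lesson the evaluator makes concrete: PowerUserAccess leaves IAM administration at implicit deny rather than granting it, so a power user cannot create users or attach policies, and a group-level Deny is the right tool for a guardrail because no Allow attached anywhere else can override it.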