July 14, 2022 05:36 pm GMT

AWS Identity and Access Management - Practical Guide (Cheat Sheet)

This is a practical guide for understanding and revising the AWS IAM service. It can also be used as a quick-review cheat sheet.


IAM: Users & Groups

  • IAM = Identity and Access Management, Global service
  • Root account created by default; it shouldn't be used or shared
  • Users are people within your organization, and can be grouped
  • Groups only contain users, not other groups
  • Users don't have to belong to a group, and a user can belong to multiple groups

IAM: Permissions

  • Users or Groups can be assigned JSON documents called policies.
  • These policies define the permissions of the users.
  • In AWS you apply the least privilege principle: don't give more permissions than a user needs.

IAM Policies Structure

1. An IAM policy consists of:

  • Version: policy language version, always set to 2012-10-17
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required).

2. Each statement consists of:

  • Sid: an identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow, Deny)
  • Principal: the account, user, or role this policy applies to
  • Action: list of actions this policy allows or denies
  • Resource: list of resources the actions apply to
  • Condition: conditions for when this policy is in effect (optional).

Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
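As an added example (not code from the original post), the Python script below applies the evaluation rules the structure above implies (implicit deny by default, an explicit Deny always wins, an Allow only counts when its Action, Resource and Condition all match) to the sample policy. It is a deliberately simplified evaluator: it models only the Bool condition operator and ignores Principal, NotAction and NotResource.

```python
import fnmatch
import json

# Constructed sample: the three-statement policy from the cheat sheet above.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FirstStatement", "Effect": "Allow",
     "Action": ["iam:ChangePassword"], "Resource": "*"},
    {"Sid": "SecondStatement", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Sid": "ThirdStatement", "Effect": "Allow",
     "Action": ["s3:List*", "s3:Get*"],
     "Resource": ["arn:aws:s3:::confidential-data",
                  "arn:aws:s3:::confidential-data/*"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}"""

def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _condition_met(condition, context):
    """Simplification: only the Bool operator is evaluated (enough for MFA)."""
    for key, expected in condition.get("Bool", {}).items():
        # A context key that is absent is treated as "false", so an MFA
        # condition fails unless the caller actually authenticated with MFA.
        if str(context.get(key, "false")).lower() != str(expected).lower():
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny" for one action on one resource."""
    context = context or {}
    policy = json.loads(policy) if isinstance(policy, str) else policy
    if policy.get("Version") != "2012-10-17":
        raise ValueError("unexpected policy language version")
    decision = "Deny"  # implicit deny until an Allow matches
    for st in policy["Statement"]:
        # Action names are case-insensitive in IAM; resources are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_met(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision
```

Running evaluate on the sample policy shows why the Condition matters: s3:GetObject on the confidential bucket is denied without MFA in the request context and allowed with it.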

IAM Password Policy

  • Strong passwords = higher security for your account
  • In AWS, you can set up a password policy:
    • Set a minimum password length
    • Require specific character types:
      • uppercase letters
      • lowercase letters
      • numbers
      • non-alphanumeric characters
    • Allow all IAM users to change their own passwords
    • Require users to change their password after some time (password expiration)
    • Prevent password re-use.

Multi Factor Authentication - MFA

  • Users have access to your account and could change configurations or delete resources in your AWS account
  • You want to protect your root account and IAM users
  • MFA = password you know + security device you own

MFA devices options in AWS

  • Virtual MFA device: Google authenticator, Authy.
  • Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party)

How can users access AWS?

  • To access AWS, you have three options:
    1. AWS Management Console (protected by password + MFA)
    2. AWS Command Line Interface (CLI): protected by access keys
    3. AWS Software Developer Kit (SDK) - for code: protected by access keys
  • Access Keys are generated through the AWS Console
  • Users manage their own access keys
  • Access Keys are secret, just like a password. Don't share them
  • Access Key ID ~= username
  • Secret Access Key ~= password

IAM Roles for Services

  • Some AWS services will need to perform actions on your behalf
  • To do so, we assign permissions to AWS services with IAM Roles
  • Common roles:
    • EC2 Instance Roles
    • Lambda Function Roles
    • Roles for CloudFormation

IAM Guidelines & Best Practices

Don't use the root account except for AWS account setup
One physical user = One AWS user
Assign users to groups and assign permissions to groups
Create a strong password policy
Use and enforce the use of Multi Factor Authentication (MFA)
Create and use Roles for giving permissions to AWS services
Use Access Keys for Programmatic Access (CLI / SDK)
Audit permissions of your account with the IAM Credentials Report
Never share IAM users & Access Keys

IAM Summary

Users: mapped to a physical user, has a password for AWS Console
Groups: contains users only
Policies: JSON document that outlines permissions for users or groups
Roles: for EC2 instances or AWS services
Security: MFA + Password Policy
Access Keys: access AWS using the CLI or SDK
Audit: IAM Credential Reports & IAM Access Advisor


Original Link: https://dev.to/tanmaygi/aws-identity-and-access-management-practical-guide-cheat-sheet-3528
