AWS Identity and Access management-Practical Guide (Cheat sheet)
This is a practical guide for understanding and revising the AWS IAM service. It can also be used as a quick-review cheat sheet.
IAM: Users & Groups
- IAM = Identity and Access Management, a global service (users, groups, roles and policies are not tied to a region)
- A root account is created by default; it should not be used for day-to-day work or shared
- Users are people within your organization, and can be grouped
- Groups only contain users, not other groups
- Users don't have to belong to a group, and a user can belong to multiple groups
IAM: Permissions
- Users, groups and roles can be assigned JSON documents called policies.
- These policies define the permissions of the identity they are attached to.
- In AWS you apply the least-privilege principle: don't grant more permissions than a user needs.
IAM Policies Structure
- Version: policy language version, always include 2012-10-17
- Id: an identifier for the policy (optional)
- Statement: one or more individual statements (required).
Each statement consists of:
- Sid: an identifier for the statement (optional)
- Effect: whether the statement allows or denies access (Allow, Deny)
- Principal: the account, user, role or service the statement applies to. Only resource-based policies (S3 bucket policies, role trust policies) carry a Principal; an identity-based policy attached to a user, group or role has none, because the identity it is attached to is the principal
- Action: list of API actions this statement allows or denies (wildcards such as s3:Get* are accepted)
- Resource: list of resource ARNs the actions apply to
- Condition: conditions under which this statement is in effect (optional). Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": ["s3:List*", "s3:Get*"],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
The third statement only grants access when the request was authenticated with MFA. Requests signed with long-lived access keys carry no aws:MultiFactorAuthPresent key at all, so they fail this Bool condition as well; and an explicit Deny in any applicable policy always beats an Allow.
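To make the structure above concrete, here is an added example (not code from the original post) that evaluates requests against the cheat sheet's own policy the way IAM does: wildcard matching on Action and Resource, the Condition block, and the ordering explicit Deny > Allow > implicit deny. It uses only the Python standard library. The DenyS3WithoutMFA statement, the request ARNs and the request contexts are constructed for this example; the evaluator handles only a subset of condition operators and ignores NotAction, NotResource and Principal.

```python
"""Evaluate requests against the cheat sheet's policy the way IAM does (added example, stdlib only)."""
import json
import re

# The identity-based policy from the page, unchanged.
POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "FirstStatement", "Effect": "Allow", "Action": ["iam:ChangePassword"], "Resource": "*" },
  { "Sid": "SecondStatement", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" },
  { "Sid": "ThirdStatement", "Effect": "Allow", "Action": ["s3:List*", "s3:Get*"],
    "Resource": ["arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}} } ] }
""")

# Constructed for this example (not on the page): an explicit Deny for all S3 calls
# made without MFA. BoolIfExists matters here: a request signed with long-lived
# access keys has NO aws:MultiFactorAuthPresent key in its context, so a plain
# {"Bool": {"aws:MultiFactorAuthPresent": "false"}} would never match it.
DENY_S3_WITHOUT_MFA = {
    "Sid": "DenyS3WithoutMFA", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value, ignore_case):
    # IAM patterns support * (any run of characters) and ? (one character).
    # Action names match case-insensitively; resource ARNs are matched as written.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _condition_met(condition, context):
    # Subset of IAM condition operators: Bool, StringEquals, StringNotEquals and
    # their ...IfExists variants. Operators AND together; values under one key OR.
    for operator, tests in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in tests.items():
            if key not in context:
                if if_exists:
                    continue          # absent key counts as a match for IfExists
                return False          # absent key fails a plain operator
            actual = str(context[key])
            wanted = [str(v) for v in _as_list(expected)]
            if base == "Bool":
                ok = actual.lower() in [v.lower() for v in wanted]
            elif base == "StringEquals":
                ok = actual in wanted
            elif base == "StringNotEquals":
                ok = actual not in wanted
            else:
                raise NotImplementedError(f"condition operator {operator} not supported here")
            if not ok:
                return False
    return True

def _statement_matches(stmt, action, resource, context):
    # NotAction / NotResource / Principal are not handled by this simplified matcher.
    if not any(_wildcard_match(p, action, True) for p in _as_list(stmt["Action"])):
        return False
    if not any(_wildcard_match(p, resource, False) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_met(stmt.get("Condition", {}), context)

def evaluate(policy, action, resource, context=None):
    """IAM's evaluation order within one policy set: any matching Deny wins,
    otherwise any matching Allow, otherwise the request is implicitly denied."""
    context = context or {}
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, context)}
    if "Deny" in effects:
        return "explicit_deny"
    if "Allow" in effects:
        return "allow"
    return "implicit_deny"

def is_allowed(policy, action, resource, context=None):
    return evaluate(policy, action, resource, context) == "allow"

def with_statement(policy, statement):
    """Copy of policy with one more statement appended (used to add the Deny above)."""
    return {**policy, "Statement": policy["Statement"] + [statement]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::confidential-data/q1/report.csv"   # constructed object ARN
    hardened = with_statement(POLICY, DENY_S3_WITHOUT_MFA)
    for ctx in ({}, {"aws:MultiFactorAuthPresent": "false"}, {"aws:MultiFactorAuthPresent": "true"}):
        print(ctx, "GetObject ->", evaluate(POLICY, "s3:GetObject", obj, ctx),
              "| ListAllMyBuckets (with Deny) ->", evaluate(hardened, "s3:ListAllMyBuckets", "*", ctx))
```

Run as written, the script shows that s3:GetObject on the confidential bucket is implicitly denied both when the MFA key is absent (long-lived access keys) and when it is "false", and allowed only when it is "true"; with the extra Deny statement appended, s3:ListAllMyBuckets flips from allowed to explicitly denied for the two non-MFA contexts while iam:ChangePassword is unaffected.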
IAM Password Policy
- Strong passwords = higher security for your account
- In AWS, you can set up an account-wide password policy:
- Set a minimum password length
- Require specific character types:
- including uppercase letters
- lowercase letters
- numbers
- non-alphanumeric characters
- Allow all IAM users to change their own passwords
- Require users to change their password after some time (password expiration)
- Prevent password re-use.
Multi Factor Authentication - MFA
- Users who have access to your account can change configurations or delete resources in it
- You want to protect both the root account and IAM users
- MFA = something you know (your password) + something you own (a security device)
MFA device options in AWS
- Virtual MFA device (authenticator app): Google Authenticator, Authy
- Universal 2nd Factor (U2F) / FIDO security key: YubiKey by Yubico (3rd party)
- Hardware TOTP token (a physical device that displays one-time codes)
- MFA protects console sign-in; API calls made with long-lived access keys are not covered unless a policy condition on aws:MultiFactorAuthPresent requires MFA-derived temporary credentials
How can users access AWS ?
- To access AWS, you have three options:
- AWS Management Console (protected by password + MFA)
- AWS Command Line Interface (CLI): protected by access keys
- AWS Software Development Kit (SDK) - for code: protected by access keys
- Access keys are generated through the AWS Console (or via the CLI/API)
- Users manage their own access keys
- Access keys are secrets, just like a password. Don't share them, and never commit them to source control
- Access Key ID ~= username
- Secret Access Key ~= password
- Prefer temporary credentials wherever you can: an IAM role for workloads, IAM Identity Center (SSO) for people. Long-lived access keys should be the exception, and must be rotated
IAM Roles for Services
- Some AWS services need to perform actions on your behalf (an EC2 instance reading from S3, a Lambda function writing to DynamoDB)
- To do so, we assign permissions to the service with an IAM role rather than an access key
- A role has two policies: a trust policy (who may assume it, e.g. the EC2 service) and a permissions policy (what it may do); whoever assumes it receives short-lived temporary credentials
- Common roles:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation
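As an added example that is not part of the original post: the trust policy of an EC2 instance role. This is the one place in the policy structure described above where the Principal element appears; it names the EC2 service as the only principal allowed to call sts:AssumeRole on the role. The Sid is a name chosen for this illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEC2ToAssumeThisRole",
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
```

The permissions policy (what the instance may then do) is a separate document with the same structure as the policy example above, attached to the role. The role is attached to the instance through an instance profile, and the instance obtains short-lived credentials from the instance metadata service instead of storing an access key on disk.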
IAM Guidelines & Best Practices
Don't use the root account except for AWS account setup
One physical user = one IAM user (never share a user between people)
Assign users to groups and assign permissions to groups
Create a strong password policy
Use and enforce the use of Multi Factor Authentication (MFA)
Create and use roles for giving permissions to AWS services
Use access keys for programmatic access (CLI / SDK) only when temporary credentials are not an option, and rotate them
Audit the permissions and credentials of your account with the IAM Credential Report
Never share IAM users & access keys
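The credential report is the quickest way to check the guidelines above against a real account. As an added example (not from the original post), the script below parses a report in the CSV layout returned by `aws iam get-credential-report` (the real command returns it base64-encoded in the Content field) and flags console users without MFA, active access keys on the root account, keys older than 90 days and keys unused for more than 45 days. The report rows, the account ID and the 90/45-day thresholds are constructed for this example; the fixed "today" keeps the result reproducible.

```python
"""Audit an IAM credential report for the weaknesses the guidelines above call out (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample (not a real account) in the column layout of the IAM credential report.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-10T09:00:00+00:00,not_supported,2024-03-28T11:02:13+00:00,not_supported,not_supported,false,true,2022-01-10T09:05:00+00:00,2024-03-01T07:40:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-05-02T14:20:00+00:00,true,2024-03-30T16:45:10+00:00,2024-02-15T10:00:00+00:00,2024-05-15T10:00:00+00:00,true,true,2024-02-15T10:05:00+00:00,2024-03-31T08:12:44+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-01-20T08:00:00+00:00,true,2024-03-29T09:30:00+00:00,2023-01-20T08:00:00+00:00,2023-04-20T08:00:00+00:00,false,true,2023-01-20T08:10:00+00:00,N/A,N/A,N/A,true,2023-06-01T12:00:00+00:00,2023-09-14T13:00:00+00:00,us-west-2,lambda,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-08-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-03-20T00:00:00+00:00,2024-03-31T23:55:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)   # fixed "today" so the findings are reproducible
MAX_KEY_AGE = timedelta(days=90)                   # rotation threshold chosen for this example
UNUSED_KEY_AGE = timedelta(days=45)                # "dormant key" threshold chosen for this example

def _ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_report(csv_text, now=NOW):
    """Return a list of (user, finding) tuples for every guideline violation in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root user always has a console password, but the report says "not_supported".
        console_login = is_root or row["password_enabled"] == "true"
        if console_login and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has an active access key {n}"))
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > UNUSED_KEY_AGE:
                findings.append((user, f"access key {n} unused for more than {UNUSED_KEY_AGE.days} days"))
    return findings

def findings_by_user(csv_text, now=NOW):
    """Group findings per user so a clean user simply does not appear."""
    grouped = {}
    for user, finding in audit_report(csv_text, now):
        grouped.setdefault(user, []).append(finding)
    return grouped

if __name__ == "__main__":
    for user, items in findings_by_user(SAMPLE_REPORT).items():
        print(user)
        for item in items:
            print("  -", item)
```

On the sample, alice (MFA on, key rotated six weeks ago and used yesterday) and ci-deploy (no console password, fresh key in use) come back clean; the root user is flagged for missing MFA and for carrying an old access key, and bob for missing MFA plus two stale keys, one of which has never been used.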
IAM Summary
Users: mapped to a physical user, has a password for AWS Console
Groups: contains users only
Policies: JSON documents that define permissions for users, groups or roles
Roles: grant permissions to EC2 instances and other AWS services without access keys
Security: MFA + Password Policy
Access Keys: access AWS using the CLI or SDK
Audit: IAM Credential Reports & IAM Access Advisor
Original Link: https://dev.to/tanmaygi/aws-identity-and-access-management-practical-guide-cheat-sheet-3528