IAM — AWS Solution Architect Associate Series — Part 5

AWS Identity and Access Management (IAM)

Ata Erdemir
6 min read, Feb 7, 2024

This section covers identity and access management. Two fundamental questions underlie it: one belongs to authentication (verifying that an identity is genuine), the other to authorization (deciding what a verified identity may do).

  • Are you really who you say you are? This is the question authentication, also called identity verification, answers.
  • What actions can you perform? Once your identity is verified, what you may do depends on the permissions you have been granted. This is authorization.

Identity and Access Management, abbreviated as IAM, lets the account's root user create other users and grant each of them only the permissions their work requires, so the root credentials themselves are not handed out.

Creating a User with AWS IAM

Groups, users, and roles can be defined for your AWS environment through IAM. In the example scenario, an admin user will be created. IAM is not always shown on the AWS Management Console toolbar, so you can look it up in the console's search bar, as in the image below.

Afterward, you will land on the IAM dashboard, which summarises the groups, users, and other identities you manage.

On the left side of the panel is a collapsible menu with the relevant actions.

As the menu shows, everything related to creating, modifying, and deleting access sits under “Access management.” Since our topic is user creation, a “test-admin” user will be created. First, an admin group must be created, so that permissions are attached to the group and inherited by its members rather than attached to each user separately.

As seen in the top right corner, click “Create group.” Give the group a name and, if you already have users, you can add them to the new group at the same time.

Then comes the critical step: attaching permissions to the group. Depending on the group's purpose, you can write a custom policy or attach one of the pre-defined permission sets (AWS managed policies).

After making your choices in the section above, press the “Create group” button as shown below.

Once the group has been created, the user itself must be created. To do so, go to the “Users” tab under “Access management” on the left side of the screen.

As seen in the top right corner of the image, click “Create user,” and a page for configuring the user appears. At this stage you are prompted for a username.

Below it, a small checkbox controls whether the user gets access to the AWS Management Console. When the box is checked, two options appear.

The first option recommends IAM Identity Center for giving a person console access. Identity Center centrally manages user access to AWS accounts and cloud applications.

The second option, creating an IAM user, is the more hands-on route: you set the user's password and can adjust the password settings, such as requiring a new password at first sign-in.

The choice is up to whoever creates the user. Once the user exists, it signs in by selecting “IAM user” on the same sign-in page the root user uses and supplying the account and user details.

When the “IAM user” option is selected, you are first asked for the Account ID (or account alias), and then for the username and password.

To find the Account ID, click the account name in the top right of the console while signed in as the root user; the 12-digit Account ID is displayed there. Enter this value in the corresponding field.

The same number is the DIGITS part of the user's ARN, “arn:aws:iam::DIGITS:user/test-admin”, shown in the “ARN” section of the user's summary page. Afterward, enter your username and password to reach the management console.

IAM provides several key features:

  • Global (IAM is not tied to any specific region.)
  • Integrated with AWS services (It integrates with the services AWS provides.)
  • Shared access (You can grant other identities permission to manage and use resources in your AWS account without sharing your password or keys.)
  • MFA (Supports multi-factor authentication.)
  • Identity federation (Users whose passwords are stored elsewhere, such as your corporate network or an internet identity provider, can be given temporary access to your AWS account.)
  • Free to use (IAM itself does not incur any fees.)

IAM Policies

IAM policies on AWS are JSON documents. An example is shown below.

The JSON document contains the following elements:

- Version: The policy language version (“2012-10-17” is the current one).
- Statement: One or more statements, each with the elements below.
- Effect: Whether the statement allows or denies the specified permissions.
- Action: The API actions that are allowed or denied. In the example policy the action is “*”, the wildcard character, which stands for every action in your AWS account.
- Resource: The object or objects the statement applies to.

*NOTE: The “*” wildcard can be used to allow or deny access to all API calls. An Allow statement that pairs a wildcard Action with a wildcard Resource grants full access to the account, so it should be reserved for the admin group.*
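As an added example (not part of the original article), the following Python checks policy documents for exactly the combination the note warns about: an Allow statement whose Action is a wildcard and whose Resource is “*”. The two policies it runs on are constructed for this illustration; the first is equivalent in effect to the full-access permission set an admin group receives, the second is a least-privilege alternative scoped to a hypothetical bucket named example-reports.

```python
"""Lint IAM policy documents for over-broad Allow statements.

Added example; the policies below are constructed for illustration.
"""
import json
from typing import Any

# Constructed: full-access policy of the kind attached to an admin group.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: least-privilege alternative for a hypothetical reports bucket.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports",
                "arn:aws:s3:::example-reports/*",
            ],
        },
        {
            # A Deny never widens access, so the linter ignores it even with wildcards.
            "Sid": "DenyOutsideEU",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}},
        },
    ],
})


def _as_list(value: Any) -> list[str]:
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_wildcard_action(action: str) -> bool:
    """'*' covers every API call; 'service:*' covers every call of one service."""
    return action == "*" or action.endswith(":*")


def find_overbroad_statements(policy_json: str) -> list[str]:
    """Return one finding per Allow statement pairing a wildcard Action with Resource '*'."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]

    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        sid = stmt.get("Sid", "no Sid")
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt and "*" in resources:
            # Allow + NotAction grants every action except the ones listed.
            findings.append(f"statement {index} ({sid}): allows everything except NotAction on resource *")
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action")) if is_wildcard_action(a)]
        if wild_actions and "*" in resources:
            findings.append(f"statement {index} ({sid}): allows {', '.join(wild_actions)} on resource *")
    return findings


if __name__ == "__main__":
    for name, doc in (("ADMIN_POLICY", ADMIN_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, find_overbroad_statements(doc) or ["no over-broad statements"])
```

Run against a policy exported from the console (or the JSON tab of the policy editor), the checker flags the admin policy and passes the scoped one. A service wildcard such as “s3:*” on a specific bucket ARN is not reported, because the resource already bounds it; whether that is acceptable is a judgement for the group's purpose.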

In addition, a best practice: instead of creating a user for each employee and then assigning permissions one by one, categorise the tasks employees perform and create groups (for people) or roles (for services and federated access) for those categories, attaching the permissions there.

IAM Best Practices

Firstly, handle the root user with great care: guard its credentials, never share them, delete any access keys associated with the root user that you are not using, and enable MFA on it as an additional layer of protection.

“Least privilege,” a term heard often in cybersecurity, applies here as well: grant each user or group only the permissions and access they actually need to do their work.

IAM should not be used for purposes outside its intended scope. Using IAM users for website or application authentication, for example, poses risks; that is what Amazon Cognito is for.

Lastly, review IAM users and roles regularly, and delete the ones that are no longer in use.
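As an added example (not from the original article) that ties together the root-user, MFA, and unused-identity practices above: IAM can produce a credential report, a CSV with one row per user plus a `<root_account>` row, and the Python below audits such a report for all three. The report text is constructed for this illustration and reduced to the columns the checks read; the column names and the `N/A` / `no_information` / `not_supported` placeholders follow the report's layout, the 90-day idle threshold is an assumption, and the clock is fixed so the result is reproducible.

```python
"""Audit an IAM credential report against the best practices above.

Added example; the report text is constructed and reduced to the columns used.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `aws iam get-credential-report` (decoded CSV).
# Real reports carry more columns (key rotation dates, certificates); only these are read.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T09:00:00+00:00,not_supported,2024-02-01T08:00:00+00:00,false,true,N/A,false,N/A
test-admin,arn:aws:iam::123456789012:user/test-admin,2024-02-07T10:00:00+00:00,true,2024-02-07T10:30:00+00:00,true,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-03-01T00:00:00+00:00,false,no_information,false,true,2023-06-15T12:00:00+00:00,false,N/A
"""

NOW = datetime(2024, 2, 7, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
UNUSED_AFTER = timedelta(days=90)                        # assumed threshold for "unused"
PLACEHOLDERS = {"N/A", "no_information", "not_supported", ""}


def _parse_time(value: str):
    """Timestamps are ISO 8601; the report uses placeholders where none exists."""
    return None if value in PLACEHOLDERS else datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime = NOW,
                            unused_after: timedelta = UNUSED_AFTER) -> list[str]:
    """Findings for root access keys, missing MFA, and identities idle past the threshold."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_active_key = "true" in (row["access_key_1_active"], row["access_key_2_active"])

        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            if has_active_key:
                findings.append("root: active access key present (delete it if unused)")
            continue  # the root user is never an "unused identity" to delete

        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")

        # Most recent sign of life: console login or either access key. A user with no
        # recorded activity at all is measured from its creation time.
        activity = [t for t in (_parse_time(row["password_last_used"]),
                                _parse_time(row["access_key_1_last_used_date"]),
                                _parse_time(row["access_key_2_last_used_date"])) if t]
        last_seen = max(activity) if activity else _parse_time(row["user_creation_time"])
        if now - last_seen > unused_after:
            findings.append(f"{user}: no activity for {(now - last_seen).days} days, review for deletion")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

On the sample, the root row yields two findings (no MFA, an active access key), test-admin is clean (password with MFA, used today), and ci-deploy is reported as idle: its only credential is an access key last used months ago. Running the same function over a real report is a quick way to turn the four practices above into a recurring check rather than a one-time reminder.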

In the next topic, we will deploy an EC2 instance…
