Master AWS IAM to ensure your cloud remains secure and accessible only to those who need it.
AWS Identity and Access Management (IAM) lets you manage identities and their access to AWS services and resources securely. Instead of maintaining dozens of credentials, you'll work with roles and policies that grant fine-grained permissions, which can be assigned not only to users but also to resources.
AWS IAM is a fundamental part of AWS security, as it ensures that only authorized users have access to your resources. Gaining deep knowledge at the beginning ensures that you don't create environments with crucial security flaws that are hard to revise later.
IAM is one of those services that is straightforward to get started with but hard to master, as its power lies in its wide range of features.
First things first: to work with AWS IAM, you need to understand how resources are uniquely identified. This is done via Amazon Resource Names, or ARNs for short. Each ARN string consists of several parts, including the resource type, the AWS region, and the account ID that owns the resource.

ARNs are used not only in IAM but also in many other contexts, including AWS CloudFormation templates and the AWS service APIs. They let you specify and authorize access to resources in a secure and standardized manner.
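The ARN structure described above, as an added example that is not part of the original article: a small parser that splits an ARN into its documented fields (arn:partition:service:region:account-id:resource), keeps the resource segment intact even when it contains further ":" or "/" separators, and rejects malformed account IDs. All sample ARNs in it are constructed.

```python
"""Parse Amazon Resource Names (ARNs) into their components.

Added example, not code from the original article or from AWS. It follows the
documented layout  arn:partition:service:region:account-id:resource ; every
sample ARN below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Arn:
    partition: str                # "aws", "aws-cn", "aws-us-gov"
    service: str                  # "iam", "s3", "ec2", "lambda", ...
    region: str                   # empty for global services such as IAM and S3
    account_id: str               # empty for S3, whose bucket names are globally unique
    resource: str                 # everything after the fifth colon, untouched
    resource_type: Optional[str]  # "role", "user", "instance", ...; None if absent
    resource_id: str              # "Admin", "i-0abc...", "my-bucket/key", ...


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields, validating the fixed-position parts.

    The resource segment may itself contain ":" or "/" (e.g. "role/Admin",
    "function:my-func"), so the string is split at most five times and the
    remainder is kept whole.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if not (partition and service and resource):
        raise ValueError(f"partition, service and resource are mandatory: {arn!r}")
    if account_id and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")

    # The resource type, when present, ends at the first "/" or ":".
    # S3 has no type prefix: its first segment is the bucket name itself.
    separators = [i for i in (resource.find("/"), resource.find(":")) if i >= 0]
    if separators and service != "s3":
        cut = min(separators)
        resource_type, resource_id = resource[:cut], resource[cut + 1:]
    else:
        resource_type, resource_id = None, resource
    return Arn(partition, service, region, account_id, resource, resource_type, resource_id)


def is_valid_arn(candidate: str) -> bool:
    """Convenience wrapper for policy linting: True if parse_arn accepts it."""
    try:
        parse_arn(candidate)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in (
        "arn:aws:iam::123456789012:role/Admin",
        "arn:aws:s3:::example-bucket/logs/2024.txt",
        "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcdef1234567890",
        "arn:aws:lambda:eu-west-1:123456789012:function:my-func",
    ):
        print(parse_arn(sample))
```

Note how the IAM and S3 samples carry an empty region (global services) and S3 also an empty account ID; a policy linter built on this parser should treat those empty fields as expected rather than as errors.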
IAM introduces the concept of identities. An identity represents a user and provides access to resources within your AWS account. Identities can also be assigned to groups to manage user rights more easily. Each identity can be associated with one or more policies that specify the permissions on resources granted to that identity. Policies can also be attached to roles, which don't represent users or identities themselves but can be assumed by them.
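To make the "policies specify permissions" sentence concrete, here is an added example (not code from the article or from AWS) that simulates how identity-based policy statements are evaluated for one request: implicit deny by default, an explicit Deny always wins, and an Allow grants access otherwise. It models only Effect/Action/Resource statements with the "*" and "?" wildcards; NotAction, NotResource, Condition blocks, resource-based policies, permissions boundaries and SCPs are deliberately out of scope. All policies and ARNs are constructed.

```python
"""Simulate IAM identity-based policy evaluation for a single request.

Added example, not code from the article or from AWS. It models the core
decision rules only: every request starts as an implicit deny, a matching
explicit Deny statement always wins, and a matching Allow grants access
otherwise. Only Effect, Action and Resource (with "*" and "?" wildcards) are
evaluated; Condition, NotAction/NotResource, resource policies, boundaries and
SCPs are not modelled. All policies and ARNs below are constructed.
"""
import re
from typing import Any, Dict, Iterable, List


def _as_list(value: Any) -> List[Any]:
    # Statement, Action and Resource may each be a single value or a list.
    return value if isinstance(value, list) else [value]


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # "*" matches any run of characters (including ":" and "/"), "?" exactly one.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def action_matches(pattern: str, action: str) -> bool:
    # Action names such as "s3:GetObject" are compared case-insensitively.
    return _wildcard_to_regex(pattern.lower()).match(action.lower()) is not None


def resource_matches(pattern: str, resource_arn: str) -> bool:
    # Resource ARNs are compared case-sensitively.
    return _wildcard_to_regex(pattern).match(resource_arn) is not None


def evaluate(policies: Iterable[Dict[str, Any]], action: str, resource_arn: str) -> str:
    """Return "Allow" or "Deny" for one (action, resource) pair."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(resource_matches(p, resource_arn) for p in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides every Allow
            decision = "Allow"
    return decision


# Constructed sample policies: read-only access to one bucket, a guard rail
# that denies everything under its secrets/ prefix, and read-only IAM access.
READ_LOGS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
        }
    ],
}
DENY_SECRETS = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-logs/secrets/*",
    },
}
IAM_READ = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
}

if __name__ == "__main__":
    attached = [READ_LOGS, DENY_SECRETS, IAM_READ]
    for act, res in (
        ("s3:GetObject", "arn:aws:s3:::example-logs/app/2024.log"),
        ("s3:GetObject", "arn:aws:s3:::example-logs/secrets/db.json"),
        ("s3:PutObject", "arn:aws:s3:::example-logs/app/2024.log"),
        ("iam:GetUser", "arn:aws:iam::123456789012:user/alice"),
        ("iam:CreateUser", "arn:aws:iam::123456789012:user/bob"),
    ):
        print(f"{evaluate(attached, act, res):5} {act} on {res}")
```

The two S3 policies together show why "Deny" statements make good guard rails: the Allow on `example-logs/*` is broad, but the Deny on the `secrets/` prefix wins regardless of the order in which the policies are attached.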
Users are identities that can interact with AWS and its APIs. They consist of a name and credentials, as well as their AWS access type(s). It is recommended to use friendly, descriptive names for your users.
You can interact with AWS in two ways:
- programmatically by using access keys to make calls to the AWS API
- via the Management Console by using a password

Each AWS account comes with a single pre-defined identity that has complete access to all resources and services. It's called the root user, and you sign in with the email address you used for registration. This root user is not the same as an IAM user with administrator permissions, as some actions are only possible with the root user, including managing payment methods, granting permissions to access billing and cost management, or completely closing your account, which deletes all of its resources. AWS strongly recommends not using this user for any daily tasks because of its critical permissions.
Therefore your first task should be creating a dedicated IAM user and securing your root user's credentials.
This means:
- enabling multi-factor authentication.
- storing your credentials in a secure place.
- deleting any root access keys, which could otherwise be used to access the AWS API.
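Two of the three points above (root MFA, root access keys) and the "dedicated IAM user" task can be verified from the account summary that the real IAM GetAccountSummary API (`aws iam get-account-summary`) returns; secure credential storage cannot be checked via the API. The following is an added example, not code from the article: it evaluates the documented SummaryMap keys AccountMFAEnabled, AccountAccessKeysPresent and Users. The two summary maps in it are constructed samples, and the boto3 call only runs when the file is executed directly with credentials that hold iam:GetAccountSummary.

```python
"""Check root-user hygiene against the checklist above.

Added example, not code from the article. The numbers come from the IAM
GetAccountSummary API (aws iam get-account-summary), whose SummaryMap contains
the documented keys AccountMFAEnabled, AccountAccessKeysPresent and Users.
The two summary maps below are constructed samples; the boto3 call at the end
only runs when the file is executed directly with AWS credentials available.
"""
from typing import Dict, List


def root_findings(summary_map: Dict[str, int]) -> List[str]:
    """Return a list of problems; an empty list means every check passes."""
    findings = []
    # AccountMFAEnabled is 1 when the root user has an MFA device, else 0.
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("enable MFA on the root user")
    # AccountAccessKeysPresent is 1 while the root user still owns an access key.
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("delete the root user's access keys")
    # With no IAM users at all, daily work is very likely being done as root
    # (unless access is federated, which this summary alone cannot tell apart).
    if summary_map.get("Users", 0) == 0:
        findings.append("create a dedicated IAM user for daily work")
    return findings


def report(summary_map: Dict[str, int]) -> str:
    """One-line summary suitable for a cron job or CI check."""
    findings = root_findings(summary_map)
    if not findings:
        return "root user hygiene: OK"
    return "root user hygiene: " + "; ".join(findings)


# Constructed samples, not output from any real account.
FRESH_ACCOUNT = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1, "Users": 0}
HARDENED_ACCOUNT = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0, "Users": 3}


if __name__ == "__main__":
    import boto3  # real API call; needs credentials with iam:GetAccountSummary

    live = boto3.client("iam").get_account_summary()["SummaryMap"]
    print(report(live))
```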
AWS can be used in different ways, depending on the user's credentials: interactively via the AWS Management Console in your browser, or programmatically via the AWS API. The most prominent credential types are console passwords and access keys.
- Console passwords – they allow the user to sign in to an interactive session in the AWS Management Console. Users are prompted for the unique 12-digit account identifier, their IAM user name, and their password. The account ID is required because IAM user names only have to be unique within an account, not across all AWS accounts the way S3 bucket names are.
- Access keys – they are for programmatic access to AWS via its API. Generally speaking, it's good to remember that everything in AWS is an API. If you're using the AWS Management Console, the API calls are abstracted behind a clickable user interface, and the scripts loaded in your browser translate your actions into calls to the AWS API. With access keys, you can directly submit calls to the AWS API to create, update, delete, or list resources. There are multiple tools that make using the AWS API easier: PowerShell for Windows or aws-shell for Linux or macOS.
With MFA enabled for your user, API access via the Access Key ID and Secret Access Key changes as well: you now need to request temporary credentials using your keys together with the one-time code generated by your MFA application.
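The temporary-credential exchange just described, as an added example that is not code from the article: the real STS GetSessionToken call (`aws sts get-session-token`) takes the IAM user's long-term key plus the current MFA code and returns short-lived credentials. The response shape (Credentials with AccessKeyId, SecretAccessKey, SessionToken and Expiration) and the AKIA/ASIA access-key prefixes follow the AWS documentation; SAMPLE_RESPONSE and SAMPLE_NOW are constructed and contain no real credential, and the boto3 call only runs when the file is executed directly.

```python
"""Turn an STS GetSessionToken response into credentials for API use.

Added example, not code from the article. GetSessionToken (aws sts
get-session-token) is the real STS call that exchanges an IAM user's
long-term access key plus the current MFA code for temporary credentials;
the response shape and the AKIA/ASIA key prefixes follow the AWS
documentation. SAMPLE_RESPONSE and SAMPLE_NOW are constructed; nothing here
is a real credential.
"""
from datetime import datetime, timezone
from typing import Any, Dict


def classify_access_key(access_key_id: str) -> str:
    # AKIA... is a long-term IAM access key; ASIA... is a temporary key that
    # is only valid together with its session token.
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def _expiration(creds: Dict[str, Any]) -> datetime:
    # boto3 returns a tz-aware datetime; the CLI's JSON output is an ISO string.
    exp = creds["Expiration"]
    if isinstance(exp, str):
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    return exp


def seconds_remaining(response: Dict[str, Any], now: datetime) -> int:
    """Seconds until the temporary credentials expire (negative if already past)."""
    return int((_expiration(response["Credentials"]) - now).total_seconds())


def session_env(response: Dict[str, Any], now: datetime) -> Dict[str, str]:
    """Map the temporary credentials onto the environment variables the AWS
    SDKs and CLI read, refusing keys that are expired or not temporary."""
    creds = response["Credentials"]
    if classify_access_key(creds["AccessKeyId"]) != "temporary":
        raise ValueError("GetSessionToken must return an ASIA... access key")
    if seconds_remaining(response, now) <= 0:
        raise ValueError("temporary credentials have already expired")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],  # mandatory with ASIA keys
    }


# Constructed sample in the shape of a GetSessionToken response.
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
        "SecretAccessKey": "EXAMPLEsecretKeyNotReal000000000000000000",
        "SessionToken": "EXAMPLE-session-token-not-real",
        "Expiration": "2024-01-01T13:00:00Z",
    }
}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    import sys
    import boto3

    # usage: python mfa_session.py arn:aws:iam::<account-id>:mfa/<user> <6-digit code>
    serial_number, token_code = sys.argv[1], sys.argv[2]
    response = boto3.client("sts").get_session_token(
        SerialNumber=serial_number, TokenCode=token_code, DurationSeconds=3600
    )
    for name, value in session_env(response, datetime.now(timezone.utc)).items():
        print(f"export {name}={value}")
```

The key point is the third variable: an ASIA access key is useless without its AWS_SESSION_TOKEN, and all three stop working at the Expiration timestamp, which is what makes MFA-backed API access safer than a bare long-term AKIA key.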
