[AWS DVA] 1. AWS IAM
AWS/DVA | 2024. 1. 6. 13:35
AWS Identity & Access Management (AWS IAM)
1. IAM (Identity and Access Management)
- Service that allows you to manage access to AWS services and resources securely.
- Enables you to control who (authentication) can access what (authorization) within the AWS environment.
2. Users & Groups
1) Root
- Account created by default; shouldn't be used or shared
2) Users
- Represent individuals or applications interacting with AWS services
- Have unique security credentials to access AWS resources
3) Groups
- Users can be organized into groups
- Simplify permission management by assigning policies to groups rather than individual users.
3. Policies
- JSON documents that define permissions
- Specify what actions are allowed or denied on which AWS resources for which users, groups, or roles.
- Apply the least privilege principle
[IAM Policies Structure]
1) Version : Mandatory element indicating the policy language version. Currently AWS uses version "2012-10-17"
2) ID(optional) : An identifier for the policy
3) Statement : An array containing one or more individual statements
- Sid(optional) : An identifier for the statement
- Effect : Determines whether the statement allows or denies access (Allow, Deny)
- Principal(optional) : Account/User/Role to which this policy applies
- Action : Specifies the permitted or denied actions
- Resource : Identifies the AWS resources to which the actions apply
- Condition(optional) : Defines additional contextual constraints

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
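To make the structure above concrete, here is an added example (not from the original notes or from AWS) of a minimal policy evaluator in Python that applies the rules the notes describe: a statement applies only when its Action, Resource and Condition all match, an explicit Deny overrides any Allow, and with no matching Allow the result is an implicit deny. It evaluates the sample policy above, supports only the Bool condition operator, and the ARNs and MFA context values used in calls are constructed.

```python
import fnmatch
import json
# The sample policy from the notes, embedded here as a constructed string.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}"""

def load_policy():
    return json.loads(POLICY_JSON)

def _as_list(value):
    # Action and Resource may be a single string or a list in IAM JSON.
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, value):
    # IAM wildcards: "*" = any run of characters, "?" = one character.
    # fnmatch also treats "[...]" as a class, which IAM does not, so escape it.
    return any(fnmatch.fnmatchcase(value, p.replace("[", "[[]")) for p in patterns)

def _condition_holds(condition, context):
    # Simplified: only the "Bool" operator used in the sample policy is supported.
    # A missing context key makes the condition false, as in IAM (without IfExists).
    for operator, pairs in condition.items():
        if operator != "Bool":
            return False
        for key, expected in pairs.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' (nothing allowed it)."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # an explicit Deny always wins
        decision = "Allow"     # keep scanning: a later Deny may still override
    return decision
```

Note that terminating an instance is an implicit deny even with MFA present: the conditional Deny is skipped, but no statement ever allows ec2:TerminateInstances.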
4. MFA (Multi Factor Authentication)
- A security feature that adds an extra layer of protection to user sign-ins and account access
(MFA = password you know + security device you own)
- Requires users to present two or more forms of verification before granting access to AWS resources
- Additional step that enhances security by making it harder for unauthorized users to gain access
5. Access AWS
1) AWS Management Console : protected by password + MFA
2) AWS Command Line Interface (CLI) : protected by access keys
- Users manage their own access keys
- The CLI is a tool that enables users to interact with AWS services using commands in a command-line shell
3) AWS Software Developer Kit (SDK) : protected by access keys
- The SDK enables users to access and manage AWS services programmatically and can be embedded within applications
6. IAM Security Tools (Audit)
1) IAM Credentials Report (account-level)
- A report that lists all of the account's users and the status of their various credentials
2) IAM Access Advisor (user-level)
- Shows the service permissions granted to a user and when those services were last accessed