Companies around the world are opting for cloud services. According to a survey by Gartner, the market for cloud computing will go up to US$397 billion in 2022 compared to US$270 billion in 2020. Cloud computing has been one of the biggest trends in the IT industry in the last few years. The benefits that come along with cloud computing vastly overshadow the trend of companies building their own data centers. Now that there is so much data on the cloud, including company resources and sensitive information, it should come as no surprise that companies are putting cloud service providers under scrutiny. Due to this reason, AWS IAM has been gaining a lot of traction. Let us talk about this in detail.
Here is a list of topics that are going to be covered in this blog:
Check out our AWS Tutorial and start learning!
What is AWS IAM?
AWS Cloud is known to provide a safe virtual environment to its users. AWS Cloud’s services are rendered at minimal prices. IAM is one of the most popular security services provided by AWS. AWS IAM lets users securely access AWS and at the same time, lets them create users and groups to control who accesses their resources.
IAM allows users to authenticate users or grant them access permissions. Users can also limit or withdraw access from users or groups.
Why AWS IAM?
In usual corporate scenarios, granting access and taking permissions is a long process. It is usually the IT admins who have all the passwords and in order to make any changes, you have to ask them. In most cases, all the passwords are also the same. IAM changes this and adds layers of security. It also provides a secure platform to share resources. Users are authenticated and granted permissions as and when required, and you can control who has access to your resources and to what extent.
Join our free AWS Course and learn more about AWS SQS!
How Does AWS IAM Work?
The IAM workflow contains the following elements:
- Principal: Something that performs actions on an AWS resource is called principal. This could be a user, an application, or a role.
- Authentication: Every principal that is trying to get access, needs to be authenticated. A principal has to provide credentials or keys to confirm their identity.
- Request: A principal is required to send AWS a request, providing details of the resource they plan to use and the action that has to be performed.
- Authorization: IAM only allows a request if it is allowed by a policy. After the request has gone through the process of authentication and authorization, it is approved.
- Action: An action determines if a resource has to be viewed, edited, created, or deleted.
- Resources: Actions are performed on the resources stored in your AWS account.
Learn all about AWS IAM with our AWS IAM Tutorial for Beginners!
Components of AWS IAM
The following are some basic components of IAM:
Let us discuss them in detail.
IAM users are identified with credentials and permissions that are attached to them. A person or an application can be a user. You can create an IAM user name for each employee in your company. You can grant them access and permissions accordingly. Each user can access only one account. All new users have no authorization to do any action in AWS, by default. You can assign permissions to each of the users individually according to the requirements.
IAM groups consist of a bunch of IAM users. You can use IAM groups to put users, who require similar permissions, under the same group. This way you can grant permission to one group and it will automatically apply to each user within that group. If you add another user to the group, the same permissions and policies will apply to that user as well. This lessens the workload on administrators.
IAM policies provide permissions and manage access to all AWS resources. IAM policies are stored as JSON documents in AWS. This document contains information on who can access the resource, what actions they can perform, which AWS resources can be accessed by the user, and when they can be accessed. There are two types of policies:
- Managed Policy: A managed policy is the default policy in AWS. You can attach this policy to various entities in your AWS account. These can be managed by AWS or the customers.
- Inline Policy: An inline policy is created by the customer(s) and embedded into one single entity.
IAM roles define which actions can be denied or allowed by any entity in AWS. This is done as a set of permissions. It can be accessed by any entity in AWS. Temporary credentials are given out as role permissions.
Crack any interview by learning from our blog on AWS Interview questions and answers.
Features of AWS IAM
Let us now go through the following list of the main features of IAM:
- Granular Permissions: There are restrictions that can be applied to requests using policies. For example, you can allow a user to view a piece of information but withhold edit access.
- Shared Access: You can create different user names and passwords for different users. This helps you delegate access to resources.
- Identity Federation: Users can be authenticated by using other accounts such as Facebook or Google. IAM can trust that authentication and allows access to users based on those accounts. Users can also use this to maintain the same password on site and on cloud.
- Multifactor authentication (MFA): MFA is allowed on IAM. Users can provide their credentials and a one-time password from their phones for authentication.
- Free Security: IAM security is completely free to use. Users do not get charged for adding any users, groups, or policies.
- PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) sets a standard for security for credit card handling organizations. IAM also complies with it.
- Password Policy: IAM has a password policy that lets you reset or rotate a password. You can make rules on how a user should pick their password or how many tries they get to enter a correct password.
How to Create an IAM User on AWS?
You can create an IAM user in the AWS Management Console by using the following steps:
- You can sign in to the AWS Management Console and then open the IAM console. .
- Click on Users in the navigation pane, and then click on Add Users.
- Type in the chosen username for the new user.
- If you want to add more users, you can click on Add another user for each user you want to add. AWS lets you create 10 users at a time.
- Now you have to select the type of access these users will have. You have three options, programmatic access, AWS Management Console Access, or both.
- You can select Programmatic access if the user needs access to API, CLI, or PowerShell. Each new user will get an access key. These can be viewed on the last page.
- You can select AWS Management Console Access if the user needs access to the AWS Management Console. Each new user will have a new password.
- After you are done selecting access, click on Next: Permissions.
- The Set permissions page will open. Here, you can select how you want to grant permission to the user(s).
- Select Add user to the group if you want to assign the same set of permissions to the user(s) as an existing group. You can also create a new group for the user(s) by clicking on Create group.
- Select Copy permissions from the existing user if you want to copy all permissions from an existing user to the new user(s).
- Select Attach existing policies directly if you want to choose from an already set list of policies in your account. You can also select Create policy to create a new policy to go with the user.
- Click on Next: Tags.
- You can attach tags to the user(s) if you want.
- Click on Next: Review. If you are fine with all the information that you have entered, select Create user.
- Here, you can click Show next to each password and access key to view the access keys assigned to each user. You can also click Download .csv to download the access keys.
- You can also send emails to all the new users with their credentials.
The IAM user account is ready to use
AWS IAM Best Practices
The following are some of the best practices:
- You should never share your credentials with anyone. Whoever needs access, should have an individual user account. It is highly advisable to use temporary credentials that expire after some time.
- You should not use the root account for daily activities. The root user has access to all AWS resources. IAM users should be created with the least permissions and access. Do not create access keys for the account unless it is absolutely necessary.
- Always make sure that an IAM user only has access to the resources they need. As soon as their requirement is over, the access should be withdrawn.
- Use MFA to provide an extra blanket of security.
- Use IAM Access Analyzer and AWS CloudTrail to monitor the account activity. You can keep a check on any suspicious activity and take appropriate actions.
AWS has provided various measures to keep data safe on the cloud. IAM has proven to be the best among these due to all the reasons we have already discussed in the blog. As the acceptance for AWS Cloud is growing steadily around the world, there is going to be a need for people who possess in-depth knowledge about AWS services. IAM will be a major contender because of the imperative need for online security.
Got more questions and doubts? Post them on our AWS IAM Community Page!