The Amazon Web Services (AWS) Cloud provides a secure virtual platform on which users can deploy applications. Compared to on-premises environments, AWS security provides users with a higher level of data protection at a lower cost. There are many types of security services, but Identity and Access Management (IAM) is one of the most widely used. AWS IAM allows you to securely control users' access to their AWS services and resources. IAM allows you to create and manage AWS users and groups, and use permissions to grant or deny their access to AWS resources.
This AWS IAM tutorial begins by understanding AWS security.
What is AWS security?
Cloud security is a top priority at AWS. Hosting your environment in the cloud ensures that it is hosted in a data center or network architecture built to meet the requirements of the most security-sensitive organizations. Additionally, this high level of security is available on a pay-as-you-go basis, meaning there are virtually no upfront costs and the cost of using the service is much lower than in an on-premises environment.
There are many different types of security services available, some of which are widely used on AWS.
- Identity and Access Management (IAM)
- Key Management Service (KMS)
- Cognito
- Web Application Firewall (WAF)
This tutorial deals with IAM.
IAM allows you to manage access to AWS services and resources in a highly secure manner. With IAM you can create users and groups and grant those users or groups access to certain services, or deny them access to others.
Why IAM?
Before the advent of AWS and IAM, passwords were often shared in highly insecure ways in corporate environments, such as by phone or email. Often there was only one admin password, stored in some agreed location, or only one person who could reset it, so you had to call that person and ask for the admin password. This was not safe at all: anyone could walk by, eavesdrop, and walk away with a password that gave access to your systems and information.
More secure communication tools are now available, such as Slack, a third-party application hosted on AWS. Letting people share documents through the application instead of reading passwords aloud eliminates the eavesdropping problem.
In the next section of the AWS IAM tutorial, let's understand what IAM is.
What is IAM?
AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS resources. It lets you manage how users are authenticated and restrict which people and applications can use which AWS resources.
How does IAM work?
An IAM workflow includes six elements:
- Principal: an entity that can perform actions on AWS resources. Principals can be users, roles, or applications.
- Authentication: the process of verifying the identity of a principal trying to access an AWS service. The principal must present credentials (a password or access keys) to be authenticated.
- Request: a principal sends a request to AWS that specifies an action and the resource to perform it on.
- Authorization: by default, every request is denied. IAM allows the request only if every part of it is permitted by a matching policy, and an explicit deny in any policy overrides any allow. Once the request is authenticated and authorized, AWS carries out the action.
- Actions: operations used to view, create, edit, or delete resources.
- Resources: the objects in your AWS account on which actions can be performed.
Let's take a look at the components of IAM in the next section of the AWS IAM tutorial.
IAM components
IAM has four basic components. First, there are users. Users can be collected into groups. Policies are the documents that the IAM policy engine evaluates to allow or deny each request. Roles provide temporary credentials that are assumed by users, services, or instances as needed.
An IAM user is an identity that has associated credentials and permissions. This could be an actual person or an application acting as a user. IAM allows you to securely manage access to AWS services by creating an IAM user for each employee in your organization. Each IAM user belongs to exactly one AWS account. By default, a newly created user has no permission to perform any action in AWS. The advantage of one identity per person is that privileges can be assigned to each user individually.
A collection of IAM users is an IAM group. When you use IAM groups to specify permissions for multiple users, the permissions that apply to the group also apply to the individual users within that group. Managing groups is very easy. When you set permissions for a group, those permissions automatically apply to all users in the group. When you add another user to a group, the new user automatically inherits all policies and permissions already assigned to that group. This reduces administrative burden.
IAM policies set permissions and control access to AWS resources. A policy is stored in AWS as a JSON document. It specifies who can access a resource and what actions they can perform. For example, a policy can allow an IAM user to access a particular bucket in Amazon S3. A policy includes the following information:
- Who has access
- Which actions users can perform
- Which AWS resources users can access
- Under which conditions access is permitted
In JSON format it looks like this:
There are two types of policies: managed policies and inline policies.
- A managed policy is a standalone identity-based policy that you can attach to multiple entities (users, groups, and roles) in your AWS account. Managed policies are either AWS managed (maintained by AWS) or customer managed (created by you).
- An inline policy is a policy you create that is embedded directly into a single entity (user, group, or role) and cannot be reused elsewhere.
An IAM role is a set of permissions that defines which actions the entity assuming the role is allowed and denied to perform in AWS. Roles are similar to users, but they can be assumed by any type of entity (a person or an AWS service), and the credentials a role provides are temporary.
For example, you might want to allow your mobile app to use AWS resources, but you don't want to store keys, credentials, or passwords in the app. Or you may want to grant access to a resource to a user who already has an identity defined outside of AWS, such as a Google or Facebook login. If you want to provide a service to someone, or give someone access to resources in your account, roles serve that purpose too. You may also grant third parties, such as consultants or auditors, temporary access to your account. These are not permanent users, only users who have temporary access to your environment.
Let's explore the capabilities of IAM in the next section of the AWS IAM tutorial.
Features of IAM
As a refresher, here are some of the main features of IAM.
- Shared access to your AWS account. A key feature of IAM is the ability to create individual usernames and passwords for individual users or resources, and to delegate access.
- Granular permissions. Restrictions can be applied to requests. For example, you can allow users to download information, but deny the user the ability to update it through a policy.
- Multi-factor authentication (MFA). IAM supports MFA. With MFA, in addition to a username and password, a user enters a one-time code generated on their phone or hardware token, which serves as an additional authentication factor.
- Identity federation. If the user has already authenticated elsewhere, such as with a Facebook or Google account, IAM can trust that authentication and grant access accordingly. Federation can also let a user keep a single password for both on-premises and cloud work.
- Available for free. There is no additional charge for IAM security. There is no additional charge to create additional users, groups, or policies.
- PCI DSS compliant. The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from major card schemes. IAM complies with this standard.
- Password policy. IAM password policies allow you to remotely reset or update passwords. You can also set rules such as how users choose passwords and how many attempts they can make before being denied access.
In the final section of the AWS IAM tutorial, take a look at a demonstration of how to create an S3 bucket using the multi-factor authentication (MFA) feature.
Demo: Create an S3 bucket using MFA functionality
In the last part of this article, we will summarize all the information presented and use it to solve a basic problem.
Problem Statement: How to create an S3 bucket for your company that allows each user to read and write data using multi-factor authentication.
Task: Create policies and assign permissions to users and groups.
- Provide read and write access to the developer group.
- Provide a policy that allows users to read objects in the S3 bucket but denies them write permission.
This is a very good use case if you have sensitive data in your S3 buckets and want to ensure that only privileged or MFA-authenticated users can make changes to those buckets. Enable multi-factor authentication for these privileged users.
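The policy document the article refers to in its "In JSON format" section and the MFA-gated write rule from this demo, together with a simplified version of the evaluation logic described under "Authorization", as an added example (this is not the article's own listing, nor AWS code). The bucket ARN and the developer policy are constructed for illustration; the evaluator handles only `Bool`/`BoolIfExists` conditions and `*` wildcards.

```python
import fnmatch
BUCKET_ARN = "arn:aws:s3:::example-company-data"  # constructed, not a real bucket

# Policy for the developers group (constructed for this example): reads and writes
# are allowed, but writes are explicitly denied without MFA; Deny overrides Allow.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Deny",
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": BUCKET_ARN + "/*",
         # BoolIfExists: matches when the key is "false" or absent (long-term keys)
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _matches(patterns, value):
    # Action/Resource elements may be a string or a list and may use * wildcards.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_met(condition, context):
    # Only Bool / BoolIfExists are implemented; context holds request keys.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue      # absent key counts as a match
                return False      # absent key without IfExists: no match
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policies, action, resource, context):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit deny."""
    decision = "implicit deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _condition_met(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision
```

With this policy a `s3:PutObject` request without `aws:MultiFactorAuthPresent` in its context is explicitly denied even though an Allow statement matches it, which is the behaviour the demo asks for.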
Conclusion
With the information provided in this AWS IAM tutorial, you now have a clear understanding of AWS security and IAM. Amazon Web Services provides many remote computing services apart from security services. As businesses around the world adopt the AWS Cloud, professionals with deep knowledge of AWS principles and services are in high demand. With Simplilearn, you can easily upgrade yourself and gain AWS expertise through our Cloud Architect course. Start today and excel at Amazon Web Services.
The AWS Solutions Architect Certification provides a deep dive into key aspects of AWS Identity and Access Management (IAM), a service essential to managing the security of AWS environments. This certification emphasizes the importance of understanding IAM's comprehensive capabilities for securely controlling access to AWS services and resources.