Day 32: AWS IAM

Jeeva-AWSLabsJourney
3 min read · Dec 2, 2023


๐”๐ฌ๐ž๐ซ๐ฌ & ๐†๐ซ๐จ๐ฎ๐ฉ๐ฌ:

๐Ÿ‘‰ Identity and Access Management, Global service

๐Ÿ‘‰ Root account created by default, shouldnโ€™t be used or shared

๐Ÿ‘‰ Users are people within your organization, and can be grouped / Groups only contain users, not other groups

๐Ÿ‘‰ Users donโ€™t have to belong to a group, and user can belong to multiple groups

๐๐ž๐ซ๐ฆ๐ข๐ฌ๐ฌ๐ข๐จ๐ง๐ฌ:

๐Ÿ‘‰ Users or Groups can be assigned JSON documents called policies (defines the permissions)

๐Ÿ‘‰ We apply the least privilege principle: donโ€™t give more permissions than a user need

๐Ÿ‘‰ Consists of Version, Id, Statement, Sid, Effect, Principal, Action, Resource, Condition

๐๐š๐ฌ๐ฌ๐ฐ๐จ๐ซ๐ ๐๐จ๐ฅ๐ข๐œ๐ฒ:

๐Ÿ‘‰ In AWS, you can setup a password policy

๐Ÿ‘‰ MFA = password you know + security device you own, if a password is stolen or hacked, the account is not compromised

๐ˆ๐€๐Œ ๐‘๐จ๐ฅ๐ž๐ฌ ๐Ÿ๐จ๐ซ ๐’๐ž๐ซ๐ฏ๐ข๐œ๐ž๐ฌ:

๐Ÿ‘‰ Some AWS service will need to perform actions on your behalf โ€” to do so, we will assign permissions to AWS services with IAM Roles

๐ˆ๐€๐Œ ๐’๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐“๐จ๐จ๐ฅ๐ฌ:

๐Ÿ‘‰ Credentials Report (account-level) โ€” a report that lists all your accountโ€™s users and the status of their various credentials

๐Ÿ‘‰ Access Advisor (user-level) โ€” Access advisor shows the service permissions granted to a user and when those services were last accessed

Users & Groups:

  • Identity and Access Management (IAM): IAM is a global service provided by AWS that enables you to manage access to AWS services and resources securely. It is used to create and manage users, groups, and roles within your AWS environment.
  • Root Account: The root account is created by default when you sign up for AWS. It has complete access to all AWS services and resources. It is highly recommended not to use or share the root account credentials for everyday tasks to enhance security.
  • Users and Groups: Users represent people within your organization, and they can be organized into groups. Groups, however, only contain users and not other groups. Users don't have to belong to a group, and a user can belong to multiple groups.

Permissions:

  • Policies: IAM policies are JSON documents that define permissions. Users or groups can be assigned policies to specify what actions they are allowed or denied on which resources.
  • Least Privilege Principle: This principle suggests granting users or groups the minimum permissions they need to perform their tasks. It helps to minimize potential security risks.
  • Components of IAM Policy:
      • Version: The version of the policy language (currently 2012-10-17).
      • Id: An optional identifier for the policy.
      • Statement: The main section that specifies the permissions; a policy holds one or more statements.
      • Sid: An optional statement identifier.
      • Effect: Whether the statement allows or denies the specified actions. An explicit Deny always wins over an Allow, and anything not explicitly allowed is denied by default.
      • Principal: The entity that is allowed or denied access. It appears in resource-based policies (bucket policies, role trust policies); identity-based policies attached to users or groups omit it, because the attached identity is the principal.
      • Action: The specific action(s) the statement allows or denies, written as service:Operation (wildcards such as s3:* are permitted).
      • Resource: The AWS resource(s), identified by ARN, to which the actions apply.
      • Condition: Optional conditions that must be satisfied for the statement to take effect.

Password Policy:

  • AWS Password Policy: In AWS, you can set up a password policy to enforce password requirements such as length, complexity, and expiration. This helps enhance the security of user accounts.
  • MFA (Multi-Factor Authentication): MFA combines something you know (password) with something you own (security device). It adds an extra layer of security, and even if a password is compromised, the account remains protected as the attacker would also need the physical device.
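The policy components listed above and the MFA requirement just described, as an added example that is not part of the original post and is not AWS's own policy engine: a constructed least-privilege policy using Version, Id, Statement, Sid, Effect, Action, Resource and Condition, together with a small Python evaluator that applies the same ordering AWS does within a policy (explicit Deny beats Allow, everything else is an implicit deny) and the wildcard and condition matching the policy needs. The `build_policy` and `evaluate` functions, the bucket name `example-reports` and the policy Id are assumptions made for the example; `aws:MultiFactorAuthPresent`, `Bool` and `BoolIfExists` are real IAM condition keys and operators. Principal is absent because this is an identity-based policy.

```python
import fnmatch


def _as_list(value):
    """IAM accepts a single string or a list wherever a list is expected."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context.

    Only Bool, StringEquals and their ...IfExists variants are implemented,
    which is enough for the MFA example. Every operator and every key in the
    block must hold (logical AND).
    """
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base not in ("Bool", "StringEquals"):
            raise ValueError(f"operator not supported by this example: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue  # ...IfExists treats a missing key as satisfied
                return False  # plain operators never match a missing key
            actual = str(context[key])
            wanted = [str(v) for v in _as_list(expected)]
            if base == "Bool":  # Bool compares case-insensitively ("true"/"True")
                actual, wanted = actual.lower(), [w.lower() for w in wanted]
            if actual not in wanted:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request.

    Explicit Deny wins over any Allow, and a request that matches no Allow
    is implicitly denied. Action names are case-insensitive, ARNs are not.
    """
    context = context or {}
    outcome = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny is final; no later Allow overrides it
        outcome = "Allow"
    return outcome


def build_policy(mfa_operator="BoolIfExists"):
    """Constructed least-privilege policy (assumed names): read one bucket,
    and deny every S3 action unless the caller authenticated with MFA.

    mfa_operator is the operator used in the Deny condition. With
    'BoolIfExists' the deny also covers requests signed with long-term access
    keys, where aws:MultiFactorAuthPresent is absent from the context; with
    plain 'Bool' it does not, a classic gap in hand-written MFA policies.
    """
    return {
        "Version": "2012-10-17",
        "Id": "example-read-one-bucket",
        "Statement": [
            {
                "Sid": "AllowReadReportsBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    "arn:aws:s3:::example-reports",
                    "arn:aws:s3:::example-reports/*",
                ],
            },
            {
                "Sid": "DenyS3WithoutMFA",
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": "*",
                "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


if __name__ == "__main__":
    policy = build_policy()
    obj = "arn:aws:s3:::example-reports/q3.csv"
    print(evaluate(policy, "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": True}))
    print(evaluate(policy, "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": False}))
    print(evaluate(policy, "s3:GetObject", obj))  # long-term key: no MFA key in context
    print(evaluate(policy, "s3:PutObject", obj, {"aws:MultiFactorAuthPresent": True}))
```

Running the file prints Allow, Deny, Deny, ImplicitDeny: the MFA-signed read is allowed, the read without MFA is explicitly denied, a request signed with a long-term access key (no `aws:MultiFactorAuthPresent` in the context) is also denied because the statement uses `BoolIfExists`, and the write that no statement allows falls through to the implicit deny. Calling `build_policy("Bool")` shows why the IfExists variant matters: with plain `Bool` the missing key makes the Deny condition fail, and the access-key request is allowed.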

IAM Roles for Services:

  • AWS Service Permissions: Some AWS services need to perform actions on your behalf. IAM roles are used to grant permissions to these services. This eliminates the need to embed access keys directly in your applications.

IAM Security Tools:

  • Credentials Report (Account-level): This report provides a list of all users in an AWS account and the status of their various credentials (passwords, access keys, MFA).
  • Access Advisor (User-level): Access Advisor shows the service permissions granted to a user and when those services were last accessed. It helps in understanding and managing user permissions effectively.
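An added example, not part of the original post, of turning the credentials report into findings: a constructed report in the report's own CSV layout (with AWS's documentation account ID 111122223333) and a Python function that flags what a reviewer checks first: the root account without MFA or with access keys, console users without MFA, and active access keys that were never used or have been idle for more than 90 days. The users, timestamps and the `audit_credential_report` / `audit_sample` function names are constructed for the example; the column names are those of the real report. A real report is obtained with `aws iam generate-credential-report` followed by `aws iam get-credential-report` (which returns it base64-encoded) or downloaded from the IAM console.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of an IAM credential report. Dates are ISO
# 8601; "N/A", "no_information" and "not_supported" mean the field does not apply.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2022-01-10T08:00:00+00:00,not_supported,2023-11-30T07:12:00+00:00,not_supported,not_supported,false,true,2022-01-10T08:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T09:00:00+00:00,true,2023-11-28T10:30:00+00:00,2023-10-01T09:00:00+00:00,2024-01-01T09:00:00+00:00,true,true,2023-10-01T09:00:00+00:00,2023-11-29T14:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-03-01T09:00:00+00:00,true,2023-11-15T10:30:00+00:00,2023-06-01T09:00:00+00:00,2023-09-01T09:00:00+00:00,false,true,2023-01-15T09:00:00+00:00,2023-03-02T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2023-01-20T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-20T00:00:00+00:00,N/A,N/A,N/A,true,2023-11-20T09:00:00+00:00,2023-11-30T01:00:00+00:00,us-east-1,ecr,false,N/A,false,N/A
"""

# Fixed "now" so the sample produces stable results (constructed).
AS_OF = datetime(2023, 12, 2, tzinfo=timezone.utc)


def _parse_time(value):
    """Return an aware datetime for an ISO 8601 field, or None for N/A-style values."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=None, max_unused_days=90):
    """Return (user, finding) pairs for root hygiene, console users without
    MFA, and active access keys unused for longer than max_unused_days."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has a console password; for users the report says so explicitly.
        has_password = is_root or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has active access key {n}"))
            last_used = _parse_time(row[f"access_key_{n}_last_used_date"])
            # A key that was never used is judged from its creation/rotation date.
            reference = last_used or _parse_time(row[f"access_key_{n}_last_rotated"])
            idle_days = (now - reference).days if reference else None
            if idle_days is not None and idle_days > max_unused_days:
                what = "never used" if last_used is None else f"last used {idle_days} days ago"
                findings.append((user, f"active access key {n} {what}"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the fixed reference date."""
    return audit_credential_report(SAMPLE_REPORT, now=AS_OF)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

On the sample the root account produces three findings (no MFA, an active access key, and that key never used), bob two (no MFA, a key idle for 275 days), svc-deploy one (a never-used key 1; key 2 is in use), and alice none. The report only covers IAM users and their credentials; which services a user actually calls is what Access Advisor adds.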
