What is IAM in AWS?

AWS IAM, on a broad level, refers to who can access what with a given set of conditions in Amazon's cloud. The built-in features in AWS IAM enable customers to simplify their authentication and access management processes for workforce users and system workloads. AWS IAM comes with no additional costs.
AWS IAM allows organizations to create identities for users or applications, manage permissions to resources using policies, and control access using roles. It includes strong authentication features, such as a second factor delivered by phone, app, or email. It supports identity federation with third-party identity management systems using the OAuth 2.0 and SAML protocols.

The main components of AWS IAM are IAM identities and IAM policies. In short, to grant permissions in AWS, you attach IAM policies to IAM identities (users, groups of users, and roles).

Let's have a closer look at these concepts.

AWS IAM identities

AWS identities can be any IAM users, groups, or roles. An example of user-based authentication in IAM is an AWS IAM user logging into the AWS console to access an application running in an EC2 instance in AWS.

While users often access AWS resources through the AWS CLI or the AWS console, applications require some form of programmatic access to resources. This is where IAM roles come in: a role can be used to grant permissions to an application. For instance, you can attach an IAM role to an application running in an EC2 instance that requires read access to an AWS S3 bucket. An IAM user must switch to the IAM role to gain access to the resource.

AWS IAM users

An AWS IAM user is an AWS identity with credentials attached to it. These credentials can be either of the following:

  1. Username + password + account number
  2. Access key + access secret

For instance, the AWS CLI tool uses access keys and access secrets to identify and authorize users for any administration or management task related to AWS resources. After installation, it requires configuration before it can be used.

Configuring the AWS CLI using an IAM user

As seen in the above screenshot, to configure the AWS CLI, the IAM user has to provide an access key and access secret to authenticate.

Note that there is a limit of two access keys per identity and a hard limit of 5,000 IAM users per AWS account.

IAM users are identified in the ARN format. This is an example:

arn:aws:iam::account-ID-without-hyphens:user/bchandel

The AWS root user or an IAM admin can create an IAM user on the IAM dashboard of the AWS Console. You have to provide the AWS username, password, and AWS account number. The username created here is not case sensitive and can be in the form of an email address, which makes it unique within AWS. You can create identities in AWS IAM > Add Users.

Adding an IAM user

Creating an IAM user

Next, assign permissions to the IAM user.

Attaching an existing IAM Policy

IAM permissions can be applied with any of the following options:

  • Adding a user to a preconfigured user group
  • Copying policies from existing users
  • Attaching AWS-managed policies
  • Creating a new policy

In our example, we will select the AWS managed policy.

IAM user summary

IAM user access key

Since we chose both console login and programmatic access (see the Creating an IAM user screenshot), AWS created the access key and access secret for the user. Download the CSV file or copy the values directly from here. Note that the secret is visible only at this time; it will be hidden afterward.

AWS IAM user groups

AWS groups can be used as containers to organize IAM users into groups and to specify permissions at the group level rather than for individual IAM users. This simplifies the administration and management of IAM users. From the IAM dashboard, select User groups > Create group.

Creating an IAM user group

Give it a name, and add the required users:

Adding an IAM user to an IAM user group

IAM permissions can be attached to the group during or after creation:

Attaching an IAM policy

IAM users cannot belong to more than 10 groups at once. There is a maximum limit of 300 IAM groups per AWS account, which can be increased by requesting an extension.

AWS IAM roles

If there are users or applications that require temporary access to resources, you can work with IAM roles, which define a set of permissions for making AWS service requests. IAM users can then switch to the role in the AWS console when they need access to the resources to which the role has permissions via an IAM policy.

You create IAM roles on the IAM dashboard.

Creating an IAM role

AWS IAM policy

AWS IAM policies define user permissions to specific resources. Written in JSON, they consist of statements that allow or deny specific actions on specific resources, such as an S3 bucket or EC2 instances.

AWS managed IAM policies

AWS IAM policy types

AWS IAM supports two policy types: AWS managed policies and custom policies.

AWS managed policies

AWS managed policies can't be edited. They are updated and maintained by AWS, and new features are automatically added by AWS.

Custom policies

An IAM administrator creates custom policies. AWS offers a handy tool, the policy generator, for dealing with policy creation. Using the tool is quite intuitive: you simply select the service for which the policy is required and specify the effect and actions from the resulting dropdown menu.

Using an AWS policy generator

AWS IAM policy example

You can import an IAM policy from the AWS managed policies and edit it as necessary. There are two options for editing a policy: use either a visual editor or a text editor to create a JSON file.

Let's see how an IAM policy is applied. To do so, we will perform the following steps:

  1. Create a user group and add an IAM user to this group.
  2. Create a policy with full access to EC2, and attach this policy to the group.
  3. Test the policy by creating an EC2 instance and then signing in to that instance.

To create an IAM group, go to the IAM dashboard and select User groups > Create Group. Then, give it a name.

Add any user to this group that requires admin-level access.

Creating an IAM admin group

On the Permissions tab, select Add permissions > Attach policies.

Attaching the IAM policy to the IAM user group

If you type "Administrator" in the search box, all policies that contain this keyword will be returned. Select AdministratorAccess > Add permissions.

Attaching the AdministratorAccess policy to the user group

Policy element

To see the detailed JSON formatted information about the elements in the policy, expand the AdministratorAccess policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Version: This element defines which version of the language syntax rule to use.

Statement: This is the main element of the policy, with multiple subclauses in it that define elements such as Effect, Action, and Resource.

Effect: This can be Allow or Deny. The default effect is Deny, which is the same as having no statement or policy attached to the IAM user. If both Allow and Deny statements apply, the resultant effect is Deny.

Action: This is what a user is allowed to do on access. It can contain multiple elements inside the brackets. In our example, we grant permission to list buckets in the S3 service.

Resource: Resources are the objects within a service, such as EC2 or S3. An example is an EC2 instance. Like IAM users, resources are also written in the ARN format: arn:partition:service:region:account-id:resource-id

This notation allows AWS to recognize each resource as a unique object. Note that some services, such as S3, require objects across AWS to have unique names. A blank region and account ID are allowed in these cases. The values in the resource are case sensitive. In our example, we grant access to all resources within the EC2 service.
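To make the Effect, Action, and Resource rules above concrete, here is an added example (not code from the article or from AWS) that models how an identity-based policy is evaluated: implicit deny when nothing matches, explicit Deny winning over any Allow, wildcard matching for actions and resources, and ARN parsing that tolerates the blank region and account fields used by S3. It uses the article's AdministratorAccess policy plus a constructed read-only S3 policy of the kind the earlier EC2-to-S3 role scenario would need; the bucket name, account ID, and instance ID are placeholders.

```python
"""Minimal model of AWS IAM identity-policy evaluation (constructed example).

Rules modelled (these match IAM's documented evaluation order for
identity-based policies, but this is an illustration, not AWS's engine):
  - no matching statement  -> implicit Deny
  - any matching Deny      -> explicit Deny, even if an Allow also matches
  - otherwise              -> Allow
"""
import fnmatch
import json
from typing import Dict, List

# Policy copied from the article: the AWS managed AdministratorAccess policy.
ADMINISTRATOR_ACCESS = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        { "Effect": "Allow", "Action": "*", "Resource": "*" }
    ]
}
""")

# Constructed policy: read one bucket, but never delete objects in it.
# "example-bucket" is a placeholder, not a real bucket.
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an ARN into its fields. Region and account may be blank (S3)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def _as_list(value) -> List[str]:
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policies: List[dict], action: str, resource_arn: str) -> str:
    """Return "Allow" or "Deny" for one request against a set of policies."""
    parse_arn(resource_arn)  # reject malformed ARNs before evaluating
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive; resource ARNs are case-sensitive.
            action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                             for p in _as_list(stmt["Action"]))
            resource_hit = any(fnmatch.fnmatchcase(resource_arn, p)
                               for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides every allow
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matched


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed object ARN
    print(evaluate([ADMINISTRATOR_ACCESS], "ec2:RunInstances",
                   "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"))
    print(evaluate([S3_READ_ONLY], "s3:GetObject", obj))
    print(evaluate([S3_READ_ONLY], "s3:DeleteObject", obj))
    print(evaluate([S3_READ_ONLY, ADMINISTRATOR_ACCESS], "s3:DeleteObject", obj))
```

The last call is the one worth remembering when reviewing permissions: attaching AdministratorAccess to the same identity does not undo the explicit Deny, which is why a targeted Deny statement is a reliable guardrail while a missing Allow is only an implicit one.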

Testing the IAM policy

Now let's test the policy by accessing an EC2 instance using the IAM user created in the previous steps.

Copy the sign-in URL (see screenshot below) from the IAM user's properties under Security Credentials.

IAM User sign in link

Open the URL in a new incognito browser window and provide the required sign-in info for the user.

After signing in to AWS with the IAM user, launch an EC2 instance. Because our policy allows access to EC2, the user should be able to access the EC2 machine from the EC2 console.

Accessing the EC2 instance

Select the instance; the Connect option becomes available. Click Connect to access the EC2 instance.

Conclusion

This article gave a brief overview of AWS IAM. But we have only scratched the surface. AWS IAM is a very powerful tool for managing permissions in Amazon's cloud. If you plan to become an AWS admin, you will have to dig deeper.

© 4sysops 2006 - 2023