AWS IAM Essentials: Users, Groups, Policies, and Multi-Factor Authentication

📢 Day 3 of 90 days of AWS learning challenge

Introduction

Welcome to Day 3 3️⃣ **of our AWS learning journey!**🔍📚 Today, we delve into one of the foundational services of AWS: Identity and Access Management (IAM)🛡🌐. In simple words, it is the user-management service of AWS through which you control, in a secure manner, who can access your account and what they are allowed to do. Let’s get started!

What is IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources🛡. With IAM, you can centrally manage the permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM is a global service🌏, so the region selector in the console is not active and you cannot choose a specific region for it.

  1. Users

    An IAM user 🙋‍♂️is an entity that you create in AWS to represent the person or service that interacts with AWS. A user in AWS IAM is an identity with specific permissions to interact with AWS services and resources. The root user account should not be shared or used for everyday tasks.

    Example Use Case: You can create a user for each developer in your team, giving each user specific permissions to access resources needed for their work.

  2. Groups

    IAM groups are collections of IAM users👥. You can manage permissions for multiple users in one place by assigning policies to groups.

    Example Use Case: Create a group called “Developers”📝 and attach a policy that provides access to Amazon EC2 and S3 services. Adding users to this group will grant them these permissions automatically.

  3. Policies

    A policy is an object in AWS that defines permissions🛡.

    IAM policies are JSON documents📜 that define permissions to manage AWS services and resources. Policies can be created and edited from the IAM service’s user interface in the AWS console. Policies are attached to users, groups, or roles to grant permissions.

    Example Use Case: A policy might allow users to manage only the S3🗑📁 service, ensuring they cannot inadvertently make changes to other AWS services.

IAM Policies

Policies are fundamental to IAM and are used to define the actions that are allowed or denied. Here’s a breakdown of the key components:

An IAM policy consists of:

  1. Version: the policy language version; the current version string is "2012-10-17".

  2. Id: an identifier for the policy.

  3. Statement: each policy contains one or more statements, and each statement includes:

    Sid: an identifier for the statement.

    Effect: whether the statement allows or denies access (Allow or Deny).

    Principal: the account, user, or role to which the statement applies. It appears in resource-based policies; identity-based policies attached to users, groups, or roles leave it out, because the identity the policy is attached to is the principal.

    Action: the list of actions that are allowed or denied.

    Resource: the list of resources to which the actions apply.

    Condition (optional): the conditions under which the statement is in effect.

Example Policy

Here’s a simple example of an IAM policy:

Attaching Policies🔁

Policies can be attached to users, groups, or roles. When attached to a group, all users within that group inherit the permissions defined by the policy.

Least Privilege Principle

IAM policies should follow the principle of least privilege, granting only the necessary permissions to users and groups.
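To make the “Example Policy” and least-privilege sections concrete, here is an added example (not code from the post) of an S3-only identity policy in the shape described above, alongside a constructed over-broad policy and a small lint that flags wildcard grants and a wrong Version string. The bucket name is a placeholder; the second statement is a simplified form of the common deny-unless-MFA pattern using the real `aws:MultiFactorAuthPresent` condition key.

```python
"""S3-only identity policy shaped as the post describes, plus a least-privilege lint."""

S3_ONLY_POLICY = {
    "Version": "2012-10-17",  # current policy-language version string
    "Statement": [
        {   # grant: read/write in one bucket only (placeholder bucket name)
            "Sid": "AllowBucketReadWrite",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::example-team-bucket",
                         "arn:aws:s3:::example-team-bucket/*"],
        },
        {   # guard: deny everything except MFA self-setup when no MFA was used
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                          "iam:ListMFADevices", "iam:ResyncMFADevice",
                          "iam:GetUser", "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Constructed counter-example: the "just make it work" policy.
ADMIN_ALL = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(policy: dict) -> list[str]:
    """Return findings for a wrong Version or over-broad Allow statements."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version: must be '2012-10-17'")
    for s in _as_list(policy.get("Statement", [])):
        sid = s.get("Sid", "<no Sid>")
        if s.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        acts, res = _as_list(s.get("Action", [])), _as_list(s.get("Resource", []))
        if "*" in acts and "*" in res:
            findings.append(f"{sid}: Action '*' on Resource '*' is full admin")
        elif any(a == "*" or a.endswith(":*") for a in acts):
            findings.append(f"{sid}: wildcard action in {acts}")
        if "*" in res and "Condition" not in s:
            findings.append(f"{sid}: Resource '*' without a Condition")
    return findings
```

Run `lint_policy(S3_ONLY_POLICY)` to get no findings and `lint_policy(ADMIN_ALL)` to see both wildcard findings; the same lint catches a mistyped Version such as "2021-10-17", which IAM would reject.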

IAM Password Policy

**The following are the important password rules:**🚫

Minimum Length: Require at least 8 characters.

Character Types: Include at least one uppercase letter, one lowercase letter, one number, and one special character.

Password Expiration: Set passwords to expire every 90 days.

Password Reuse Prevention: Prevent reuse of the last 5 passwords.

Change Default Passwords: Enforce immediate change of default passwords upon first login.

Lockout Policy: Implement account lockout after 5 failed login attempts.

Secure Storage: Store passwords securely using hashing and encryption.
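The rules that map to IAM’s account password policy can be expressed as the parameters of boto3’s `iam.update_account_password_policy()`, and the same dictionary can be used to detect drift in an account. This is an added example, not the post’s code; it assumes boto3 and the `iam:UpdateAccountPasswordPolicy` permission only for the apply step, and the lockout and change-default-password rules have no account-policy setting (first-sign-in reset is a per-user option when the console password is created).

```python
"""Desired IAM account password policy as the keyword arguments boto3's
iam.update_account_password_policy() takes, plus a drift check against the
PasswordPolicy dict that iam.get_account_password_policy() returns."""

DESIRED = {  # real IAM parameter names; values follow the post's rules
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,            # expire after 90 days
    "PasswordReusePrevention": 5,    # remember the last 5
    "AllowUsersToChangePassword": True,
    "HardExpiry": False,             # users may reset an expired password themselves
}

def password_policy_drift(current: dict) -> list[str]:
    """Findings where `current` is weaker than DESIRED. A missing key is
    treated as unset, which for IAM means the weakest option."""
    findings = []
    for key, want in DESIRED.items():
        have = current.get(key)
        if key == "MaxPasswordAge":             # unset means never expires
            bad = have is None or have > want
        elif isinstance(want, bool):
            bad = bool(have) != want
        else:                                   # numeric minimums
            bad = have is None or have < want
        if bad:
            findings.append(f"{key}: have {have!r}, want {want!r}")
    return findings

def apply_password_policy(iam_client) -> None:
    """iam_client = boto3.client('iam'); needs iam:UpdateAccountPasswordPolicy."""
    iam_client.update_account_password_policy(**DESIRED)

# Constructed sample of what a fresh account commonly reports: only the
# default minimum length, nothing else required, no expiry or reuse limit.
SAMPLE_CURRENT = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": False,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}

if __name__ == "__main__":
    for f in password_policy_drift(SAMPLE_CURRENT):
        print("DRIFT", f)
```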

IAM MFA Overview

What is MFA?

**Multi-Factor Authentication (MFA)**🛡 is a security feature that requires users to present two or more separate forms of identification before they can access an AWS account. This adds an extra layer of protection on top of your username and password.

Enabling MFA

Set up a virtual MFA device: Use an application like Google Authenticator or Authy to generate a time-based one-time password (TOTP).♻

Assign MFA to users: Go to the IAM console, select the user, and assign the MFA device.

Benefits of MFA

Increased Security: Even if a password is compromised, the account remains secure as the attacker would also need access to the MFA device.

Compliance: MFA helps meet compliance requirements for security standards like ISO 27001, SOC, and PCI DSS.

Example Use Case

Administrator Account: For users with administrative privileges, enabling MFA ensures that even if their credentials are compromised, unauthorized access to critical resources is prevented.

You can read more about MFA here.

Conclusion

**Understanding IAM is crucial for managing access to your AWS environment securely. By mastering IAM users, groups, and policies, and implementing MFA, you can protect your AWS resources effectively.**💡