AWS IAM: Everything You Need to Know

1. Concepts
What is IAM?
IAM stands for Identity and Access Management. IAM allows you to manage users and their level of access to the AWS console. You can specify permissions to control which users can access specific services, the kinds of actions they can perform, and which resources are available. AWS CloudTrail keeps logs of user activity and API calls, but I will go deep into AWS CloudTrail in another article.
It's good to have an idea of all the puzzle pieces that can be involved in IAM, so let's go over a simple explanation of these concepts.
Authentication vs Authorization
Authentication checks who the user is and whether they are who they say they are. Authorization answers questions like: what can this user do? What can this user access?
Root Account
When you create an AWS account for yourself, you are creating what is called the root account. You should not use the root account credentials day to day, and if you have a team, your team members shouldn't use this root account either; you need to create users for your team members. You can have many users associated with a root account. I will show you how in the hands-on section later in this article. In the image below, you can see one account and several users associated with that single account.
What is a User in AWS?
A user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.
By default, users don't have access to anything; you need to create policies to give them access.
MFA, Multi-Factor Authentication
This is an extra layer of security on top of your authentication: you need a password or access key plus a code from a device.
This works with the AWS console or programmatically. You are only allowed one device per user, and that device is where you receive the code.
Where can’t you use IAM?
You can't use IAM for EC2 SSH keys or Windows RDP certificates; for those you must use SSH keys, which, unlike IAM credentials, users can share.
User Groups
User groups are a very efficient way of managing access: you can make a policy for each group. Each group can correspond to a department in your organization, so it will include one or more users.
IAM Role
An IAM role is an IAM identity that you can create in your account that has specific permissions.
An IAM role is not the same as a user, and you don't need one IAM role per user; that is wrong! You can actually have several roles per user, or you can even use an IAM role for communication between services. IAM roles can be temporary, so you can, for example, give admin permissions to a user and remove the role when the user no longer needs to perform admin tasks.
At the end of the day, an IAM Role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.
When a user assumes an IAM role, the role's permissions replace the user's original policies for that session.
Use case #1: There is permission needed to communicate between 2 AWS services.
Use Case #2: There is a need to give admin permissions temporarily to a user.
What is an AWS Policy?
A policy is an object in AWS that, when associated with an identity or resource, defines its permissions. Most policies are stored in AWS as JSON documents.
Here, you can see what elements need to be present in a JSON policy. It will be very helpful to know this when you need to create your own policy.
In my last post, I needed to create a policy for my S3 bucket!
AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies. You can read about each one of these types here.
The most common scenario where you can leverage policies within your organization is when you create a policy for each user group.
IAM users are not separate accounts, they are users inside of your account.
When a user is added to a group, the user inherits the group's permissions but does not lose its own permissions.
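To see how the policy elements above combine, here is an added example (my own code, not AWS's evaluation engine) that models a simplified version of IAM's identity-based policy evaluation: a constructed group policy and a constructed user inline policy are merged the way group membership merges them, and each request is decided with IAM's rule that an explicit Deny beats any Allow and anything not allowed is denied. It ignores Conditions, NotAction, resource-based policies and permissions boundaries.

```python
"""Simplified model of IAM identity-based policy evaluation (added example,
not AWS code): Allow/Deny, Action and Resource wildcards only."""
from fnmatch import fnmatchcase

# Constructed sample: a group policy and a user's inline policy, each a JSON
# policy document with the elements the article lists (Version, Statement, Effect, Action, Resource).
DEVELOPERS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
}
ALICE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # An explicit Deny always wins over any Allow, even one from a group.
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policies, action, resource):
    """Decide one request: 'explicit-deny' if any statement denies it,
    'allow' if any statement allows it, otherwise 'implicit-deny'."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive in IAM; resource ARNs are not.
            action_hit = any(fnmatchcase(action.lower(), a.lower())
                             for a in _as_list(stmt["Action"]))
            resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "explicit-deny"
                decision = "allow"
    return decision

# Group membership adds the group's policies; the user keeps its own.
ALICE_EFFECTIVE = [ALICE_INLINE_POLICY, DEVELOPERS_GROUP_POLICY]

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv")]:
        print(f"{act:16} {res:48} -> {evaluate(ALICE_EFFECTIVE, act, res)}")
```

The third request is denied even though nothing forbids it, which is the default-deny behaviour the article describes for users that have no policy attached.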
Password Policy
A strong password provides higher security and helps protect your users and groups from being compromised, so in AWS you can set up a password policy with different options.
The first option is a minimum password length. You can also require specific character types, for example an uppercase letter, a lowercase letter, a number, or non-alphanumeric characters such as a question mark.
Then you can decide whether IAM users may change their own passwords, and you can require users to change their password after some time by making passwords expire; for example, every 90 days users have to change their passwords.
Finally, you can also prevent password reuse, so that when users change their passwords they cannot keep the one they already have or go back to one they had before.
Multi-Factor Authentication, or MFA, is also a security mechanism users can have: even if they forget their passwords, with MFA they can recover them because they have their MFA code.
You can use Google Authenticator or Authy; they work the same way, except that Authy is multi-device and supports multiple tokens on a single device.
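As an added example (my own code, not AWS's), here is a local model of the password policy options just described, using the same setting names as IAM's UpdateAccountPasswordPolicy API, so you can see which passwords each option rejects and when a password expires; the checking logic, the sample policy values and the sample passwords are mine.

```python
"""Local model of the IAM account password policy options (added example,
not AWS code). Setting names mirror IAM's UpdateAccountPasswordPolicy parameters."""
import hashlib
from datetime import date, timedelta

# Constructed sample policy with the options the article walks through.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,          # days, the article's "every 90 days" example
    "PasswordReusePrevention": 5,  # remember the last 5 passwords
}

def fingerprint(password):
    # Keep only a hash for the reuse check, never the password itself.
    return hashlib.sha256(password.encode()).hexdigest()

def check_new_password(password, previous_fingerprints, policy=PASSWORD_POLICY):
    """Return the list of violated rules; an empty list means the change is accepted."""
    problems = []
    if len(password) < policy["MinimumPasswordLength"]:
        problems.append("too short")
    if policy["RequireUppercaseCharacters"] and not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if policy["RequireLowercaseCharacters"] and not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if policy["RequireNumbers"] and not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if policy["RequireSymbols"] and all(c.isalnum() for c in password):
        problems.append("needs a non-alphanumeric character")
    remembered = policy["PasswordReusePrevention"]
    # A value of 0 disables reuse prevention (slicing with -0 would keep everything).
    recent = previous_fingerprints[-remembered:] if remembered else []
    if fingerprint(password) in recent:
        problems.append("reuses one of the last %d passwords" % remembered)
    return problems

def password_expired(last_changed_iso, today_iso, policy=PASSWORD_POLICY):
    """True once the password is older than MaxPasswordAge days (ISO dates as input)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=policy["MaxPasswordAge"])

if __name__ == "__main__":
    history = [fingerprint("OldPassw0rd!2023")]
    print(check_new_password("OldPassw0rd!2023", history))          # reuse rejected
    print(check_new_password("Tr0ub4dor&3-horse-staple", history))  # accepted: []
    print(password_expired("2024-01-01", "2024-04-15"))             # True
```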

2. Hands-On
What will we be doing?
Set up MFA
Create a user
Create a group (add and remove users to this group)
Create a role (assign it to a user)
Let's start! Go to AWS and log in, for now as the root user, because you haven't created users yet. (Some foreshadowing here 😉)

On the console, search for IAM, and click on it.

When you access IAM, you will see the dashboard; if you don't have MFA enabled, it will show you an alert about it.

Click on enable MFA. Then, click to activate MFA.
Leave the virtual MFA device option selected and press continue.

Use Authy or a similar application on your phone to read the QR code.

Your app will generate a code; enter it in the first input.
Wait for the second code to be generated and enter it in the second input.
Now click on assign MFA.

Congratulations! You have set up MFA for your root account.
Now let's add a user! Look for Users in the left vertical menu.

Go ahead and click on Add user.

Give your user a name and check both checkboxes in the access type section: programmatic access and AWS Management Console access.
Also tick the checkbox that requires a password reset at first sign-in.
Now, press next.
Instead of creating the user immediately, in the next screen choose the option to add the user to a group. With this option you can create the group and have your user become part of the group you just created right away.

Name your group (example names: developers, HR, accountants, etc.).

Congratulations, you have now created a user and a group, added the user to the group, and set up MFA.
A good exercise here is to create a second group and a second user, and try to move one user from one group to another, simulating someone whose position changed in the company, for example.

If you want to remove a user from a group, open the group to see which users are in it, then click the user to see the Remove from group option.

Now let’s create a role.
Again, in the side menu on the left, you will find the option for roles.

Go ahead and click Roles.
In this case, you will be creating a role that grants permissions to AWS resources.
That is the AWS Service option.

Select EC2. Then search for a policy, type S3, and choose AmazonS3FullAccess.

You have now created a role that allows EC2 to communicate with S3.
You can also create a role and assign it to a user.
Go to your users, pick one user, and press Add permissions.

You can test your IAM policies with the IAM Policy Simulator, a tool provided by AWS.
You can use this tool as your QA environment before attaching a policy.
More about this tool here:
Testing IAM policies with the IAM policy simulator

IAM is a very powerful and useful service! Also 100% free as mentioned before.
Are you studying for the AWS Certification exam? I will be posting about the different AWS services! Expect a post a week at the minimum! If that is something you would like to see, follow me!