Identity and Access Management (IAM) in Amazon Web Services (AWS)

The AWS Identity and Access Management (IAM) service controls access to the various AWS resources.

We can grant or restrict access so that only certain users can use a particular AWS resource.

AWS Components:
 
1) Users: An IAM user is the entity through which we access AWS services and resources. By default we get a root user for the AWS account. Since the root user can't be, and should not be, shared, we create separate users from the root account.
Each user may or may not have different access/permissions, depending on requirements. A user can also belong to multiple groups. Why do we create users and groups at all? Because they are the way the AWS account is accessed.
 
2) Groups:
A group contains users. We can assign permissions to groups, which makes permission management easy: we simply add users to the group rather than granting each user individual permissions.
However, it is also possible to assign permissions directly to users.
 
By default AWS follows the least privilege principle, which means it gives users very restrictive permissions by default. One reason for this is cost, since it can cost a lot if we unnecessarily provide all permissions to all users.
The other reason is security: only a few users will have access to certain services, and permissions are given on a need basis.
 
3) Policies:
An IAM policy works much like inheritance: if a parent has it, the child automatically gets it too. Similarly, an IAM policy applied to a group is automatically inherited by all users in that group.
 
IAM sets permissions by using policies. Policies are stored as JSON documents, but that does not mean we have to write JSON to define them; we can also do it through the UI in the IAM console.
A policy defines which resources are allowed or restricted for which user, role, etc., so it controls:
A) Who can access the resource
B) What type of actions are allowed on that resource
C) Which resources can be accessed
 
There are three types of policies:
 
A) Managed policy (AWS managed):
A managed policy is an IAM policy created and administered by AWS. AWS has a predefined set of managed policies that suit most use cases, and ideally we should use them.
However, if you want to change the permissions in one of these managed policies, you can't; for that we need a customer managed policy.
 
B) Customer managed policy:
As mentioned above, if the AWS managed policies are not sufficient for your use case, you can copy one of the existing AWS managed policies and edit it according to your requirements.
 
C) Inline policy:
An inline policy is attached to the single user, group or role to which it applies. There is a strict one-to-one relationship between the entity and the policy.
When that user, group or role is deleted, the associated inline policy is deleted along with it.
From a security point of view, AWS strongly recommends using AWS managed policies.
 
 
Note: IAM is a global service, so we do not need to select a region while creating users or groups; users and groups are accessible across all regions.
 
 
Understanding policy JSON:
 
Version: The policy-language version; current policies use "2012-10-17".
Effect: Allow or Deny access to the resource.
Principal: The user/role to which the statement applies.
Action: The list of actions that are allowed or denied.
Resource: The resource(s) to which the policy applies, identified by ARN, such as an S3 bucket.

Example 1:
Read-only permission for IAM components (here Statement is a single statement object; in Example 2 it is a list, and both forms are accepted).
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:Get*",
      "iam:List*"
    ],
    "Resource": "*"
  }
}

Example 2:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ReadWrite",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucketA/*"
      ]
    }
  ]
}

Sid: An optional statement identifier used to describe what the statement does.
This policy allows read and write access to the objects in the S3 bucket named bucketA.
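To make the evaluation rules behind these two examples concrete, here is a simplified policy evaluator written for this article (an added example, not AWS's own code or part of the original page): it reads policies in the JSON shape shown above, expands the IAM wildcards in Action and Resource, and applies the default-deny, explicit-Deny-wins rule. The sample policies, the extra NoDelete statement and the function names are constructed for the example.

```python
import fnmatch
import json

# Constructed sample policies, modelled on the two examples on this page
# (a Deny statement is added to show how an explicit Deny is handled).
IAM_READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}
}""")

S3_READ_WRITE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "S3ReadWrite", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::bucketA/*"]},
    {"Sid": "NoDelete", "Effect": "Deny",
     "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")


def _as_list(value):
    # Statement, Action and Resource may each be a single value or a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # fnmatchcase implements the same two wildcards; action names are
    # compared case-insensitively, ARNs as written.
    patterns = _as_list(patterns)
    if ignore_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Simplified identity-policy evaluation (hypothetical, not AWS's code):
    default deny; any matching explicit Deny wins; otherwise a matching Allow
    is required. Conditions, NotAction/NotResource and resource-based
    policies are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action, ignore_case=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running `is_allowed([IAM_READ_ONLY, S3_READ_WRITE], "s3:ListBucket", "arn:aws:s3:::bucketA")` returns False: nothing grants it, which is the default-deny behaviour described above.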