Tuesday 20 June 2017

Getting started with IAM

Identity and Access Management (IAM) is where you manage your AWS users and their access to AWS services. IAM is specifically used to manage users, groups, access policies and roles.
The "root" user is created when you first create the AWS account and has full access to every part of the account. Users created later have no access to any AWS service by default; access is granted to them through access policies.

To start working with IAM click on IAM under the Security, Identity and Compliance section of the AWS services dashboard. You will be presented with the below screen:


The IAM users sign-in link is the URL that the users we create in IAM will use to authenticate and log in to the AWS console. By default it contains the 12-digit account ID. If we want something more user friendly we can set an account alias on this page, which replaces the account ID in the URL, or use Route 53 to create a CNAME record pointing a friendlier name at this URL.

Next, I'd like to point you to the section labelled Security Status. This is AWS's checklist of best practices for securing the account. Ideally all the items should be green for us to adhere to best practices.

I've briefly described these items below:


  • The "delete your root access keys" item is already marked green because no root access keys were created when I created the account. Root access keys are long-lived credentials with unrestricted rights, so if they exist they should be deleted rather than kept around.
  • MFA means multi-factor authentication and should be set up for the root account. The MFA device can be virtual (a compatible one-time-code app installed on a phone) or a hardware token from a vendor supported by AWS.
  • The "create individual IAM users" item is marked orange because I haven't created any IAM users yet. We should avoid signing in as the root account unless absolutely necessary and prefer individual IAM user accounts for doing our work.
  • The next item, "use groups to assign permissions", is also marked orange because I haven't created any groups yet. Best practice dictates that permissions or access policies should be associated with groups and not with individual users. This allows for ease of management.
  • The last item is "apply IAM password policy". This applies rules for setting user passwords and allows us to enforce strong passwords.



Now, let's create an IAM user.
To do so, expand the "create individual IAM users" item.


Click on manage users. This will bring up the below screen:


From here click on add user. We will be presented with the below screen where we can specify the user name and select an access type:


I've specified the user name as sahil and selected the access type "AWS Management Console access". The second option, "Programmatic access", creates an access key ID and secret access key that applications use to sign API calls to AWS services.
I've opted to give a password of my choice instead of an autogenerated password and I've unchecked the box that forces the user to change their password on first login. Leaving that box checked is the safer choice whenever the initial password is handed to someone else.
Once done, click on "Next: Permissions".

Here we define what level of access will be granted to the user that we are creating. We will be presented with the below set of options:



We could add the user to a group, in which case the group's access policies apply to the user, but since I don't have any groups created yet I'll attach a policy to the user directly by selecting "Attach existing policies directly". Note that doing so is a deviation from best practice.

Selecting "attach existing policies directly" option opens up the below list:



Here we can select an existing access policy, searching and filtering the policies by typing in the search box. For example, if I wanted to grant a user access to the EC2 service I could type ec2 in the search box and select the required policy from the results. We can also create custom policies by clicking on Create policy.
From the list of available policies I've selected the first one, "AdministratorAccess", which grants full administrative rights to every available AWS service: its single statement allows every action on every resource. For a real user this should be the exception rather than the default; a policy scoped to the services and resources the user actually needs is the least-privilege choice. Once you've selected the required permissions click on Next: Review.
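To make the difference between "AdministratorAccess" and a scoped policy concrete, here is a small evaluator that applies IAM's decision rule to a single request: an explicit Deny wins, otherwise some Allow must match, otherwise the request is implicitly denied. This is an added example written for this post, not AWS code; the two policy documents are constructed (the account ID and instance ID are placeholders), and it covers only Action/NotAction, Resource and Effect, with no Conditions, resource policies or permission boundaries.

```python
"""Evaluate an IAM identity-based policy for one request, the way IAM decides:
explicit Deny wins, otherwise some Allow must match, otherwise implicit deny.
Added example for this post, not AWS code. Covers only Action/NotAction,
Resource and Effect (no Conditions, resource policies or boundaries)."""
import fnmatch
import json

# Constructed sample policies. ADMIN_POLICY has the same single statement as
# the AdministratorAccess managed policy: every action on every resource.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A scoped alternative for a user who only needs to look at EC2 and start or
# stop one specific instance. Account ID and instance ID are placeholders.
EC2_OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
        },
        # An explicit Deny overrides any Allow, even a wildcard one.
        {"Effect": "Deny", "Action": "ec2:DescribeKeyPairs", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/NotAction/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    """Wildcard match: '*' is any run of characters, '?' one character.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    patterns = _as_list(patterns)
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Return True if `action` on `resource` is permitted by `policy`."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            action_hit = _matches(stmt["Action"], action, fold_case=True)
        else:
            action_hit = not _matches(stmt["NotAction"], action, fold_case=True)
        resource_hit = _matches(stmt.get("Resource", "*"), resource, fold_case=False)
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny always wins
        allowed = True
    return allowed


if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    other = "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210"
    requests = [("ec2:DescribeInstances", "*"), ("ec2:StartInstances", inst),
                ("ec2:StartInstances", other), ("ec2:DescribeKeyPairs", "*"),
                ("iam:CreateUser", "*")]
    for name, policy in (("AdministratorAccess", ADMIN_POLICY),
                         ("EC2 operator", EC2_OPERATOR_POLICY)):
        print(name)
        for action, res in requests:
            print("  {:22} {:>60} -> {}".format(action, res, is_allowed(policy, action, res)))
    # The JSON you would paste into "Create policy" in the console:
    print(json.dumps(EC2_OPERATOR_POLICY, indent=2))
```

Running the script shows that the operator policy answers True only for the Describe calls and for starting the one named instance, while the AdministratorAccess-equivalent answers True for everything, including iam:CreateUser, which lets the holder create further administrators.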

This opens up a review page where we can check our selections:


From here click on Create user. This creates the user and displays the below page, where we can see that our user has been created; it also provides the sign-in link the new user will use to log in and access AWS.



I've clicked on the sign in link and the below login page is displayed.



Once I enter my credentials and click on sign in I'll be logged in as the user sahil to the AWS management console.

After logging in I expanded my user name to confirm that sahil is an IAM user, and under the recently visited services I can observe that the IAM service was recently used, as shown in the below screenshot:



Before wrapping up the article I'd like to briefly touch upon the implementation of password policies.

From the IAM dashboard, under the security status section expand the item "Apply an IAM password policy" and click on the manage password policy button.



This will bring up the below page where we can check the selections that strengthen our password policy.


Once the required selections have been made click on Apply password policy. If we need to make modifications later we can change the selections and apply the policy again, or delete the existing password policy and create a new one.
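The checkboxes on that page map one-to-one onto the parameters of the IAM UpdateAccountPasswordPolicy API. The following added example (written for this post, not AWS code) represents a policy with those parameter names, checks that the numeric values are within the ranges the API accepts, and tests candidate passwords against it so you can see what each checkbox actually enforces. The chosen values are an assumption for the example; the symbol set is the one the IAM console lists for the non-alphanumeric requirement.

```python
"""Represent an IAM account password policy and check passwords against it.
Added example for this post, not AWS code. The keys are the parameter names
of the UpdateAccountPasswordPolicy API, so with boto3 the same dictionary
could be applied as iam.update_account_password_policy(**POLICY)."""
import string

# Assumed values for this example.
POLICY = {
    "MinimumPasswordLength": 14,      # API accepts 6..128
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,             # days, API accepts 1..1095
    "PasswordReusePrevention": 24,    # previous passwords remembered, 1..24
    "HardExpiry": False,              # True blocks sign-in after expiry instead of prompting for a change
}

# Characters the IAM console lists as satisfying "non-alphanumeric character".
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

# Ranges the API accepts for the numeric settings.
RANGES = {
    "MinimumPasswordLength": (6, 128),
    "MaxPasswordAge": (1, 1095),
    "PasswordReusePrevention": (1, 24),
}


def validate_policy(policy):
    """Return the names of numeric settings outside the range the API accepts."""
    bad = []
    for key, (lo, hi) in RANGES.items():
        if key in policy and not lo <= policy[key] <= hi:
            bad.append(key)
    return bad


def password_violations(password, policy=POLICY):
    """Return the rules `password` fails under `policy` (empty list = compliant)."""
    failures = []
    if len(password) < policy["MinimumPasswordLength"]:
        failures.append("MinimumPasswordLength")
    character_rules = [
        ("RequireUppercaseCharacters", string.ascii_uppercase),
        ("RequireLowercaseCharacters", string.ascii_lowercase),
        ("RequireNumbers", string.digits),
        ("RequireSymbols", IAM_SYMBOLS),
    ]
    for rule, charset in character_rules:
        if policy.get(rule) and not any(c in charset for c in password):
            failures.append(rule)
    return failures


if __name__ == "__main__":
    print("policy problems:", validate_policy(POLICY) or "none")
    for candidate in ("password", "Password1", "Correct-Horse-Battery-9"):
        print("{:25} -> {}".format(candidate, password_violations(candidate) or "compliant"))
```

The same settings can be applied from the command line with aws iam update-account-password-policy and its --minimum-password-length, --require-symbols, --require-numbers, --require-uppercase-characters, --require-lowercase-characters, --max-password-age and --password-reuse-prevention options, and read back with aws iam get-account-password-policy.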


I've written extensivley about IAM users in this article but haven't really expanded much on groups and roles. I found groups to be somewhat analogous to the groups we have in UNIX/Linux wherein users part of the group have the same privileges as the group itself. So in case of IAM groups, an access policy appllied to the group will also be applicable to all members of the group. Roles is something interesting. Roles provide the ability to grant rights to particular AWS serivces to interact with other AWS services. For example, we can create a role to allow EC2 services to able to interact and work with Amazon S3 service.

Comments:

  1. Super blog provided by you, thanks, keep updating. AWS Online Training Hyderabad

  2. Really it is very useful information for us. Thanks for sharing.
    AWS Training In Hyderabad
