AWS Identity and Access Management (IAM) is a web service on the AWS platform that provides access control (authentication and authorization) for AWS resources.
AWS Identity and Access Management (IAM) provides the following key capabilities.
1. Access control to AWS resources - IAM enables fine-grained access control to AWS resources and APIs. Access can also be restricted by conditions such as time of day, originating IP address, whether the request used SSL, and whether MFA was used.
2. Multi-factor authentication (MFA) - IAM supports MFA, which augments basic password authentication with a token- or device-based second factor.
3. Federated access - IAM can grant access to AWS resources for a company's existing employees using the company's existing identity system.
4. Analytics - IAM provides reporting capabilities to analyze the access granted across AWS resources and services.
AWS provides three identity types - Users, User Groups, and Roles - to manage access to AWS resources.
IAM Users - Users are individual entities in IAM (real people or applications). Each user can be given individual security credentials (access keys, passwords, multi-factor authentication) and individual access to AWS resources and services.
User Groups - User groups are collections of users. Permissions can be set on a group so that all users within the group have the same permissions.
IAM Roles - IAM roles are entities that can be created and assigned specific permissions. A role is not associated with a single user or group; it can be assumed by any identity that needs it.
The root user is the identity (email address and password) used to create the AWS account. The root user has complete access to all AWS services and resources in the account. After creating the account, it is recommended to create a separate admin user for administrative and everyday tasks instead of using the root user.
Following are some best practices to manage access to AWS resources.
Do not use the root account - The root account has access to all of your AWS resources and services, so it is a best practice not to share or use it.
Use groups - Instead of granting access to AWS resources and services to individual users, create groups, grant the needed access to the groups, and add users to the groups, so that all users within a group have the same access.
Enable multi-factor authentication (MFA) - It is a best practice to enable MFA for privileged users such as admins. MFA adds an extra layer of protection on top of basic user ID and password authentication.
Grant least privilege - Grant only the minimum permissions required by the user or group.
Policies are objects in AWS that are attached to an identity (users, groups, roles) or to AWS resources to define their permissions. Policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.
Following are some key elements in a policy JSON schema.
Version - Specifies the version of the policy language.
Statement - The main policy element, containing the elements below. A policy can have more than one statement.
Sid - Statement ID that differentiates between statements.
Effect - Indicates whether the statement allows or denies access. Possible values are 'Allow' or 'Deny'.
Principal - The account, user, or role to which access is allowed or denied. This is applicable only in resource-based policies.
Action - Specifies the list of actions that the statement allows or denies.
Resource - Specifies the list of resources to which the statement applies. This is only applicable in IAM permissions policies.
Condition - Specifies the circumstances under which the statement grants permissions.
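As an added example, not part of the original text: a constructed identity-based policy using the elements above (Version, Statement, Sid, Effect, Action, Resource, Condition), together with a small Python evaluator that applies the IAM evaluation rule (an explicit Deny overrides any Allow, and a request with no matching Allow is denied by default). The bucket name, the helper names and the limited Condition support are assumptions for illustration; the real IAM engine is not this code.

```python
import fnmatch
import json
# Constructed sample identity-based policy (not from the page): S3 access to one
# bucket only with MFA, plus an explicit Deny on object deletion that wins over it.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketAccessWithMFA",
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "NeverDeleteObjects",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
""")

def _matches(patterns, value):
    # Action and Resource may be one string or a list; IAM wildcards are * and ?.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_matches(condition, context):
    # Only the Bool operator (used for the MFA key above) is implemented here.
    assert set(condition) <= {"Bool"}, "unsupported condition operator"
    return all(str(context.get(k, "false")).lower() == str(v).lower()
               for k, v in condition.get("Bool", {}).items())

def evaluate(policy, action, resource, context=None):
    """One request -> 'Allow' or 'Deny': explicit Deny wins, then Allow, else deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny overrides any matching Allow
        allowed = True
    return "Allow" if allowed else "Deny"
```

Calling evaluate with and without the aws:MultiFactorAuthPresent context key shows why MFA-conditioned Allow statements are a cheap guard rail for privileged actions.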