AWS Identity and Access Management

AWS IAM

  • AWS Identity and Access Management (IAM) is a service that enables secure management of access to AWS resources.

  • It allows users to define and control permissions, create and manage users, groups, and roles, enhancing security and facilitating fine-grained access control within the AWS environment.

It is mainly for two purposes: Authentication and Authorization.

We have 4 main terms here:

  1. Users: IAM users are individual entities with unique credentials within an AWS account. They are assigned policies defining their permissions, allowing them to interact with AWS resources.

  2. Policies: IAM policies are documents defining permissions and access control rules. They specify what actions are allowed or denied on AWS resources for users, groups, or roles. Policies are attached to these entities to regulate their access, providing a granular and secure way to manage permissions within the AWS environment. If we attach no policies, the user will not be able to do anything except log in.

  3. Groups: A group is a collection of IAM users. Instead of attaching policies directly to individual users, you can create a group, attach policies to the group, and then add users to the group. This helps in managing and assigning permissions at scale, making it more efficient to handle access control.

  4. Roles: A role is another entity that you can create and manage. However, unlike groups or users, a role is not tied to a specific AWS identity such as a user or a group. Instead, a role defines a set of permissions for making AWS service requests and is assumed by AWS services, or by users from outside your AWS account, when they need those permissions.

Let us create an IAM user

For now we will not assign any policies to it, i.e. authentication only, no authorization.

Open the AWS Management Console and navigate to the IAM service.

Find Users in the left-hand navigation.

Then click on Create user.

Then choose all the settings as shown in the screenshot below and click on next.

Now do not attach any policies for now and simply click on next.

Now review all the settings once and click on create user.

Now your IAM user is created. Click on Download .csv file.

Now log out of the root account, go back to the sign-in page and sign in as the IAM user. The Account ID is the 12-digit number found in the console sign-in URL, as shown in the above screenshot.

Now enter the IAM user name and password which can be obtained from the .csv file you just downloaded. Click on Sign-in.

Now you will be asked to generate a new password. Do so and click on Confirm Password change.

You will be logged-in as an IAM user.

Since we did not attach any policies, this user does not have permission to do anything.

In order to do anything we need to have permissions. So for now let's go back to our root account, and assign some permissions to this IAM user.

Go to the IAM service and click on the test-user.

After clicking on the test-user, you will see this kind of page.

Click on Add permissions and then Add permissions again.

You will land on the page shown in the screenshot below.

We could have done this while creating the user, but for demonstration purposes we kept things simple. That was just the authentication part.

Now we will be doing the authorization part.

Click on Attach policies directly as shown in the above screenshot.

The list of policies you will see is known as AWS managed policies. Here is the screenshot.

But what if you want to define your own permissions? For that you have to write a custom policy. We will learn that in the future.

For now, search for s3 in the search bar and choose AmazonS3FullAccess.

This policy is written by AWS for us. When we write our own custom policies, we will use this same JSON format.

Click on next.

Review and click on Add permissions.

Now you will be able to see that the user has 1 policy added, as shown in the screenshot below.

Now let us log-in back as test-user and see whether we can access S3 services or not. Don't forget to enter the new password you created.

Now if you try to access the S3 service, you will be able to access it.

So far we have covered the concepts of authentication and authorization in IAM.

Groups

Suppose we have 5 developers in our team. We could create 5 different users and attach policies to each of them, which is going to be a lengthy task. Instead, we can create a group, attach the policies to it, and add the users to the group.

Also, if in the future you want to modify some permissions, without a group you would have to go through each user one by one and change the policies. With a group, you simply change the policies of the group, and the change is reflected in all of the users associated with that group.

Let us see how to work with groups.

Log-in as the root user again. Go to the IAM service and click on user groups as shown in the screenshot below.

Then click on create group.

Give the group a name, add users to it, and attach the required policies. Note that you can also add users and policies afterwards.

Then click on the create group option at the bottom right.

Your group will be created and you can add more users and policies as required and can remove them also as required by going inside the group.
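The two ideas above, the JSON policy format that AmazonS3FullAccess and our future custom policies share, and groups as the place where permissions are attached once and inherited by every member, can be replayed in code. The following is an added example, not code from AWS or from this tutorial: a toy model of users, groups and policies in Python. The policy documents use the real IAM JSON shape (the first one is constructed to look like AmazonS3FullAccess; check the console for the managed policy's exact current text, and the bucket, user and group names are made up), but the evaluation is a deliberate simplification of what AWS does: it honours only Effect, Action and Resource with wildcards, and keeps the two rules this tutorial relies on, that a user with no matching Allow is denied and that an explicit Deny wins over any Allow.

```python
"""Toy model of IAM users, groups and policies (added example, not AWS code).

Policy documents use the real IAM JSON shape, but evaluation is simplified:
only Effect, Action and Resource with '*' wildcards are honoured (no
Condition, NotAction, resource policies or permission boundaries). It keeps
the two rules the tutorial relies on: a request with no matching Allow is
denied (default deny), and a matching Deny wins over any Allow.
"""
import json
from fnmatch import fnmatchcase

# Constructed policies. The first has the shape of the managed policy
# AmazonS3FullAccess (check the console for its exact current text); the
# others are custom policies of the kind we would write ourselves.
POLICIES = {
    "AmazonS3FullAccess": json.loads("""
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    """),
    "ReadExampleBucket": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::example-bucket",
                                    "arn:aws:s3:::example-bucket/*"]}],
    },
    "DenyS3Delete": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}],
    },
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    return (any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))

def evaluate(policy_docs, action, resource):
    """Return 'allow' or 'deny' for one request against a set of policy documents."""
    allowed = False
    for doc in policy_docs:
        for stmt in doc["Statement"]:
            if _matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "deny"        # explicit deny always wins
                allowed = True
    return "allow" if allowed else "deny"  # nothing allowed it: default deny

class Account:
    """Users, groups and which policy names are attached to each."""
    def __init__(self):
        self.user_policies, self.user_groups, self.group_policies = {}, {}, {}

    def create_user(self, name):
        self.user_policies[name], self.user_groups[name] = set(), set()

    def create_group(self, name):
        self.group_policies[name] = set()

    def add_user_to_group(self, user, group):
        self.user_groups[user].add(group)

    def attach_user_policy(self, user, policy):
        self.user_policies[user].add(policy)

    def attach_group_policy(self, group, policy):
        self.group_policies[group].add(policy)

    def effective_policies(self, user):
        """Policies attached directly to the user plus those of every group it is in."""
        names = set(self.user_policies[user])
        for group in self.user_groups[user]:
            names |= self.group_policies[group]
        return names

    def is_allowed(self, user, action, resource):
        docs = [POLICIES[n] for n in self.effective_policies(user)]
        return evaluate(docs, action, resource) == "allow"

OBJ = "arn:aws:s3:::example-bucket/a.txt"   # constructed object ARN

def demo():
    """Replay the tutorial's scenario; returns a dict of request outcomes."""
    acct = Account()
    devs = [f"dev{i}" for i in range(1, 6)]
    for name in devs + ["test-user"]:
        acct.create_user(name)
    r = {}
    # test-user with no policies: authenticated, but every request is denied.
    r["fresh_user_get"] = acct.is_allowed("test-user", "s3:GetObject", OBJ)
    acct.attach_user_policy("test-user", "AmazonS3FullAccess")
    r["full_access_get"] = acct.is_allowed("test-user", "s3:GetObject", OBJ)
    r["full_access_ec2"] = acct.is_allowed("test-user", "ec2:RunInstances", "*")
    # Five developers managed through one group instead of five attachments.
    acct.create_group("developers")
    for dev in devs:
        acct.add_user_to_group(dev, "developers")
    acct.attach_group_policy("developers", "ReadExampleBucket")
    r["group_read_all"] = all(acct.is_allowed(d, "s3:GetObject", OBJ) for d in devs)
    r["group_other_bucket"] = acct.is_allowed("dev1", "s3:GetObject", "arn:aws:s3:::other/a.txt")
    # One change on the group is reflected in all five users at once.
    acct.attach_group_policy("developers", "AmazonS3FullAccess")
    r["group_delete_all"] = all(acct.is_allowed(d, "s3:DeleteObject", OBJ) for d in devs)
    acct.attach_group_policy("developers", "DenyS3Delete")
    r["group_delete_after_deny"] = any(acct.is_allowed(d, "s3:DeleteObject", OBJ) for d in devs)
    return r

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints one line per request. The fresh test-user is denied everything, attaching AmazonS3FullAccess opens up S3 (and only S3, so ec2:RunInstances stays denied), the ReadExampleBucket custom policy limits the developers to one bucket, and the last two steps show why groups pay off: one attach on the developers group changes what all five members can do, and a single Deny statement attached to the group overrides the full-access Allow for every member. In a real account, the console or the AWS CLI would perform these attachments, and the IAM policy simulator would answer the same allow/deny questions.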

That was about groups.

We will learn more about roles when we cover the AWS services related to CI/CD.

Outro

So that was a big picture of AWS IAM. We covered a lot actually.

As we move ahead we will be covering more concepts. Stay tuned.