When we talk about security, AWS IAM (Identity and Access Management) is one of the most fundamental and critical AWS service which needs suitable observation to design it because any careless and negligible exercise leads to huge complications. AWS IAM is often ignored at project start, which leads to enormous complications while managing access to resources down the road. Most of the time it's appropriate to design IAM properly at the beginning - this prevents teams from needing to change the IAM management format every time a new requirement is identified.
It's impossible to build an approach to IAM that never changes, and also provides full functionality in infrastructure environments. Let's talk about some best practices which help teams manage things in a proper manner.
In this blog series, we will talk about IAM options and their use-cases, and we will also talk about best practices while configuring IAM and how to manage IAM access using Terraform. For this, I will be writing several blogs in this series to cover the following topics:
- AWS IAM: The challenge
- AWS IAM: Best practices Part 1
- AWS IAM: Best practices Part 2
What options we have
Before diving into the IAM approaches, let's talk about the pieces to IAM, including: policy, user, group and roles. Let's also talk about some basics and importance of these AWS IAM options.
As per AWS official documentation, a policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied.
In simple terms, policy is backbone of AWS IAM which actually contains all the logic (like allow/deny) on the basis of rules we defined in IAM policy.
AWS as JSON documents.
AWS also provided multiple ways to create and validate IAM polices like AWS Policy Generator and IAM Access Analyzer. IAM access analyzer is very powerful which not only validate but also provides multiple features like unintended access to AWS resources and which policy elements don’t conform to AWS best practices also maintained by IAM access analyzer.
IAM user is an object that we create in AWS which is provided to user or application. The main function of IAM user is to provide access to resources on the basis of policy that attached to IAM user. There are two types of request that IAM user can utilize:
- AWS management console access
- Programmatic access using credentials
An IAM role is an identity with permission policies that determine what the user can and cannot do in AWS. However, a role does not have any credentials (password or access keys) associated with it. It is very similar to user because those using it can request to get access to AWS resources.
There are multiple situation where IAM roles can be used:
- Grant the user access to the AWS resources in AWS account
- Grant AWS resources access to other AWS resources
- A role can be assigned to a federated user who signs in by using an external identity provider instead of IAM
- Roles also used in AWS Security Token Service API
An IAM group is a collection of IAM users. You can use groups to specify permissions for a collection of users, which can make those permission easier to manage for those users.
An IAM group holds IAM policies which is used by similar users.
We didn't cover every aspect of AWS IAM, but we did cover the basic objects. Next we'll dive into the main parts of this blog series. This is written not only for folks who already have a great depth of knowledge of AWS IAM but also for folks who have only a basic understanding about AWS IAM.
This blog series will mainly focus on the approaches and practices which can help in planning a structure or format for AWS IAM management. These approaches are not mandatory but according to use-case, anyone can follow any practices which can help them to set up AWS IAM in a proper way. Please let us know if you have any suggestions and approach related to this blog or IAM.
Stay tuned for upcoming AWS IAM blogs. Keep learning!
Opstree is an End to End DevOps solution provider.
Contact us :)