AWS – IAM (Identity and Access Management)

IAM stands for Identity and Access Management. It lets you manage users and their level of access to the AWS console.

Features of IAM :

  • Centralized control of your AWS account.
  • Integrates with an existing Active Directory, allowing single sign-on.
  • Fine-grained access control to AWS resources.
  • Access is granted to users, groups and roles.
  • Multi-factor authentication.
  • Temporary access for users, devices and services where necessary.
  • Lets you set up your own password rotation policy.

High Level Concepts :

  • User – an end user (think people).
  • Group – a collection of users under one set of permissions.
  • Role – similar to a group, but it can be assigned to AWS resources (such as EC2) as well as users. An EC2 instance could instead have credentials stored on it, but that is a security risk and hard to manage; roles solve that problem.

Roles and their Policy Templates :

  • Administrator Access
    • Full access to all AWS services and resources.
  • Power User Access
    • Full access except management of users and groups.
  • Read Only Access
    • Read-only access to resources.
  • More granular access depending on the resource required (such as S3 access).
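
The policy documents behind the three templates listed above, as an added example that is not part of the original post. AdministratorAccess is reproduced exactly; PowerUserAccess is a simplified model of the AWS-managed policy (the managed copy carries a few extra allowed actions); the S3 policy is a constructed example of the "more granular" access for a placeholder bucket name. The last function needs the AWS CLI and credentials and fetches what the managed copy grants today, which is worth checking before attaching a template to a group:

```shell
#!/bin/sh
# Added example (not from the original post): the policy documents behind the
# three templates, plus a helper that reads the AWS-managed copy from the account.

# AdministratorAccess: every action on every resource.
administrator_access_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "*", "Resource": "*" }
  ]
}
EOF
}

# PowerUserAccess (simplified model of the managed policy): everything except
# managing identities and the account itself. Note the NotAction form: it allows
# any action NOT listed, so newly launched services are allowed automatically.
power_user_access_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "account:*"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Granular access (constructed example): read-only on one bucket. ListBucket is
# checked against the bucket ARN, GetObject against the object ARN (trailing /*).
s3_bucket_read_policy() {
    bucket="$1"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# ARN of an AWS-managed policy by name
# (AdministratorAccess, PowerUserAccess, ReadOnlyAccess).
managed_policy_arn() {
    echo "arn:aws:iam::aws:policy/$1"
}

# Fetch the current document of a managed policy so you know exactly what the
# template grants before attaching it (needs the AWS CLI and credentials).
show_managed_policy() {
    arn=$(managed_policy_arn "$1")
    version=$(aws iam get-policy --policy-arn "$arn" \
        --query 'Policy.DefaultVersionId' --output text)
    aws iam get-policy-version --policy-arn "$arn" --version-id "$version" \
        --query 'PolicyVersion.Document' --output json
}
```

Run `show_managed_policy PowerUserAccess` to compare the simplified model above with the live managed policy; the NotAction pattern is the reason Power User Access keeps widening as AWS adds services, which is why a granular per-resource policy is the better default for service accounts.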

Configure IAM for your account :

Step 1 : Log in to the AWS account.

Step 2 : Click on IAM under Security, Identity & Compliance. This opens the IAM Dashboard.

The dashboard shows the IAM user sign-in link. The default link is hard to remember, so we are going to customize it.

Step 3 : Activate multi-factor authentication on the root account to make it more secure.

Step 4 : Create a new IAM user that will be used to sign in to the AWS console.

We could create a group here as well, but we are going to create it from the dashboard, so simply click Next: Review.

Now click Create User.

The user is now created. Download the credentials file at this point: it will be needed later, and it cannot be retrieved again once this page is skipped.

Now go back to the dashboard to apply the other IAM settings to the user.

Step 5 : Create a group to assign the permissions.

Click on Manage Groups to create a new group.

After clicking Create New Group, it prompts for the group name. I am naming it Developer; you can set whatever name you want. Click Next.

After clicking Next, it asks for the policy that grants permissions to the user we created earlier. In my scenario I am selecting Power User Access.

Finally we get the review page summarizing the configuration made on the previous pages.

The Groups page now lists the group we created.

Step 6 : Add the user to the group we created.

Now click Add Users to Group.

Select the user we created and associate it with the Developer group.

Step 7 : Go back to the dashboard.

Step 8 : Set the IAM password policy.

Roles : A role is effectively like a group, but it can also be attached to AWS resources. For example, we can allow an EC2 instance to access S3 without having to store a user's credentials on the instance to give it that access.

Step 9 : To create a new role, click Create New Role.

Select Amazon EC2 as the service that will use the role and click Next Step.

The role is now created.
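
The same setup as Steps 2 and 4 to 9 above (sign-in alias, user, group with Power User Access, password policy, EC2 role), done with the AWS CLI instead of the console, as an added example that is not part of the original post. The alias, user name, role name and the password-policy values are assumptions; the group name Developer and the Power User Access policy match the post. Step 3 (MFA on the root account) is left to the console as in the post. By default the script only prints the commands it would run (DRY_RUN=1); with the AWS CLI installed and credentials configured, DRY_RUN=0 applies them to the account:

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of the console steps.
# Names and password-policy values below are assumptions; adjust to your standard.
set -u

ALIAS="${ALIAS:-example-org}"           # assumption: custom sign-in alias (Step 2)
USER_NAME="${USER_NAME:-dev-user}"      # assumption: console user (Step 4)
GROUP_NAME="${GROUP_NAME:-Developer}"   # group name used in the post (Step 5)
ROLE_NAME="${ROLE_NAME:-ec2-s3-read}"   # assumption: role EC2 uses to reach S3 (Step 9)
INITIAL_PASSWORD="${INITIAL_PASSWORD:-CHANGE-ME-AT-FIRST-LOGIN}"  # placeholder

# Print each aws command; execute it only when DRY_RUN=0.
run() {
    echo "aws $*"
    [ "${DRY_RUN:-1}" = "1" ] || aws "$@"
}

# Trust policy: lets the EC2 service assume the role (the "Amazon EC2" choice in Step 9).
ec2_trust_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Step 2: the sign-in link becomes https://<alias>.signin.aws.amazon.com/console
create_alias() { run iam create-account-alias --account-alias "$ALIAS"; }

# Step 4: IAM user with console access; password must be changed at first sign-in.
create_user() {
    run iam create-user --user-name "$USER_NAME"
    run iam create-login-profile --user-name "$USER_NAME" \
        --password "$INITIAL_PASSWORD" --password-reset-required
}

# Steps 5-6: group with the PowerUserAccess managed policy, then the user joins it.
create_group() {
    run iam create-group --group-name "$GROUP_NAME"
    run iam attach-group-policy --group-name "$GROUP_NAME" \
        --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
    run iam add-user-to-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"
}

# Step 8: account password policy (length, complexity, rotation, reuse prevention).
set_password_policy() {
    run iam update-account-password-policy \
        --minimum-password-length 14 \
        --require-uppercase-characters --require-lowercase-characters \
        --require-numbers --require-symbols \
        --allow-users-to-change-password \
        --max-password-age 90 --password-reuse-prevention 24
}

# Step 9: role EC2 can assume, a read-only S3 managed policy on it, and an
# instance profile so the role can be attached to an instance (no stored keys).
create_ec2_role() {
    tmp="${TMPDIR:-/tmp}/trust-$$.json"
    ec2_trust_policy > "$tmp"
    run iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document "file://$tmp"
    run iam attach-role-policy --role-name "$ROLE_NAME" \
        --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
    run iam create-instance-profile --instance-profile-name "$ROLE_NAME"
    run iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
        --role-name "$ROLE_NAME"
    rm -f "$tmp"
}

# Whole procedure in the order of the post; eleven aws calls in total.
setup_iam() {
    create_alias
    create_user
    create_group
    set_password_policy
    create_ec2_role
}

# Print the plan (DRY_RUN=1, default) or apply it (DRY_RUN=0).
setup_iam
```

The role reaches the instance through its instance profile (for example with `aws ec2 associate-iam-instance-profile`, or the `--iam-instance-profile` option of `run-instances`); the instance then obtains short-lived credentials for the role automatically, which is what replaces stored user credentials on the machine.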

Summary :

  • IAM is effectively the management console for controlling access to AWS resources across an organisation.
  • IAM consists of users, groups and roles.
  • A user is an individual; a group is a collection of users with one set of permissions; roles can be applied to both users and AWS services (such as Lambda, EC2, etc.).
  • Enable multi-factor authentication.
  • Create a single sign-on link for users within your organisation.
  • Set a password policy.