AWS Identity and Access Management (IAM) is the most widely used AWS service. Amazon Web Services (AWS) offers a high level of data protection when compared to an on-premises environment, at a lower cost. IAM enables secure, controlled access to AWS resources and services for customers. Customers can create and manage AWS users as well as groups, […]
What are the important components of IAM?
A principal is an entity in AWS that can perform actions and access resources. A principal can be an AWS account root user, an IAM user, or a role. You can grant permissions to access a resource in one of two ways: by attaching a policy to the principal (an identity-based policy) or by attaching a policy to the resource (a resource-based policy).
Use the Principal element in a policy to specify the principal that is allowed or denied access to a resource. AWS customers cannot use the Principal element in an IAM identity-based policy. They can use it in the trust policies for IAM roles and in resource-based policies. Resource-based policies are policies that are embedded directly in the resource itself; for example, customers can embed policies in an Amazon S3 bucket or an AWS KMS customer master key (CMK).
AWS customers can specify any of the following principals in a policy:
- AWS account and root user
- IAM users
- Federated users (using web identity or SAML federation)
- IAM roles
- Assumed-role sessions
- AWS services
- Anonymous users (not recommended)
AWS customers can use the Principal element in these ways:
- In IAM roles, use the Principal element in the role’s trust policy to specify who can assume the role. For cross-account access, the customer must specify the 12-digit identifier of the trusted account.
- In resource-based policies, use the Principal element to specify the accounts or users who are allowed to access the resource.
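The two uses of the Principal element described above, as an added Python example that is not part of the original article and not AWS code: one function builds a role trust policy that names a trusted account (validating that the identifier really is 12 digits, and optionally adding an sts:ExternalId condition, a safeguard the article itself does not mention), a second builds an S3 bucket policy whose Principal element lists specific IAM identities, and a third checks a policy for the anonymous ("*") principal the list above flags as not recommended. The account ID, bucket name and user names are constructed placeholders, not real resources.

```python
import json
import re
from typing import List, Optional

# Constructed sample values for this example (not a real account or bucket).
TRUSTED_ACCOUNT_ID = "111122223333"
BUCKET_NAME = "example-bucket-placeholder"

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def validate_account_id(account_id: str) -> str:
    """Return the account ID if it is a 12-digit AWS account identifier, else raise."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def cross_account_trust_policy(trusted_account_id: str, external_id: Optional[str] = None) -> dict:
    """Trust policy for an IAM role: the Principal element names the trusted account.

    When external_id is given, an sts:ExternalId condition is added so that the
    role can only be assumed by callers that present that value (an addition of
    this example, not something the article describes).
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{validate_account_id(trusted_account_id)}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def bucket_read_policy(bucket: str, principal_arns: List[str]) -> dict:
    """Resource-based (S3 bucket) policy whose Principal element lists allowed IAM identities."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListedPrincipalsRead",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arns},
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def has_anonymous_principal(policy: dict) -> bool:
    """True if any Allow statement grants access to everyone ("*"), i.e. anonymous users."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(cross_account_trust_policy(TRUSTED_ACCOUNT_ID, "example-external-id"), indent=2))
    reader = f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:user/alice"  # constructed user ARN
    print(json.dumps(bucket_read_policy(BUCKET_NAME, [reader]), indent=2))
```

The generated JSON is what would be pasted into the role's trust relationship or the bucket's policy; the has_anonymous_principal check is the kind of test a deployment pipeline can run over policies before they are applied.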
A request is what a principal sends to AWS in order to use the AWS Management Console, the AWS API, or the AWS CLI. The request includes:
- Actions or operations – The actions or operations that the principal wants to perform.
- Resources – The AWS resource object upon which the actions or operations are performed.
- Principal – The person or application that used an entity (user or role) to send the request. Information about the principal includes the policies that are associated with the entity that the principal used to sign in.
- Environment data – Information about the IP address, user agent, SSL enabled status, or the time of day.
- Resource data – Data related to the resource that is being requested. This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.
AWS gathers the request information into a request context, which is used to evaluate and authorize the request.
Authorization is the process of specifying exactly what actions a principal can and cannot perform on AWS resources. Once IAM has authenticated the principal, it must control that principal’s access in order to protect the customer’s AWS infrastructure. Authorization is handled in IAM by defining specific privileges in policies and associating those policies with principals. Each permission in a policy consists of the following parts:
- Effect – Allow or Deny.
- Service – Most AWS Cloud services support granting access through IAM, including IAM itself.
- Resource – The resource value specifies the specific AWS infrastructure to which this permission applies.
- Action – The action value specifies the subset of actions within a service that the permission allows or denies.
- Condition – The condition value optionally defines one or more additional restrictions that limit the actions allowed by the permission.
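To make the Effect, Resource, Action and Condition parts concrete, here is an added Python example (written for this article, not AWS's evaluation engine) that runs a request context, including the aws:SourceIp environment data described under "Request", through a simplified evaluation of identity-based policy statements: an explicit Deny in any matching statement wins, otherwise an Allow is needed, and with no match the result is an implicit Deny. It is a deliberately reduced model; the real service also considers organisation SCPs, permission boundaries, session and resource-based policies, and many more condition operators. The policy and request values are constructed samples.

```python
import fnmatch
import ipaddress
from typing import Any, Dict, List


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') for Action and Resource values."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Every operator and every key in the Condition block must hold (logical AND).

    Only the two operators this example needs are implemented; anything else raises
    rather than silently evaluating to true.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # context key absent: the condition cannot be satisfied
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected)):
                    return False
            else:
                raise NotImplementedError(f"unsupported condition operator {operator}")
    return True


def evaluate(policies: List[dict], request: Dict[str, Any]) -> str:
    """Simplified identity-based policy evaluation for one request.

    request = {"action": ..., "resource": ..., "context": {environment data}}.
    Explicit Deny beats Allow; no matching Allow means the default (implicit) Deny.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt.get("Action", []), request["action"]):
                continue
            if not _matches(stmt.get("Resource", []), request["resource"]):
                continue
            if not _condition_holds(stmt.get("Condition", {}), request.get("context", {})):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed sample policy: read the reports bucket only from the office range,
# and never touch the secret/ prefix regardless of any Allow.
READ_ONLY_FROM_OFFICE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::reports-placeholder", "arn:aws:s3:::reports-placeholder/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::reports-placeholder/secret/*"},
    ],
}


def demo() -> Dict[str, str]:
    """Run a few constructed requests through evaluate() and return the decisions."""
    q1 = "arn:aws:s3:::reports-placeholder/q1.pdf"
    secret = "arn:aws:s3:::reports-placeholder/secret/keys.txt"
    office = {"aws:SourceIp": "203.0.113.7"}
    remote = {"aws:SourceIp": "198.51.100.9"}
    cases = {
        "office_read": {"action": "s3:GetObject", "resource": q1, "context": office},
        "remote_read": {"action": "s3:GetObject", "resource": q1, "context": remote},
        "office_write": {"action": "s3:PutObject", "resource": q1, "context": office},
        "secret_read": {"action": "s3:GetObject", "resource": secret, "context": office},
    }
    return {name: evaluate([READ_ONLY_FROM_OFFICE], req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Only office_read is allowed: the remote read fails the Condition, the write is not in the Action list (implicit deny), and the read under secret/ is explicitly denied even though the first statement would allow it.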
After AWS approves the operations in a customer’s request, they can be performed on the related resources within the customer’s account. A resource is an object that exists within a service; examples include an Amazon EC2 instance, an IAM user, and an Amazon S3 bucket. The service defines a set of actions that can be performed on each resource.
A principal must be authenticated (signed in to AWS) using their credentials to send a request to AWS.
To authenticate from the console as a root user, customers need to sign in with their email address and password.
- As an IAM user, customers sign in with their account ID or alias, and then their user name and password.
A principal can be authenticated in three ways:
- By using a user name and password.
- By using an access key, which is a combination of an access key ID (20 characters) and a secret access key (40 characters).
- By using an access key and session token – when a process operates under an assumed role, the temporary security credentials for that role provide an access key and session token for authentication.
After the request has been authenticated and authorized, AWS approves the actions or operations in the customer’s request. Operations are defined by a service and include the things that a customer can do to a resource, such as viewing, creating, editing, and deleting that resource. IAM supports approximately 40 actions for a user resource, including the following actions:
To allow a principal to perform an operation, you must include the necessary actions in a policy that applies to the principal or to the affected resource.
Operations (actions) are defined by a service and include things such as viewing, creating, editing, and deleting a resource. For a principal (root user, IAM user, or role) to be granted these operations, its request must pass both authentication and authorization.