AWS Identity and Access Management (IAM) is the most widely used AWS service. Amazon Web Services (AWS) offers a high level of data protection compared with an on-premises environment, at a lower cost. IAM enables secure, controlled access to AWS resources and services for customers. Customers can create and manage AWS users as well as groups, […]
What is an IAM User in AWS?
An IAM user is an entity that customers create in AWS. The IAM user represents the person or service who uses the IAM user to interact with AWS. A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI. A user in AWS consists of a name, a password to sign in to the AWS Management Console, and up to two access keys that can be used with the API or CLI. IAM user accounts are user accounts that customers can create to access the individual services offered by AWS.
Root users can create IAM users and assign them individual security credentials such as passwords, access keys, and multi-factor authentication devices, or request temporary security credentials to give those users access to AWS services and resources.
- An IAM user represents the person or service who uses the IAM user to interact with AWS.
- A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI.
- Root users can create IAM users, attach group-level or user-level policies to them, and share these IAM accounts with other entities.
- Group-level and user-level policies authorize or restrict individual IAM users' access to AWS services under the root user's account.
- IAM users are individuals who have been granted access to an AWS account. Each IAM user has three main components:
  - A user name.
  - A password.
  - Permissions to access various resources.
- Customers have persistent identities set up through the IAM service to represent individual people or applications.
The description of power user access given by AWS is “Provides full access to AWS services and resources, but does not allow management of Users and groups.” Managing users is the highest-privilege operation in AWS, so it is granted only by the administrative access policy.
- Power users sit just below the root user and have all the privileges the root user has, with the exception of the ability to manage IAM users.
Roles and Temporary Security Tokens
An AWS IAM role is similar to a user: it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. Roles can also be used to delegate access to users, applications, or services so that they can reach AWS resources.
- Roles are used to grant specific privileges to specific entities for a set duration of time. These entities can be authenticated by AWS.
- AWS provides these entities with a temporary security token from the AWS Security Token Service (STS), whose lifespan runs from 5 minutes to 36 hours.
- Customers can create roles in IAM and manage permissions to control which operations can be performed by the entity.
- Customers can also define which entity is allowed to assume the role. In addition, they can use service-linked roles to delegate permissions to AWS services that create and manage AWS resources on their behalf.
- Granting permissions to users from other AWS accounts, whether or not customers control those accounts, is known as cross-account access.
- IAM users can temporarily assume a role to take on permissions for a specific task.
- Temporary credentials are primarily used with IAM roles and automatically expire.
- A role can be assigned to a federated user who signs in using an external identity provider.
- IAM roles can be used to grant applications running on EC2 instances permission to make AWS API requests, using instance profiles.
- Only one role can be assigned to an EC2 instance at a time.
- Using IAM roles for Amazon EC2 removes the need to store AWS credentials in a configuration file.
- IAM role delegation has two policies:
  - Permissions policy – grants the user of the role the required permissions on a resource.
  - Trust policy – specifies the trusted accounts that are allowed to assume the role.
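The two policies above are easiest to see side by side. The following is an added example, not code from the article: it builds a trust policy and a permissions policy for a cross-account delegation in AWS's standard policy JSON, then checks which callers the trust policy admits and flags the two trust-policy shapes that undermine least privilege. The account ids, bucket, role and user names and the helper functions are all constructed for this illustration.

```python
"""Role delegation as two JSON policy documents: a trust policy (who may
assume the role) and a permissions policy (what the role may do).

Added example, not from the article: the document shape is AWS's standard
policy JSON, but the account ids, bucket, role and user names and the
helper functions below are constructed for this illustration."""
import json
import re

# Constructed, fictitious account ids for the two sides of a cross-account delegation.
RESOURCE_ACCOUNT = "111111111111"  # owns the role and the bucket it protects
TRUSTED_ACCOUNT = "222222222222"   # owns the identity allowed to assume the role

_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def _as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Extract the AWS principals of a statement ('*' or {'AWS': ...} forms)."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def build_trust_policy(trusted_principals):
    """Trust policy: the principals permitted to call sts:AssumeRole on the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(trusted_principals)},
            "Action": "sts:AssumeRole",
        }],
    }


def build_permissions_policy(actions, resources):
    """Permissions policy: what a caller holding the role's temporary credentials may do."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(resources),
        }],
    }


def account_of(arn):
    """12-digit account id embedded in an IAM ARN, or None if the ARN is malformed."""
    m = _ARN_RE.match(arn)
    return m.group(1) if m else None


def is_trusted(trust_policy, caller_arn):
    """Does the trust policy let caller_arn assume the role?

    An exact user/role ARN trusts that one identity. An account's ':root' ARN
    trusts the whole account: any user or role in it that also holds its own
    sts:AssumeRole permission. A bare '*' trusts every AWS account.
    """
    caller_account = account_of(caller_arn)
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for p in _principals(stmt):
            if p == "*" or p == caller_arn:
                return True
            if caller_account and p == f"arn:aws:iam::{caller_account}:root":
                return True
    return False


def audit_trust_policy(trust_policy):
    """Least-privilege findings for a trust policy, as a list of strings."""
    findings = []
    for stmt in trust_policy["Statement"]:
        for p in _principals(stmt):
            if p == "*":
                findings.append("any AWS principal may assume the role")
            elif p.endswith(":root"):
                findings.append(f"entire account trusted: {p}")
    return findings


# The worked pair: one user in the trusted account may assume the role, and
# the role may only read one bucket.
EXAMPLE_TRUST_POLICY = build_trust_policy(
    [f"arn:aws:iam::{TRUSTED_ACCOUNT}:user/deployer"])
EXAMPLE_PERMISSIONS_POLICY = build_permissions_policy(
    ["s3:GetObject", "s3:ListBucket"],
    ["arn:aws:s3:::app-artifacts", "arn:aws:s3:::app-artifacts/*"])

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_TRUST_POLICY, indent=2))
    print(json.dumps(EXAMPLE_PERMISSIONS_POLICY, indent=2))
    print(audit_trust_policy(build_trust_policy([f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"])))
```

The point worth noticing is the `:root` form: trusting an account's root ARN is how cross-account access is usually set up, but it trusts every identity in that account that its own administrator chooses to grant sts:AssumeRole, so the permissions policy on the role, not the trust policy, is what keeps the delegation narrow.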
An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have any credentials (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. An IAM user can assume a role to temporarily take on different permissions for a specific task. A role can be assigned to a federated user who signs in by using an external identity provider instead of IAM. AWS uses details passed by the identity provider to determine which role is mapped to the federated user.
An IAM group is a collection of IAM users. Groups let root users specify permissions for a collection of users at once, which makes those permissions easier to manage. Any user in the group automatically has the permissions that are assigned to the group.
- A group is not an identity and cannot be identified as a principal in an IAM policy.
- Groups are collections of users and have policies attached to them (admin, developers, human resources, …).
- A group can contain many users, and a user can belong to multiple groups.
- Groups can’t be nested (groups within groups); they can contain only users, not other groups.
- Use the principle of least privilege when assigning permissions.
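How group-level and user-level policies combine for a single user is the part that is easy to get wrong when a user sits in several groups. The following is an added example, not code from the article: a small evaluator for the rules the text describes (a user inherits every policy of every group it belongs to, an explicit Deny in any policy overrides any Allow, and no matching Allow is an implicit deny), run over constructed groups, users and policies.

```python
"""How group-level and user-level policies combine for one IAM user.

Added example, not from the article: a small evaluator for the parts of IAM
policy evaluation the text describes (a user inherits every policy of every
group it belongs to; an explicit Deny in any policy overrides any Allow; no
matching Allow is an implicit deny). The groups, users, bucket names and
policies below are constructed for this illustration."""
import re


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_matches(stmt, action, resource):
    """Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    return (any(_wildcard_match(a, action, ignore_case=True) for a in _as_list(stmt.get("Action")))
            and any(_wildcard_match(r, resource) for r in _as_list(stmt.get("Resource"))))


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"   # a Deny anywhere ends the evaluation
            decision = "allow"
    return decision


def _allow(actions, resources):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}]}


def _deny(actions, resources):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": actions, "Resource": resources}]}


# Constructed groups: each carries the policies attached to it.
GROUPS = {
    "developers": [
        _allow("ec2:Describe*", "*"),
        _allow("s3:GetObject", "arn:aws:s3:::app-artifacts/*"),
    ],
    "human-resources": [
        _allow("s3:*", "arn:aws:s3:::hr-records/*"),
        _deny("iam:*", "*"),          # HR staff must never touch IAM, whatever else they hold
    ],
}

# Constructed users: group memberships plus any user-level policies.
USERS = {
    "alice": {"groups": ["developers"], "policies": []},
    "bob": {"groups": ["developers", "human-resources"],
            # user-level Deny carving a sensitive prefix out of the group's Allow
            "policies": [_deny("s3:GetObject", "arn:aws:s3:::app-artifacts/secrets/*")]},
    "carol": {"groups": [], "policies": [_allow("iam:ListUsers", "*")]},
}


def effective_policies(user_name, users=USERS, groups=GROUPS):
    """A user's own policies plus those of every group it belongs to."""
    user = users[user_name]
    policies = list(user["policies"])
    for group_name in user["groups"]:
        policies.extend(groups[group_name])
    return policies


def decide(user_name, action, resource, users=USERS, groups=GROUPS):
    return evaluate(effective_policies(user_name, users, groups), action, resource)


def is_allowed(user_name, action, resource, users=USERS, groups=GROUPS):
    return decide(user_name, action, resource, users, groups) == "allow"


if __name__ == "__main__":
    for who, act, res in [("alice", "ec2:DescribeInstances", "*"),
                          ("bob", "iam:CreateUser", "*"),
                          ("bob", "s3:GetObject", "arn:aws:s3:::app-artifacts/secrets/key.pem")]:
        print(who, act, res, "->", decide(who, act, res))
```

Bob is the instructive case: membership in two groups gives him the union of their Allow statements, but the Deny on `iam:*` from the human-resources group and his own user-level Deny on the secrets prefix both win over any Allow, which is why adding a user to a second group can take permissions away as well as grant them.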
The “identity” aspect of AWS Identity and Access Management (IAM) helps customers with the question “Who is that user?”, often referred to as authentication. Instead of sharing their root user credentials with others, they can create individual IAM users within their account that correspond to users in their organization. IAM users are not separate accounts; they are users within customers’ accounts. Each user can have its own password for access to the AWS Management Console.
IAM provides the infrastructure needed to control authentication and authorization for customers’ accounts through the following elements: Principal, Request, Authentication, Authorization, Actions (Operations), and Resource.
A principal is an IAM entity or application that is allowed to interact with AWS resources, or that can make a request for an action or operation on an AWS resource. The principal is authenticated as the AWS account root user or as an IAM entity. A principal can be permanent or temporary, and it can represent a human or an application. The administrative IAM user is the first principal; it can allow other users to assume a role for particular services.
- There are three types of principals: root users, IAM users, and roles/temporary security tokens.
The user name and password that customers used when first creating an AWS account are called the root user account. This account holds one important right that no other account created under IAM will have: the right to delete the entire AWS account, including all storage, all EC2 instances, containers, and everything else.
- The account root user credentials are the email address used to create the account and a password. The root account has full administrative permissions, and they cannot be restricted.
- AWS recommends that customers not use the root user for their everyday tasks.
- Best practice for root accounts:
  - Don’t use the root user credentials.
  - Don’t share the root user credentials.
  - Create an IAM user and assign administrative permissions as required.
  - Enable MFA.
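Whether the root account actually follows these practices can be checked from the IAM credential report, the CSV that `aws iam get-credential-report` returns. The following is an added example, not code from the article: it parses a report and flags a root user without MFA, with an active access key, or with recent sign-in or key use, and also lists console-enabled IAM users that lack MFA. The header row follows the real report layout, but the rows and the account id are constructed for this illustration.

```python
"""Audit root-user hygiene from an IAM credential report.

Added example, not from the article: the report layout (header row and the
'not_supported' / 'N/A' value conventions) follows the CSV returned by
`aws iam get-credential-report`, but the rows below and the account id
111111111111 are constructed for this illustration."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential-report format: root without MFA and with an
# active, recently used access key; one well-configured admin; one user without MFA.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-15T10:00:00+00:00,not_supported,2024-03-01T08:12:00+00:00,not_supported,not_supported,false,true,2021-06-01T00:00:00+00:00,2024-02-28T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::111111111111:user/admin,2021-02-01T09:00:00+00:00,true,2024-03-09T07:30:00+00:00,2024-01-10T09:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dave,arn:aws:iam::111111111111:user/dave,2023-05-20T11:00:00+00:00,true,2024-03-08T16:45:00+00:00,2023-05-20T11:00:00+00:00,N/A,false,true,2023-05-20T11:00:00+00:00,2024-03-08T16:50:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed "current time" so the example is reproducible offline.
AS_OF = datetime(2024, 3, 10, tzinfo=timezone.utc)

ROOT_USER = "<root_account>"   # how the report names the root user row


def parse_credential_report(text):
    """Parse the CSV text into one dict per identity, keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def _timestamp(value):
    """Report timestamps are ISO 8601; non-dates ('N/A', 'not_supported', ...) become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_root(rows, now, recent_days=30):
    """Finding codes for the root user row, in a fixed order."""
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["ROOT_ROW_MISSING"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("ROOT_MFA_DISABLED")
    if root["access_key_1_active"] == "true" or root["access_key_2_active"] == "true":
        findings.append("ROOT_ACCESS_KEY_ACTIVE")
    # Any root activity (console password or either key) inside the window counts as
    # everyday use, which the best practice above says should not happen.
    last_used = [t for t in (_timestamp(root["password_last_used"]),
                             _timestamp(root["access_key_1_last_used_date"]),
                             _timestamp(root["access_key_2_last_used_date"])) if t]
    if last_used and now - max(last_used) <= timedelta(days=recent_days):
        findings.append("ROOT_RECENTLY_USED")
    return findings


def console_users_without_mfa(rows):
    """IAM users who can sign in to the console but have no MFA device."""
    return sorted(r["user"] for r in rows
                  if r["user"] != ROOT_USER
                  and r["password_enabled"] == "true"
                  and r["mfa_active"] != "true")


if __name__ == "__main__":
    report = parse_credential_report(SAMPLE_REPORT)
    print("root findings:", audit_root(report, AS_OF))
    print("console users without MFA:", console_users_without_mfa(report))
```

On a real account the same functions apply to the decoded `Content` field of the get-credential-report response; the report is generated asynchronously, so the CLI may need a generate-credential-report call first.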