Introduction

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS services and resources for your users. With IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

Key Concepts

  1. Users: Individual accounts that represent a person or service.
  2. Groups: Collections of users that share the same permissions.
  3. Roles: Identities that AWS services, applications, or users assume to obtain temporary credentials, so no long-lived keys have to be distributed.
  4. Policies: Documents that define permissions and are attached to users, groups, or roles.

Setting Up IAM

Creating a User

  1. Sign in to the AWS Management Console.
  2. Navigate to the IAM Dashboard.
  3. Click on "Users" in the left-hand navigation pane.
  4. Click on "Add user".
  5. Enter a User Name and select the type of access (Programmatic access, AWS Management Console access, or both).
  6. Set Permissions:
    • Attach existing policies directly.
    • Add user to group.
    • Copy permissions from existing user.
    • Attach custom policies.
  7. Review and Create User.

Example: Creating a User with Programmatic Access

aws iam create-user --user-name JohnDoe
aws iam create-access-key --user-name JohnDoe

Creating a Group

  1. Navigate to the IAM Dashboard.
  2. Click on "Groups" in the left-hand navigation pane.
  3. Click on "Create New Group".
  4. Enter a Group Name.
  5. Attach Policies to the group.
  6. Review and Create Group.

Example: Creating a Group and Adding a User

aws iam create-group --group-name Developers
aws iam add-user-to-group --user-name JohnDoe --group-name Developers

Creating a Role

  1. Navigate to the IAM Dashboard.
  2. Click on "Roles" in the left-hand navigation pane.
  3. Click on "Create role".
  4. Select the type of trusted entity (AWS service, another AWS account, etc.).
  5. Attach Policies to the role.
  6. Review and Create Role.

Example: Creating a Role for EC2

trust-policy.json (the trust policy passed to --assume-role-policy-document; it says who may assume the role, here EC2 instances, and must name a Principal and the sts:AssumeRole action; the role's actual EC2 permissions come from the managed policy attached in the second command):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
aws iam create-role --role-name EC2FullAccess --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name EC2FullAccess --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess

Policies

Types of Policies

  1. Managed Policies: AWS managed or customer managed.
  2. Inline Policies: Policies that are embedded directly into a single user, group, or role.

Example: Creating a Managed Policy

s3-policy.json (a permissions policy; note the Resource of "*" grants access to every bucket):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
aws iam create-policy --policy-name S3FullAccess --policy-document file://s3-policy.json
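The policy JSON above is a permissions policy (it has no Principal), whereas the Lambda document in Exercise 2 below is a trust policy; create-role --assume-role-policy-document only accepts the latter, and both kinds can be over-broad. The following Python script is an added example, not code from this page or from AWS: it loads policy JSON, tells trust policies from permissions policies by the presence of a Principal, flags Allow statements that grant a whole service (s3:*, ec2:*, or *) on every resource, and checks a trust policy for a missing or wildcard Principal. The sample documents are constructed inline; the bucket name is a placeholder.

```python
import json

# Constructed sample documents for this example (not read from a live account).
# The first mirrors the S3 managed policy shown above, the second a trust policy
# like the Lambda one in Exercise 2, the third a least-privilege alternative.
S3_FULL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

LAMBDA_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

S3_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",  # placeholder bucket name
    }],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_policy(document):
    """Return 'trust' if every statement names a Principal, else 'permissions'.
    Only a trust policy is valid for create-role --assume-role-policy-document."""
    statements = _as_list(json.loads(document).get("Statement"))
    if statements and all("Principal" in s for s in statements):
        return "trust"
    return "permissions"


def find_overly_broad_statements(document):
    """Flag Allow statements that grant a whole service (or everything) on every
    resource. Returns (statement index, reason) pairs so a reviewer can point at
    the exact statement that breaks least privilege."""
    findings = []
    statements = _as_list(json.loads(document).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions and "*" in resources:
            findings.append((i, f"{wildcard_actions} on all resources"))
        elif "*" in actions:
            findings.append((i, "Action '*' grants every API call"))
    return findings


def check_trust_policy(document):
    """Sanity checks for a trust policy: a Principal is present, it is not a
    wildcard (which would let any AWS account assume the role), and the action
    is an sts:AssumeRole variant."""
    problems = []
    statements = _as_list(json.loads(document).get("Statement"))
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        if principal is None:
            problems.append((i, "no Principal: this is not a trust policy"))
            continue
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            problems.append((i, "wildcard Principal lets any account assume this role"))
        actions = _as_list(stmt.get("Action"))
        if not any(a.startswith("sts:AssumeRole") for a in actions):
            problems.append((i, "Action should be sts:AssumeRole"))
    return problems


if __name__ == "__main__":
    for name, doc in [("s3-full", S3_FULL_POLICY), ("lambda-trust", LAMBDA_TRUST_POLICY),
                      ("s3-scoped", S3_SCOPED_POLICY)]:
        print(name, classify_policy(doc), find_overly_broad_statements(doc),
              check_trust_policy(doc))
```

Running it shows the page's S3 policy flagged for s3:* on all resources, the Lambda trust policy passing every check, and the scoped policy producing no findings; feeding the S3 policy to check_trust_policy reports the missing Principal, which is the same mistake IAM rejects when such a document is passed to create-role.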

Practical Exercises

Exercise 1: Create a User and Assign Permissions

  1. Create a user named "Alice" with programmatic access.
  2. Create a group named "Admins" and attach the policy AdministratorAccess.
  3. Add "Alice" to the "Admins" group.

Solution

aws iam create-user --user-name Alice
aws iam create-access-key --user-name Alice
aws iam create-group --group-name Admins
aws iam attach-group-policy --group-name Admins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam add-user-to-group --user-name Alice --group-name Admins

Exercise 2: Create a Role for Lambda Execution

  1. Create a role named "LambdaExecutionRole".
  2. Attach the policy AWSLambdaBasicExecutionRole to the role.

Solution

trust-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
aws iam create-role --role-name LambdaExecutionRole --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name LambdaExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Common Mistakes and Tips

  • Not using MFA (Multi-Factor Authentication): Always enable MFA for added security.
  • Over-permissioning: Follow the principle of least privilege. Only grant the permissions necessary for the task.
  • Not rotating access keys: Regularly rotate access keys to minimize the risk of compromised credentials.
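All three tips can be checked mechanically from the IAM credential report (aws iam get-credential-report returns it as base64-encoded CSV, one row per user plus the root account). The script below is an added example, not code from this page or from AWS: it parses a constructed sample in the report's CSV layout (only the columns used here are included, the account id is a placeholder) and reports users that have a password but no MFA, any active root access key, and active access keys older than a threshold. The 90-day threshold and the fixed report date are assumptions chosen for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the column layout of `aws iam get-credential-report`
# (the real report has more columns; only those used below are kept).
# "N/A" and "not_supported" are the placeholder values the report itself uses;
# 123456789012 is a placeholder account id.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2023-01-10T00:00:00+00:00,false,N/A
Alice,arn:aws:iam::123456789012:user/Alice,true,true,true,2024-05-01T00:00:00+00:00,false,N/A
JohnDoe,arn:aws:iam::123456789012:user/JohnDoe,true,false,true,2023-11-15T00:00:00+00:00,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,false,true,2024-06-20T00:00:00+00:00,true,2022-02-01T00:00:00+00:00
"""

# Assumed rotation policy and a fixed "now" so the example is reproducible.
MAX_KEY_AGE = timedelta(days=90)
REPORT_DATE = datetime(2024, 7, 1, tzinfo=timezone.utc)


def audit_credential_report(report_csv, now, max_key_age=MAX_KEY_AGE):
    """Apply the MFA, least-privilege-for-root and key-rotation checks to each
    row. Returns a sorted list of (user, finding) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Anyone who can sign in with a password (root reports "not_supported"
        # for that column but always has one) should have MFA turned on.
        if row["password_enabled"] in ("true", "not_supported") and row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))
        # The root account should never hold long-lived access keys.
        if user == "<root_account>" and "true" in (row["access_key_1_active"],
                                                   row["access_key_2_active"]):
            findings.append((user, "root account has an active access key"))
        # Each of the two key slots: only active keys matter, and the report
        # gives last_rotated as an ISO-8601 timestamp.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = now - rotated
            if age > max_key_age:
                findings.append((user, f"access key {slot} is {age.days} days old"))
    return sorted(findings)


def audit_sample_report():
    """Run the audit over the constructed sample as of REPORT_DATE."""
    return audit_credential_report(SAMPLE_REPORT, REPORT_DATE)


if __name__ == "__main__":
    for user, finding in audit_sample_report():
        print(f"{user}: {finding}")
```

On a real account, decode the report with base64 before feeding it in and pass datetime.now(timezone.utc) as now; the sample is arranged so that Alice (MFA on, key rotated recently) produces no findings while the other rows each trip a different check.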

Conclusion

In this section, you learned about AWS Identity and Access Management (IAM), including how to create users, groups, roles, and policies. You also practiced setting up IAM entities and assigning permissions. Understanding IAM is crucial for managing access to your AWS resources securely and efficiently. In the next module, we will dive into AWS Key Management Service (KMS) to learn about managing encryption keys.

© Copyright 2024. All rights reserved