Introduction
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS services and resources for your users. With IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
Key Concepts
- Users: Individual accounts that represent a person or service.
- Groups: Collections of users that share the same permissions.
- Roles: Identities that AWS services or applications assume to obtain temporary credentials.
- Policies: Documents that define permissions and are attached to users, groups, or roles.
Setting Up IAM
Creating a User
- Sign in to the AWS Management Console.
- Navigate to the IAM Dashboard.
- Click on "Users" in the left-hand navigation pane.
- Click on "Add user".
- Enter a User Name and select the type of access (Programmatic access, AWS Management Console access, or both).
- Set Permissions, using one of:
  - Attach existing policies directly.
  - Add user to group.
  - Copy permissions from existing user.
  - Attach custom policies.
- Review and Create User.
Example: Creating a User with Programmatic Access
Creating a Group
- Navigate to the IAM Dashboard.
- Click on "Groups" in the left-hand navigation pane.
- Click on "Create New Group".
- Enter a Group Name.
- Attach Policies to the group.
- Review and Create Group.
Example: Creating a Group and Adding a User
aws iam create-group --group-name Developers
aws iam add-user-to-group --user-name JohnDoe --group-name Developers
Creating a Role
- Navigate to the IAM Dashboard.
- Click on "Roles" in the left-hand navigation pane.
- Click on "Create role".
- Select the type of trusted entity (AWS service, another AWS account, etc.).
- Attach Policies to the role.
- Review and Create Role.
Example: Creating a Role for EC2
A role needs two documents: a trust policy that says who may assume it (here the EC2 service) and a permissions policy that says what it may do. The permissions policy below allows every EC2 action; the commands that follow attach the AWS managed policy AmazonEC2FullAccess rather than uploading this document.
Permissions policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}
Trust policy (saved as trust-policy.json, referenced by the create-role command):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
aws iam create-role --role-name EC2FullAccess --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name EC2FullAccess --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
Policies
Types of Policies
- Managed Policies: AWS managed or customer managed.
- Inline Policies: Policies that are embedded directly into a single user, group, or role.
Example: Creating a Managed Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
Practical Exercises
Exercise 1: Create a User and Assign Permissions
- Create a user named "Alice" with programmatic access.
- Create a group named "Admins" and attach the policy AdministratorAccess.
- Add "Alice" to the "Admins" group.
Solution
aws iam create-user --user-name Alice
aws iam create-access-key --user-name Alice
aws iam create-group --group-name Admins
aws iam attach-group-policy --group-name Admins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam add-user-to-group --user-name Alice --group-name Admins
Exercise 2: Create a Role for Lambda Execution
- Create a role named "LambdaExecutionRole".
- Attach the policy AWSLambdaBasicExecutionRole to the role.
Solution
Trust policy (saved as trust-policy.json), which lets the Lambda service assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
aws iam create-role --role-name LambdaExecutionRole --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name LambdaExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Common Mistakes and Tips
- Not using MFA (Multi-Factor Authentication): Always enable MFA for added security.
- Over-permissioning: Follow the principle of least privilege. Only grant the permissions necessary for the task.
- Not rotating access keys: Regularly rotate access keys to minimize the risk of compromised credentials.
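The over-permissioning tip above applies directly to the policy documents shown earlier (ec2:* and s3:* on Resource "*"). The following is an added example, not part of this module, that parses policy documents in that JSON shape and flags Allow statements combining a wildcard Action with Resource "*"; the three sample documents and the bucket name are constructed for the example.

```python
import json

# Constructed sample policy documents in the shape of the page's examples:
# two service-wide wildcards and one scoped to a single bucket.
SAMPLE_POLICIES = {
    "ec2-full": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                '"Action": "ec2:*", "Resource": "*"}]}',
    "s3-full": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
               '"Action": "s3:*", "Resource": "*"}]}',
    "s3-read-one-bucket": '{"Version": "2012-10-17", "Statement": [{"Effect": '
        '"Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": '
        '["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}',
}

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_wildcard_grants(policy_text):
    """Return one finding per Allow statement that combines a wildcard
    Action ('*' or 'service:*') with Resource '*'. Severity is 'critical'
    for a bare '*' (full administrative access) and 'high' for 'service:*'.
    NotAction, NotResource and Condition are not evaluated, so an empty
    result is necessary for least privilege, not sufficient."""
    policy = json.loads(policy_text)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action"))
                        if a == "*" or a.endswith(":*")]
        if wild_actions and "*" in _as_list(stmt.get("Resource")):
            findings.append({
                "statement": idx,
                "actions": wild_actions,
                "severity": "critical" if "*" in wild_actions else "high",
            })
    return findings

def audit_policies(policies):
    """Check a name -> document mapping; only names with findings are
    returned, so an empty dict means nothing was flagged."""
    report = {}
    for name, text in policies.items():
        findings = find_wildcard_grants(text)
        if findings:
            report[name] = findings
    return report
```

Running audit_policies(SAMPLE_POLICIES) flags ec2-full and s3-full and leaves the single-bucket policy clean; the same function can be pointed at documents retrieved with the IAM get-policy-version API.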
Conclusion
In this section, you learned about AWS Identity and Access Management (IAM), including how to create users, groups, roles, and policies. You also practiced setting up IAM entities and assigning permissions. Understanding IAM is crucial for managing access to your AWS resources securely and efficiently. In the next module, we will dive into AWS Key Management Service (KMS) to learn about managing encryption keys.