A Beginner's Guide to AWS IAM
Identity and Access Management (IAM) is solely about defining and managing the roles and access privileges of individual network users, and the circumstances in which those users are granted or denied privileges.
On a fundamental level, IAM encompasses the following:
- how individuals are identified in a system
- how roles are identified in a system, and how they are assigned to individuals
- adding, removing, and updating individuals and their roles in a system
- assigning levels of access to individuals or groups of individuals
- protecting the sensitive data within the system and securing the system itself
AWS Identity and Access Management (IAM) makes managing access to AWS services and resources easy. AWS IAM gives you the ability to create and manage AWS users and groups, and to use permissions to allow or deny their access to AWS resources, free of charge.
Note: Before continuing on, ensure that you have an AWS account created at aws.amazon.com
After you have created your AWS account and successfully logged in, head to AWS IAM by clicking Services -> Security, Identity, & Compliance -> IAM. Your screen should now look like the one below.
This page gives you an overview of your IAM resources. Because this is just a beginner's guide, we will only be touching on Users, Groups, and Roles. Below the resource section, the Security Status indicates areas where best practices should be enforced.
Security Status Checklist
Delete your root access keys
When you first create your account, you don't have a root access key by default. This is good, because we don't want unrestricted access to our AWS resources. Following security best practices, you shouldn't be using your root (elevated) account as your daily account; instead, create an admin account that has administrative privileges. So, because we don't have a root access key, AWS has given us a checkmark.
Activate MFA on your root account
For this next step we will need a Multi-Factor Authentication app; the Google Authenticator app is the most common:
Now it's time to activate MFA on our root account (the account we are currently logged into) to ensure that it's secure.
Create individual IAM users
In this next step, we are going to create users. Here we can start assigning specific groups, roles, and policies to ensure that users only have the permissions they need to access the required resources.
Use groups to assign permissions
By creating groups, we can assign permissions to users to help manage them, but most importantly to audit those permissions.
Apply an IAM password policy
Passwords are the first and most important aspect of keeping your account secure. Enabling security best practices for passwords ensures that user accounts are much harder to hack.
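The three checklist items above (individual users, permissions through groups, and a password policy) as one added example that is not part of the original guide: it uses the boto3 IAM client method names, the group, user, bucket and policy names are placeholders, and `RecordingIamClient` stands in for `boto3.client("iam")` so the logic runs offline; pass a real boto3 client to `provision` to apply it to an account.

```python
import json
POLICY_NAME = "ReadOnlyReportsBucket"  # hypothetical inline policy name
BUCKET = "example-reports-bucket"      # hypothetical bucket name

# Account password policy for the checklist item "Apply an IAM password policy".
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,           # days before rotation is forced
    "PasswordReusePrevention": 24,  # remember the last 24 passwords (max allowed)
}

def readonly_bucket_policy(bucket):
    """Identity policy granting only list and read on one bucket, no wildcards."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def is_least_privilege(policy):
    """False if any statement uses '*' or 'service:*' actions or a bare '*' resource."""
    for s in policy["Statement"]:
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        res = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in acts) or "*" in res:
            return False
    return True

class RecordingIamClient:
    """Offline stand-in for boto3.client('iam'): records each call instead of sending it."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):          # any method name, e.g. create_user(UserName=...)
        return lambda **kw: self.calls.append((name, kw))

def provision(iam, group, user, bucket=BUCKET):
    """Checklist order: password policy, group with a scoped policy, user added to the group."""
    policy = readonly_bucket_policy(bucket)
    if not is_least_privilege(policy):
        raise ValueError("refusing to attach a wildcard policy to the group")
    iam.update_account_password_policy(**PASSWORD_POLICY)
    iam.create_group(GroupName=group)
    iam.put_group_policy(GroupName=group, PolicyName=POLICY_NAME,
                         PolicyDocument=json.dumps(policy))
    iam.create_user(UserName=user)                         # an individual user, not root
    iam.add_user_to_group(GroupName=group, UserName=user)  # permissions come via the group
    return policy
```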
Security Status Complete
We are now finally done with the security status checklist.
Congratulations, you have provisioned AWS IAM on your account. You now have enough knowledge to experiment with AWS IAM to get a better understanding of it. There is definitely a lot you can now do, for example:
- create more users, groups, or roles
- create policies and attach them to users, groups, or roles
- assign different roles and groups to different users and see what kind of access they have or don’t have to certain resources
- see what happens when a user tries to input a reusable password, or a weak password
Again, this is a very basic introduction to AWS IAM. I wanted to provide a general base of how to create a user, group, role, and policy to enable you to further experiment with AWS IAM.