☁️ CloudProjectHub

IAM

What is AWS IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM allows you to manage users, groups, roles, and their corresponding permissions, enabling fine-grained access control and following the principle of least privilege.

Key Features

  • User Management: Create and manage AWS users and groups
  • Role-Based Access: IAM roles for temporary access
  • Policy-Based Permissions: JSON policies for fine-grained control
  • Multi-Factor Authentication: Additional security layer
  • Integration: Works with all AWS services
  • Auditing: CloudTrail integration for access monitoring

Prerequisites

  • AWS Account (root user access initially)
  • Understanding of access control concepts
  • Knowledge of JSON policy syntax
  • Basic understanding of AWS services and resources

Step-by-Step: Setting up IAM Users

  1. Sign in to AWS Management Console: Use root account or IAM user with admin privileges
  2. Navigate to IAM: Search for "IAM" in services
  3. Create IAM User: Go to Users → Add users
  4. User Details:
    • User name: Enter username
    • Access type: Programmatic access, AWS Management Console access, or both
  5. Set Permissions:
    • Add user to group: Create or select existing group
    • Attach policies directly: For specific permissions
    • Copy permissions from existing user: For similar access patterns
  6. Password Setup: Set console password (if console access enabled)
  7. Tags: Add key-value pairs for organization
  8. Review and Create: Review settings and create user
  9. Download Credentials: Save access keys and password securely

Creating IAM Policies

  1. Navigate to Policies: In IAM console, go to Policies
  2. Create Policy: Click "Create policy"
  3. Policy Editor: Choose Visual editor or JSON
  4. Visual Editor:
    • Select service (e.g., EC2, S3)
    • Choose actions (e.g., List, Read, Write)
    • Add conditions if needed
  5. JSON Editor: Write custom policy in JSON format
  6. Review Policy: Add name, description, and tags
  7. Create Policy: Save the policy

Setting up Multi-Factor Authentication (MFA)

  1. Go to Security Credentials: In IAM console, select user
  2. Manage MFA Device: Click "Manage" next to MFA device
  3. Choose MFA Type: Virtual MFA device or Hardware MFA device
  4. Set up Virtual MFA: Use authenticator app (Google Authenticator, Authy)
  5. Scan QR Code: Scan with authenticator app
  6. Enter Codes: Enter two consecutive codes to activate

Best Practices

  • Follow the principle of least privilege
  • Use IAM groups to manage permissions at scale
  • Enable MFA for all users, especially privileged accounts
  • Use IAM roles instead of long-term access keys when possible
  • Regularly rotate access keys and review permissions
  • Use policy conditions to restrict access further
  • Enable CloudTrail for auditing IAM activities
  • Use AWS Organizations for multi-account management

IAM Components

  • Users: End users who interact with AWS
  • Groups: Collections of users with shared permissions
  • Roles: Temporary permissions for AWS services or users
  • Policies: JSON documents defining permissions
  • Identity Providers: External identity sources (SAML, OIDC)

Policy Types

  • Managed Policies: AWS-created or customer-created reusable policies
  • Inline Policies: Policies embedded directly in users/groups/roles
  • AWS Managed: Pre-built policies for common use cases
  • Customer Managed: Custom policies created by you

Common Use Cases

  • User access management for organizations
  • Cross-account access with roles
  • Application access to AWS resources
  • Temporary security credentials
  • Compliance and audit requirements
  • DevOps and CI/CD pipeline access
  • Third-party application integration