List of Topics
1) What is IAM
2) Features of IAM
3) Groups, Roles and Types of Policy
4) Difference Between Managed Policy and Inline Policy
5) Access Key
6) Federating Existing Users
7) Limits
1) What is IAM
IAM (Identity and Access Management) lets us manage the
different groups, users, their policies
and roles in an AWS account. Every account has a root account, which we would have created during
initial account creation in AWS. Using the root account for day-to-day operations
is not recommended, as it has unrestricted access to all resources on AWS. IAM
is a free-of-cost service, and this includes the AWS Security Token Service (STS) as well.
2) Features of IAM
a) There is no charge for using IAM.
b) The following ways can be used to interact with AWS:
the Console and the CLI (programmatic access).
c) If we add a user to a group, the user will inherit the
permissions of the group.
d) Usernames cannot be changed in the Management Console.
To change a username we need to use either the CLI or the API.
e) Deleting a user will delete the user's group memberships, password
and access keys.
g) In case of a conflict, if there are two policies,
one allowing access to a bucket and the other denying access to the bucket, then
the deny will apply. In short, an allow policy takes effect only when no deny
applies to that access.
h) By default IAM is highly available, replicating
data to multiple servers.
3) Groups, Roles and Types of Policy
Group
Whatever policy we attach to a group, the users
in the group also get that policy. We can have multiple users in
one group and one user in multiple groups, but attaching a group to another group is not
possible.
Roles
A role is used to authorize a particular AWS service to
use/call the API of another AWS service. In other words, it is used to give permission for a
particular AWS service to use another AWS service. Role names must be unique
within your AWS account.
Originally a role could be attached to an EC2 instance only while launching it;
a role can now also be attached to a running EC2 instance by using the CLI.
If a role is assigned to an EC2 instance then there is no
requirement to use a secret access key and access key ID on the instance. We can directly execute the
CLI commands if the CLI is installed.
The simplest way to use roles is to grant your IAM
users permissions to switch to roles that you create within your own or another
AWS account. They can switch roles easily using the IAM console to use
permissions that you don't ordinarily want them to have, and then exit the role
to surrender those permissions. This can help prevent accidental access to or
modification of sensitive resources.
For more complex uses of roles, such as granting
access to applications and services, or federated external users, you can call
the AssumeRole API. This API call returns a set of temporary credentials that
the application can use in subsequent API calls.
Federated users sign in by using credentials from an
identity provider (IdP). AWS then provides temporary credentials to the trusted
IdP to pass on to the user for including in subsequent AWS resource requests.
Those credentials provide the permissions granted to the assigned role.
Policy
A policy is also known as a collection of permissions. By
default users can control anything in the account if no policy is assigned.
This is controlled by assigning a specific policy to the user. There are many
predefined policies available in AWS, and we can also create our own custom
policies.
Types of Policy
There are two types of IAM policy available:
a) User based
b) Resource based
This means a policy will be assigned either to a
user or to a resource.
Some predefined policies:
Power user policy - the user has full access except IAM
management
Admin policy - the user has full access including IAM
4) Difference Between Inline Policy and Managed Policy
Inline Policy
An inline policy is a policy that is specific to a user, group, or role. You can create a policy and embed it in a principal entity, either when you create the principal entity (a user, group, or role) or later.
Managed Policy (Managed either by AWS or by Customer)
A managed policy is a standalone policy that is created and administered by either AWS or the customer. Standalone means that the policy has its own Amazon Resource Name (ARN) that includes the policy name. For example, arn:aws:iam::aws:policy/IAMReadOnlyAccess is an AWS managed policy. You can attach a managed policy to multiple principal entities (users, groups or roles) in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.
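As an added example (not part of the original notes), here is a simplified Python evaluation of the conflict rule from the Features section, an explicit deny overrides any allow and nothing is allowed without a matching allow, run over two constructed policy documents in the Effect/Action/Resource form that inline and managed policies share. The bucket name, policy contents and the helper names are constructed for this example, and NotAction, Condition and Principal elements are deliberately not handled.

```python
import fnmatch
import json

# Constructed sample policy documents (not real policies from any account):
# one allows every S3 action on every resource, the other explicitly denies
# deleting objects or buckets under a constructed "audit-logs" bucket.
ALLOW_ALL_S3 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")
DENY_DELETE_AUDIT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny",
                 "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
                 "Resource": "arn:aws:s3:::audit-logs*"}]
}""")

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # Action names are case-insensitive and allow the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _resource_matches(patterns, resource):
    # Resource ARNs are compared case-sensitively, also with * and ? wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Simplified IAM decision for one request.

    Returns "Allow", "Deny (explicit)" or "Deny (implicit)". Only Effect,
    Action and Resource are considered, which is enough to show the rule:
    a matching Deny wins over any Allow, and no matching Allow means denied.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny (explicit)"   # a single matching Deny settles it
            allowed = True
    return "Allow" if allowed else "Deny (implicit)"
```

Statement order never matters for the outcome: a Deny anywhere in the set of attached policies beats an Allow anywhere else.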
5) Access Key
An access key is used to make API calls. An access key
has the following two parts:
1) Secret access key, and
2) Access key ID
Users need their own access keys to make programmatic
calls to AWS from the AWS Command Line Interface (AWS CLI) or the Tools for Windows
PowerShell.
When you create an access key, IAM returns the access
key ID and secret access key. You should save these in a secure location and
give them to the user.
The secret access key is accessible only at the time you
create it. If a secret access key is lost, you must delete the access key for
the associated user and create a new key.
By default, when you create an access key, its status
is Active, which means the user can use the access key with the AWS CLI. Each user
can have two active access keys. You can give your users permission to list,
rotate, and manage their own keys by
assigning the user the IAMUserSSHKeys policy, so that the user can then
manage his own SSH keys.
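An added example, not from the original notes, that turns the points above (the secret is shown only at creation, at most two active keys per user, keys should be rotated) into an audit over constructed key metadata in the shape that boto3's iam.list_access_keys() returns under AccessKeyMetadata. The user names, key IDs and dates are constructed placeholders, and the 90-day rotation period is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data in the shape of the AccessKeyMetadata entries that
# boto3's iam.list_access_keys() returns. User names, key IDs (AKIA...EXAMPLE
# placeholders, not real keys) and dates are all made up for this example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=5)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000004",
     "Status": "Active", "CreateDate": NOW - timedelta(days=30)},
]


def audit_access_keys(keys, now, max_age_days=90):
    """Return (user, key id, finding) tuples for keys that need attention.

    Two checks: an Active key older than max_age_days (an assumed rotation
    period) should be rotated, and a user holding both of the two active
    keys IAM allows is normally mid-rotation, so the older key should be
    deactivated and deleted once the new one is confirmed to be in use.
    """
    findings = []
    active_by_user = {}
    for key in keys:
        if key["Status"] != "Active":
            continue                      # inactive keys cannot sign requests
        active_by_user.setdefault(key["UserName"], []).append(key)
        age_days = (now - key["CreateDate"]).days
        if age_days > max_age_days:
            findings.append((key["UserName"], key["AccessKeyId"],
                             f"active key is {age_days} days old; rotate it"))
    for user, active in active_by_user.items():
        if len(active) == 2:              # IAM's maximum per user
            oldest = min(active, key=lambda k: k["CreateDate"])
            findings.append((user, oldest["AccessKeyId"],
                             "two active keys; retire the older one after rotation"))
    return findings


if __name__ == "__main__":
    for user, key_id, finding in audit_access_keys(SAMPLE_KEYS, NOW):
        print(f"{user} {key_id}: {finding}")
```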
6) Identity Federation
A federated identity means linking a person's
electronic identity across systems. In AWS, federation has the following two methods.
a) Users have identities in a corporate directory
(i) If the corporate directory supports SAML 2.0, you can configure SSO
(ii) If it is Microsoft AD, you can use AWS Directory Service (AWS DS)
b) Users already have internet identities
Using a well-known web identity like Facebook or Google.
Use Amazon Cognito: it acts as an identity broker and does
much of the federation work for you. If you don't use it, you must write code
that interacts with the IdP and then calls the API.
7) Limits
Groups in an AWS account - 100
Users in an AWS account - 5000 (If you need to add a
large number of users, consider using temporary security credentials. For more
information about temporary security credentials, go to Temporary Security
Credentials.)
Roles in an AWS account - 250
Instance profiles in an AWS account - 100
Roles in an instance profile - 1 (This limit of one
role per instance cannot be increased.)
Groups a user can be a member of - 10
Access keys assigned to a user - 2
Access keys assigned to the AWS root account - 2