DAY 05 : AWS Identity Access Management Users, Groups, and Roles

Identity Access Management (IAM) Users, Groups, and Roles

New AWS accounts have a single user called "root user" created automatically.

  • Grants full permissions to do anything in the account

  • Not recommended to log in as the root user

➢ Identity Access Management (IAM) is responsible for managing access to AWS resources.

  • Responsible for authenticating users and determining what they are authorized to do

➢ IAM has three types of identities

  • Users

  • Groups

  • Roles

➢ An IAM user represents a person or application that needs access to AWS or a subset of services

  • An employee that needs access to AWS will have a user created for them

  • An application that needs to access or interact with AWS will have a user created on its behalf

➢ New users by default do not have access to anything in AWS

  • Users have to be granted explicit permissions to access specific services/resources

  • Users are implicitly denied all permissions by default

➢ To grant users access to resources, IAM policies need to be applied to the user, giving them permissions

➢ Policies are documents that either grant or deny access to specific AWS services/resources.

➢ IAM policies define what resources a user/group/role can access and what actions they can perform on them.

➢ Policies can be assigned to multiple users.

➢ Users can have multiple policies assigned to them.

➢ It is a best practice to follow least-privilege permissions.

  • Identities/users should only be granted the minimum permissions necessary for them to perform their job.

  • No extra permissions should be given to them.

  • If a user should only be able to stop and start EC2 instances:

    a) Allow only stopping/starting of EC2; don’t allow them to create/delete/modify instances

    b) Don’t allow them to have permission to do anything with any other services

➢ Groups are a collection of IAM users.

  • Policies can be added to groups

  • IAM users within a group automatically inherit all the policies from the group

  • Example – having a separate group for each department

➢ Roles allow users, applications, or services to assume temporary permissions.

  • Roles are assigned permissions/policies just like users and groups

  • When someone assumes an IAM role, they temporarily inherit the permissions of the role and return to their original permissions when done

➢ IAM roles are recommended when there is a need to grant temporary access to a service.

➢ Multi-Factor Authentication (MFA) requires users to provide an extra security code from an MFA device/app to be able to log in to their account

  • MFA is enabled on a per-user basis

  • It is a best practice to enable MFA for all users

Organizations

➢ Organizations help manage multiple AWS accounts

➢ Organizational units (OUs) allow you to group accounts with similar business or security requirements

➢ Service Control Policies (SCPs) restrict what an account can do

  • SCPs can be applied to individual accounts or OUs

  • When applied to OUs, all AWS accounts within the OU inherit the policies
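The rules described in these notes (everything implicitly denied until a policy allows it, an explicit Deny overriding any Allow, users inheriting their groups' policies, and an SCP on an OU bounding every account inside it) can be seen working together in the small evaluator below. It is an added example written for this post, not AWS code; the account ID, ARNs, user, group and OU names are constructed, and the least-privilege policy is the stop/start-only EC2 operator from the example earlier in the post. Real IAM evaluation has further layers (resource-based policies, permissions boundaries, session policies, conditions) that this model leaves out.

```python
"""Constructed model of how AWS IAM evaluates permissions (added example; not AWS code).

Rules mirrored from the notes: everything is implicitly denied until a policy
allows it, an explicit Deny beats any Allow, users inherit the policies of their
groups, and an SCP attached to an OU bounds every account in that OU.
Account IDs, ARNs, user, group and OU names below are all made up.
"""
import fnmatch
from dataclasses import dataclass, field


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """True when one statement covers the action and resource ('*' wildcards allowed)."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt.get("Resource", "*")
    resources = resources if isinstance(resources, list) else [resources]
    return any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
        fnmatch.fnmatchcase(resource, r) for r in resources)


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"                       # default: nothing is granted
    for pol in policies:
        for stmt in pol["Statement"]:
            if statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"                   # explicit deny always wins
                decision = "Allow"
    return decision


def policy(effect: str, actions, resource="*") -> dict:
    """Build a one-statement IAM policy document."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": actions, "Resource": resource}]}


@dataclass
class Group:
    name: str
    policies: list = field(default_factory=list)


@dataclass
class User:
    name: str
    account: str
    policies: list = field(default_factory=list)
    groups: list = field(default_factory=list)

    def effective_policies(self) -> list:
        # Policies attached to a group are inherited by every user in it
        return self.policies + [p for g in self.groups for p in g.policies]


@dataclass
class OrgUnit:
    name: str
    scps: list
    accounts: list


def is_allowed(user: User, action: str, resource: str, ous: list) -> bool:
    """SCPs of every OU holding the account must allow the action; then identity policies must too."""
    for ou in ous:
        if user.account in ou.accounts and evaluate(ou.scps, action, resource) != "Allow":
            return False                            # SCP caps even an account admin
    return evaluate(user.effective_policies(), action, resource) == "Allow"


# --- constructed sample data ------------------------------------------------
ACCOUNT = "111122223333"                            # made-up account id
INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"
BUCKET_OBJ = "arn:aws:s3:::example-bucket/report.csv"

# Least privilege: the operator may only stop/start EC2 instances, nothing else
EC2_START_STOP = policy("Allow", ["ec2:StartInstances", "ec2:StopInstances"],
                        f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*")
FULL_ACCESS = policy("Allow", "*")                  # same shape as the default FullAWSAccess SCP
DENY_TERMINATE = policy("Deny", "ec2:TerminateInstances")

ops_group = Group("operations", [policy("Allow", "ec2:Describe*")])
operator = User("ops-operator", ACCOUNT, [EC2_START_STOP], [ops_group])
admin = User("account-admin", ACCOUNT, [FULL_ACCESS])
prod_ou = OrgUnit("Production", [FULL_ACCESS, DENY_TERMINATE], [ACCOUNT])


def demo() -> dict:
    """Run the scenarios from the notes and return each decision."""
    return {
        "operator_stop": is_allowed(operator, "ec2:StopInstances", INSTANCE, [prod_ou]),
        "operator_terminate": is_allowed(operator, "ec2:TerminateInstances", INSTANCE, [prod_ou]),
        "operator_s3": is_allowed(operator, "s3:GetObject", BUCKET_OBJ, [prod_ou]),
        "operator_describe_from_group": is_allowed(operator, "ec2:DescribeInstances", "*", [prod_ou]),
        "admin_run": is_allowed(admin, "ec2:RunInstances", INSTANCE, [prod_ou]),
        "admin_terminate_blocked_by_scp": is_allowed(admin, "ec2:TerminateInstances", INSTANCE, [prod_ou]),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'allowed' if ok else 'denied'}")
```

Two results are worth noticing when running it: the operator gets `ec2:DescribeInstances` purely through group membership, and the account admin's `Allow *` does not get past the OU's deny SCP, which is exactly why SCPs are the tool for restricting what a whole account can do.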

Thank you for reading!