IAM: Identity and Access Management

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. IAM enables you to manage users and their access to AWS services and resources. You can use IAM to create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

What is IAM?

IAM is the foundation of AWS security. It controls who can access your AWS resources (authentication) and what actions they can perform on those resources (authorization). IAM allows you to create and manage identities (users, groups, roles) and define what they can do in your AWS account.

Key Concepts

Users

  • Identities: Represent people or applications that need access to AWS
  • Credentials: Can have access keys, passwords, or MFA devices
  • Permanent Credentials: Long-term access credentials
  • Best Practice: Create individual IAM users instead of sharing root account

Groups

  • Collection of Users: Logical collection of IAM users
  • Permission Management: Assign permissions to groups instead of individual users
  • User Membership: Users can belong to multiple groups
  • No Credentials: Groups cannot have credentials or login

Roles

  • Temporary Credentials: Assume roles to get temporary security credentials
  • Cross-Account Access: Grant access to resources in other AWS accounts
  • Service Roles: Roles that AWS services assume to perform actions on your behalf
  • Best Practice: Use roles instead of users for applications and services

Policies

  • Permission Documents: JSON documents that define permissions
  • Identity-Based: Attached to users, groups, or roles
  • Resource-Based: Attached to AWS resources (S3 buckets, etc.)
  • Effect: Allow or Deny specific actions on specific resources

Policy Structure

IAM policies are JSON documents that define permissions. Here's the structure:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Policy Elements

  • Version: Policy language version (use the current version, "2012-10-17")
  • Statement: Array of permission statements
  • Effect: Allow or Deny
  • Action: API actions to allow or deny
  • Resource: AWS resources the actions apply to
  • Condition: Optional conditions for when the policy is in effect

Permission Types

Managed Policies

  • AWS Managed: Pre-built policies maintained by AWS
  • Customer Managed: Custom policies you create and manage
  • Reusable: Can be attached to multiple users, groups, or roles
  • Versioning: Support versioning for tracking changes

Inline Policies

  • Direct Attachment: Policies embedded directly in users, groups, or roles
  • Not Reusable: Cannot be shared across multiple identities
  • Quick Configuration: Useful for unique, one-off permissions

Authentication Methods

Access Keys

  • Programmatic Access: Used for API calls, CLI, and SDKs
  • Access Key ID: Public identifier
  • Secret Access Key: Private credential (like a password)
  • Best Practice: Rotate access keys regularly, never commit to code

Passwords

  • Console Access: Used for AWS Management Console login
  • Password Policy: Configure complexity and rotation requirements
  • MFA: Multi-factor authentication for additional security

Multi-Factor Authentication (MFA)

  • Additional Security: Requires a second authentication factor
  • Virtual MFA: Use authenticator apps (Google Authenticator, Authy)
  • Hardware MFA: Physical security devices
  • Best Practice: Enable MFA for root account and privileged users

IAM Roles

When to Use Roles

  • Applications: EC2 instances, Lambda functions, ECS tasks
  • Cross-Account Access: Grant access between AWS accounts
  • Federated Access: Allow external identities to access AWS
  • Service Access: Allow AWS services to access other services

Role Types

  • Service Roles: Roles that AWS services assume
  • Service-Linked Roles: Predefined roles for specific AWS services
  • Cross-Account Roles: Roles for accessing resources in other accounts
  • Web Identity Roles: Roles for users authenticated by external identity providers

Assuming Roles

  • Temporary Credentials: Roles provide temporary security credentials
  • Session Duration: Configurable session duration (15 minutes to 12 hours)
  • No Long-Term Keys: No permanent access keys for roles
  • Automatic Rotation: Credentials automatically rotate

Resource-Based Policies

Some AWS services support resource-based policies attached directly to resources.

Examples

  • S3 Bucket Policies: Control access to S3 buckets
  • SNS Topic Policies: Control who can publish/subscribe
  • SQS Queue Policies: Control who can send/receive messages
  • Lambda Function Policies: Control who can invoke functions

IAM Best Practices

Security

  • Root Account: Never use root account for daily tasks
  • Individual Users: Create individual IAM users, don't share credentials
  • Least Privilege: Grant minimum permissions necessary
  • MFA: Enable MFA for all users, especially root
  • Password Policy: Enforce strong password requirements
  • Access Key Rotation: Regularly rotate access keys

Permission Management

  • Groups: Use groups to manage permissions for multiple users
  • Managed Policies: Prefer managed policies over inline policies
  • Principle of Least Privilege: Start with minimal permissions
  • Regular Audits: Review and audit permissions regularly
  • Remove Unused: Remove unused users, groups, roles, and policies

Roles Over Users

  • Applications: Use roles for applications running on EC2, Lambda, etc.
  • Cross-Account: Use roles for cross-account access
  • Temporary Credentials: Roles provide temporary credentials
  • No Long-Term Keys: Avoid storing long-term credentials in applications

Common Use Cases

EC2 Instance Roles

  • Applications on EC2: Applications running on EC2 instances
  • No Keys Stored: No need to store access keys on instances
  • Automatic Credentials: Instance automatically receives credentials
  • Secure: Credentials are temporary and automatically rotated

Cross-Account Access

  • Multiple Accounts: Access resources in multiple AWS accounts
  • Centralized Management: Manage access from a central account
  • Audit Trail: Better visibility into cross-account access
  • Security: Use roles instead of sharing access keys

Federated Access

  • Corporate Identity: Use existing corporate identity systems
  • Single Sign-On: Enable SSO for AWS console access
  • SAML: Support for SAML 2.0 identity providers
  • External Users: Allow external users to access AWS resources

IAM Boundaries

IAM boundaries add a layer of control on top of identity-based policies: they cap what those policies can grant without granting anything themselves.

Service Control Policies (SCPs)

  • Organization Level: Applied at AWS Organizations level
  • Maximum Permissions: Define maximum permissions for accounts
  • Not Grants: SCPs never grant permissions by themselves; an identity still needs a matching Allow in an IAM policy
  • Centralized Control: Manage permissions across multiple accounts
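A simplified policy evaluator, added here as an example (not code from this page or from AWS), that applies the policy structure shown earlier together with the SCP rule above: an explicit Deny always wins, the SCP only caps what an account can be granted, and the identity policy must then contain a matching Allow. The sample policies and the reason strings are constructed; the Condition element is not modelled.

```python
import fnmatch

# Constructed sample policies (not from the page): an identity policy attached to a
# user, and an SCP applied to the account that contains the user.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/readonly/*"},
]}
# The SCP only sets the ceiling for the account: S3 actions may be granted, nothing else.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(statement, action, resource):
    # IAM wildcards "*" and "?" apply to Action and Resource; action names are
    # matched case-insensitively, ARNs case-sensitively. Condition is not modelled here.
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def evaluate_policy(policy, action, resource):
    """Return "Deny", "Allow", or None when no statement in the policy matches."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource)}
    if "Deny" in effects:          # an explicit Deny always overrides an Allow
        return "Deny"
    return "Allow" if "Allow" in effects else None

def is_allowed(action, resource, identity_policy=IDENTITY_POLICY, scp=SCP):
    """Simplified IAM decision for one request: (allowed, reason).
    The checks run in the order a troubleshooter would: SCP ceiling, then identity policy."""
    scp_result = evaluate_policy(scp, action, resource)
    if scp_result == "Deny":
        return False, "explicit Deny in SCP"
    if scp_result is None:
        return False, "outside SCP boundary: no matching Allow at the organization level"
    identity_result = evaluate_policy(identity_policy, action, resource)
    if identity_result == "Deny":
        return False, "explicit Deny in identity policy"
    if identity_result is None:
        return False, "no matching Allow in identity policy (check Action and Resource ARN)"
    return True, "allowed"
```

The reason string is what an Access Denied investigation needs: it tells you whether to look at the SCP, at an explicit Deny, or at a missing Allow or mistyped ARN.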

Monitoring and Auditing

CloudTrail Integration

  • API Logging: Logs all IAM API calls
  • Who, What, When: Track who did what and when
  • Compliance: Meet compliance and audit requirements
  • Security Analysis: Analyze security events

Access Analyzer

  • Unused Permissions: Identify unused permissions
  • External Access: Find resources shared externally
  • Permissions Analysis: Analyze permissions and access patterns
  • Recommendations: Get recommendations for improving security

IAM Identity Center (Successor to AWS Single Sign-On)

IAM Identity Center provides centralized identity management for AWS.

Features

  • Single Sign-On: SSO for AWS accounts and applications
  • Centralized Management: Manage users and groups centrally
  • Multi-Account: Works across multiple AWS accounts
  • External Identity Providers: Integrate with external IdPs (SAML, OIDC)

Troubleshooting Common Issues

Access Denied

  • Check Policies: Verify policies are attached and correct
  • Resource Policies: Check resource-based policies (bucket policies, etc.)
  • Boundaries: Check for IAM boundaries or SCPs
  • Resource ARNs: Verify resource ARNs in policies are correct

Temporary Credentials Expired

  • Role Duration: Check role session duration settings
  • Token Refresh: Refresh temporary credentials before expiration
  • Assume Role: Re-assume role if credentials expire
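An added example (not from this page or from an AWS SDK) of the refresh-before-expiry handling described in the list above, using the role session limits from the Assuming Roles section: credentials are re-fetched a few minutes before their Expiration rather than after the first ExpiredToken error. The STS call is replaced by a constructed fake so the code runs offline; assume_role_fn, FakeClock and make_cache are assumptions, not AWS APIs.

```python
from datetime import datetime, timedelta, timezone
# STS AssumeRole session-duration limits for a role: 15 minutes to 12 hours.
MIN_SESSION_SECONDS, MAX_SESSION_SECONDS = 15 * 60, 12 * 60 * 60

def validate_session_duration(seconds):
    """Reject a DurationSeconds value outside the range a role session can have."""
    if not MIN_SESSION_SECONDS <= seconds <= MAX_SESSION_SECONDS:
        raise ValueError(f"DurationSeconds must be {MIN_SESSION_SECONDS}..{MAX_SESSION_SECONDS}")
    return seconds

class RoleCredentialCache:
    """Caches temporary credentials and re-assumes the role before they expire.
    assume_role_fn is an assumed callable returning the 'Credentials' dict of an STS
    AssumeRole response (with boto3: sts.assume_role(...)["Credentials"])."""
    def __init__(self, assume_role_fn, refresh_margin=timedelta(minutes=5), now_fn=None):
        self._assume = assume_role_fn
        self._margin = refresh_margin
        self._now = now_fn or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self.assume_count = 0  # number of times the role was (re-)assumed
    def needs_refresh(self):
        if self._creds is None:
            return True
        # Refresh while the credentials are still valid rather than after they expire,
        # so an in-flight API call never fails with ExpiredToken.
        return self._now() >= self._creds["Expiration"] - self._margin
    def get(self):
        if self.needs_refresh():
            self._creds = self._assume()
            self.assume_count += 1
        return self._creds

# Constructed stand-in for STS so the example runs offline: a controllable clock and
# a fake AssumeRole that issues placeholder credentials valid for session_seconds.
class FakeClock:
    def __init__(self):
        self.now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    def advance(self, **delta):
        self.now += timedelta(**delta)

def make_cache(session_seconds=3600):
    clock = FakeClock()
    validate_session_duration(session_seconds)
    def fake_assume_role():
        return {"AccessKeyId": "ASIA-PLACEHOLDER", "SecretAccessKey": "constructed-secret",
                "SessionToken": "constructed-token",
                "Expiration": clock.now + timedelta(seconds=session_seconds)}
    return RoleCredentialCache(fake_assume_role, now_fn=lambda: clock.now), clock
```

For code running on EC2, Lambda or ECS with an instance or task role, the AWS SDK credential providers already perform this refresh; the cache above is for the case where your code calls AssumeRole itself.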

By understanding IAM's capabilities and following best practices, you can secure your AWS resources effectively. Always refer to AWS documentation for the latest features and security recommendations.