Monday , February 27 2017

Configuring AWS Identity and Access Management (IAM)

What we learned so far:

  • AWS IAM is global and not limited to any specific region
  • The root account is the identity created when we signed up for AWS; by default it has full access to all services and resources, which is why configuring MFA on it is required for security.

Now that we understand that IAM is the centralized access control for your AWS account, recall that configuring MFA (multi-factor authentication) on the root account is mandatory; until it is done, it shows as a pending task among the 5 security steps. We configured it successfully in the previous article.

IAM consists of Users, Groups, Roles and policy documents; below we will see how to configure and use each of them. Having set up multi-factor authentication (MFA) on the AWS root account, we will now create a User and a Group so that access to AWS services and resources can be delegated to dedicated, authorized users instead of the root account.


Let us create a new user named “SAM”. Below you will find two access type options:

1. Programmatic access – the user receives an access key ID and a secret access key and uses them to call AWS services through the API, CLI, SDKs and other development tools.

2. AWS Management Console access – the user receives a password and uses it to sign in to the web-based AWS Management Console.

While creating a user you can also create several users at once and require them to change their password at first sign-in. Note that both access types can be selected for the same user.


Instead of attaching permissions to users directly, the best practice is to create custom groups and add users to them. You might create groups based on your organization’s structure and delegation needs, such as HR, System Admin or Finance. Policies are attached to the group, and every user in the group receives them.


We will create a group called “SystemAdmin” and attach the “AdministratorAccess” policy to it so its members can manage AWS services. A policy document is a set of permissions; when it is attached to a group, every user who is a member of that group inherits those permissions. The “AdministratorAccess” policy shown below grants full access to all AWS services and resources.


You can drill down to see the policy code (in JSON format), which lists each attribute and its value. If you are a developer you will enjoy reading this, and it is worth looking at the other managed policy documents too.

  • Attributes – Version, Statement, Effect, Action and Resource
  • Values – a date for Version, Allow for Effect, and * (wildcard) for Action and Resource
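As an added example (not code from the article), the following Python model shows how those attributes are evaluated for a request. It goes slightly beyond the article by also modelling two IAM rules that matter to a defender: a user with no policy attached is implicitly denied, and an explicit Deny statement wins over any Allow. The EC2-only policy below is constructed for illustration and is not the exact text of the AmazonEC2FullAccess managed policy.

```python
import fnmatch
import json

# Constructed copy of the statement shape discussed above:
# Version, Statement, Effect, Action, Resource with "*" wildcards.
ADMINISTRATOR_ACCESS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# Constructed narrower policy (assumed shape, not the managed policy's text):
# allow all EC2 actions, but explicitly deny deleting a VPC.
EC2_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DeleteVpc", "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, fold_case):
    # "*" matches any run of characters, "?" one character.
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if fold_case:
        target = target.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against all attached policies.
    Nothing attached -> implicit deny; any matching Deny -> deny; else an
    Allow must match."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt.get("Action", []), action, fold_case=True):
                continue
            if not _matches(stmt.get("Resource", []), resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```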


The user is added to the “SystemAdmin” group.


Review the summary


After clicking on Create you will see the details below. Since we selected both access types, the user receives an Access Key ID and Secret Access Key as well as a password, and can therefore reach AWS services and resources both programmatically and through the Management Console.


Now let’s look at roles. A role is simply a set of permissions that grants access to actions and resources in AWS; it lets one AWS service interact with another without embedding long-lived user credentials. We will cover roles in more depth in a later article.


Let us create a role called “AmazonEC2”


Under AWS Service Roles, select the Amazon EC2 role type and click Select.


Select the policy AmazonEC2FullAccess & click on next step.


Review the role summary


The role is now created and listed as shown below. Working with roles is a large topic in itself, which we will return to in later articles.


Now that the role is created, let’s finish the last item of the security status: configuring and applying an IAM password policy.


Click on Manage Password Policy.


Below are the default options; modify them as your requirements dictate. In my case I updated the minimum password length to 8 and enabled password expiration at 30 days.


Below is the security status, which now shows 5 out of 5 steps complete.


Let’s summarize:

  • New users have no permissions when created, so an administrator must assign permissions before they can access AWS services and resources.
  • The Access Key ID and Secret Access Key are separate from the password and serve different access types: the keys are for programmatic access and the password is for Management Console access. You cannot use the password for programmatic access, nor the key ID and secret key to sign in to the Management Console.
  • Configure MFA at least on your AWS root account.
  • You can define your own password policy under AWS IAM according to your requirements.

This is not the end of AWS IAM; there is a lot more to learn and explore on this topic, but we have covered the overview and a quick hands-on. We will explore more in the coming articles, so stay tuned.

About Charles Derber

Charles Derber is an IT consultant, volunteer and speaker. He is passionate about IT technology and has a decade of experience in the industry. His expertise is consulting on IT infrastructure and cloud, helping customers all over the world to plan, design and implement.


One comment

  1. Nice article. How does it help a developer in terms of balancing day-to-day life?
