Identity Access Management 101

IAM Allows you to:

  • Manage Users
  • Manage their level of access to the AWS Console

What does IAM give you?

  • Centralized control of your AWS account
  • Shared access to your AWS account
  • Granular permissions
    • Enable different levels of access for different users
  • Identity Federation (including Active Directory, Facebook, LinkedIn)
  • MFA
  • Provides Temporary access for users/devices and services, as necessary
    • If you developed a web or mobile app, can enable users to have temp access to resources within the account
      • Store or locate data in an S3 bucket
      • DynamoDB
  • Allows you to set up your own password rotation policy
  • Integrates with many different AWS services
  • Supports PCI DSS Compliance
    • Payment Card Industry (Data Security Standard)

Critical Terms

  • Users
    • End users
      • people
  • Groups
    • Collection of users under one set of permissions
    • Marketing team may need access to read or write certain files in an S3 bucket
    • This group needs a specific set of permissions
    • Add users to this group
  • Roles
    • Create roles and then assign them to AWS resources
    • Roles are used to define a set of permissions
      • S3 bucket access
      • Assumed by users or other services, such as EC2
      • EC2 may need to query DB
        • configure using role
    • An IAM role does not have any credentials and cannot make direct requests to AWS services
    • IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2
  • Policies
    • Document that defines one or more permissions
    • Can be attached to user, group, or role
    • That user, group, or role will have the permissions defined in the policy

Authentication when the on-premises identity store is not compatible with SAML

If your identity store is not compatible with SAML 2.0, then you can build a custom identity broker application to perform a similar function. The broker application authenticates users, requests temporary credentials for users from AWS, and then provides them to the user to access AWS resources.

The application verifies that employees are signed into the existing corporate network's identity and authentication system, which might use LDAP, Active Directory, or another system. The identity broker application then obtains temporary security credentials for the employees.

To get temporary security credentials, the identity broker application calls either AssumeRole or GetFederationToken, depending on how you want to manage the policies for users and when the temporary credentials should expire. The call returns temporary security credentials that are made available to the internal company application. The app can then use the temporary credentials to make calls to AWS directly. The app caches the credentials until they expire, and then requests a new set of temporary credentials.

Here, we are using a custom identity broker application in the on-premises data center and using STS to issue short-lived AWS credentials.
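The broker flow described above (authenticate against the corporate store, call AssumeRole, cache until shortly before expiry, then refresh), as an added example that is not part of the original notes. The STS client is a constructed offline stand-in with the same response shape as boto3's assume_role(); the role ARN, account ID and password are placeholders.

```python
from datetime import datetime, timedelta, timezone

REFRESH_SKEW = timedelta(minutes=5)  # request new credentials this long before expiry

class IdentityBroker:
    """Checks the corporate identity store, then obtains short-lived STS credentials
    via AssumeRole and caches them per user until they are about to expire."""
    def __init__(self, sts_client, role_arn, authenticate, duration_seconds=3600):
        self.sts = sts_client              # anything exposing assume_role() like boto3's STS client
        self.role_arn = role_arn
        self.authenticate = authenticate   # callable(user, secret) -> bool, e.g. an LDAP/AD bind
        self.duration = duration_seconds
        self._cache = {}                   # user -> STS "Credentials" dict

    def get_credentials(self, user, secret, now=None):
        now = now or datetime.now(timezone.utc)
        # No AWS credentials for anyone the corporate store has not authenticated
        if not self.authenticate(user, secret):
            raise PermissionError(f"corporate authentication failed for {user}")
        cached = self._cache.get(user)
        if cached and cached["Expiration"] - REFRESH_SKEW > now:
            return cached                  # still valid: reuse without an STS round trip
        resp = self.sts.assume_role(RoleArn=self.role_arn,
                                    RoleSessionName=f"broker-{user}",  # visible in CloudTrail
                                    DurationSeconds=self.duration)
        self._cache[user] = resp["Credentials"]
        return self._cache[user]

class FakeSTS:
    """Offline stand-in for the STS client (constructed for this example): same response
    shape as boto3's assume_role(), and counts the calls made."""
    def __init__(self, issued_at):
        self.issued_at, self.calls = issued_at, 0
    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls += 1
        return {"Credentials": {"AccessKeyId": f"ASIA-CONSTRUCTED-{self.calls}",
                                "SecretAccessKey": "constructed", "SessionToken": "constructed",
                                "Expiration": self.issued_at + timedelta(seconds=DurationSeconds)}}

def demo():
    """Three requests over an hour: the second hits the cache, the third (56 min in) refreshes."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sts = FakeSTS(issued_at=t0)
    broker = IdentityBroker(sts, "arn:aws:iam::123456789012:role/BrokerRole",  # placeholder ARN
                            authenticate=lambda user, secret: secret == "correct-password")
    first = broker.get_credentials("alice", "correct-password", now=t0)
    second = broker.get_credentials("alice", "correct-password", now=t0 + timedelta(minutes=30))
    third = broker.get_credentials("alice", "correct-password", now=t0 + timedelta(minutes=56))
    return sts.calls, first is second, third is first
```

With a real deployment, replace FakeSTS with `boto3.client("sts")` and the lambda with the corporate directory check; the broker logic itself does not change.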

Extras

  • When users are receiving timeout errors when accessing a website via the internet, check security groups of EC2 instances to make sure they allow inbound traffic from your public IPv4 address on the proper port
    • you wouldn't check IAM here because IAM problems show up as API authorization errors, not as timeouts
    • Timeouts are usually caused by blocked firewall access
    • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectionTimeout
  • To test if a user has permissions to execute a CLI command, use the --dry-run option.
    • checks whether you have the required permissions for the action, without actually making the request, and provides an error response.
    • If you have the required permissions, the error response is DryRunOperation; otherwise it is UnauthorizedOperation
  • If you want to add authentication to API requests, use IAM permissions with sigv4
    • Signature Version 4 is the process to add authentication information to AWS requests sent by HTTP.
    • For security, most requests to AWS must be signed with an access key, which consists of an access key ID and secret access key.
    • These two keys are commonly referred to as your security credentials.
  • If you have a policy that allows and denies an action, the deny overrides the allow
  • An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.