AWS Identity and Access Management — IAM
“Who am I, and if so, how many?” The philosopher Richard David Precht needed hundreds of pages in his book of the same name to at least roughly answer these questions. With Identity and Access Management (IAM), there is no time for such roundabout actions. Organisations need to validate digital identities promptly and unequivocally to decide who gets access to which resources. So let’s have a look at how to create and manage user accounts in AWS. You will first get an overview of the IAM structure and afterwards create a new user inside a group and assign permissions to it.
IAM users can be assigned long-term security credentials. You might create an IAM user when you have a new team member or application that needs to make AWS API calls. Manage the API permissions of a user by associating permissions policies with the user or adding the user to a group that has permissions policies associated with it. After creating an IAM user, you can assign credentials to allow AWS Management Console access, programmatic access or both.
IAM groups do not have their own credentials, but when an IAM user makes an API call with their access key, AWS looks up that user’s group memberships and finds the relevant permissions policies. All group members share the same permissions policies. That helps you manage the permissions of collections of IAM users. It’s also possible to add a user to multiple groups, as the relationship between IAM users and IAM groups is many-to-many. If multiple permissions policies apply to the same API action, any policy with the effect Deny takes precedence over any policy with the effect Allow. This order applies regardless of whether the policies are associated with the user, group or resource.
An IAM role is similar to an IAM user, in that it is an AWS identity with permissions policies that specify what the identity can and cannot do in AWS. But instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. This is suitable for situations in which you might not want to create and manage new sets of long-term credentials for team members or applications. IAM roles can be assumed for short-term sessions. To control access to an IAM role, define a trust policy that specifies which principals can assume the role. Potential principals include AWS services and also users who have authenticated.
Policies define the permissions of an entity or resource. They define what can and what cannot be done in AWS. You can either assign a predefined policy (managed policy) or a self-defined one (inline policy) to an entity or resource. To make a policy active you have to attach it directly to a user, group, role or resource.
A policy is written in JSON. It contains several sections, such as which actions can be performed and which resources are affected. Let’s have a look at an example:
The example shows a basic policy which allows read permissions for IAM components. The attribute Effect specifies that the actions listed below it are allowed. Action itself defines the range of permissions, in this case to get and list everything inside IAM. With the last attribute, Resource, it is possible to limit the policy to a specific resource or a range of resources, such as an EC2 instance.
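The read-only policy described above, written out as a policy document (reconstructed from the description, since the original example is not reproduced on this page), together with a small evaluator that applies the rule from the groups section: an explicit Deny beats any Allow, and an action nobody allows is implicitly denied. This is an added example, not code from the original post; the users, groups and the ADMIN and DENY_DELETE documents are made up for illustration.

```python
import json
from fnmatch import fnmatch

# Constructed to match the description above: Get*/List* on IAM, any resource.
IAM_READ_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}],
})
# Two more made-up documents used below: a full-admin allow and a user-level deny.
ADMIN = json.dumps({"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
DENY_DELETE = json.dumps({"Version": "2012-10-17",
                          "Statement": [{"Effect": "Deny", "Action": "iam:Delete*", "Resource": "*"}]})

# Hypothetical directory: group -> policies, user -> (groups, directly attached policies).
GROUPS = {"Devs": [ADMIN], "Auditors": [IAM_READ_ONLY]}
USERS = {"alice": {"groups": ["Devs", "Auditors"], "policies": [DENY_DELETE]},
         "bob": {"groups": ["Auditors"], "policies": []}}

def _as_list(value):
    return [value] if isinstance(value, str) else value

def _matches(statement, action, resource):
    """Does this statement cover the action and resource? '*' and prefixes are wildcards."""
    return (any(fnmatch(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch(resource, r) for r in _as_list(statement.get("Resource", "*"))))

def evaluate(policy_docs, action, resource="*"):
    """'Deny' if any matching statement denies, else 'Allow' if any allows, else 'ImplicitDeny'.
    Simplified: ignores Condition blocks, permission boundaries and resource-based policies."""
    allowed = False
    for doc in policy_docs:
        for st in json.loads(doc)["Statement"]:
            if _matches(st, action, resource):
                if st["Effect"] == "Deny":
                    return "Deny"          # explicit deny wins, whatever else allows
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def effective_policies(user):
    """Everything AWS would consider: the user's own policies plus each group's."""
    docs = list(USERS[user]["policies"])
    for group in USERS[user]["groups"]:
        docs.extend(GROUPS[group])
    return docs

def check(user, action, resource="*"):
    return evaluate(effective_policies(user), action, resource)
```

Note that alice is denied iam:DeleteUser even though her Devs membership grants full admin: the deny attached to the user wins over the allow attached to the group.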
Create a User
Now let’s put it all into practice by first creating a new user. Inside your AWS account, search for IAM and click on it; you will be taken to the IAM dashboard.
Click on Users and then on Add user. Next, give it a user name and specify the credential type. An access key is for accessing AWS through the AWS CLI, API Gateway, SDKs or other development tools. Password access is for the AWS Management Console, as you are using it right now.
On the next screen just click on Next: Tags; we will take care of permissions later on. Again, click on Next: Review, as we aren’t assigning any tags here. Check the overview and, if you have done everything correctly, click on Create user. Now is a good time to download the .csv file, which includes the access credentials, and store it somewhere safe. Afterwards you won’t be able to see the secret access key and password again, so don’t skip it.
Create a Group
Again, navigate to the IAM dashboard and click on User groups. Now hit the Create group button in the top right corner.
Let’s say you want to create a user group for developers, so name the group Devs and add the user you have created before to the group by checking the box. Next you can assign policies to the group; all users in the group will have these permissions. Search in the filter for AdministratorAccess and check the box. This is a managed policy, as it is predefined by Amazon.
Finally hit Create group! You should be able to use your new user credentials to log in to the AWS Console. As you have assigned administrator permissions to the group, there are no restrictions in any views.
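The same steps (create the user, create the Devs group, attach the AdministratorAccess managed policy to the group, add the user, issue a console password and an access key) done with boto3 instead of the console. This is an added example, not code from the original post; it assumes boto3 is installed and the caller’s credentials may manage IAM, and DryRunIam is a constructed stand-in that records the calls so the sequence can be previewed without touching an account.

```python
import secrets
import string

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # AWS managed policy
SYMBOLS = "!@#$%^&*"

def temp_password(length=20):
    """Random console password containing lower, upper, digit and symbol characters."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

def provision_dev_user(iam, user_name, group_name="Devs", policy_arn=ADMIN_POLICY_ARN):
    """Create the user and the group, attach the managed policy to the group (not the
    user), add the user to it, then issue a console password and an access key.
    `iam` is a boto3 IAM client, or DryRunIam below to preview the calls."""
    iam.create_user(UserName=user_name)
    iam.create_group(GroupName=group_name)
    iam.attach_group_policy(GroupName=group_name, PolicyArn=policy_arn)
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    password = temp_password()
    iam.create_login_profile(UserName=user_name, Password=password,
                             PasswordResetRequired=True)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # Like the console's .csv download: the secret is only available right now.
    return {"UserName": user_name, "Password": password,
            "AccessKeyId": key["AccessKeyId"], "SecretAccessKey": key["SecretAccessKey"]}

class DryRunIam:
    """Stand-in client that records calls instead of making them (constructed for this example)."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**params):
            self.calls.append((api, params))
            if api == "create_access_key":   # fake response shaped like boto3's
                return {"AccessKey": {"AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "example"}}
            return {}
        return call

if __name__ == "__main__":
    import boto3  # real run: needs credentials allowed to manage IAM
    print(provision_dev_user(boto3.client("iam"), "alice"))
```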