IAM & AWS CLI
IAM: users and groups
Identity and Access Management (IAM) is also a global service, because it is needed to sign in to the AWS console in the first place; if it only existed in one particular region, the other regions would not be able to work at all.
The root account is created by default when you register for an AWS account. It should not be used or shared; use it only to create other accounts with permissions, because the root account has access to everything.
Users are people within your organization and can be grouped.
Groups can only contain users not other groups.
Users don't have to belong to a group, and a user can belong to multiple groups.
Why groups and users?
Users or groups can be assigned a JSON document called a policy, which describes what the user/group is allowed to do.
IAM policies define the permissions of users.
By default, a user is not allowed to do anything, so you apply the least privilege principle: don't give more permissions than a user needs to complete a task. For example, if a user only needs to work on one EC2 instance, give permission to work on that EC2 instance only; don't give it permission to work on all of the EC2 instances.
A user that's in a group inherits the permission policies assigned to the group.
Tags
Logging in as IAM user
To log in as an IAM user, you need either the account ID or, if you created an alias for the account ID, the alias. Then you enter the IAM user's username and password.
For the root user you do not need the account ID; you log in with the email address.
IAM policies inheritance
If a user is part of a group, it inherits the policies attached to that group. If a user is part of multiple groups, it inherits the policies of all the groups it belongs to.
You can also create something called an inline policy for a user that is not part of a group. It is attached to the user directly, not inherited from a group.
IAM policy structure
Consists of:
- Version: policy language version
- Id: An identifier for the policy, this is optional
- Statement: one or more individual statements, this is required
Furthermore, each statement consists of:
- Sid: an identifier for the statement, optional
- Effect: whether the statement allows or denies access
- Principal: the account/user/role to which this policy applies
- Action: list of actions this policy allows or denies
- Resource: list of resources to which the actions apply
- Condition: conditions for when this policy is in effect, optional
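The following toy evaluator is an added illustration, not AWS's own code. It builds policy documents with the fields listed above (Version, Id, Statement, Sid, Effect, Action, Resource) and applies the rules from the earlier sections: a user's effective policies are the union of the policies attached to every group it belongs to plus its inline policies; nothing is allowed unless a statement allows it (default deny); and an explicit Deny always wins. The group names, account ID and instance ARNs are constructed sample values, and the real IAM evaluation logic (resource policies, permission boundaries, SCPs, Condition operators, case-insensitive action names) is not modelled.

```python
"""Toy IAM policy evaluator (added example; simplified, not AWS's implementation)."""
import fnmatch

# Constructed sample policies: account ID and instance IDs are placeholders.
DEVELOPERS_POLICY = {
    "Version": "2012-10-17",
    "Id": "developers-ec2-access",  # optional
    "Statement": [
        {
            "Sid": "AllowDescribe",  # optional
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*",
        },
        {
            # Least privilege: start/stop is limited to one named instance.
            "Sid": "AllowStartStopOneInstance",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example",
        },
    ],
}

DENY_TERMINATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyTerminate", "Effect": "Deny",
         "Action": "ec2:TerminateInstances", "Resource": "*"}
    ],
}

# Policies attached to each group (constructed sample data).
GROUP_POLICIES = {
    "developers": [DEVELOPERS_POLICY],
    "auditors": [DENY_TERMINATE_POLICY],
}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def effective_policies(user_groups, inline_policies=()):
    """Union of inherited group policies and the user's own inline policies."""
    policies = []
    for group in user_groups:
        policies.extend(GROUP_POLICIES.get(group, []))
    policies.extend(inline_policies)
    return policies


def is_allowed(policies, action, resource):
    """Default deny; a matching Allow grants access unless any matching Deny exists."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_match = any(fnmatch.fnmatchcase(action, a)
                               for a in _as_list(stmt["Action"]))
            resource_match = any(fnmatch.fnmatchcase(resource, r)
                                 for r in _as_list(stmt["Resource"]))
            if not (action_match and resource_match):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny always wins, whatever else allows
            allowed = True
    return allowed


def main():
    dev = effective_policies(["developers"])
    checks = [
        ("ec2:DescribeInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0other"),
        ("ec2:StartInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"),
        ("ec2:StartInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0other"),
        ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"),
    ]
    for action, resource in checks:
        print(f"{action:24} {resource.rsplit('/', 1)[-1]:12} -> {is_allowed(dev, action, resource)}")


if __name__ == "__main__":
    main()
```

Running it shows that a developer can describe anything and start the one named instance, but cannot start a different instance or terminate anything, because no statement allows it; adding an inline Allow for termination to a user who is also in the auditors group still yields a denial.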
IAM password policy
A strong password means higher security for your account.
You can set up a policy to prevent password re-use.
You also need multi-factor authentication (MFA): a secondary device that you own is used to verify your identity.
Password + security device you own = good and strong security.
Even if your password is lost or stolen, your account won't be compromised, because the attacker would also need the security device that only you have.
MFA device options in AWS
- Virtual MFA device: Google Authenticator, Authy. Supports multiple tokens on a single device. An app you install to authenticate yourself.
- Universal 2nd Factor (U2F) security key, e.g. YubiKey by Yubico. It is a physical device.
- Hardware key fob MFA Device
- Hardware key fob MFA device for AWS GovCloud