An Overview of AWS Identity and Access Management (IAM)
Understanding AWS IAM concepts, policies, and best practices for secure access management.
AWS Identity and Access Management (IAM) is a fundamental service that enables you to manage access to AWS services and resources securely. It provides fine-grained access control across all of AWS, allowing you to specify who can access which resources and under what conditions. IAM is crucial for implementing the principle of least privilege, ensuring that users and applications have only the permissions they need to perform their tasks.
Core IAM Components
Users and Groups
IAM users represent individual people or workloads that need long-lived credentials in your account. Groups hold the policies; a user inherits permissions through group membership, so attach managed policies to groups rather than to individual users. Here's an example of creating an IAM user and group using CloudFormation. Note that PowerUserAccess grants full access to AWS services except IAM and Organizations management, so a Developers group like this one is broad, and that an IAM user with an access key is a standing credential: prefer federated roles for people and roles for workloads wherever you can.

```yaml
Resources:
  DevelopersGroup:
    Type: 'AWS::IAM::Group'
    Properties:
      GroupName: Developers
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/PowerUserAccess
  Developer:
    Type: 'AWS::IAM::User'
    Properties:
      UserName: john.doe
      Groups:
        - !Ref DevelopersGroup
      LoginProfile:
        # UserPassword is a template parameter; declare it with NoEcho: true
        Password: !Ref 'UserPassword'
        PasswordResetRequired: true
  AccessKey:
    # Long-lived programmatic credential; its secret is exposed via Fn::GetAtt,
    # so only create it when the user really needs CLI/API access
    Type: 'AWS::IAM::AccessKey'
    Properties:
      UserName: !Ref Developer
```
Common User Types
| User Type | Description | Common Permissions |
|---|---|---|
| Administrator | Full access to all resources | AdministratorAccess managed policy |
| Developer | Access to development resources | PowerUserAccess managed policy |
| Security Auditor | Read-only access for auditing | SecurityAudit managed policy |
| Application User | Limited access for specific apps | Custom policy scoped to the app's resources |
| Database Admin | Access to database services | Custom policy scoped to the database services in use |
Roles and Policies
IAM roles architecture and trust relationships: a role is an identity with permissions but no long-term credentials. Its trust policy (the AssumeRolePolicyDocument) states which principals may assume it, whether AWS services, users or roles in this or another account, or federated identities, and assuming the role yields temporary STS credentials that carry the role's permission policies.
Example of a service role for EC2. The trust policy lets only the EC2 service assume the role; to actually use it from an instance you must wrap it in an `AWS::IAM::InstanceProfile` and reference that profile from the instance, because a role cannot be attached to an instance directly:

```yaml
Resources:
  EC2ServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: EC2ServiceRole
      # Trust policy: who may assume the role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      # Permission policies: what the role may do once assumed
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
```
Policy Types and Structure
Identity-Based Policies
Policy evaluation flow: IAM gathers every policy that applies to the request (identity-based, resource-based, permissions boundaries, SCPs, session policies) and evaluates them together. Any explicit Deny ends the evaluation with a denial; otherwise the request is allowed only if at least one applicable policy contains a matching Allow; a request that matches no statement at all is implicitly denied.
Example of a custom policy with conditions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEC2ManagementInRegion",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        },
        "StringLike": {
          "ec2:InstanceType": ["t2.*", "t3.*"]
        }
      }
    }
  ]
}
```
Resource-Based Policies
Example S3 bucket policy with cross-account access (replace ACCOUNT-ID with the 12-digit ID of the account you are sharing with). Granting to that account's root principal delegates the decision to that account: its administrators must still attach an identity policy allowing `s3:GetObject` and `s3:ListBucket` on this bucket before any of its principals can read it. `s3:ListBucket` applies to the bucket ARN and `s3:GetObject` to the object ARNs, which is why both are listed under Resource:

```yaml
Resources:
  SharedBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: shared-resources-bucket
  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref SharedBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCrossAccountAccess
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::ACCOUNT-ID:root'
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - !Sub '${SharedBucket.Arn}/*'   # objects, for GetObject
              - !GetAtt SharedBucket.Arn       # the bucket itself, for ListBucket
```
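The evaluation rules above, and the "both sides must allow" rule for the cross-account bucket policy, are easier to trust once you can run them. The following is an added example written for this article, not AWS code and not an official policy simulator: a small evaluator that applies explicit-deny-wins, implicit deny, the same-account versus cross-account rule, and the two condition operators this page uses, to the article's own EC2 policy and bucket policy. The account IDs 111111111111 and 222222222222, the user john.doe's ARN and the READER_POLICY that account 222222222222 would have to grant are assumptions made for the example.

```python
"""Model of the IAM policy evaluation flow (added example, not AWS code). Rules modelled:
an explicit Deny in any applicable policy wins; otherwise the request needs an Allow;
inside one account an Allow from either the identity policy or the resource policy is
enough, while a cross-account request needs an Allow from BOTH. Only the operators this
page uses (StringEquals, StringLike) are implemented; NotAction/NotResource, SCPs,
permission boundaries and session policies are out of scope."""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match_any(patterns, value, fold_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    # Action names are case-insensitive; ARNs are not.
    pats = _as_list(patterns)
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _conditions_hold(condition, context):
    # Every operator/key pair must hold; within one key any listed value may match.
    for operator, pairs in (condition or {}).items():
        for key, allowed in pairs.items():
            actual = context.get(key)
            if actual is None:          # key absent from the request: condition fails
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(allowed)
            elif operator == "StringLike":
                ok = _match_any(allowed, actual)
            else:
                raise NotImplementedError("operator %s not modelled" % operator)
            if not ok:
                return False
    return True

def _principal_matches(statement, principal_arn):
    # Identity-based policies carry no Principal: they apply to whoever holds them.
    # In a resource policy, 'arn:aws:iam::ACCOUNT:root' delegates to that whole account.
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    return "*" in aws or principal_arn in aws or account_root in aws

def _decision(policy, action, resource, principal_arn, context):
    """'Deny', 'Allow' or None (nothing matched) for one policy document."""
    outcome = None
    for st in _as_list(policy["Statement"]):
        if not (_match_any(st["Action"], action, fold_case=True)
                and _match_any(st["Resource"], resource)
                and _principal_matches(st, principal_arn)
                and _conditions_hold(st.get("Condition"), context)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"               # explicit deny: stop immediately
        outcome = "Allow"
    return outcome

def is_allowed(action, resource, principal_arn, resource_account,
               identity_policies=(), resource_policy=None, context=None):
    ctx = context or {}
    identity = [_decision(p, action, resource, principal_arn, ctx) for p in identity_policies]
    res = None if resource_policy is None else _decision(resource_policy, action, resource, principal_arn, ctx)
    if "Deny" in identity or res == "Deny":
        return False
    if principal_arn.split(":")[4] == resource_account:
        return "Allow" in identity or res == "Allow"
    return "Allow" in identity and res == "Allow"   # cross-account: both sides must allow

# Policies from this article; 111111111111 and 222222222222 are made-up account IDs.
EC2_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEC2ManagementInRegion", "Effect": "Allow",
    "Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]},
                  "StringLike": {"ec2:InstanceType": ["t2.*", "t3.*"]}}}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCrossAccountAccess", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::shared-resources-bucket/*", "arn:aws:s3:::shared-resources-bucket"]}]}
# What account 222222222222 must itself grant its user before the cross-account read works.
READER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-resources-bucket/*"}]}
DEV = "arn:aws:iam::222222222222:user/john.doe"
INSTANCE = "arn:aws:ec2:us-east-1:222222222222:instance/*"
OBJECT = "arn:aws:s3:::shared-resources-bucket/report.csv"

def demo():
    ok = {"aws:RequestedRegion": "us-east-1", "ec2:InstanceType": "t3.micro"}
    ec2 = lambda ctx: is_allowed("ec2:RunInstances", INSTANCE, DEV, "222222222222", [EC2_POLICY], context=ctx)
    s3 = lambda action, ident: is_allowed(action, OBJECT, DEV, "111111111111", ident, BUCKET_POLICY)
    return {
        "ec2_ok": ec2(ok),
        "ec2_wrong_region": ec2({**ok, "aws:RequestedRegion": "ap-southeast-2"}),
        "ec2_big_type": ec2({**ok, "ec2:InstanceType": "m5.large"}),
        "s3_bucket_policy_only": s3("s3:GetObject", []),      # bucket owner's grant alone is not enough
        "s3_both_sides": s3("s3:GetObject", [READER_POLICY]),
        "s3_put": s3("s3:PutObject", [READER_POLICY]),        # neither side allows: implicit deny
    }
```

`demo()` returns allow/deny for each scenario: the EC2 request succeeds only when both conditions hold, and the cross-account read is denied until account 222222222222 grants its own user `s3:GetObject`, which is the point most often missed when a bucket policy "does not work". For anything beyond a sanity check, use the IAM policy simulator or `iam:SimulatePrincipalPolicy`, which evaluate the real policy language.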
Security Best Practices
Password Policies and MFA
Password policy configuration. The properties below map one-to-one onto the `UpdateAccountPasswordPolicy` API (`aws iam update-account-password-policy`); check the current CloudFormation resource reference before relying on `AWS::IAM::AccountPasswordPolicy`, since the account password policy has historically not been a native CloudFormation resource and is often set with the CLI or a custom resource instead. Be deliberate about `HardExpiry`: with it enabled, users whose password has expired cannot set a new one themselves and need an administrator reset.

```yaml
Resources:
  PasswordPolicy:
    Type: 'AWS::IAM::AccountPasswordPolicy'
    Properties:
      MinimumPasswordLength: 14
      RequireLowercaseCharacters: true
      RequireUppercaseCharacters: true
      RequireNumbers: true
      RequireSymbols: true
      MaxPasswordAge: 90          # days
      PasswordReusePrevention: 24 # previous passwords that cannot be reused
      HardExpiry: true            # expired users need an admin reset
```
MFA device lifecycle: the user (or an administrator) registers a virtual TOTP, hardware TOTP or FIDO security key device and IAM binds it to the identity. Enforcement is done in policy, typically a Deny on everything except the actions needed to enrol a device, conditioned on `aws:MultiFactorAuthPresent` being false (use `BoolIfExists`, since the key is absent on requests signed with long-term keys). A lost or retired device is deactivated and replaced by an administrator, which is also the moment to review CloudTrail for what that identity did in between.
Access Key Management
Access key rotation workflow: create a second key for the user (IAM allows two per user), update every consumer to the new key, confirm with `GetAccessKeyLastUsed` that the old key is no longer being used, deactivate the old key and leave it inactive for a grace period so that anything missed fails loudly but reversibly, then delete it. Keys that show no use at all are candidates for deletion rather than rotation.
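The rotation workflow just described, as an added example that is not part of the original article or of any AWS tool. The workflow functions call only real IAM API methods (`list_access_keys`, `create_access_key`, `update_access_key`, `get_access_key_last_used`, `delete_access_key`) on whatever client they are given; `FakeIAM` is a constructed in-memory stand-in with boto3's response shapes so the example runs offline, and a real boto3 IAM client can be passed in its place. The 90-day threshold, the user name john.doe and the dates are assumptions.

```python
"""Access key rotation as a phased workflow (added example, not from the article or AWS).
The workflow functions use only real IAM API calls on the client they receive; FakeIAM is a
constructed stand-in so this runs offline. Pass a boto3 IAM client instead to run it for real."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # rotation threshold assumed for this example

def keys_needing_rotation(iam, user, now):
    """Step 0: active keys older than the threshold."""
    meta = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    return [k["AccessKeyId"] for k in meta if k["Status"] == "Active" and now - k["CreateDate"] > MAX_KEY_AGE]

def begin_rotation(iam, user):
    """Step 1: create the replacement key. IAM allows two keys per user, so refuse
    (never silently delete) when both slots are already taken."""
    if len(iam.list_access_keys(UserName=user)["AccessKeyMetadata"]) >= 2:
        raise RuntimeError("%s already has two keys; finish the previous rotation first" % user)
    new = iam.create_access_key(UserName=user)["AccessKey"]
    return new["AccessKeyId"]   # new["SecretAccessKey"] goes to the consumer only, never to logs

def disable_old_key(iam, user, old_key_id, switched_at):
    """Step 2, once every consumer has moved to the new key (at `switched_at`): refuse if the
    old key was still used after that moment, otherwise deactivate it. Deactivating rather than
    deleting means a missed consumer fails loudly but can be restored with one call."""
    used = iam.get_access_key_last_used(AccessKeyId=old_key_id)["AccessKeyLastUsed"].get("LastUsedDate")
    if used is not None and used > switched_at:
        return False
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    return True

def retire_old_key(iam, user, old_key_id):
    """Step 3, after a grace period with no breakage: delete, but only an inactive key."""
    meta = {k["AccessKeyId"]: k for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}
    if meta[old_key_id]["Status"] != "Inactive":
        raise RuntimeError("deactivate %s before deleting it" % old_key_id)
    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)

class FakeIAM:
    """Constructed stand-in implementing only the calls used above, with boto3's response shapes."""
    def __init__(self, now):
        self.now, self.keys, self.last_used, self.count = now, {}, {}, 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.values() if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        self.count += 1
        kid = "AKIAFAKE%012d" % self.count
        self.keys[kid] = {"UserName": UserName, "AccessKeyId": kid, "Status": "Active", "CreateDate": self.now}
        return {"AccessKey": dict(self.keys[kid], SecretAccessKey="not-a-real-secret")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def get_access_key_last_used(self, AccessKeyId):
        used = self.last_used.get(AccessKeyId)
        return {"AccessKeyLastUsed": {"LastUsedDate": used} if used else {}}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]

    def use_key(self, AccessKeyId, when):   # test hook: a consumer signed a request with this key
        self.last_used[AccessKeyId] = when

def demo(user="john.doe"):
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    iam = FakeIAM(now - timedelta(days=120))    # the existing key was created 120 days ago
    old = begin_rotation(iam, user)
    iam.now = now
    stale = keys_needing_rotation(iam, user, now)
    new = begin_rotation(iam, user)
    iam.use_key(old, now + timedelta(hours=1))  # a forgotten consumer still signs with the old key
    blocked = disable_old_key(iam, user, old, switched_at=now + timedelta(minutes=30))
    disabled = disable_old_key(iam, user, old, switched_at=now + timedelta(hours=2))  # after fixing it
    retire_old_key(iam, user, old)
    remaining = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    return {"stale": stale, "new": new, "blocked_while_in_use": blocked,
            "disabled": disabled, "remaining": remaining}
```

The phases are deliberately separate functions rather than one script: the wait between creating the new key and disabling the old one is where the consumers get updated, and the last-used check is what tells you that wait actually happened.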
Monitoring and Compliance
Audit and Logging
CloudWatch dashboard for IAM monitoring. IAM itself does not publish CloudWatch metrics under these names: they have to be produced by CloudWatch Logs metric filters on the CloudTrail log group (the `ConsoleSignInFailures` filter from the CIS AWS Foundations Benchmark is the usual source) and published into a namespace you choose, so the `AWS/IAM` namespace below is a placeholder and the widget stays empty until those filters exist.

```yaml
Resources:
  IAMDashboard:
    Type: 'AWS::CloudWatch::Dashboard'
    Properties:
      DashboardName: IAMMonitoring
      DashboardBody: !Sub |
        {
          "widgets": [
            {
              "type": "metric",
              "properties": {
                "metrics": [
                  ["AWS/IAM", "AuthorizationSuccessCount"],
                  [".", "AuthorizationFailureCount"],
                  [".", "ConsoleSignInFailures"]
                ],
                "period": 300,
                "stat": "Sum",
                "region": "${AWS::Region}",
                "title": "IAM Authorization Metrics"
              }
            }
          ]
        }
```
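The signals that dashboard is meant to surface come from CloudTrail, so here is the detection logic itself, as an added example that is not part of the original article or of any AWS tool: a small rule set in the spirit of the CIS AWS Foundations alerts (root account use, repeated console sign-in failures, console sign-in by an IAM user without MFA, and IAM policy or key changes) run over a constructed batch of CloudTrail records. The records, IP addresses, account ID 222222222222, user names and the failure threshold of 3 are all made up for the example; the field names are CloudTrail's.

```python
"""Detection rules over CloudTrail records for the IAM signals an IAM dashboard should show
(added example; the rules and the sample records are constructed, not the article's or AWS's)."""
import json
from collections import Counter

IAM_CHANGE_EVENTS = {"CreateAccessKey", "DeleteAccessKey", "PutUserPolicy", "PutRolePolicy",
                     "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "CreatePolicy",
                     "CreatePolicyVersion", "UpdateAssumeRolePolicy", "DeleteUserPolicy"}
FAILURE_THRESHOLD = 3   # sign-in failures from one source IP before alerting (assumed value)

def detect(events):
    """Return [(rule, detail)] for a batch of parsed CloudTrail records."""
    findings, failures = [], Counter()
    for ev in events:
        ident = ev.get("userIdentity") or {}
        name, ip = ev.get("eventName"), ev.get("sourceIPAddress")
        # Any root activity not performed by AWS on the account's behalf
        if ident.get("type") == "Root" and ident.get("invokedBy") != "AWS Internal":
            findings.append(("root_activity", "%s from %s" % (name, ip)))
        if name == "ConsoleLogin":
            result = (ev.get("responseElements") or {}).get("ConsoleLogin")
            mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
            if result == "Failure":
                failures[ip] += 1   # aggregated per source IP below
            elif result == "Success" and ident.get("type") == "IAMUser" and mfa != "Yes":
                findings.append(("console_login_without_mfa", ident.get("userName")))
        # Successful IAM changes only: denied attempts carry an errorCode
        if ev.get("eventSource") == "iam.amazonaws.com" and name in IAM_CHANGE_EVENTS and not ev.get("errorCode"):
            findings.append(("iam_change", "%s by %s" % (name, ident.get("arn"))))
    for ip, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("console_login_failures", "%d failures from %s" % (n, ip)))
    return findings

# Constructed CloudTrail records, one JSON document per line, as they arrive from a log group.
SAMPLE_LOG = r"""
{"eventTime":"2024-06-01T08:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"Root","accountId":"222222222222","arn":"arn:aws:iam::222222222222:root"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-06-01T08:01:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"john.doe","arn":"arn:aws:iam::222222222222:user/john.doe"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-06-01T08:01:30Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"john.doe","arn":"arn:aws:iam::222222222222:user/john.doe"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-06-01T08:02:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"john.doe","arn":"arn:aws:iam::222222222222:user/john.doe"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-06-01T08:03:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"john.doe","arn":"arn:aws:iam::222222222222:user/john.doe"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-06-01T08:10:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"john.doe","arn":"arn:aws:iam::222222222222:user/john.doe"},"requestParameters":{"userName":"john.doe"}}
{"eventTime":"2024-06-01T08:11:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"john.doe","arn":"arn:aws:iam::222222222222:user/john.doe"},"errorCode":"AccessDenied","errorMessage":"User is not authorized to perform iam:AttachUserPolicy"}
{"eventTime":"2024-06-01T08:20:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"192.0.2.10","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::222222222222:assumed-role/Admins/alice"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
"""

def load_records(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def demo():
    return detect(load_records(SAMPLE_LOG))
```

Two deliberate non-findings are worth noting: the denied `AttachUserPolicy` is skipped because it carries an `errorCode` (a separate "unauthorized API calls" rule would want it), and the `AssumedRole` sign-in without MFA is skipped because federated sessions report their MFA at the identity provider, not in this field.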
Access Analyzer
Access Analyzer findings workflow: IAM Access Analyzer continuously checks resource policies (S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, Secrets Manager secrets and others) and raises a finding for every resource reachable from outside the analyzer's zone of trust, which is the account or the organization. Each finding is either fixed by tightening the policy, after which the analyzer marks it resolved on its next scan, or archived when the sharing is intended; archive rules automate the latter for known-good patterns.
Common Use Cases
Cross-Account Access
Cross-account access pattern: the resource-owning account (A) creates a role whose trust policy names the calling account (B) or a specific principal in it; account B attaches an identity policy allowing `sts:AssumeRole` on that role's ARN; a principal in B calls STS AssumeRole and uses the returned temporary credentials against A's resources. When B is a third party, add an `sts:ExternalId` condition to the trust policy so that the vendor cannot be tricked into using its access on behalf of someone else (the confused-deputy problem).
Application Access Management
Example of an application IAM configuration. The inline policy below grants its actions on `Resource: '*'`; in a real deployment scope it to the specific table and bucket ARNs, and if ECS tasks and Lambda functions need different permissions give each its own role rather than trusting both services from one:

```yaml
Resources:
  ApplicationRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: ApplicationServiceRole
      # Trust policy: both ECS tasks and Lambda may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ApplicationPermissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:Query
                  - dynamodb:GetItem
                  - s3:GetObject
                Resource: '*'   # scope to the table and bucket ARNs in production
```
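A check that catches the `Resource: '*'` problem above before a template is deployed, as an added example that is not part of the original article and not an AWS tool: a least-privilege lint over policy documents. It runs on the application role's inline policy and trust policy from this page, on a scoped rewrite of that inline policy, and on a constructed cross-account trust policy in a weak form and a corrected form. The rules are heuristics (a finding means "look at this", not "this is wrong"), and the table and bucket ARNs, the partner account 111111111111 and the ExternalId value are assumptions.

```python
"""Least-privilege lint for IAM policy documents (added example; the rules are heuristics of
this example, not an AWS tool)."""

def _as_list(value):
    return value if isinstance(value, list) else [value]

READ_PREFIXES = ("Describe", "List")   # action families that usually require Resource "*" anyway
TRUST_SCOPING_KEYS = {"sts:ExternalId", "aws:PrincipalOrgID", "aws:PrincipalArn", "aws:SourceArn"}

def lint_policy(doc, kind="identity"):
    """kind is 'identity', 'resource' or 'trust'. Returns [(sid, rule, detail)] for Allow statements."""
    findings = []
    for i, st in enumerate(_as_list(doc["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid") or "Statement[%d]" % i
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        condition = st.get("Condition") or {}
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((sid, "wildcard_action", ", ".join(wild)))
        if "*" in resources:
            # Resource "*" is only excusable for actions that do not support resource-level permissions
            broad = [a for a in actions if not a.split(":")[-1].startswith(READ_PREFIXES)]
            if broad:
                findings.append((sid, "unscoped_resource", ", ".join(broad)))
        principal = st.get("Principal")
        if kind in ("resource", "trust") and principal is not None:
            aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            if "*" in aws and not condition:
                findings.append((sid, "public_principal", "any AWS principal and no Condition"))
            roots = [p for p in aws if p.endswith(":root")]
            keys = {k for pairs in condition.values() for k in pairs}
            if kind == "trust" and roots and not keys & TRUST_SCOPING_KEYS:
                findings.append((sid, "trust_whole_account",
                                 "%s may assume the role with no ExternalId/org/ARN condition" % ", ".join(roots)))
    return findings

# From this article: the application role's inline policy and its trust policy.
APP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["dynamodb:Query", "dynamodb:GetItem", "s3:GetObject"], "Resource": "*"}]}
SERVICE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": ["ecs-tasks.amazonaws.com", "lambda.amazonaws.com"]},
    "Action": "sts:AssumeRole"}]}
# Scoped rewrite of APP_POLICY; the table and bucket ARNs are assumptions.
APP_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:Query", "dynamodb:GetItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:222222222222:table/Orders"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets-bucket/*"}]}
# Constructed cross-account trust policies; 111111111111 is a made-up partner account.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PartnerAccess", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"}]}
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PartnerAccess", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-7f3a"}}}]}

def demo():
    return {
        "app": lint_policy(APP_POLICY),
        "app_scoped": lint_policy(APP_POLICY_SCOPED),
        "service_trust": lint_policy(SERVICE_TRUST, "trust"),
        "weak_trust": lint_policy(WEAK_TRUST, "trust"),
        "fixed_trust": lint_policy(FIXED_TRUST, "trust"),
    }
```

Running `demo()` flags the page's inline policy for unscoped resources and the weak trust policy for trusting a whole account without a scoping condition, and returns nothing for the scoped rewrite, the service trust policy and the corrected trust policy. The `READ_PREFIXES` exemption exists because actions such as `ec2:DescribeInstances` genuinely cannot be restricted by resource; tune it to the services you use.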
Temporary Access Management
Temporary access workflow: instead of handing out standing credentials, the requester assumes a role (directly, through federation, or after an approval step) and receives STS credentials bound to that role session, which expire with the session (1 hour by default, up to the role's configured maximum session duration of 12 hours). When the task is finished nothing has to be revoked; if a session must be cut short, add a Deny statement to the role conditioned on `aws:TokenIssueTime` being earlier than now, which invalidates every session issued before that moment.