An Overview of AWS Identity and Access Management (IAM)
AWS


Understanding AWS IAM concepts, policies, and best practices for secure access management.

January 7, 2024
DevHub Team
4 min read


AWS Identity and Access Management (IAM) is a fundamental service that enables you to manage access to AWS services and resources securely. It provides fine-grained access control across all of AWS, allowing you to specify who can access which resources and under what conditions. IAM is crucial for implementing the principle of least privilege, ensuring that users and applications have only the permissions they need to perform their tasks.

```mermaid
flowchart TB
    A[Root Account] --> B[IAM Users]
    A --> C[IAM Groups]
    A --> D[IAM Roles]
    B --> E[Permissions]
    C --> E
    D --> E
    E --> F[AWS Resources]
    style A fill:#f96,stroke:#333,stroke-width:2px
    style E fill:#bbf,stroke:#333,stroke-width:2px
```

Core IAM Components

Users and Groups

IAM Users represent individual entities that need access to your AWS resources. Here's an example of creating an IAM user and group using CloudFormation:

```yaml
# The UserPassword parameter is referenced below; it must be declared for the template
# to deploy. NoEcho keeps the value out of the console and describe-stacks output.
Parameters:
  UserPassword:
    Type: String
    NoEcho: true
    Description: Initial console password; the user must change it at first sign-in

Resources:
  DevelopersGroup:
    Type: 'AWS::IAM::Group'
    Properties:
      GroupName: Developers
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/PowerUserAccess
  Developer:
    Type: 'AWS::IAM::User'
    Properties:
      UserName: john.doe
      Groups:
        - !Ref DevelopersGroup
      LoginProfile:
        Password: !Ref 'UserPassword'
        PasswordResetRequired: true
  AccessKey:
    Type: 'AWS::IAM::AccessKey'
    Properties:
      UserName: !Ref Developer
```

Common User Types

| User Type | Description | Common Permissions |
|---|---|---|
| Administrator | Full access to all resources | Admin policy |
| Developer | Access to development resources | PowerUser policy |
| Security Auditor | Read-only access for auditing | Security Audit policy |
| Application User | Limited access for specific apps | Custom scoped policy |
| Database Admin | Access to database services | Database admin policy |

Roles and Policies

IAM Roles architecture and trust relationships:

```mermaid
graph LR
    A[Principal] -->|Assumes| B[IAM Role]
    B -->|Temporary Credentials| C[STS]
    B -->|Grants| D[Permissions]
    D -->|Access| E[AWS Services]
    subgraph Trust Policy
        B
        C
    end
    subgraph Permission Policy
        D
        E
    end
```

Example of a service role for EC2:

```yaml
Resources:
  EC2ServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: EC2ServiceRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
  # An EC2 instance cannot reference a role directly; it is attached through an
  # instance profile, which wraps the role.
  EC2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref EC2ServiceRole
```

Policy Types and Structure

Identity-Based Policies

Policy evaluation flow:

```mermaid
flowchart TB
    A[Request] --> B{Explicit Deny?}
    B -->|Yes| C[Deny Access]
    B -->|No| D{Explicit Allow?}
    D -->|Yes| E[Allow Access]
    D -->|No| F[Deny Access]
    style C fill:#f96,stroke:#333,stroke-width:2px
    style E fill:#9f6,stroke:#333,stroke-width:2px
```

Example of a custom policy with conditions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEC2ManagementInRegion",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        },
        "StringLike": {
          "ec2:InstanceType": ["t2.*", "t3.*"]
        }
      }
    }
  ]
}
```
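To make the evaluation flow and the condition semantics concrete, here is a small evaluator written for this article (it is not AWS code and models only the subset IAM needs for the policy above: action and resource wildcards, StringEquals, StringLike, and the deny-over-allow ordering). The policy is the article's; the second, deny-only policy, the instance ARN and the request contexts are constructed for the example.

```python
import fnmatch

# The article's policy, embedded as a Python dict so the example runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEC2ManagementInRegion",
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]},
            "StringLike": {"ec2:InstanceType": ["t2.*", "t3.*"]},
        },
    }],
}

# Constructed second policy (not from the article): shows that an explicit Deny wins
# over the Allow above regardless of evaluation order.
DENY_STOP = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyStop", "Effect": "Deny",
                   "Action": "ec2:StopInstances", "Resource": "*"}],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _condition_holds(operator, expected, context):
    """True when every key under one condition operator is satisfied by the request context.
    Only StringEquals and StringLike (the operators the policy uses) are modelled.
    A key absent from the context fails the check, as in IAM unless the ...IfExists
    form of the operator is used."""
    for key, allowed in expected.items():
        actual = context.get(key)
        if actual is None:
            return False
        patterns = _as_list(allowed)
        if operator == "StringEquals":
            if actual not in patterns:
                return False
        elif operator == "StringLike":
            # IAM's * and ? wildcards map directly onto fnmatch; matching is case-sensitive.
            if not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                return False
        else:
            raise NotImplementedError(f"condition operator {operator} not modelled here")
    return True


def statement_applies(stmt, action, resource, context):
    """Does the statement match the action, the resource ARN and all of its conditions?"""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, exp, context)
               for op, exp in stmt.get("Condition", {}).items())


def evaluate(policies, action, resource, context):
    """Identity-policy evaluation as in the flowchart: an explicit Deny anywhere wins,
    otherwise an explicit Allow grants access, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/*"  # constructed sample ARN
    ctx = {"aws:RequestedRegion": "us-east-1", "ec2:InstanceType": "t3.micro"}
    print(evaluate([POLICY], "ec2:RunInstances", instance, ctx))  # Allow
    print(evaluate([POLICY], "ec2:RunInstances", instance,
                   {**ctx, "ec2:InstanceType": "m5.large"}))  # ImplicitDeny
    print(evaluate([DENY_STOP, POLICY], "ec2:StopInstances", instance, ctx))  # ExplicitDeny
```

Two behaviours worth noticing when running it: a request whose context lacks `ec2:InstanceType` entirely is implicitly denied, because a plain `StringLike` requires the key to be present; and the deny policy short-circuits the Allow even when it is listed last, which is the ordering the flowchart describes.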

Resource-Based Policies

Example S3 bucket policy with cross-account access:

```yaml
Resources:
  SharedBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: shared-resources-bucket
  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref SharedBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCrossAccountAccess
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::ACCOUNT-ID:root'
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - !Sub '${SharedBucket.Arn}/*'
              - !GetAtt SharedBucket.Arn
```

Security Best Practices

Password Policies and MFA

Password policy configuration using CloudFormation:

```yaml
Resources:
  PasswordPolicy:
    Type: 'AWS::IAM::AccountPasswordPolicy'
    Properties:
      MinimumPasswordLength: 14
      RequireLowercaseCharacters: true
      RequireUppercaseCharacters: true
      RequireNumbers: true
      RequireSymbols: true
      MaxPasswordAge: 90
      PasswordReusePrevention: 24
      HardExpiry: true
```

MFA device lifecycle:

```mermaid
stateDiagram-v2
    [*] --> Requested
    Requested --> Assigned
    Assigned --> Active
    Active --> Deactivated
    Deactivated --> [*]
    Active --> Lost
    Lost --> Replaced
    Replaced --> Active
```

Access Key Management

Access key rotation workflow:

```mermaid
sequenceDiagram
    participant Admin
    participant IAM
    participant Application
    Admin->>IAM: Create new access key
    IAM-->>Admin: Return new credentials
    Admin->>Application: Update application with new key
    Application-->>Admin: Confirm key works
    Admin->>IAM: Deactivate old key
    Admin->>IAM: Delete old key
```
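The sequence above is easy to get wrong in a script: if the old key is deactivated before the application confirms the new one, a failed rollout leaves the application with no working credential. The following is an added example for this article, not AWS or boto3 code; it uses a constructed in-memory `FakeIAM` class that mirrors the response shapes of the boto3 calls `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key`, so that the ordering can be exercised offline. The key ids, secret and dates are constructed.

```python
from datetime import datetime, timezone


class FakeIAM:
    """Constructed stand-in for a boto3 IAM client so the example runs offline.
    It mirrors the response shapes of the four access-key calls and enforces IAM's
    limit of two access keys per user, which is what makes step ordering matter."""

    def __init__(self, existing):
        # existing: {access_key_id: CreateDate} for keys the user already has
        self.keys = {kid: {"AccessKeyId": kid, "Status": "Active", "CreateDate": created}
                     for kid, created in existing.items()}
        self._counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(m, UserName=UserName) for m in self.keys.values()]}

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:
            raise RuntimeError("LimitExceeded: Cannot exceed quota for AccessKeysPerUser: 2")
        self._counter += 1
        kid = f"AKIAEXAMPLE{self._counter:07d}"  # constructed key id
        self.keys[kid] = {"AccessKeyId": kid, "Status": "Active",
                          "CreateDate": datetime.now(timezone.utc)}
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": kid,
                              "SecretAccessKey": "constructed-secret", "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def stale_keys(metadata, now, max_age_days=90):
    """Access key ids older than max_age_days, taken from list_access_keys metadata."""
    return [m["AccessKeyId"] for m in metadata
            if (now - m["CreateDate"]).days >= max_age_days]


def rotate_access_key(iam, user, deploy_and_verify):
    """Rotation in the order of the sequence diagram: create, deploy, verify, deactivate, delete.

    deploy_and_verify(key_id, secret) is the caller's hook that pushes the new credential
    to the application and returns True only once the application confirms it works.
    The old key is touched only after that confirmation, so a failed rollout never
    leaves the application without a working credential."""
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) != 1:
        raise RuntimeError(f"expected exactly one existing key for {user}, found {len(existing)}")
    old_id = existing[0]["AccessKeyId"]

    new = iam.create_access_key(UserName=user)["AccessKey"]
    if not deploy_and_verify(new["AccessKeyId"], new["SecretAccessKey"]):
        # Roll back: the new key never reached production, so drop it and keep the old one.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("application did not confirm the new key; old key left active")

    # Deactivate before deleting: an inactive key can be re-enabled if something
    # still turns out to use it; a deleted key cannot be recovered.
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)
    return new["AccessKeyId"]


if __name__ == "__main__":
    iam = FakeIAM({"AKIAOLD0000000001": datetime(2023, 9, 1, tzinfo=timezone.utc)})
    now = datetime(2024, 1, 7, tzinfo=timezone.utc)
    print(stale_keys(iam.list_access_keys(UserName="john.doe")["AccessKeyMetadata"], now))
    print(rotate_access_key(iam, "john.doe", lambda key_id, secret: True))
```

Against a real account the `FakeIAM` instance would be replaced by `boto3.client("iam")`, and the verification hook would typically wait for the application's health check after the new credential is deployed rather than returning immediately.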

Monitoring and Compliance

Audit and Logging

CloudWatch dashboard for IAM monitoring:

```yaml
Resources:
  IAMDashboard:
    Type: 'AWS::CloudWatch::Dashboard'
    Properties:
      DashboardName: IAMMonitoring
      DashboardBody: !Sub |
        {
          "widgets": [
            {
              "type": "metric",
              "properties": {
                "metrics": [
                  ["AWS/IAM", "AuthorizationSuccessCount"],
                  [".", "AuthorizationFailureCount"],
                  [".", "ConsoleSignInFailures"]
                ],
                "period": 300,
                "stat": "Sum",
                "region": "${AWS::Region}",
                "title": "IAM Authorization Metrics"
              }
            }
          ]
        }
```
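A dashboard shows aggregate counts; the signals behind them live in CloudTrail records. As an added example for this section (not the article's code and not an AWS library), the function below runs over a handful of constructed CloudTrail records and raises the three findings an IAM reviewer usually wants first: repeated console sign-in failures for one user, a successful console sign-in without MFA, and any activity by the root user. The record fields used (`eventName`, `userIdentity`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`, `sourceIPAddress`) are standard CloudTrail fields; the user names, times and IP addresses are constructed.

```python
# Constructed CloudTrail records (trimmed to the fields the triage uses).
EVENTS = [
    {"eventTime": "2024-01-07T09:00:01Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "john.doe"},
     "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "192.0.2.10"},
    {"eventTime": "2024-01-07T09:00:09Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "john.doe"},
     "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "192.0.2.10"},
    {"eventTime": "2024-01-07T09:00:17Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "john.doe"},
     "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "192.0.2.10"},
    {"eventTime": "2024-01-07T09:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.4"},
    {"eventTime": "2024-01-07T09:10:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2024-01-07T09:12:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.7"},
]


def triage(events, failure_threshold=3):
    """Return findings as (kind, subject, detail) tuples, in the order they are detected.

    Kinds: console_login_without_mfa (subject=user, detail=source IP),
           root_activity (subject=eventName, detail=source IP),
           repeated_login_failures (subject=user, detail=failure count), appended last."""
    findings = []
    failures = {}
    for e in events:
        ident = e.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type")
        if e["eventName"] == "ConsoleLogin":
            outcome = e.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failures[who] = failures.get(who, 0) + 1
            elif outcome == "Success" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
                findings.append(("console_login_without_mfa", who, e["sourceIPAddress"]))
        # Any root activity is worth a finding; day-to-day work should go through IAM
        # users or roles, and root should only appear for the few tasks that need it.
        if ident.get("type") == "Root":
            findings.append(("root_activity", e["eventName"], e["sourceIPAddress"]))
    for who, count in failures.items():
        if count >= failure_threshold:
            findings.append(("repeated_login_failures", who, count))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

In production the same function would be fed from a CloudTrail S3 export or a CloudWatch Logs subscription, and the threshold would be tuned per environment; the point of the example is that each finding maps to a concrete log field rather than to a dashboard line.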

Access Analyzer

Access Analyzer findings workflow:

```mermaid
graph TD
    A[Access Analyzer] -->|Analyzes| B[Resource Policies]
    B -->|Generates| C[Findings]
    C -->|Review| D{Action Required?}
    D -->|Yes| E[Update Policy]
    D -->|No| F[Archive Finding]
    E -->|Verify| G[Reanalyze]
    G -->|Clear| H[Close Finding]
```

Common Use Cases

Cross-Account Access

Cross-account access pattern:

```mermaid
sequenceDiagram
    participant User
    participant Account A
    participant STS
    participant Account B
    User->>Account A: Authenticate
    Account A->>STS: AssumeRole
    STS-->>Account A: Temporary Credentials
    Account A->>Account B: Access Resources
```
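Both the Access Analyzer workflow above and this cross-account pattern come down to one question about a resource-based policy or a role trust policy: who outside the account is being granted access, and is that grant conditional? The following is an added example for the article, written in the spirit of an Access Analyzer finding but not using the AWS service or any AWS library. It classifies each `Allow` statement's principal as public, external (an account outside a trusted set) or trusted, and notes whether a `Condition` narrows the grant. The two policies it analyses are constructed: a bucket policy modelled on the cross-account example earlier in the article, and an Account B trust policy; the account ids 111122223333 and 444455556666 are placeholders.

```python
import re

ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed bucket policy: the article's cross-account statement plus two others.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCrossAccountAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::shared-resources-bucket/*",
                      "arn:aws:s3:::shared-resources-bucket"]},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-resources-bucket/*"},
        {"Sid": "OrgAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-resources-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
}

# Constructed trust policy for a role in Account B (the diagram's target account).
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TrustAccountA", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/Deployer"},
         "Action": "sts:AssumeRole"},
        {"Sid": "TrustAnyone", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "sts:AssumeRole"},
    ],
}


def _principal_entries(principal):
    """Yield (kind, value) pairs from a Principal element in any of its JSON shapes."""
    if principal == "*":
        yield ("AWS", "*")
        return
    for kind, values in principal.items():
        for value in ([values] if isinstance(values, str) else values):
            yield (kind, value)


def classify_principal(kind, value, trusted_accounts):
    """'service', 'federated', 'public', 'trusted', 'external' or 'unknown'."""
    if kind == "Service":
        return "service"
    if kind == "Federated":
        return "federated"
    if value == "*":
        return "public"
    match = ACCOUNT_RE.match(value)
    if match:
        account = match.group(1)
    elif value.isdigit() and len(value) == 12:  # bare account id form
        account = value
    else:
        return "unknown"  # e.g. CanonicalUser
    return "trusted" if account in trusted_accounts else "external"


def analyze(policy, trusted_accounts):
    """Findings for Allow statements that grant access to public or external principals.
    Deny statements and statements without a Principal (identity policies) grant nothing
    to outsiders and are skipped."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for kind, value in _principal_entries(stmt["Principal"]):
            access = classify_principal(kind, value, trusted_accounts)
            if access in ("public", "external"):
                findings.append({"Sid": stmt.get("Sid", ""), "principal": value,
                                 "access": access, "conditional": "Condition" in stmt})
    return findings


if __name__ == "__main__":
    trusted = {"111122223333"}  # Account A, the only account meant to reach these resources
    for finding in analyze(BUCKET_POLICY, trusted) + analyze(ROLE_TRUST_POLICY, trusted):
        print(finding)
```

Running it flags `PublicRead` (anyone, unconditional), `OrgAccess` (an account outside the trusted set, though narrowed by `aws:PrincipalOrgID`) and `TrustAnyone` (a role any AWS principal could attempt to assume), while the intended Account A grants produce no finding. A `conditional: True` finding is the one to read carefully rather than close automatically, since the condition may or may not be restrictive enough.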

Application Access Management

Example of an application IAM configuration (the role is assumable by both ECS tasks and Lambda; in production, scope the `Resource` of the inline policy to the specific tables and buckets rather than `'*'`):

```yaml
Resources:
  ApplicationRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: ApplicationServiceRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ApplicationPermissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:Query
                  - dynamodb:GetItem
                  - s3:GetObject
                Resource: '*'
```

Temporary Access Management

Temporary access workflow:

```mermaid
stateDiagram-v2
    [*] --> RequestSubmitted
    RequestSubmitted --> Approved
    RequestSubmitted --> Rejected
    Approved --> AccessGranted
    AccessGranted --> AccessExpired
    AccessExpired --> [*]
    Rejected --> [*]
```