AWS IAM


Identity and Access Management (AWS IAM) is one of the first services you are introduced to when learning about AWS. IAM is global, so there is no need to worry about regions, and it is used to ensure users are only allowed access to the services they actually require. Everyone shouldn’t have access to everything.


AWS IAM Jargon

Users

Exactly what you think of when you think of users in the real world: a person who uses any of the services is a user. If you are setting up your own AWS account you will begin with the root user. Your first step should be creating a new user and not using the root user for day-to-day activities.

Users can have any combination of credentials:

Default limits:


Groups

A collection of users. Just like in the real world, this could be a group of marketing users who need access to campaign data, finance users who need more sensitive data, or customer service users who need customer data.

Default limits:


Roles

This is what defines the set of permissions your users and services have. This is where you decide whether the ‘marketing’ role needs to be able to read/write to an S3 bucket, read/write to the RDS, and nothing else.

Default limits:


Policies

These can be created through the AWS Console using the predefined policy documents, or defined case by case in JSON when you can’t get what you need through the predefined policies.

Default limit of:



Building a Policy

Policies can be created either using the UI or by writing JSON that describes exactly what you need.

If you choose to write your policy in JSON, or to fine-tune it that way, AWS has a tool that makes this simpler. Even if you do not use it, it can be a useful way to illustrate what goes into a policy.

There are three parts to the policy at its most basic level:

Version

The current version of the policy language.

Action

In this case, to create and delete buckets.

Effect

In this case ‘Allow’. The default is ‘Deny’, in the same way that users have no permissions by default when they are created.

Resource

The syntax here identifies the ARN, or Amazon Resource Name, the statement applies to. In this case ‘my_new_bucket’ in S3.
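As an added example (not code from the original post), here is the bucket policy described above built as a Python dict and serialised to the JSON document IAM expects, together with a deliberately simplified evaluator that shows the default-deny behaviour the Effect section describes. The bucket name `my_new_bucket` comes from the post; the evaluator is an approximation of IAM’s logic for a single identity policy, not the real service.

```python
import fnmatch
import json

# Added example (not from the original post): the post's bucket policy as a
# dict, plus a simplified evaluator demonstrating implicit (default) deny.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:CreateBucket", "s3:DeleteBucket"],
            # S3 bucket ARNs carry no region or account id, hence the ":::".
            "Resource": "arn:aws:s3:::my_new_bucket",
        }
    ],
}

def policy_json(policy):
    """Serialise the dict to the JSON document you would paste into IAM."""
    return json.dumps(policy, indent=2)

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, value, case_insensitive):
    # IAM uses * and ? wildcards; fnmatch is an approximation (it also
    # interprets [...] which IAM does not). Action names are matched
    # case-insensitively, resource ARNs case-sensitively.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Simplified evaluation of one identity policy: everything is implicitly
    denied; an explicit Deny wins over any Allow; otherwise the request is
    allowed only if some Allow statement matches both action and resource."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
               and any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", []))))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    print(policy_json(BUCKET_POLICY))
    print(is_allowed(BUCKET_POLICY, "s3:CreateBucket", "arn:aws:s3:::my_new_bucket"))  # True
    print(is_allowed(BUCKET_POLICY, "s3:PutObject", "arn:aws:s3:::my_new_bucket/f"))  # False
```

Note that `s3:PutObject` is refused even though no statement mentions it: that is the implicit deny the post refers to, and an explicit `Deny` statement would override the `Allow` regardless of ordering.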



Troubleshooting


Useful Links

AWS IAM Documentation
FAQ
Policy Builder
JSON Reference Guide
Testing Policies Documentation
Policy Test Simulator



March 16, 2019

Bitnami