Introduction
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.
Key features of IAM
- Granular Permissions: Define fine-grained access control to AWS resources.
- Multi-Factor Authentication (MFA): Add an extra layer of security.
- Identity Federation: Integrate with existing corporate directories.
- Access Analyzer: Identify resources shared with external entities.
- Temporary Security Credentials: Grant temporary access to resources.
AWS IAM Policy
- AWS Managed Policies
- Customer-Managed Policies
- Multi-Factor Authentication (MFA)
- Granular Control Using Policies
- Identity Federation
Types of IAM Policies
- Managed Policies
- AWS Managed Policies
- Customer Managed Policies
- Inline Policies
- Resource-Based Policies
- Permission Boundaries
- Service Control Policies (SCPs)
- Organizations SCPs (service control policy)
- Organizations RCPs (resource control policy)
- Access control lists (ACLs)
Grant least privilege
When you create IAM policies, follow the standard security advice of granting the least privilege or granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks.
Understand access level groupings
| Service |
Access level |
This policy provides the following |
| IAM |
Full access |
Access to all actions within the IAM service. |
| CloudWatch |
Full: List |
Access to all CloudWatch actions in the List access level, but no access to actions with the Read, Write, or Permissions management access level classification. |
| Data Pipeline |
Limited: List, Read |
Access to at least one but not all AWS Data Pipeline actions in the List and Read access level, but not the Write or Permissions management actions. |
| EC2 |
Full: List, Read Limited: Write |
Access to all Amazon EC2 List and Read actions and access to at least one but not all Amazon EC2 Write actions, but no access to actions with the Permissions management access level classification. |
| S3 |
Limited: Read, Write, Permissions management |
Access to at least one but not all Amazon S3 Read, Write, and Permissions management actions. |
Types of IAM roles
- Service roles
- Cross-account access roles
- Web identity roles
- SAML 2.0 federation roles
- Custom roles
IAM User Permissions
| Permission Level |
Description |
| Administrator Access |
Full access to all AWS services and resources. |
| Read-Only Access |
Can view resources but cannot create, modify, or delete them. |
| Power User Access |
Full access to most AWS services but cannot manage IAM users or groups. |
| Billing Access |
Access to view and manage AWS billing and cost management. |
| Custom Permissions |
Granular access to specific services, actions, or resources based on policies. |
IAM Group Permissions
| Permission Level |
Description |
| Administrator Group |
Users in this group have full access to all AWS services and resources. |
| Read-Only Group |
Users can only view resources but cannot make changes. |
| Power User Group |
Users have full access to most services but cannot manage IAM users or groups. |
| Billing Group |
Users can manage billing and cost-related tasks. |
| Custom Group |
Users have permissions defined by custom policies attached to the group. |
Access Levels
| Access Level |
Description |
| Full Access |
Unrestricted access to all actions and resources within a service. |
| Read-Only Access |
Ability to view resources but not modify or delete them. |
| Write Access |
Ability to create, modify, or delete resources. |
| List Access |
Ability to list resources but not view details or modify them. |
| No Access |
No permissions to access the service or resource. |
AWS IAM Power User vs Azure Contributor Role
| Feature |
AWS IAM Power User |
Azure Contributor Role |
| Scope |
AWS services and resources. |
Azure resources within a subscription or resource group. |
| Resource Management |
Full access to most AWS services. |
Full access to Azure resources. |
| IAM/Role Management |
Cannot manage IAM users, groups, or policies. |
Cannot manage role assignments or permissions. |
| Billing/Account Access |
No access to billing or account settings. |
No access to subscription-level settings. |
| Use Case |
Developers/power users in AWS. |
Resource managers in Azure. |
Conclusion
One effective technique for controlling access to AWS resources is AWS IAM. By understanding and utilizing its features, such as granular permissions, MFA, and identity federation, you can ensure that your AWS environment is both secure and efficient. Always follow the principle of least privilege to minimize security risks and tailor permissions to the specific needs of your users and roles.