Getting Started with AWS Identity and Access Management (IAM)
Identity and Access Management is one of the major components of the Triads of AWS Cloud Security. AWS is a vast collection of over 200 Web Services. And these Web Services are interacted with using API calls. Identity and Access Management provides the means to Authenticate, Secure and Authorize these API calls.
These API calls are either made by Users or other Digital Entities (other Applications or AWS Resources themselves). And Identity and Access Management help authenticate and authorize them all.
Users are human entities that access AWS Resources based on what permissions they possess. New users have np permissions by default hence everything is implicitly denied.
Users can have two modes of access:
- Console Acess
- Programmatic Access
IAM User Groups is a way of combining Users so that they can be managed centrally. Permissions are attached to the whole group. A maximum of ten policies can be attached to a user. Hence groups are also used to attach more policies by grouping policies. That way User Groups are also used to group policies as well.
Roles are a way to authenticate digital or non-human entities that include:
- Digital processes (API calls made by AWS Resources)
- Cross account access
- Federated Users
In order to provide access to these entities, policies are attached to these roles. Roles never work unless they are assumed by some entity.
After the actors are authenticated second part comes where their scope of access is defined. Policies are written in JSON and they decide what kind of API call a Principal is allowed to make on a particular resource. Policies never work unless they are attached to some other identity.
Types of IAM Policies
IAM Policies can be categorized into two types based on Actors:
- Identity-based Policies: Describes what an identity (users, groups and roles) has access to.
- Permission Boundary: Describes the maximum amount of access an Identity-based Policy can provide to an identity. Access of an entity to a resource is decided if allowed by both Identity-based Policy and Permission boundary.
- Resource-based Policies: Describes who has access to a specific resource.
A further classification of Identity-based Policies include two types:
- AWS Managed Policies: These policies are pre-designed by AWS and just need to be attached to users.
- Customer Managed Policies: Customer Managed Policies are a customer-specific combination of permission sets and they can be attached to any entity(users, groups and roles).
- Inline Policies: Inline Policies are also a kind of customer-managed policy but they are limited to the scope of a specific user or role.