Identity and Access management
IAM = Identity and Access management #
IAM is a global AWS service.
Groups only contain users, NOT other groups.
Users don’t have to belong to a group, and a user can belong to multiple groups.
Users or Groups can be assigned JSON documents called policies. Those policies define the permissions of the users / groups.
In AWS you apply the least privilege principle: don’t give a user more permissions than they need.
Creating user in AWS CLI #
IAM console > Users
Create user #
Create group “admin” #
IAM policies structure #
IAM policies structure includes:
- Version: policy version
- ID (Optional): identifier
- Statement: one or more statements (required)
- SID: identifier (optional)
- Effect: Allow or Deny
- Principal: account / user / role to which the policy applies
- Action: list of allowed or denied actions
- Resource: list of resources to which the action applies
- Condition: conditions for when the policy is applied (optional)
MFA #
Accessing AWS #
- AWS Management Console - protected by password + MFA
- AWS Command Line (CLI) - protected by access keys
- AWS Software Development Kit (SDK) - for code - protected by access keys
Access Keys can be generated through AWS Console. Users manage their own access keys. #
Access Key ID = username
Secret Access Key = password
Creating Access Key #
IAM > Users > Username > Security Credentials > Access Keys > Create Access Key > Command Line Interface (CLI)
Configuring AWS CLI with the new access key #
```sh
# Configure AWS CLI
aws configure
# Test
aws iam list-users
```
IAM roles for Services #
- Some AWS services will need to perform actions on your behalf
- Those AWS services get the permissions they need through IAM Roles assigned to them
Common Roles for Services:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation
Create AWS Service Role #
IAM > Roles > Create role > AWS service
Add permissions:
IAM Security Tools #
IAM Credentials Report (account-level) #
- Report that lists all users and the status of their credentials
IAM > Credentials Report
IAM Access Advisor (user-level) #
- Access Advisor shows the service permissions granted to a user and when those services were last accessed
IAM > Users > Username > Last Accessed
IAM Access Advisor (Last Accessed) can be used to determine which services a user actually accesses and to adjust his / her permissions in line with the “Least Privilege Principle”.
IAM Best Practices #
- Don’t use root account
- One physical user = One AWS user
- Assign users to groups and assign permissions (policies) to groups
- Create a strong password policy
- Use and enforce MFA
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic access (CLI / SDK)
- Audit permissions using IAM Credentials Report and IAM Access Advisor
- Never share IAM users & Access Keys
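The IAM Credentials Report described above is the raw input for several of these best practices (enforce MFA, rotate keys, deactivate what is unused). The following added example, not part of the original notes or any AWS tooling, audits a report offline: the CSV is a constructed sample using a subset of the real report's column names, and the audit date `AUDIT_TIME` is fixed so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of an IAM credential report (a subset
# of the real report's columns; not data from any real account).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,not_supported,2025-05-01T09:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,true,2025-05-20T08:00:00+00:00,true,true,2025-05-01T00:00:00+00:00,2025-05-19T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,true,2024-01-05T00:00:00+00:00,false,true,2023-06-15T00:00:00+00:00,2024-11-30T00:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,no_information,false,true,2024-09-01T00:00:00+00:00,2025-05-21T00:00:00+00:00,true,2025-03-01T00:00:00+00:00,N/A
"""

# Fixed "now" for the audit (constructed, so the sample gives stable results).
AUDIT_TIME = datetime.fromisoformat("2025-05-22T00:00:00+00:00")

def _parse_ts(value):
    """ISO-8601 report field -> datetime; None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now, max_age_days=90):
    """Map each user to the list of best-practice findings for that user."""
    stale = timedelta(days=max_age_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        is_root = row["user"] == "<root_account>"
        # Console access (root always has it) must be protected by MFA.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            issues.append("console access without MFA")
        last_login = _parse_ts(row["password_last_used"])
        if row["password_enabled"] == "true" and (last_login is None or now - last_login > stale):
            issues.append(f"console password unused for > {max_age_days} days")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                issues.append(f"access key {n} active on the root account")
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > stale:
                issues.append(f"access key {n} not rotated in > {max_age_days} days")
            used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if used is None or now - used > stale:
                issues.append(f"access key {n} unused for > {max_age_days} days (deactivate it)")
        if issues:
            findings[row["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT, AUDIT_TIME).items():
        print(user, "->", "; ".join(issues))
```

A real report is downloaded from IAM > Credentials Report (or `aws iam get-credential-report`, whose content is base64-encoded CSV) and can be passed to the same function.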
Shared Responsibility Model for IAM #
AWS | Organization
---|---
Infrastructure (global network security) | Users, Groups, Roles, Policies management and monitoring
Configuration and vulnerability analysis | Enabling MFA on all accounts
Compliance validation | Rotating keys
 | Using IAM tools to apply appropriate permissions
 | Analyze access patterns and review permissions
» Sources « #
- AWS Global Infrastructure: AWS Global Infrastructure
- Shared Responsibility Model: Shared Responsibility Model - Amazon Web Services (AWS)
Full YouTube Rahul’s AWS Course: https://www.youtube.com/playlist?list=PL7iMyoQPMtAN4xl6oWzafqJebfay7K8KP
» References « #
» Disclaimer « #
Disclaimer: Content for educational purposes only, no rights reserved.
Most of the content in this series is coming from Stephane Maarek’s Ultimate AWS Certified Cloud Practitioner CLF-C02 2025 course on Udemy.
I highly encourage you to take Stephane’s courses as they are awesome and really help with understanding the subject.
More about Stephane Maarek:
This article is just a summary and has been published to help me learn and pass the practitioner exam.