
AWS IAM - 01

inner peace

This is my self-note regarding AWS IAM, and I am really happy to share it with you. Feel free to add your thoughts in the comment section.

IAM means Identity and Access Management. It is the place where we manage users, groups, roles and policies.

A policy is a JSON document that states which actions are allowed or denied for the user it is attached to. As an example policy, please consider the one below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
      "Resource": "arn:aws:ec2:region:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/purpose": "test"
        }
      }
    }
  ]
}

Any policy statement can be described by these four parts:

Effect: Whether this statement grants the permission (Allow) or denies it (Deny).

Action: What the policyholder is allowed (or denied) to do, as a list of service API actions (in the example, attaching and detaching EC2 volumes).

Resource: Which resources the action applies to, identified by ARN (in the example, every EC2 instance in the given region and account; for other services it could be a specific resource name, such as an S3 bucket).

Condition: Any extra conditions the request must satisfy before the statement applies. In the example the target instance must carry the tag purpose=test; another common condition is that the policyholder must make the request from a specific IP address.

When a user makes a request to any service, all the policies attached to that user are evaluated together, and the result is decided in the following order of precedence:

Explicit Deny > Explicit Allow > Implicit Deny

In other words, a Deny statement that matches the request always wins; otherwise a matching Allow statement permits it; and if no statement matches at all, the request is denied by default (the implicit deny).

One user can have multiple policies.

Then we can create a User Group. For example, we can create an Administrator group and attach the policy to that group. Whoever is added to that group automatically inherits the group's policies.

The best practice, I think, is to manage users by assigning them to user groups. If you want to temporarily block access for some users, for example if one of your developers is going on vacation, just add that user to a group whose policy denies access. Because an explicit Deny overrides any Allow the user still gets from their other groups, this blocks them without having to detach anything.

Another point I need to make here: there are 2 kinds of access to AWS.

  1. Using the AWS web console (username and password)
  2. Programmatic access using an access key pair, that is, an access key ID and secret access key (here we need to create a new access key for the user or assign an existing one)

Also, it is best practice to enforce multi-factor authentication (MFA) for AWS console access.
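To make the evaluation order (Explicit Deny > Explicit Allow > Implicit Deny), the "vacation" deny-group trick and the MFA best practice concrete, here is a small added example of my own; it is not AWS's real policy engine and is not code from the original post. It evaluates the example policy from above, together with two extra policies I made up for illustration (a deny-everything group policy and a deny-unless-MFA policy), against a constructed request context. Only the StringEquals, Bool and BoolIfExists condition operators and `*` wildcards are supported; the request context values and the instance ARN are invented.

```python
"""Toy IAM policy evaluator (illustration only, not the real AWS engine)."""
import fnmatch

# The example policy from the post: allow attaching/detaching volumes on
# instances tagged purpose=test.
INSTANCE_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
        "Resource": "arn:aws:ec2:region:111122223333:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/purpose": "test"}},
    }],
}

# Hypothetical policy for a "vacation" group: explicit Deny on everything.
VACATION_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

# Hypothetical policy that denies every request not made with MFA. The
# aws:MultiFactorAuthPresent key is absent for access-key requests, so the
# IfExists variant treats a missing key as "no MFA" and still denies.
MFA_REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """True if the action or resource matches any pattern ('*' is a wildcard)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Check every condition operator/key against the request context."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue          # missing key counts as satisfied
                return False          # plain operators need the key present
            actual = str(context[key])
            wanted = [str(e) for e in _as_list(expected)]
            if base == "StringEquals":
                ok = actual in wanted
            elif base == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            else:
                raise NotImplementedError(f"operator {operator} not supported")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Implements the precedence from the post: a matching explicit Deny wins
    immediately, a matching Allow permits, nothing matching is an implicit deny.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request: a developer attaching a volume to a test instance.
    instance = "arn:aws:ec2:region:111122223333:instance/i-0123456789abcdef0"
    ctx = {"ec2:ResourceTag/purpose": "test", "aws:MultiFactorAuthPresent": "true"}
    print(evaluate([INSTANCE_TAG_POLICY], "ec2:AttachVolume", instance, ctx))
    print(evaluate([INSTANCE_TAG_POLICY, VACATION_DENY_POLICY], "ec2:AttachVolume", instance, ctx))
    print(evaluate([INSTANCE_TAG_POLICY, MFA_REQUIRED_POLICY], "ec2:AttachVolume", instance, {}))
```

Running it prints Allow, Deny, Deny: the tagged instance is allowed, adding the vacation group's policy flips the same request to Deny without touching the original policy, and dropping the MFA flag from the context (as a plain access-key request would) makes the MFA policy deny it too.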

If you have anything to ask regarding this, please leave a comment here. Also, I wrote this according to my own understanding, so if any point is wrong, don't hesitate to correct me. I really appreciate it.

That's all for today, friends. See you soon. Thank you.
