Amazon Web Services
What is IAM?
IAM stands for Identity and Access Management. AWS IAM is a global service for creating and managing users, groups, roles, and policies that control access to AWS resources.
We use IAM to control who can use our AWS resources (authentication) and which resources they can use and in what ways (authorization).
Elements of IAM
To manage real-world organizational users and their permissions according to their roles and responsibilities, it is important to understand a few core IAM terms.
The following list introduces these terms; each is covered in more detail later:
A user is a person or a piece of software that needs access to AWS resources to perform its designated function. A user authenticates either with a username and password (console access) or with an access key and secret key (programmatic access).
The access key ID is a 20-character alphanumeric string that acts as the user identifier.
The secret access key is a 40-character string that acts as the password. The two are used together for API, SDK, and CLI authentication.
A password policy defines the complexity requirements and the mandatory rotation period for IAM user passwords.
Multi-Factor Authentication (MFA) is an additional layer of protection for user authentication that requires users to enter a six-digit one-time code from an MFA device on top of the username and password.
A group is a collection of IAM users; policies attached to the group apply to every member.
A role is an IAM entity with one or more IAM policies attached that define resource permissions. A role has no long-term credentials of its own; whoever assumes it receives temporary credentials and may perform only the operations its policies allow.
A policy is a JSON document that states one or more permissions in the IAM policy grammar.
Let us now look at each of these terms in more detail and at why they matter.
Importance of IAM
IAM users can be created for any organizational entity, whether an actual end-user (a person) or a piece of software. Depending on their roles and responsibilities in the organization, these users need access to AWS resources to perform their day-to-day functions.
Typically a human user authenticates with a username and password, while programmatic access (SDKs and the CLI, i.e. applications) authenticates with an access key and secret key. Human users can also use an access key and secret key, configured on an EC2 instance or a physical computer, to run AWS CLI commands.
It is best practice to identify each organizational entity and create a corresponding IAM user with credentials for it. Every user, whether an individual or a piece of software, must present valid credentials; only after successful authentication can it access AWS resources through the console, the API, the CLI, or any other AWS service.
The following figure shows a logical representation of organizational users:
Assume that Rohan is a system administrator, Rohit a network administrator, and Mohit a database administrator. Good practice is to grant each user only the minimum privileges their role requires. A system administrator may need access to all of the infrastructure, a network administrator to all network services and resources, and a database administrator only to databases.
Software such as ERP and payroll systems also needs access to AWS resources; for example, an application hosted on EC2 may need to reach a database hosted on RDS. Such an application can be given its own IAM user with an access key and secret key.
Permissions can also be granted to software through an IAM role; for an application running on EC2 this is the preferred option, because no long-term key has to be stored on the instance. The next sections show how authentication works with roles.
An access key and secret key are not created for every user, only for those who need to reach AWS through the API, SDKs, or CLI. The console is accessed with a username and password.
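The Rohan, Rohit and Mohit scenario above relies on policies that say exactly what each role may do. The following is an added example, not code from the original page or from AWS: a small model of how IAM combines the statements of a JSON policy, applied to a hypothetical policy for Mohit, the database administrator. It ignores Condition, NotAction/NotResource, permission boundaries and resource-based policies; the three rules it does implement (explicit Deny always wins, an Allow grants, anything unmatched is implicitly denied) are how IAM evaluates identity-based policies.

```python
"""Minimal model of IAM policy evaluation: explicit Deny wins, Allow grants,
and an unmatched request is implicitly denied. Added example, not AWS's own
evaluation engine (no Condition, NotAction/NotResource or boundaries)."""
import json
import re

# Hypothetical policy for Mohit, the database administrator in the text:
# everything in RDS, except deleting instances or clusters.
DBA_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["rds:DeleteDBInstance", "rds:DeleteDBCluster"],
     "Resource": "*"}
  ]
}
""")


def _matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decide one request: 'Deny' (explicit), 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; ARNs are compared as written.
        action_hit = any(_matches(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny is final, whatever else allows
        decision = "Allow"
    return decision


if __name__ == "__main__":
    db = "arn:aws:rds:us-east-1:123456789012:db:orders"
    for act in ("rds:DescribeDBInstances", "rds:DeleteDBInstance", "ec2:RunInstances"):
        print(f"{act:28} -> {evaluate(DBA_POLICY, act, db)}")
```

The Deny statement is what makes least privilege robust here: even if Mohit is later added to a group whose policy allows `rds:*`, the explicit Deny on deletion still applies, while an EC2 action he was never granted stays implicitly denied.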
Access key and secret key
An access key and a secret key come as a pair: the access key ID is a 20-character string and the secret key a 40-character string, and the two work together for authentication.
They are used by the AWS SDKs, the CLI, and the REST and Query APIs. As the name implies, the secret key must be kept secret and protected. It is good practice never to hard-code an access key and secret key in source code; if they are hard-coded and not removed before an AMI or EBS snapshot is shared with others, they pose a security risk.
An access key pair is created once, either at user creation time or later on demand. At creation, AWS offers to download the pair as a CSV file.
Once created, the pair must be downloaded and stored securely: AWS does not provide any way to retrieve the secret key afterwards. If a secret key is lost, the remedy is to delete the old key and generate a new one, after which every application that used the old pair must be reconfigured with the new one. At most two access key pairs can be associated with an IAM user.
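The two-key limit just mentioned is exactly what makes rotation possible without downtime: create the second key, move the application to it, and only then retire the first. The following is an added example, not code from the original page or from AWS. It expects `client` to expose the boto3 IAM client methods `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key` with their real keyword arguments; `FakeIAM` is a constructed in-memory stand-in so the procedure runs offline (with boto3 installed, `boto3.client("iam")` would be passed instead). The user name `payroll-app` and the `install_new_key` callback are assumptions for the example.

```python
"""Rotate an IAM user's access key pair without an outage, honouring the
two-keys-per-user limit. Added example: `client` must provide the boto3 IAM
client methods list_access_keys / create_access_key / update_access_key /
delete_access_key. FakeIAM is a constructed stand-in so this runs offline."""


def rotate_access_key(client, user: str, install_new_key) -> dict:
    """Create a new key, hand it to the application via install_new_key(),
    then deactivate (not delete) the old one so it can be re-enabled if
    something still depends on it. Fails early if the user already has two
    keys: IAM allows at most two per user, so create_access_key would fail."""
    keys = client.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) >= 2:
        raise RuntimeError(f"{user} already has two access keys; retire one first")
    old_ids = [k["AccessKeyId"] for k in keys]

    new = client.create_access_key(UserName=user)["AccessKey"]
    # The secret is returned only by this call and can never be fetched again.
    install_new_key(new["AccessKeyId"], new["SecretAccessKey"])

    for old in old_ids:
        client.update_access_key(UserName=user, AccessKeyId=old, Status="Inactive")
    return {"new": new["AccessKeyId"], "deactivated": old_ids}


def retire_inactive_keys(client, user: str) -> list[str]:
    """Second step, run after a grace period: delete keys already Inactive."""
    deleted = []
    for k in client.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if k["Status"] == "Inactive":
            client.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
            deleted.append(k["AccessKeyId"])
    return deleted


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client (same method names/args)."""

    def __init__(self):
        self.keys = {}  # AccessKeyId -> {"UserName": ..., "Status": ...}
        self._counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": kid, "Status": v["Status"]}
            for kid, v in self.keys.items() if v["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if len(self.list_access_keys(UserName)["AccessKeyMetadata"]) >= 2:
            raise Exception("LimitExceeded: Cannot exceed quota for AccessKeysPerUser: 2")
        self._counter += 1
        kid = f"AKIAFAKE{self._counter:012d}"  # 20 characters, like a real key ID
        self.keys[kid] = {"UserName": UserName, "Status": "Active"}
        return {"AccessKey": {"AccessKeyId": kid, "SecretAccessKey": "fake-secret-" + kid,
                              "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


if __name__ == "__main__":
    iam = FakeIAM()
    first = iam.create_access_key(UserName="payroll-app")["AccessKey"]["AccessKeyId"]
    result = rotate_access_key(iam, "payroll-app",
                               lambda kid, secret: print(f"installed {kid} in the app config"))
    print(result)                                    # old key is now Inactive
    print(retire_inactive_keys(iam, "payroll-app"))  # deletes the old key
```

Deactivating first and deleting later matters because a deleted key cannot be brought back, whereas an Inactive key can be set back to Active in one call if an overlooked consumer breaks.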
Password policy
A password policy defines the complexity requirements and the mandatory rotation period for IAM user passwords.
When creating an IAM user, an IAM administrator can set a reasonably strong initial password on the user's behalf and require the user to change it at first login.
The password policy is configured under Account settings in the IAM dashboard. Depending on the organization's compliance requirements, complexity is set by selecting one or more of the options shown in the following figure.
Note that the password policy affects only user passwords; it has no effect on access keys and secret keys.
A user's password therefore expires after the configured number of days, but access keys never expire. When a password expires the user can no longer log in to the AWS console, yet API calls with the access key and secret key keep working.
A change to the password policy applies immediately to new users; for existing users it takes effect only when they next change their password.
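Because the password policy never touches access keys, old keys have to be found by other means. The following added example (not code from the original page or from AWS) reads the IAM credential report, the CSV that `aws iam get-credential-report` returns base64-encoded in its `Content` field, and flags active access keys older than a rotation window as well as console users without MFA. The report below is constructed for the example; only the column names are the real ones.

```python
"""Audit credentials the password policy cannot expire. Added example, not an
AWS tool: it parses the IAM credential report CSV and reports active access
keys older than a rotation window plus console users without MFA. The report
below is constructed; only the column names match the real report."""
import csv
import io
from datetime import datetime, timezone

REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
rohan,arn:aws:iam::123456789012:user/rohan,2023-01-10T09:00:00+00:00,true,2024-05-01T08:12:00+00:00,2024-03-01T10:00:00+00:00,2024-05-30T10:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
mohit,arn:aws:iam::123456789012:user/mohit,2023-01-10T09:05:00+00:00,true,2024-04-28T11:30:00+00:00,2024-04-20T10:00:00+00:00,2024-07-19T10:00:00+00:00,false,true,2023-02-01T10:00:00+00:00,2024-05-01T07:00:00+00:00,us-east-1,rds,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
payroll-app,arn:aws:iam::123456789012:user/payroll-app,2023-03-15T12:00:00+00:00,false,not_supported,not_supported,not_supported,false,true,2024-04-10T10:00:00+00:00,2024-05-01T06:00:00+00:00,us-east-1,s3,true,2023-06-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Values the report uses instead of a timestamp.
NONE_VALUES = {"N/A", "not_supported", "no_information"}


def _when(value: str):
    return None if value in NONE_VALUES else datetime.fromisoformat(value)


def audit(report_csv: str, now_iso: str, max_key_age_days: int = 90) -> list[str]:
    """Return one finding per problem, in report order."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console users are protected by the password policy, but only MFA
        # protects them from a stolen password.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
        # Each user can hold two keys; the policy expires neither of them.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = (now - _when(row[f"access_key_{n}_last_rotated"])).days
            if age > max_key_age_days:
                findings.append(f"{user}: access key {n} is {age} days old "
                                "and will never expire on its own")
    return findings


if __name__ == "__main__":
    for line in audit(REPORT, datetime.now(timezone.utc).isoformat()):
        print(line)
```

Run against a real report, this is the check that backs a key-rotation policy: the password policy handles the console side automatically, while stale keys only go away when someone rotates them.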