AWS - Identity Access Management

Introduction

AWS Identity and Access Management, commonly known as AWS IAM, is a service that allows you to control who can access your AWS services and what actions they can perform.

Simple Example:
Imagine you own a mobile phone. You have full control over who can access it and at what level. For instance:

• Some people can only view your phone (e.g., notifications or the screen lock).

• Others might have deeper access, like viewing your photos or contacts.

Similarly, AWS IAM helps you define who can access your AWS resources and sets permissions at the required levels to ensure security.

IAM Users

An IAM User is an individual identity you create within your AWS account for a specific person or application that needs access to AWS services.
For example:
If someone needs access to manage an EC2 instance, you can create a user for them and attach the required IAM Policy that defines their permissions.

IAM Policy

An IAM Policy is a document that specifies the permissions for a user, group, or role in JSON format.
You can think of it as an agreement document that defines what the user is allowed or restricted from doing within AWS.

• For instance, an IAM Policy might specify that a user can "Start/Stop EC2 instances" but not "Delete S3 buckets."

Policy Structure

An IAM Policy typically includes the following elements:

1. Effect: Specifies whether the policy allows or denies access.
   Example: "Effect": "Allow" or "Effect": "Deny"

2. Action: Lists the actions the policy allows or denies.
   Example: "Action": "ec2:StartInstances"

3. Resource: Specifies the resources the actions apply to.
   Example: "Resource": "arn:aws:ec2:region:account-id:instance/instance-id"

IAM Groups

An IAM Group is a collection of users that share the same set of permissions.
Example Scenario:
If multiple users require the same permissions, such as access to EC2 instances, you can create a group (e.g., "EC2Admins") and attach the required policy to the group. Instead of individually attaching the policy to each user, you simply add them to the group.

Note:

• A user can belong to multiple groups.

• However, groups cannot contain other groups.

Automation of AWS IAM and Other AWS Services

You can automate the creation of IAM users, policies, and other AWS resources using the following tools:

1. AWS CLI:
   The Command Line Interface is used for performing smaller tasks, such as creating IAM users or launching EC2 instances.

2. AWS SDK (e.g., Boto3 for Python):
   The SDK provides programmatic access to AWS services and is particularly useful for serverless application development.
   Why prefer AWS SDK over AWS CLI?
   While both serve similar purposes, the SDK is more versatile, enabling you to write code for serverless services and integrate AWS with custom applications.

3. AWS CloudFormation (CFT):
   CFT enables you to define your infrastructure as code, automating the creation and management of AWS resources.

4. Terraform:
   Like CloudFormation, Terraform is used for Infrastructure as Code (IaC) but is platform-agnostic, meaning it supports multiple cloud providers.

Use Cases:

• AWS SDK/CLI: Automating smaller tasks like creating users or managing instances.

• AWS CloudFormation/Terraform: Automating infrastructure provisioning for larger deployments.

Final Thoughts

AWS IAM is a cornerstone of security in AWS, helping you ensure that only authorized users can access specific resources. By combining IAM with automation tools like AWS CLI, SDKs, and Infrastructure as Code solutions, you can manage access efficiently and scale your AWS environment securely.