[Prerequisite: an AWS account]
IAM stands for Identity and Access Management. It is a core service of Amazon Web Services for creating users and groups and controlling what they are allowed to do with AWS resources.
The credentials you create the account with are those of the root user. By default, the root user has access to all resources and can perform any operation; no IAM policy can restrict it.
One of the AWS best practices is to create a separate IAM user for day-to-day operations. It is advised NOT to use the root user credentials for them.
The four main components of IAM are:
- Users
- User Groups
- Policies
- Roles
Users
A new user can be created with specific policies attached and tags applied, and can belong to one or more groups.
User Groups
A group grants the same set of permissions and resource-level access to every user in it; a user inherits the policies attached to the groups it belongs to.
Policies
Access and permissions to resources are granted by attaching policies either to individual users or to user groups. Policies are written in JSON. AWS provides a set of managed policies, and custom policies can be created as well.
The following is the AWS managed policy AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess). It allows every action on every resource, which is why it should be attached sparingly.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Roles
A role is not tied to a particular user; it is a set of permissions that an identity assumes in order to perform a task. Roles can be assumed by AWS services (for example an EC2 instance or a Lambda function), by IAM users, or by identities from another account, and assuming a role yields temporary credentials instead of long-lived keys.
Another best practice is the principle of least privilege: grant only the permissions a task requires, no more and no less.
The difference between an Explicit Deny and an Implicit Deny is important to understand.
The following is the policy JSON for AmazonEC2FullAccess (arn:aws:iam::aws:policy/AmazonEC2FullAccess), which provides full access to Amazon EC2.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com"
          ]
        }
      }
    }
  ]
}
Now modify this policy as follows, changing the value of “Effect” from “Allow” to “Deny” in the statement for “Action”: “elasticloadbalancing:*”.
This is an Explicit Deny: the policy EXPLICITLY denies every elasticloadbalancing operation, and that denial holds even if another policy attached to the same user or group allows the operation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com"
          ]
        }
      }
    }
  ]
}
Now modify the policy again, this time removing the whole statement for “Action”: “elasticloadbalancing:*”.
This is an Implicit Deny: the policy grants no elasticloadbalancing permission at all, and in IAM any action that is not explicitly allowed is denied. Unlike an Explicit Deny, an implicit deny can be overridden by an Allow in another policy attached to the same user or group.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com"
          ]
        }
      }
    }
  ]
}
When several statements apply to the same request, whether in one policy or across all the policies attached to the user and its groups, an Explicit Deny always takes priority over an Allow. The evaluation order is: any matching Deny wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied. [Pro-tips at 17:51 in this video]
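To make the evaluation order and the least-privilege point concrete, here is an added example (not from the original page and not AWS code): a toy evaluator for identity-based policies that reproduces the Deny / Allow / implicit-deny logic over the page's AmazonEC2FullAccess policy and its two modifications. It also includes two constructed policies that are assumptions of this example, not from the page: ELB_READ_ONLY, a second policy that could be attached to the same user, and EC2_OPERATOR, a least-privilege replacement for ec2:* scoped to instances tagged Environment=dev (the account ID 123456789012 is a placeholder). The evaluator models only what the page uses (Action/Resource wildcards and the StringEquals condition) and ignores NotAction/NotResource, service control policies, permissions boundaries and resource-based policies.

```python
"""Toy IAM policy evaluator: how explicit Deny, Allow and implicit deny
combine across attached policies. Added example, not AWS code."""
import fnmatch

# The AmazonEC2FullAccess statements from the page, as Python dicts.
_SERVICE_LINKED_ROLE = {
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {"StringEquals": {"iam:AWSServiceName": [
        "autoscaling.amazonaws.com", "ec2scheduled.amazonaws.com",
        "elasticloadbalancing.amazonaws.com", "spot.amazonaws.com",
        "spotfleet.amazonaws.com", "transitgateway.amazonaws.com"]}},
}
_ELB_ALLOW = {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"}
_OTHERS = [{"Effect": "Allow", "Action": a, "Resource": "*"}
           for a in ("ec2:*", "cloudwatch:*", "autoscaling:*")]

def _policy(statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

EC2_FULL = _policy(_OTHERS + [_ELB_ALLOW, _SERVICE_LINKED_ROLE])
# The page's two modifications: ELB statement flipped to Deny, and removed.
EC2_FULL_EXPLICIT_DENY = _policy(_OTHERS + [dict(_ELB_ALLOW, Effect="Deny"), _SERVICE_LINKED_ROLE])
EC2_FULL_IMPLICIT_DENY = _policy(_OTHERS + [_SERVICE_LINKED_ROLE])
# Constructed (assumption): a second policy attached to the same user.
ELB_READ_ONLY = _policy([
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"}])
# Constructed (assumption): least-privilege replacement for ec2:*; account id is a placeholder.
EC2_OPERATOR = _policy([
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "dev"}}},
])

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # Action names are case-insensitive; "*" and "?" are the IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _resource_matches(patterns, resource):
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))

def _condition_holds(condition, context):
    # Every key under StringEquals must equal one of its listed values.
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modeled")
        for key, expected in keys.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True

def evaluate(policies, action, resource="*", context=None):
    """Return 'EXPLICIT_DENY', 'ALLOW' or 'IMPLICIT_DENY' for one request.

    A matching Deny statement in *any* policy wins outright; otherwise any
    matching Allow grants access; otherwise nothing allowed it (implicit deny)."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"

if __name__ == "__main__":
    act = "elasticloadbalancing:DescribeLoadBalancers"
    # Attaching ELB_READ_ONLY rescues the implicit deny but not the explicit one.
    print(evaluate([EC2_FULL_IMPLICIT_DENY], act))                  # IMPLICIT_DENY
    print(evaluate([EC2_FULL_IMPLICIT_DENY, ELB_READ_ONLY], act))   # ALLOW
    print(evaluate([EC2_FULL_EXPLICIT_DENY, ELB_READ_ONLY], act))   # EXPLICIT_DENY
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    print(evaluate([EC2_OPERATOR], "ec2:StopInstances", inst,
                   {"ec2:ResourceTag/Environment": "dev"}))          # ALLOW
    print(evaluate([EC2_OPERATOR], "ec2:TerminateInstances", inst))  # IMPLICIT_DENY
```

The point of the two ELB cases is that the result of an implicit deny depends on every other policy attached to the principal, while an explicit Deny is final no matter what else is attached or in which order the policies are evaluated. Against a real account the equivalent check is the IAM policy simulator, for example `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<account-id>:user/<name> --action-names elasticloadbalancing:DescribeLoadBalancers`, or `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ...` for a policy that is not attached yet.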
Resources